Are IT Security Professionals Less Happy? 363
zentanu writes "It's said that if you want to be happy, be a gardener. What about IT security professionals?
Having worked as an IT security consultant for several years, I now wonder if my job has a negative influence on my happiness, because it constantly teaches me to focus on the negative side of life: I always have to think about risks and identify all sorts of things that could go wrong.
As an auditor I search for errors that others have made and haughtily tell them. As a penetration tester I break systems that system engineers and administrators have laboriously built. I assume inside threats and have to be professionally suspicious. The security mindset surely helps me in my job, but is it good for me on the long run? What kind of influence has being an IT security professional had on your general attitude towards life? What helps you stay out of pessimism and cynicism? Is protecting existing things really as good as building new ones?"
Nah (Score:2)
I hate doing security work (why can't ve just assume that all users are friendly people who would never rockroll or goatse anyone?), but I still don't like life. ;)
haughtily (Score:5, Funny)
"As an auditor I search for errors that others have made and haughtily tell them."
You must be very popular.
Re: (Score:2)
"As an auditor I search for errors that others have made and haughtily tell them."
You must be very popular.
It's all in the tone of voice, haughty but nice.
Good times and Bad times in any job (Score:5, Insightful)
I'm an IT consultant with over 30 years experience since I graduated. There are good times and bad times.
The good times for me were in the mid 1990's when I worked in the old Soviet Block. There, I could see the work I was doing making a difference.
The bad times were when the company I worked for got taken over and the whole job changed. Suddenly we were supposed to apply production line metrics to consulting assignments.
Luckily I got out and started on my own.
However in your job, it does weem that you are predominantly occupied looking at the down side of IT. Keeping those pesky hackers at bay is not a job I'd want to do.
I'm a fairly creative person. So I have concentrated in spending more time doing things outside of IT.
I've just signed a deal to get my first novel published. Not a huge amount of money. But I can concentrate on the positive for at least part of the day.
Perhaps you do really need to take a long hard look at your work life balance.
Re: (Score:2)
Just be glad you're not doing outsourcing. That job is truly shitty.
I work as a guard now. Less stress. Hehe.
Re:Good times and Bad times in any job (Score:4, Interesting)
Keeping those pesky hackers at bay is not a job I'd want to do. I'm a fairly creative person.
Heck, keeping those pesky hackers at bay IS fun to me. I find that sometimes, ok most times you have to be creative to do this. The graet thing is that different people find different things fun and interesting.
-----
Right click here to download sig file
my 2c (Score:5, Interesting)
I have never *ever* used my job when considering my own self worth.
Jobs are the means to make money. Sure if you enjoy them, great, but if you don't, and you judge your self worth by them, well then you're fucked.
Its better to have other measures, other means to judge how well you are doing in life. For me its my open source coding, and my amateur science efforts, as well as being a dad. Any job I do is only, and will only ever be, the means to provide the necessitaties of life, like savings, a home, money for my kid and such.
Ok, that's important, but its not a thing upon which your self image should be based. At least that's how I feel.
Re: (Score:2)
Umm.. the question was nothing to do with whether IT security professionals feel good about themselves because of the job they do. He's asking if the mindset required to do the job negatively affects their attitude in other aspects of their life.
Actuary (Score:4, Interesting)
I can think of a few jobs that are a lot less happiness inducing, like insurance actuary... placing bets on how long people have to live must be a downer.
OTOH, if you can learn to leave work behind when you go on vacation then IT security pays a decent salary and you should be able to afford a relaxing and distracting trip to whereever entertains you, especially in nature settings.
Re:Actuary (Score:5, Interesting)
Or insurance claims denier.
"I'm sorry ma'am, but we can't cover your little girl's ambulance ride. You should've taken the bus."
I knew someone who did that and after a few "yay, you're not dead, welcome to financial ruin" type calls, he had to quit.
happiness... (Score:3, Insightful)
Re:happiness... (Score:5, Funny)
Re: (Score:3, Insightful)
Attitude makes all the difference. I enjoy finding the bad guys who are actually maliciously doing something bad and stopping them. It's rewarding to pull up a list of things you've accomplished and say, "See? I stopped these guys who stole a thousand dollars a day from us!" Do I care what kind of people they were? No. Do I care why they were stealing? No. Do I care what crap happens to their lives after being convicted of theft? Not really. Once someone has crossed that line of stealing from the
Oh yes it does! (Score:2)
Re: (Score:3, Insightful)
that's why many IT departments block as much crap as possible, because THEY don't want to be that in that kind of investigation, so they cut off outside email, IM, myspace, etc so people can't make those mistakes with THEIR toys. Sure people will try, but then you have policies in place long before their actions become "illegal" and police get involved.
Re: (Score:2)
I thought system admins were gardeners (Score:5, Insightful)
Why do you think they call them server farms?
Seriously, being a system admin is like being a commercial-grade landscaper or farmer.
If a system admin has a good job, he'll have the authority to decide what to plant/what equipment to install, what to feed it and how often to water it/what scheduled hardware and software maintenance is necessary, etc.
He will also tend the garden/maintain the system and reap and share the rewards for his efforts/get paid and have happy customers or bosses.
Re: (Score:3, Funny)
And neither ever seems to have enough ladybugs to make their lives easier. :-(
Be careful of the root rot!
Oy vay (Score:5, Insightful)
Come on. Get over yourself. Cops, laywers, doctors, nurses, paramedics, military people... these walks of life deal with human misery, pain and suffering every day. If you're so worried about offending your sunny disposition maybe you should join a convent.
Listen, in any field if you can't take enjoyment out of what you're doing then (a) you should change your profession, or (b) realize if you can't do (a) you're in the same boat with about 80% of the rest of the population.
As a member of the IT world, security-related or otherwise, you have intellectual challenges and brain-teasers to deal with on a constant basis. Testing your knowledge and skill, forcing you to re-evaluate whether you're as good as you think you are every step of the way. And yet, even in such a position you're bound to go through times when you find yourself working for some real asshole(s). They're no fun, either, but you have to keep plugging away.
Either that or apply for a job at the factory where they make those "Have A Nice Day!" bumper stickers. Oh wait ... that's in China. Never mind.
Re:Oy vay (Score:5, Insightful)
Come on. Get over yourself. Cops, laywers, doctors, nurses, paramedics, military people... these walks of life deal with human misery, pain and suffering every day.
Are you saying that because other people can do it then the he/she should too? If so I can't help but ask who are you to tell someone what they can and cannot do? This is known as "minimization" and can be a very ineffective, not to mention damaging, way to communicate with someone.
If you're so worried about offending your sunny disposition maybe you should join a convent.
Can you sense the hostility?
Listen, in any field if you can't take enjoyment out of what you're doing then (a) you should change your profession, or (b) realize if you can't do (a) you're in the same boat with about 80% of the rest of the population.
That 80% of the population you claim has the same capability to make choices about their life that the other 20% do. People choose what they do for their own reasons, not for yours or mine.
but you have to keep plugging away.
*YOU* might have to keep plugging away but the OP doesn't. That's for him/her to decide. Besides that, 80% of statistics are made up 20% of the time.
You make some good points but I sense a lot of underlying hostility in your comments that, if I saw in myself (and, believe me I have) would eventually force me to take an inventory about where I am in life.
The OP asked a very good question and you have seemingly interpreted it as him griping about his job. Maybe that is the subtext that spawned the question but it is not how the question is presented.
Re:Oy vay (Score:4, Interesting)
As much as the crowd around here pretends like it's a farce, I turn to faith to provide my much needed avenue away from cynicism and pessimism. So how does it help me?
So for everyone who says that religion is a crutch, I treat my faith like a scaffold, lifting me up, and giving me the support necessary to paint my life in a way that will please my Father.
Oh, and yes, I still have to fight worry (job security), gossip, and being someone no one likes to hang out with outside of work. I'm not that different from you.
Re:Oy vay (Score:4, Insightful)
Why was this modded Troll? He's at least speaking his mind here.
I work with lots of IA people (Score:5, Interesting)
A good number of them would be checking bags on the way out of BestBuy if they didn't know how to boot a PC.
My experience lately is that security people, generally, are:
a) not intellectually curious,
b) fearful of change,
c) often suspicious of others' motives because they, themselves, have malevolent intentions, and
d) powertrippers, because they've been given power to second-guess solutions they weren't technically-savvy enough to come up with themselves.
It's fun to discuss something like IPv6 with an IA weenie. He doesn't understand it, so it must be a threat!
BTW, I work for a large federal organization, where these people are everywhere.
Security Drama Majors (Score:2)
Those don't sound like security professionals... I've run into people like that, they're the ones who applaud "security theatre" solutions like Vista's UAC, but I wouldn't call them "IT Security Professionals". They sound more like the mob over in QA pushing ISO9000.
Sounds fun! (Score:2, Funny)
I've run into people like that, they're the ones who applaud "security theatre" solutions like Vista's UAC, but I wouldn't call them "IT Security Professionals".
Security Theater. Is that anything like Dinner Theater? It sounds fun!
Re:Sounds fun! (Score:5, Insightful)
Re:Sounds fun! (Score:5, Funny)
like being strip-searched by a clown.
I thought the TSA had a patent on that.
Re:Security Drama Majors (Score:4, Interesting)
So what does "IA" stand for?
It stands for "Information Assurance." It's what the Federal government calls IT security. And the OP was right - the Feds are in a world of their own with this stuff. Any time IT security can even possibly intersect with access to classified information, the paranoia level goes just off the charts.
Probably... (Score:2)
After all, the IT security people know what it takes to make things secure, BUT they aren't allowed to make it secure.
Why? Because that would make it too much of a hassle for the end users, or some bean counter says it'll cost too much.
Less Happy? How About More Happy! (Score:5, Insightful)
I used to be a software developer for many years and am not in IT security. For me, IT security is actually more satisfying. I'd much rather be the person responsible for finding security weaknesses and assessing risk than the person responsible for getting high quality systems built under tight deadlines.
When you present your security assessment findings to the developers/engineers, there's no need to be haughty about it. Nobody's perfect and every system is going to have some bugs and weaknesses in it. Just present the risks in a matter of fact way so that the people in charge will understand and can make informed decisions on what to fix and how quickly.
Also, when you do security assessments / pen tests, why not also include a section in your report where you tell the developers what they're doing well from a security standpoint? I always do this, which helps to balance out the negative aspects of a pen test makes the developers feel good before I show them what they need to improve on.
You want answers? (Score:5, Funny)
No.
What kind of influence has being an IT security professional had on your general attitude towards life?
I beat my wife.
What helps you stay out of pessimism and cynicism?
Beer.
Is protecting existing things really as good as building new ones?
No, not really.
Sorry, am I being too negative here?
Re: (Score:2, Redundant)
Yes, you are. I suggest smoking more weed and drinking less beer^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H. It helps.
You sir are correct. (Score:5, Funny)
Yes, you are. I suggest smoking more weed and drinking less beer^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H. It helps.
You're absolutely correct sir!
You see, one of the side effects of weed is paranoia. And I can't think of anything better than increasing paranoia in a security professional.
Weed for IT security folks should be a job requirement - paid for by the company!
The answer (Score:5, Funny)
ah: number of happy IT Security Professionals
au: number of unhappy IT Security Professionals
bh: number of happy non-IT-Security Professionals
bu: number of unhappy non-IT-Security Professionals
The answer is yes if au/(au+ah) > bu/(bu+bh)
At least infosec is less likely to be offshored (Score:2)
Infosec is also less likely to be taken over by offshore guest workers. Or, at least, I would think so.
So, unlike every other US IT worker, you won't be training your replacement within two years. I guess that's something to be happy about.
Correlation vs Causation (Score:5, Insightful)
Hasn't it been fairly well established that more intelligent people are less likely to be happy in general? Being good at IT security (and not just an appliance operator, trained to run a few tools and read the generated reports) requires a fair amount of creative thinking and intelligence. I've worked in the field in the past, and I don't think it's specifically the adversarial mindset that causes unhappiness. I actually had a lot of fun doing that stuff - at least, when my work was appreciated by those I was advising and I wasn't seen as an interloper. That depends more on people skills, both on the working level and in management.
On the other hand, for the last few years I've worked on projects that are ostensibly for the public good, ensuring safe water supplies and such, but I've been rather unhappy with it. Why? Because the company I was working for was far better at securing grants and government contracts than at building anything useful and actually putting it to use beyond carefully controlled tests and demos. I came to realize that nothing I ever did there would ever really matter.
Since then I've been self-employed, doing ten times as much work but I'm happier.
Re: (Score:2)
On the other hand, for the last few years I've worked on projects that are ostensibly for the public good, ensuring safe water supplies and such, but I've been rather unhappy with it. Why? Because the company I was working for was far better at securing grants and government contracts than at building anything useful and actually putting it to use beyond carefully controlled tests and demos. I came to realize that nothing I ever did there would ever really matter.
Bechtel?
Re:Correlation vs Causation (Score:4, Interesting)
Nope, much smaller, but I think we touched on some of the same projects.
I had a guest show up as I was finishing the last post and I cut it a little short. I was trying to say that I'm more satisfied working for myself because I work on what I believe in. Whether I can make a living at it in the long term remains to be seen, but I'm happier than I was at a comfortable desk job with a nice salary and vaguely defined work goals.
Smart and happy are a difficult combination. I wish I had more advice to give on the subject, but I'm grateful just to be reasonably content without medication. Most days, anyway.
Thankless job (Score:5, Insightful)
Think about it, you have to constantly deal with user mistakes or quite often the mistakes of others and correct them. By correcting someone's mistake you are showing them their faults, not generally a good idea if you want people to be nice to you.
Therefore you end up with user aggression towards the people who provide their computer support.
And when it's the fault of faulty hardware they blame you, you can't win.
Damned if you do... (Score:5, Insightful)
As the saying goes: "Damned if you do, damned if you don't."
If you don't point out the mistakes, then you're the one who gets blamed when there is (inevitably) a security breach.
If you do point out the mistakes, you've irritated and embarrassed the user -- and, possibly, forced them into doing something they don't want to.
Which means, assuming you never make a mistake, the only kind of feedback you'll ever get is negative -- that you were annoying, or that you failed -- never positive. (Compare this to, at the very least, a sysadmin -- bring up a new service, and you get to be a hero, at least for awhile. But nobody ever sees an attack that failed.)
Wouldn't this threory apply elsewhere? (Score:5, Interesting)
Wouldn't cops and military personnel also be extremely unhappy as well, based on this?
Wouldn't people who work in demolitions, tearing down buildings, be very unhappy?
Wouldn't this mean that anyone working in a job that had a potential negative impact on others, also be very unhappy? I mean with gas prices what they are, isn't the guy working at the gas station feeling miserable, because people hate paying as much as they are for gas, and he is the front-line representative seeing these reactions?
Too busy (Score:5, Funny)
If it floats your boat (Score:5, Insightful)
If you say you're happy, then why question that?
All I know is that when I worked with mainframes there was no such job classification as "security professional" unless you count the people in charge of guarding the building.
When one mainframe needed to communicate with another we did so over leased lines, and the notion of receiving an executable from another mainframe and running it automatically I don't think would have ever occurred to anyone.
While you might conclude that having a powerful computer on everyone's desktop makes the security exposures we have today inevitable, I don't think it necessarily follows from that that enterprise computing should be as vulnerable as it has gotten. Obviously the "PC revolution" has not resulted in economies of scale, quite the opposite. How many orders of magnitude has growth in enterprise IT gone through? I guarantee you right here an Slashdot there are people who see no problem in downloading large chunks of sensitive data to a machine (even a laptop) outside the data center, for either temporary fiddling, local cache, or whatever and then (if the machine hasn't gotten lost or broken) uploading it to the corporate database overlaying intermediate transactions.
I talk to people working in these environments quite frequently who just don't have a clue. Someone in your job has to not only constantly try and stay a jump ahead of crackers (not hackers!) but also fight with people who are supposed to be on your side about how rules you impose keep them from getting their job done (or so they think). Our profession has been considerably dumbed down in my opinion by the advent of desktop computing. There is no solution in sight. That's why I would find a job like yours unappealing.
Re: (Score:3, Insightful)
That's true, but it could be argued that similar security holes still exist. When exploiting buffer overflows and the like, you are not asking the system to run an executable automatically, you are 'confusing' it to such an extent that it can't thin
Re: (Score:2, Informative)
IBM still ships their IBM i systems insecure as hell, leaving most customer setups in the same shape.
Example:
Telnet is enabled by default, but telnet/ssl is not. Everyone uses SSL. I've seen many people directly exposing Port 23 to the Net, cause the i is secure.
Oh, and don't talk about SNA and DDM Files.
I know how you feel (Score:2)
Good or bad (Score:5, Insightful)
In this regard, they likely are miserable people but frankly, you should have people in your security department that are jazzed about IT and security. Not someone who flipped a quarter between CPA and IT professional.
Re:Good or bad (Score:5, Insightful)
Sometimes the 'user mindset' gets silly. I often find our users think they're so important to the company that they're justified in doing ANYTHING, including surfing for porn in open cubicles during business hours at world headquarters with tour groups walking past. Or, more frightening, to cover up their ignorance or to short-cut understanding... blah, blah, blah.
Sure, there are roadblock powertrippers out there in the IT security field, just as there are in pretty much any security field (CIA, cops, mall security, etc.) On the other hand, there are legitimate risks out there that do have real-world bottom-line consequences. No one thinks that viruses are a big deal until you've got an entire factory floor idled because the controller's infected. No one thinks that they'll be hacked and make the news for it, but they do (Caterpillar [jammed.com], TJX [scmagazineus.com], even security company Guidance Software [internetnews.com], to name a few).
What gets me down about my job (yes, I'm in IT security) is not the adversarial nature of it. What really gets me is that absolutely NO ONE really wants security implemented until AFTER the company makes the Wall Street Journal for being hacked. Who gets fired on that day? Often times, it's the security people, despite the fact that they'd been trying to implement countermeasures that would have at least reduced the damage from the attack. Until your company makes the WSJ, security is overhead, a liability, a roadblock. Afterwards, they're the ones who let the barbarians through the gates, regardless of how many times the board denied funding security projects.
I used to be jazzed about IT security, but 10+ years of being told that nothing overrides the business need, and that I'm nothing but a roadblock has ground me down to the point where I'm just punching the clock and trying to figure out what career path to do next.
And to all you whiny, lazy, good-for-nothing assholes who can't remember their precious password: Can you remember where your car keys are? Your Social Security Number? Your birthdate? Your wife's birthdate? The phone number to the restaurant that delivers your dinner? The name of the girl you had a crush on in 4th grade? People remember all sorts of things when they want to, and when it's important to them. Now, think about this... if your company makes the WSJ because you set your password to Ripken09, who are they going to fire? Yeah, you're right: they'll can the poor security schmuck that's dedicated his career to compensating for stupid pukes like you, but you'll probably keep your job since there really wasn't much that could be done about the hacker anyway.
I guess there's the problem in a nutshell. The only people who care enough about security to do something about it are those who stand a chance of losing something when security fails. The vast majority of the time, the only people at risk are the security guys.
Holy crap, I just re-read that. Never realized how bitter and vindictive I've become. I got to get me a new job!
Re:Good or bad (Score:4, Interesting)
Completely true, and one of the big reasons that I believe that static passwords provide almost no security. I'd much rather see the use of stronger authentication methods, such as SecurID tokens or digital certificates, which really do improve security without the extreme pain caused to end-users by passwords that can be cracked in a few minutes anyway.
Here we get back into the whole "security is overhead until after compromize, and then they're scapegoats" mode. Both token and certificate-based authentication cost HUGE amounts of money. They require adding servers, more administrative work, and frequently more hardware on the workstation, so very few companies actually deploy them, despite the obvious benefits.
Forget gardening. (Score:2)
Gardening is hot, sweaty, sometimes backbreaking work. If you've got any allergies, you'll be sneezing and/or blistered all the time. If you slack off a bit, your work for a season or more is wasted. And you've still got security threats, in the form of rodents, ruminants, insects, and the slower but more tenacious weeds.
IMO, the security mindset as described in that article won't hurt you. What will hurt you is trying to counter the threats that mindset helps you find. By locking everything down and d
Part of it comes form PHB who don't get it and for (Score:3, Interesting)
Part of it comes form PHB's who don't get it and force non working software and security rules on you.
you don't get it (Score:2)
Part of it comes form PHB's who don't get it and force non working software and security rules on you.
Those same PHBs have software and rules forced on them by their PHBs and they are tasked with implementing them. It's your job to help them. Either you do it with no questions asked, or you need to convince them that some alternative is better. If you can't do either, you aren't doing your job.
There are ways to turn it around (Score:2)
The trick is to turn it around, concentrate on the benefits of what you are doing and the way it affects other people. The first thing you must do is set up a good relationship with your client so that they understand that yo
the bigger answer: (Score:3, Interesting)
If you are in IT at all you tend to be less happy.
Get a wife/girlfriend (Score:5, Funny)
This is Slashdot, so my comments won't be popular here:
Get a wife or a girlfriend and be *her* penetration tester. You might find a new joy in bringing your work home!
alt.sysadmin.recovery FAQ (Score:3, Funny)
The mention of gardening brought to mind section 5 of the alt.sysadmin.recovery FAQ [faqs.org]. Well worth a read.
Hidden causes (Score:4, Funny)
As an auditor I search for errors that others have made and haughtily tell them.
It's possible InfoSec is not the thing making you unhappy; maybe you're just a dick.
Re: (Score:2)
I thought about that bit as well.
Where I work, we do peer review of all the code that has been written before it can even be committed into our source control. When we find an error in someone else's code, we don't "haughtily" tell them. We just say, "Hey, check line Foo again, it doesn't look quite right."
There's no need to be a dick when pointing out mistakes. There are lots of ways to go about doing so, and explaining the consequences of those mistakes, without being a jerk.
One of the last things you wan
Maybe you need to find a new line of work (Score:2)
As a security pro, it is your job to protect existing computing assets, but the question of personal happiness is not an unreasonable thing to ask in regards to your overall career.
Computer security seems almost hopeless some days. Viruses, bots, hacks and the like... Helplessly watch as some assholes overseas rally up a monster botnet in less than a month because regular folks are too dumb to not to click on the latest meme? It's like watching lemmings go off a cliff. Security researcher has to be one
I totally identify with this... (Score:5, Interesting)
The security mindset can definitely do long term harm, in my opinion, assuming you're not careful that is. In order to be really good at it you need to be thinking about new potential exploits all the time, and it's really easy to let that rub off in your ordinary life.
I started seeing trivial security holes everywhere... everything from what's wrong with security labels, and tabs, on food products, and "tamper-proof" pharmacy jars to flaws in ATM vestibule security... you name it.
Honestly I kind of started developing mini-phobias or something about things like, take the security labels on food items. Let's look at a plastic mustard dispenser. Underneath the screw on top it comes with a little tab that you rip off, and somehow this keeps it safe from tampering during the period between when the manufacturer creates the product and when you purchase it.
It's absolute nonsense, and does NOTHING to stop anyone from doing anything to the contents of the mustard dispenser. Should someone want to insert a harmful substance into the bottle it could still be done with a very thin needle. It's really there just to appease the masses into thinking the product is somehow made "safe" by the introduction of that little security tab.
So I think about that, then I start to think... oh man, even my mustard's not safe, what if someone did something to it!?!?
It's ridiculous, and completely irrational. I don't think in the history of the modern food distribution system has anything ever happened to anyone's mustard. We all hear horror stories about Halloween candy, and over the counter medicine but I think in large part that stuff is all urban legend.
I think absolutely, yes the security mindset can cause mental health problems, in minor ways for some, and for others who are more prone to thinking negative thoughts perhaps in major ways.
The key, I think, with the security profession is that in order to stay on top of the game you need to always be thinking about how the next attack could arrive. Criminals are creative, and so must be the security people as well. In training your mind to think this way I can see how people would find it easy to become unhappy in other areas of life too.
I no longer do security work, but it's not because of finding it difficult to keep that work / life balance alive (I just got another better opportunity in a different sector). Still to this day I have some lingering security thoughts about things, but all I can do is try to think logically about them.
Just because something is insecure that doesn't mean it's worth worrying about. There's a big incentive for criminals to find any way possible to gain access to a sensitive or desirable computer system, but there's very little gain in tampering with a bottle of mustard ;).
As you stated in your question, it sounds more like you're starting to see the pessemistic side of things everywhere. Everyone's a potential threat. I think no matter what it is it's a similar expression of the same issue: security people get paid to do nothing but worry.
It's not a totally correct analogy, but I think it serves well enough. Now that I'm out of the security business I am pretty thankful. I never realized how much of a burden it was until it was gone. The less time I spend thinking about potential security holes the better I feel in general :). I think it's safe to say security pro just isn't the job for me... perhaps others are made for it.
Seriously though I don't know how people do it. How DO you do that job and not immediately size up threats? How do you not instantly look for the gaping security hole in the access panel on the ATM you're using? How do police men not become jaded and see the potential crime in every situation?
I think some people don't... they do become jaded. But others, the ones who stay happy, they just fight through it. I honestly think it's a choice. You are in control of your mind, and you choose what you le
Re:I totally identify with this... (Score:4, Informative)
Re: (Score:3, Informative)
And what both you and the GP miss is that the seal on food (e.g. the foil seal on peanut butter or the classic click-pop of a jar of grape jelly) is not a security measure, it's a safety measure. When the seal is intact, that means that the contents will be edible (up to the printed use-by date, if applicable). If the seal is broken, then the product should be considered inedible since the spoiling process will have begun at some point during shipping, rather than in your home as the manufacturer intended.
Anger Managment (Score:4, Funny)
I used to be constantly unhappy on my job until I found a way to vent. Typically I randomly reset someone's passwords, shutdown a server for no reason, or throttle down the internet bandwidth. When asked what going on I just blame a Microsoft patch. Trust me this is much better way to get the anger out than trying to horsewhip a user (I tried it, wouldn't recommend it)
More seriously, if the job is getting you down look to change the environment. If another job isn't possible look to transfer to at least another position in the company. Never do something that makes you miserable.
Happiness is what you make it (Score:2, Interesting)
I have always been suspicious. I always notice everything. I enjoyed my FT time as a cop and I enjoy my time on the SO. I enjoy what I do at the state agency I work for. I don't think that my contact with the negative part of soc
To be a happy IT professional... (Score:2)
Treat your IT job as gardening. Instead of thinking how to prevent the attack think of preventing all but legitimate use. The attack vectors possible for a malicious agent are far more numerable than the legitimate uses. Encourage the growth of legitimate uses, prune illegitimate uses, and weed out malicious attacks. Allow your mind to shift freely between attacker and user and do not dwell any one place too long.
Gardeners have stress too. It's just over a much longer term. They have cycles of nurturing and
They Are Unhappy For a Very Good Reason (Score:2)
What we are beginning to understand is that high levels of concentration-learning are not what the brain is designed to do. The very reason that we see teens and others fighting learning is that it causes a certain type of brain disability. That built in limit is something that schools and others try to teach us to ignore.
The proof is in savants that are aided by modern medicine. As their disabilities are cured their extraordinary abilities start to vanish.
Are You Being Listened To? (Score:2)
Are doctors unhappy too, then? Since they see problems constantly? What about the fact that we're in infosec to fix problems?
It seems to me like you've already started with the wrong perspective---already focusing on the negative.
It all comes down to the people you work with. Do they listen? Do they improve their organizations based on what you tell them? If so, then finding problems is a good thing. If not, then finding problems is a bad thing because it just adds to the list of things that will never be f
Empathy = happiness (Score:5, Informative)
The best security consultant I met was not a super geek able to hack my Checkpoint installation. He was a very kind, easy going guy, who started by explaining that absolute security was impossible. He asked the management what was the most important stuff to protect, and against who. In a single meeting, less than one hour, he understood our business and our needs, and instead of freaking the management with catastrophe scenarios, he built a security architecture in layers around our most valuable assets.
He did not try to draw suspicion on employees at large. He asked simple questions like: what if an employee in such position is not as competent or as honest as you thought, or what if an employee in this other position starts having problems at home and this lead him to lower his standards at work? Or what if this key employee was injured and could not even communicate with his replacement for weeks?
Other good questions he asked: did you see the graffiti in the parking lot? (yes). Do you think the company or someone here was directly targeted? (No). Then why did someone make this graffiti? (Because he had a can of spray and too much time). Anybody here has a teenager at home with unsupervised access to high-speed internet? (Silence). Anybody here has a teenager at home with unsupervised access to the computer where you have your VPN client installed? (More silence).
In the end that guy provided us with an excellent audit, and a very cost-effective implementation plan for a security upgrade. I don't think he left the building feeling bad for his pessimism; instead I am pretty sure he left with a smile, knowing he helped his customers to get what they needed. Maybe the NSA or some expert hacker can find a backdoor in some obscure network appliance, but our biggest concerns, getting our product specifications stolen by the competition or our CRM database plundered by a disgruntled employee, is not gonna happen.
It's just a job... (Score:5, Insightful)
Okay, a few things here:
1> Your happiness in general shouldn't be based on your job. Sometimes people take shitty jobs because they need to pay the bills. You think people like cleaning toilets or hauling garbage? Some might, but I suspect most don't really care for it. And yet, I know a lot of people who have shitty jobs but very happy lives. They just learn not to let their job get them down and they learn to make the most of their time outside their job.
2> That said, if you have the option, you should get a job that brings you pleasure, 'cause it's worth more than money. After all, you're probably spending most of your waking hours doing your job.
My general impression in IT (not necessarily security), is that the people who do it because they truly enjoy IT, are the ones who are going to be happiest in their jobs. On the other hand, people who go into it only for the money, tend to be the most miserable, unhappy people in IT. It's not just that they may not like it to begin with. They probably liked aspects when they got into it. But working in IT can be more trying than other jobs if you're not into it.
Most jobs (and not all, obviously), don't require you to constantly stay on top of a very quickly evolving subject matter. Let's face it, once you know accounting for example, you're done. It's not like it's a fast paced field with lots of changing ideas and innovation. The same can be said for most other fields. Obviously most technology related fields are this way. Medicine as well, but largely due to advances in technology and its effect on biology and biochemistry research.
To be good in tech, you have to stay on top of things and a lot of times, you have to do that outside your job as well as in your job. If you don't love it, or at least like it quite a bit, trying to keep pace with it can be incredibly frustrating.
Anyway, just my $0.02
Stress and progress (Score:3, Insightful)
I've worked in infosec for nearly a decade and it certainly takes a toll. The most stressfull situations, by far, are internal investigations and legal proceedings. Unfortunately, I believe the inevitability of these situations are just a byproduct of human nature -- the fact that computers were used is many times incidental. I've seen eye-opening security situations over the years, even some from individuals that I never would have guessed possible. Despite the incredible stress these situations can present, having the support of senior management, legal counsel, family, friends, and good beer has helped tremendously in my long-term attitude.
You mentioned you're a consultant. Have you considered taking a role to stay with an organization on a more permanent basis? It has been very rewarding for me to look back through my strategic accomplishments over the years. Despite the ever-increasing, disproportionate workload in security I can clearly show progress and in the end that helps give me perspective.
Wrong business... (Score:3, Insightful)
If you don't enjoy what you do. If you aren't enjoying the chase and the finding of security holes. If it makes you crazy or think it might make you crazy. If your professional "paranoia" is causing you emotional/mental issues... then you are in the wrong line of work. The best IT security professionals enjoy all of that, so it does not cause them problems outside of work.
That can really be applied to any line of work. Any job that causes those sorts of things makes you "less" happy than others in a line of work they enjoy.
"Negative?" (Score:5, Insightful)
I find there are generally two types of IT person whether they are 'security' IT people or otherwise. There are those who think of the users as 'the enemy' and those who see the users as their reason for being employed. Obviously, I consider myself to be a member of the second set... the former set doesn't fully acknowledge the second set except that the second set "only serve to keep the problem going."
Long ago, just after the dot-com bubble burst, I began to realize what everyone else forgot during the dot-com boom. The boom occurred because people thought "IT" was some sort of magic bullet that just made money by virtue of its simply being there. Ridiculous amounts of money were spent on IT development and manpower. Anyone and everyone who was tired of their previous job, changed over to become "an IT professional" and expected enormous wages... some even got it. (There's still a lot of dot-com boomers in the biz... some deservedly so, and others have no clue or talent at all... we all know one or two don't we? You know, the 'cert chasers' and 'job hoppers' with enormous resumes who couldn't manage to set up a server for which he has a certification if his life depended on it?)
That thing I realized was that "IT" is just a support function for business. Sometimes "IT" is the production side of business, but generally speaking, whether directly or indirectly, IT is a utility function like electric and plumbing. While there are supposed to be higher skills and ability involved in the execution of IT functions, this isn't always the case. Upper management sees IT in this way as well because all of their executive clubs, newsletters and conventions tell them so. This is why they think they can outsource a lot of IT without hurting the company and generally lower the wages of the same group of people they classify as exempt from overtime pay.
But the realization that IT is an operating expense on business showed me that just being a great IT guy isn't enough -- I have to have the interests of the business at heart as well. And you can't have the interests of the business at heart when you hate your users and what you do. I do hate spam and spammers with no known limits, and crackers polluting the internet drive me a little crazy, but in the end, I recognize the range and limitations of my role in defending against those ass-clowns and focus on my users and mitigating the damage that can be done and balancing any methods I might employ against the needs of my users.
Another thing I have realized is that the same people who hate their users, probably hate their children as well... if they have any. If doing their job seems to have a negative influence on their personality, I think it's more likely that doing their job merely brings out existing negative tendencies. My point is that they probably already had personality issues to begin with and would likely respond to 'negative' stimulus in the same way whether it's IT or not. Doctors can bitch you out for eating too much. Dentists can bitch you out for not brushing regularly. Mechanics can bitch you out for not changing your oil regularly. And cops might beat you senseless for running a red light. We don't expect or desire these behaviors from people we consider "professional." If you're an IT person and you feel that your users are 'the enemy' then it's time to look at your professional attitude.
Approach it as a puzzle... (Score:4, Interesting)
Apart from that, it's a puzzle. Someone hands me a system or process, and it's my job to see if there's an unguarded way in (or out), a way to DOS the system, etc. Sometimes I don't find them before the real enemy does. It's a race, and it's a thrilling one.
Finally, I don't haughtily tell anyone anything. These are systems that (ideally) people have put their heart and soul into. You don't go up to someone and say their baby is ugly or deformed or broken. You point out that there may be a problem, and that you're a doctor - a specialist - and you're here to help.
It drives the staff at our doctors crazy. (Score:5, Interesting)
Not just IT security (Score:3, Insightful)
That same mindset isn't always good for dealing with other aspects of life. Who wants to always be focused on solving problems in their relationships for example? In my case I had to realize the inclination to always find the "negative" aspect of a situation. Once I became able to realize it, I developed the ability to set aside my initial perception and focus on more positive ways of dealng with situations. For example instead of focusing on what is wrong, I appreciate what is working correctly. By identifying the positive aspects of any particular situation or system I'm better able to bring individuals and departments together. People respond a lot better to a presentation that effectively says, "These systems were implemented to do X, Y and Z. They've been doing them well enough. Lets consider how adjusting A and B will make them even more effective." A few years ago, my presentation would have been more along the lines of, "X, Y and Z are completely cluster fucked. The developers fucked up A and B, and didn't even bother to think of doing C. Now, lets fix this broken pile of shit."
Re:Short Answer (Score:5, Insightful)
Real Question: WHY?
In "traditional" security, people can ascertain the threats on their own - so they are happy to allow the "security" department to interrupt their life (e.g. - using keys to open locks).
In IT security, people just want to download cool screen savers. Most simply don't see the risk. As such, the job of an IT security professional is much more difficult (e.g. - "why can't my password just be the name of my dog?").
So, most people who work in IT security are made out to be Mordac [wikipedia.org] - "Preventer of information services".
re: "traditional security" vs. I.T. security (Score:5, Insightful)
I don't know. In many ways, "security" is never anything more than putting up deterrents to crime. The more of them you implement, the more you create inconveniences for YOURSELF, in the process. It never really ensures the PREVENTION of a crime.
In "traditional" security scenarios, I think people have found a balance they're content with in most cases. (EG. If I want to secure my house against a break-in, I can stick with the "staple items" we universally employ, such as door and window locks. We've pretty much all established that having to find the proper key for one's door to get inside is a minor hassle, vs. the level of crime deterrence it provides. Optionally, people wanting more can buy an alarm system. Much more hassle, expense and inconvenience, but an added layer of protection everyone understands and can opt for or against with a good sense of the pros and cons.)
"Computer security" is largely considered "of little real value" by the public because they (usually CORRECTLY) come to the conclusion that it creates too many impediments to being productive with the computer tools given. I.T. security nazis that demand those "tough to guess" passwords that have to be changed regularly only cause people to have too much trouble signing THEMSELVES in. So to work around this? They start writing the passwords down on things they can easily look at. Problem solved, but security measure largely bypassed.
By the same token, your business can spend thousands and thousands on firewalls and other "network appliances" that all promise to improve security from hackers and outside threats. But one employee can circumvent it ALL with a $50 wireless access point concealed someplace in a drop ceiling, and letting his buddies know they can now get on the LAN from a portable sitting in the parking lot.
I think many people in charge of spending (whether management or other I.T. workers) are realizing that the basics like merely having SOME kind of password required to log in, a basic NAT firewall in place, some anti-virus/spyware package on the workstations, and maybe a spam filtering service on their email is ALL they realistically need. MOST companies just don't have that much on their network that outside hackers even care to access. The most "sensitive" information is usually just of interest to EMPLOYEES of the company (like salary histories of different people?). So let the one dept. that has to handle that data (H.R.) put extra security measures on it, and keep them from inconveniencing everybody else.....
Re: "traditional security" vs. I.T. security (Score:5, Interesting)
no, there is quite a bit of liability involved in IT now. Not properly protecting salary and HR files can be a criminal offense to the company owners.. you have to do it. But you are correct, security is not really about "preventing" wrongdoing, because somebody that wants to get you will. On the other hand one part is to make enough noise that the honest people know you're watching and aren't lead astray. The other part is logging and auditing what's going on... just like a physical security guard, to know who belongs and who doesn't, then able to prove that in court if you need to.
Good security also keeps people from accidentally messing up your data, and that's the most common and disastrous thing that happens. To only give people the minimum they need, then when 2 months of TPS reports are missing you have a short list of who had access rather than entire departments, and find out the boss deleted them not "some hacker". You also keep unqualified people from screwing things up.
Re: (Score:2)
Or a cellphone with a USB cable. 5 minutes searching the web (from home) gives the required driver, and dial-up networking settings. Considering our IT policy forbids network access not provided by the company. They supplied the cell phone, cable, laptop, so all I needed was a driver (not the easiest thing to sneak in without admin rights, may require a boot disk, etc.)
Re: "traditional security" vs. I.T. security (Score:4, Insightful)
Like many other posters from the "other side of the desk" who've had crappy experiences / perception of corporate infosec, you've got some pretty profound misapprehensions about what real infosec is all about. Security that gets in the way of people doing their jobs IS bad security, as a general rule, because as you observe they will route around it - and then you have a false sense of security, because now you don't know what insecure practices are going on, because the users are actively trying to conceal them from you. This is a Bad Thing. Seriously, I spend a lot of my time giving masses of positive reinforcement to people who do the right thing (like dropping me a mail saying "uh, it's probably nothing, but we're coding up this system which includes a secret admin backdoor, is that OK with you guys?" , and likewise making sure that users know to flag it up and complain, LOUDLY, if security does get in their way. When I get to hear about such issues I put of a lot of effort into addressing concerns in a fair way, explaining the risks that eg. rotating strong passwords is designed to protect against, providing tips and hints about how to generate memorable passwords (first letters of a line of a favourite song is one of my favourites), why it's actually OK to write them down on a slip of paper kept in your wallet and so on. I also try to make sure these efforts are highly visible - not because it's a security contest, but precisely because I want to reduce to the inevitable "look out, here come those goose-stepping bastards from security again" attitude to the absolute minimum possible. That's also why I try to take the time to chat to real end-users rather than just listening to what managers tell me their people are doing.
one employee can circumvent it ALL with a $50 wireless access point concealed someplace in a drop ceiling,
That's what 802.1x is for, and why you spent all that time arguing about the wording of your AUP, and making sure that no-one can claim that they didn't know that installing a network backdoor was grounds for instant dismissal (eg. with regular mandatory refresher training, all@... emails and the like.
I think many people in charge of spending (whether management or other I.T. workers) are realizing that the basics like merely having SOME kind of password required to log in, a basic NAT firewall in place, some anti-virus/spyware package on the workstations, and maybe a spam filtering service on their email is ALL they realistically need
Actually, the "right" level of security is as long as a piece of string. What are your assets? What are the risks to them? What (to some arm-waving approximation) is the chance of something bad actually happening? Now compare the costs and benefits. Lo, there is no "one size fits all" solution. For instance my home WLAN is configured with a really crappy WEP encryption doobry, broadcasts it's SSID, etc. However only my Dad uses that connection, and the only plaintext stuff going over it is low-value general mail and web usage; on to of that we're miles out in the countryside, we know the families within wifi range personally and none of 'em have computers anyway... and I couldn't make his cheapo wifi dongle work with WPA2. Given that cat 5's impractical without cutting holes in doors (or drilling thru' 18" thick masonry walls and fitting proper conduit.) Oh and I don't run any a/v or firewall on my work machine; I use a hardened BSD and have no network services running apart from ssh on a high port. See what I mean?
Re: "traditional security" vs. I.T. security (Score:4, Insightful)
You lock them out so they are not calling every hour.
But that's exactly the problem that it causes. Users are constantly calling the helpdesk because they don't have any control over their systems. They need to get something done, but then they need to wait 2 days for IT to respond to the call, because IT are so backed up with trivial requests.
Treating the user like an idiot who needs to be protected from him/herself is not the solution. Better to educate people and teach them responsible computing. Hell, if workers don't know not to install malware and randomly downloaded stuff, then what business do they have being employed in a job that uses a computer? Get rid of the idiots, instead of turning people into idiots by not allowing them to learn, or bothering to teach them.
Re: "traditional security" vs. I.T. security (Score:5, Informative)
Get rid of the idiots, instead of turning people into idiots by not allowing them to learn, or bothering to teach them.
Easiest way to do that is to track who's wasting IT's time, as opposed to who's using the department wisely. When Johnny Sales calls for the tenth time in a week 'cause he just HAD to click the monkey for a better insurance deal, you or your boss should point out that Johnny blew 5 man-hours of labor that week...on a digital monkey.
Anyone that helpless needs to be replaced with someone who CAN follow policy.
Re: (Score:3, Insightful)
Re:Short Answer (Score:5, Insightful)
So, most people who work in IT security are made out to be Mordac - "Preventer of information services".
I do a fair amount of "security engineering" - designing and implementing secure systems. What I have found is that in most cases the reason people (users) see the security people as "preventer of information services" is because the security people don't give a shit about actually using the systems, only about securing them.
I've come to believe that to be a really good security engineer requires loads of human-factors type expertise because the problem is not just how to secure the system, but really how to enable the users to do their work as easily as possible in a secure fashion.
The classic example is the password policy that is so byzantine that nobody can remember their own passwords - sure it is secure on paper, but because nobody took into account that actual people have to use it, the net result is that people 'cheat' and write down their passwords or come up with password creation schemes that produce easily human-guessable passwords if you know any of the previous passwords (!ReD_111, @BluE_222, #GreeN_333, etc).
Re:Short Answer (Score:4, Interesting)
In IT security, people just want to download cool screen savers. Most simply don't see the risk. As such, the job of an IT security professional is much more difficult (e.g. - "why can't my password just be the name of my dog?").
That is exactly why most people don't like IT security. The true answer is that their password _can_ be the name of their dog, for 95% of users, because they won't have access to sensitive information by default. To access that sensitive info, they should have to jump through security hoops, use secure passwords, etc, but not to unlock their workstation after refilling their coffee.
There's an old saying, that I can't remember exactly, that says if you use the same protection to safeguard your bread, as you do your money, then your money will be as insecure as your bread used to be. The reason is that nobody is going to run the vault combination every time they want a slice of bread, so the end result will be that the vault stays open, making your money insecure.
Re: (Score:3, Informative)
That is exactly why most people don't like IT security. The true answer is that their password _can_ be the name of their dog, for 95% of users, because they won't have access to sensitive information by default.
And which are the 5%? And how do you work out which roles those are? Bonus points for describing how to integrate a data access privilege level for every user when they are first hired, when they change role, or every time the information they access changes. Oh look, it's ten thousand times easier and more secure to train everyone to do the right thing in the first place.
Re: (Score:3, Insightful)
And which are the 5%?
The ones who can change other people's passwords.
And how do you work out which roles those are? Bonus points for describing how to integrate a data access privilege level for every user when they are first hired, when they change role, or every time the information they access changes.
The security protection should be put on the resources being accessed, not the user accessing them. Keep things with different security needs separate. When someone's role changes and they need access to that resource, then they have to conform to the security requirements of that resource. If that means using a different password than their desktop log-in, that's fine.
Oh look, it's ten thousand times easier and more secure to train everyone to do the right thing in the first place.
Easier, yes. More secure, no. You can't successfully train everybody at the same level
Re:Short Answer (Score:5, Interesting)
OK, so you can either be a security dick and "haughtily" tell people of their errors, etc, or you can actually help the sysadmins. And I don't mean help by slapping your polished report on the managers desk and think you're helping by listing all the things they've done wrong.
No, get down in the trenches. Build a relationship with the engineers and sysadmins, so that you work together. They'll start coming to you before they make mistakes asking you to help them double check their work. I worked at one shop where the security team was just like this. We'd work with them on what we did, and prevented tons of mistakes before there was ever an issue and things moved to production.
Then you have the security team I work with now, who we simply call "Team No." They're pretty useless, everyone hates ever having to deal with them. They're the type that when you ask for help designing a secure system will respond its not their job. When you question them they'll haughtily respond "I know what I'm doing, I'm a CISSP!!!" Big freakin' deal, I respond, so am I. But the net result is without cooperation, they'll never truly be able to secure our systems.
Please be the kind of security guy that is a help not a hindrance. And then I'm sure you'll start going home at the end of the day feeling much better about yourself.
Re: (Score:3, Insightful)
Being a security person means they walk a tightrope. They have admins who do things without ever considering the security aspect, they have admins who think "to hell with the security people, I know better", and then you have at least some of management who wants to know why all of their pet favorites can't just have root.
I agree
Re:Short Answer (Score:5, Interesting)
I'm not sure, but back in the days when I worked as a programmer making a poker game (before the craze broke out about online gaming) I was constantly feeling numb about the whole programming deal spending some of my days just surfing around feeling kinda worthless to the company and that in turn made me feel kinda worthless too in the long run.
About 7 years ago I started working in craft, with tile laying (bathrooms etc), and I never had a bad day. Sure some days are tough but when the day is done I always feel like I made a difference, and I'm not mentally exhausted when I get home, so I could for instance do some programming for fun or whatever.
It's not true for everyone of course, I know plenty of people that can handle it, but for me it seems like the more work I get done the better I feel. And with my job I can make other people happy, that kinda helps. With IT you are just making people less miserable.
Late night rand, gotta sleep :-) (.se)
Re:Could be a coincidence (Score:5, Insightful)
I'd love to see your security documentation.
"i am a it security professional w/10 yrs exp and i recommend bgr passwds."
I'm guessing you're either full of shit, or have the worst security documentation EVER because you can't use capital letters and you can't write decent English.
Security is more than downloading and installing anti-virus software, you know.
Re:I'd reply but I'm worried someone will be watch (Score:5, Interesting)
I know a guy in IT security. He's generally a happy person, with a good family life to keep him busy. He plays horn with a band, with practice keeping him busy several times a week. He says that's what keeps him sane.
Re:I'd reply but I'm worried someone will be watch (Score:5, Insightful)
A few points:
Re:I'd reply but I'm worried someone will be watch (Score:5, Interesting)
Security nut for local network speaking. Since Security is the antithesis of Usability, you are not popular for doing your job. If you introduce a new security regime that makes things "hard" for people to do their jobs you are seen as a roadblock in the road of progress. If your security regime is not tight enough you are blamed for data leaks.
With this in mind, you need to derive your happiness from other places than peoples praise. I'd say the GPs post example is of a person who has learned to derive happiness from both family life and playing in a band.
I know I get happiness not from doing the security work, but from other sources that are funded by the security work. I can definitely corroborate the correlation with more anecdotal evidence of my own experience.
Now I must get back to writing more policy.
Apparently there is (Score:5, Interesting)
Actually, there was this study linked on Slashdot a few years ago, where average happiness in IT was below that of, say, workers on garbage trucks. I'm too lazy to google it atm, though.
So apparently there _is_ at least some correlation.
There are plenty of personal anecdotes of people who were unhappy in IT jobs and got a lot happier when they resigned and did something else. I don't know if that's enough to "prove" a causation, but it at least makes one wonder.
Of course, it could also be that the people who are drawn to IT work are the ones who are totally unfit for that kind of a job, and who'll hate it. At least theoretically, it's a possibility.
On the other hand, it would be a first for any job.
On yet another hand, about half the people who end up in IT or programming jobs, loved working with a computer before choosing that career. In fact, that's why they chose it. A lot still love working with computers in their free time.
So whatever the cause and direction there is, at least it surely can't be that it draws people who hate computers.
At the very least, something is wrong there either way that causation goes. In the end, regardless of which way it goes, if you're unhappy with a job, you're just unhappy and that's that.
I have to wonder how much you can keep those attitudes separate.
There was a study some time ago, where merely being asked to write an apology of a position contrary to your own, fully knowing that it's just a silly exercise and it's not even supposed to be taken seriously, after a while causes your actual position to shift towards what you wrote. E.g., if you're a Democrat and have to write an essay about how right Bush is, after a while you'll actually start seeing him in a somewhat better light.
It's called cognitive dissonance. The brain basically has a model dissonance with "I'm a honest person" and "I just wrote a lie", and basically resolves it by changing the latter to "well, it wasn't really a lie. Maybe at most a bit of an exaggeration."
So a mask you wear every day, eventually becomes _you_. If you pose as a Linux/BSD/Mac/Windows fanboy to fit a certain crowd even just for a couple of hours a week, eventually you become more and more of an actual fanboy. And if you have to put on a thoroughly unhappy face every day for 8 hours, eventually you _will_ convince yourself that you _are_ unhappy with your situation.
At any rate, you can't really keep two completely opposite mental models, unless maybe if you're schizophrenic. And those attitudes are based on your model, after all: being, say, a misanthrope is based on your model having a pretty bad opinion of your fellow humans. You can't really switch between "humans are evil idiots, and they should have stayed in the trees for another million years until they're ripe" and "humans are nice and friendly, and I enjoy their company" at the drop of a hat. Your brain is wired to keep _one_ big model of everything consistent, not to have several models and switch between them as needed. If it worked with several models, it would avoid cognitive dissonance very easily. In practice, it doesn't.
So any model changes that cause a different attitude at work, _will_ still be there in your model when you're at home or at the pub with your friends. You may build an artificial "us" group (as in, "us vs them") of people who ar
Re: (Score:3, Insightful)
Is he really happy?
He says that's what keeps him sane.
Maybe he really means it.
the secret to happiness is to find value in value (Score:4, Interesting)
I've been working in IT security for almost 13 years now - I started back in the days when were said, "what's a firewall and why do I need it?"
I largely work as an independent consultant, and I have worked in banking, defense, fed gov't and the live-like-a-rockstar-dot-com-days.
I have to say that my overall sense of fulfillment at work has been rather low. Spending a decade telling people 'no' or 'how to do it better' - especially when they don't really understand that you're trying to help them, or they don't understand that there are actual threats - is really frustrating.
Working on endless IT projects, for clueless management, unappreciative end users only to have the project canceled (don't 80% of all IT projects fail?) leaves me with no real sense of accomplishment and meaning.
To mitigate this, I joined the local volunteer fire dept. Nothing beats a day in the cube more than rolling down the road lights and sirens or actually bringing someone back to life.
pax
Re: (Score:3, Insightful)
Re:I'd reply but I'm worried someone will be watch (Score:4, Insightful)
good IT security is not about following anybody's agenda but about securing the property. It's like being the night watchman responsible to lock the doors, close the windows, and be on look out for strangers. IT security is not "policing", nor should it be. In my company our guys work hard to keep their jobs non-political. They'll provide facts but not run around snooping on people for the boss. There's a big difference in the two.
Re:Love What You Do (Score:4, Insightful)
I'd so strangle you to death in the elevator on a typical Monday morning. IT, specifically security, is both a means to buy alcohol and a reason to consume it.
Gone are the days when the ox fall down,
Take up the yoke and plow the fiends around.
Gone are the days when the ladies said' "Please,
Gentle Jack Jones won't you come to me."
The days of getting to go to work and actually do something constructive, creative, and innovative are mostly over in the current environment. Fix this, patch that, comment this, find same old buffer issues, copy what the other company did, file this, give same report you gave three weeks ago to the same people, and worse...
Brown-eyed women and red grenadine,
The bottle was dusty but the liquor was clean.
Sound of the thunder with the rain pourin' down,
And it looks like the old man's gettin' on.
My advice, such as it is, is to leave work at work and home at home. If you can work on not having the security mindset at home and hope for some sort of outlet than great but that's not the case for most of us.
Man... I used to hate people who loved their job. These days I do what I love. ;)