Stress levels in Cyber Security?

L_D_G

On one hand, I can see how the answer might seem obvious. Tech is advancing more than ever and every other day seems like there is a new revelation in one country hacking another. Of course you would think the threat of attack is stressful.

On the other hand, I would imagine the proper certs and experience needed for a given position will give someone the peace of mind to know they can probably handle it all.

The career field seems very interesting to me. I'm very excited to get into it, but I did have a thought creep into my head that while the world of CS could be fascinating, it could also be somewhat exhausting. So I thought I'd ask from the people who I'm thinking would know best.

gespenstern

Pretty stressful. Not uncommon to hear from colleagues who switched careers that they lose their sleep literally.

Certs don't help much, because too many things are out of security control. Unless it is something supersecret DoD, security is always an afterthought and it can't be more expensive than the cost of an asset it is supposed to protect, only a small fraction otherwise it doesn't make sense.

So the problem is not to secure everything using your knowledge -- it's impossible for majority of cases, the problem is to make sure that all the decision makers are informed properly about all the risks they are taking by doing this or that so when bad things happen you know that at least you warned them and documented it. At least it lets you calm down your conscience and you can sleep slightly better if you are positive that you've informed everyone, but in real world chances are you'll be fired anyways no matter did you warn them or not if bad things happen.

And if you get fired after a high profile breach landing a new gig can become really complicated, who needs a professional who didn't make it? On lower levels (SOC Analyst) it's not that serious, but Sr. Security Engineer and higher it gets tough. CISOs -- I don't even want to think about how do they sleep at night, at least the responsible ones.

L_D_G

gespenstern wrote: »

Pretty stressful. Not uncommon to hear from colleagues who switched careers that they lose their sleep literally.

Certs don't help much, because too many things are out of security control. Unless it is something supersecret DoD, security is always an afterthought and it can't be more expensive than the cost of an asset it is supposed to protect, only a small fraction otherwise it doesn't make sense.

So the problem is not to secure everything using your knowledge -- it's impossible for majority of cases, the problem is to make sure that all the decision makers are informed properly about all the risks they are taking by doing this or that so when bad things happen you know that at least you warned them and documented it. At least it lets you calm down your conscience and you can sleep slightly better if you are positive that you've informed everyone, but in real world chances are you'll be fired anyways no matter did you warn them or not if bad things happen.

And if you get fired after a high profile breach landing a new gig can become really complicated, who needs a professional who didn't make it? On lower levels (SOC Analyst) it's not that serious, but Sr. Security Engineer and higher it gets tough. CISOs -- I don't even want to think about how do they sleep at night, at least the responsible ones.

So the tech person essentially becomes a scape goat? I don't know the rules when it comes to contractors, but is it that easy for those above to let you go in circumstances like that-where you did all you could?

the_Grinch

I've investigated a number of breaches and honestly, heads don't roll as quickly as one would think. Especially since the tenure of IT security people typically isn't very long. Most are inheriting a mess that is not of their own creation and management knows that. Also, if your management team doesn't expect to be breached then that is a company you do not want to work for. Everyone points out Target, but that is an extreme example in my opinion. In the past three breaches I have seen, not one person was fired. But that was because they were able to detect and prevent significant loses. Notice I did not say prevent the breach or prevent all loses. As security people it is our job to find the risks, mitigate them and keep management abreast of issues. This also means expounding that total prevention is an impossibility.

As far as stress is concerned it is a lot like being a fire fighter. When there's a blaze you are completely stressed, but there are times where you are just doing your daily stuff. There are always things that can be tweaked, tools/devices to maintain and monitoring to be done.

gespenstern

L_D_G wrote: »

So the tech person essentially becomes a scape goat? I don't know the rules when it comes to contractors, but is it that easy for those above to let you go in circumstances like that-where you did all you could?

Plenty of stories. For the ones on the surface search online for "Target Corp fires 475 security employees after the breach". Then where do they go, how do you think? And what do the people who consider them for positions think? Like, "well, looks like you recently were fired from security engineer position from Target, right?" And he's like "Ummm, well, yeah, but I did everything I could, it's just higher management failure". And you are that higher management in another company these guys are trying to apply. Tough times.

Where do you think former Target's CIO works now? Search online. They didn't have CISO at the time so had to fire CIO as she was responsible for security as well.

Higher management cares primarily about themselves, so as middle management. They will make you a scape goat no problem if the choice will be either them or you.

Luckily, majority of smaller to mid-size breaches are never reported to the public so no scape goats are needed. It's just CC breaches are easy to spot for banking industry who isn't interested in sweeping things under the rug. But PII/PHI/confidential info breaches... they almost never reported unless the bad guys decide to go public with what was stolen despite what HITECH and other regulations say.

80hr

I can tell you from a government standpoint that "Spills" happen almost on a weekly basis. While this does increase the stress level, not much you can do about it. I am stressed , but I just take it as part of the job and try not to "show" my stress . My boss on the other hand is always yelling in the office or slamming his door etc..

Overall I would stay that Cyber( insert new buzz word) is stressful, just as IA policy is stressful ( depending on which level you are at) the important thing is how you handle the stress. The key I think is not to be controlled by stress and realize that stress comes with every job and decent paycheck.

636-555-3226

in my experience, as the infosec mgr for a large global company, my worker bees don't get stressed out too much. part of my job is to deflect and absorb that. i try to make their jobs fun, and i like to think it works a bit, esp. since the turnover rate for my staff is zero.

my stress levels, on the other hand, are through the roof. mostly due to having to manage different messages to different levels of the organization. one or two get the whole truth, some get the partial truth, most get the glossy shiny truth. Having to remember who knows what and trying not to slip to the wrong people is very stressful, esp. when trying to garner support for various initiatives. You know how hard it is to get funding for something when the person at the end of the line has only seen the glossy shiny truth and thinks we're in a good place and don't need to buy any more things? Yet I need those things to block some of the latest attacks? stressful!

NovaHax

Cyber security is stressful if you are the top guy (CISO or equivalent) that is ultimately responsible when things go down. Also, consulting is super stressful (been doing it for 5 years). But internal security support jobs aren't bad...IMO.

NovaHax

...would also say incident response personnel have it pretty rough too. Just because of the high stress situations you have to deal with. Everyone around you is already tense and looking to you for answers. No thank you.

9bits

I'm in an entry-level IT security role, and it's not too bad, but the guy above me is always stressed. He also makes 3x what I make, so stress/high responsibility/high salary all tend to go hand in hand.

It's not just IT security, or even IT, but really the world as a whole is moving faster, growing more rapidly, and becoming more competitive. We live on a planet with a finite surface area and finite resources, yet the population is always increasing. Competition is only going to continue to rise, as will stress.

L_D_G

the_Grinch wrote: »

As far as stress is concerned it is a lot like being a fire fighter. When there's a blaze you are completely stressed, but there are times where you are just doing your daily stuff. There are always things that can be tweaked, tools/devices to maintain and monitoring to be done.

I like this analogy.

Reading through all the responses the stress levels also seem to come hand in hand with how high up you are. Makes total sense. Public knowledge of any errors also seems be a factor (not why I want to get something in the govt, but it does sound like a plus) especially since, as mentioned, banks or publicly traded companies have investors to appease. The govt treats the population on a need to know basis so a problem and solution occurring without public knowledge I can see being advantageous to job security.

636-555-3226 wrote: »

my stress levels, on the other hand, are through the roof. mostly due to having to manage different messages to different levels of the organization. one or two get the whole truth, some get the partial truth, most get the glossy shiny truth. Having to remember who knows what and trying not to slip to the wrong people is very stressful, esp. when trying to garner support for various initiatives. You know how hard it is to get funding for something when the person at the end of the line has only seen the glossy shiny truth and thinks we're in a good place and don't need to buy any more things? Yet I need those things to block some of the latest attacks? stressful!

Having to control information dispersal and basically telling people what you need but not being able to tell them why makes sense as well. I can see myself getting frustrated in that position too. This is probably why, at least right now, I like the idea of being part of a team with a leader/liaison to do that instead of me.

E Double U

How stressful a position is depends on not only the work, but also how that individual handles stress. I've had stressful moments in every job I've had, but never felt any role was overall stressful because I'm not easily stressed. I have a very calm temperament. On the other hand, I've had (and still have) colleagues that get stressed very easily when faced with the same issues that I brush off. It isn't my certifications that ease stress, I'm just naturally relaxed.

TechGromit

I think what industry your in is a factor too. Every hacker and there brother is interested in hacking into Banks, credit card companies, large retail businesses that handle credit cards, etc. A manufacturer that makes widget parts is going to get considerably less attention and love from the hacking community. Everyone is a target, but some are much bigger targets than others. If every day was people running around in a panic they got hacked again, I'm sure with that level of stress, few people would last very long in Cyber Security.

UnixGuy

Keep in mind that stress level has a lot to do with with person and their character.


I've seen people doing so many easy/straightforward work (in and out of IT) and they're just stressed and angry for the sake of being stressed and angry. While on the other hand I've seen people who do very critical work and they're calm and collected.

Your direct boss/supervisor has a lot to do with your stress level, and so do your colleagues but I think it's 90% how you personally choose to deal with work and your attitude in general.

networker050184

I don't work in security directly, but I have noticed stress level in a position is tied almost directly to your management. Outside of you just slacking off or doing something willfully stupid, they should have your back and keep the stuff from rolling down hill.

TheFORCE

Pretty stressful on my side too, like others said it depends on a lot of factors. Being part of a good team is also a factor, having to be a 1 man show very soon you will feel the stress.

Ertaz

Stress is pretty real. Operations CIA triad is ciA Infosec's is more like Cia. Everybody mad.

jayc71

E Double U wrote: »

How stressful a position is depends on not only the work, but also how that individual handles stress. I've had stressful moments in every job I've had, but never felt any role was overall stressful because I'm not easily stressed. I have a very calm temperament. On the other hand, I've had (and still have) colleagues that get stressed very easily when faced with the same issues that I brush off. It isn't my certifications that ease stress, I'm just naturally relaxed.

I agree with this for the most part, it's mostly about temperament and your reaction to stress. Some people get angry and lose it, others stay calm and focus. I'm not going to say one is better than the other, the results are really what matters. Infosec isn't the only stressful job in IT, just ask an Exchange guy about a time the whole company's email was down or a networking guy about the time the WiFi network was down. IT, as a whole, can be stressful because people will look to you to explain things they do not understand and pretty often they will get upset if you don't have an instant answer.

I spent a long time as a sysadmin, virtualization engineer and occasionally jack of all trades, there is always stress. Now, I run an Infosec team and other than deflecting questions from above and managing communications as someone said above, it's not overly stressful because I trust my team.