On a good day, the cybersecurity profession can be rough on the mind and body. There's no shortage of IT security practitioners who've developed prickly dispositions during an endless battle with upper management over policy and funding -- not to mention employees whose computing habits put the company in danger every day.
But there's no need to feel like a slave to the grind. Just ask Mike Rothman, Security Incite president and principal analyst.
Rothman has been around the block more than once, working for such companies as TruSecure, CipherTrust and now eIQnetworks.
He's butted heads with upper management and been fired more than once. Along the way, he's learned to be happy in his profession despite the challenges.
He's been traveling to different security organizations of late, giving a presentation on the subject called "The Pursuit of Security Happyness." (As in the movie, the last word is deliberately misspelled). In a recent interview, he outlined seven keys to finding it.
Accepting that we can't win
Let's face it: No matter how many hours you spend in your IT shop and no matter how big your security budget and level of upper-management buy-in, the bad guys are always going to be three steps ahead of you.
It's also inevitable that credit won't be given when there's no attack, and blame will certainly be forthcoming in the event of a data breach.
Rothman's advice is to lay out a clear definition for success that accounts for these pesky realities and just do the best you can.
Remember that the CEO may define career success, but YOU define personal success. If the resources, funding and upper-management commitment are enough to give you a shot at achieving personal success, roll with it.
Focus only on what you can control
No matter how hard you try, there will always be things you can't control: senior management, budget, user stupidity, IT operational challenges, DBA "dimwits," as Rothman calls them, office politics, business partners, auditors and regulations.
The good news is that there are things you CAN control: policies, security awareness, monitoring that enables a quicker response to sinister activity (see the third key), incident response, communications, and how to respond to those "dimwits."
Look for not normal
As Rothman noted earlier, the bad guys are always a few steps ahead and soft targets are all around us. For example, with botnets everywhere, DDoS attacks are getting cheaper.
And no matter how much security awareness training employees have, there will always be one or two people who fall for phishing schemes anyway.
This being the case, Rothman recommends IT shops make the most of monitoring tools. The more you monitor systems for unusual activity, the better the chances of stopping a data thief.
Communicate the good and the bad
Since there are things beyond your control, it doesn't hurt to lower expectations or, as Rothman suggests, "manage expectations."
To that end, he recommends using what he calls the rule of three: 1. Tell people what you are going to do, 2. do it, and 3. tell them what you did. "Poke yourself in the eye, then give yourself a hand," Rothman said.
Roll with the punches
This tip is especially hard to heed if you are addicted to trying to control what you can't control. Remember that whatever the atmosphere, it's not about you and, well, someone always has to pay. Try not to take it personally.
Cover thy behind
Rothman's tips for doing this are to protect your flanks politically by documenting everything and being nice -- until it's time not to be nice.
Simply put, Rothman said, work is what you do, not who you are. Asked who he is, Rothman offers a list in this order: husband, father, friend, pain in the behind, security guy, analyst and bad marketer. If you realize after soul searching that you're not doing what you love, it's time to be honest with yourself and take a leap of faith, he said, adding, "Change is good."