The Cavalry is NOT Coming

Pwned: The Information Security Podcast

Summary:

Show Notes: https://justinfimlaid.com/the-cavalry-is-not-coming

Sponsor: https://www.nuharborsecurity.com

Contact Me: https://justinfimlaid.com/contact-me/

Twitter: @justinfimlaid

LinkedIn: https://www.linkedin.com/in/jfimlaid/

I hear it all the time: security burnout is high. It wasn't until this week that I realized that folks got the reason for burnout completely wrong. After listening to someone tell me that a large tech company burns out their staff due to work volume and rotates the staff every 2 years, I realized we have it twisted. I don't know about you, but most security folks I know love doing security, and a 60 hour week hasn't burnt anyone out when they do what they love. If a 60 hour week does burn you out, then I'd recommend changing your work profession as a matter of mental health. Go do something you love to do; then no one would have to pay you to work, because you'd do it for free because you love it.

As a former CISO I can say first hand that the work never burnt me out. The environment and people are what burned me out. What I mean by that is that having accountability for security and no direct responsibility for security in a $6B organization was incredibly stressful. Most security folks I know are in this spot. They have accountability for enterprise security, but the role and action of security is distributed across the organization.

Also - there should be some segregation of duties between IT and Security. Since security is often monitoring an environment, they often see mistakes made by peers in the company outside of security. Those mistakes can make security challenging, but those same peers often have little motivation to clean up those mistakes unless it directly impacts their job. So, security having to feel like they are in the position of digital janitor and clean-up crew can be exhausting. There are only so many times you'll clean up the spilled milk before you just leave it spilled.

Security leadership has become a political position: evangelizing for security, educating your work colleagues on security, all so those same company peers, when faced with a security decision, will self-select the correct decision related to security when no one is looking.

To amplify matters, you don't have all the budget you need or want to do your job. Nor likely do you have all the actual authority to make that decision you want to. The threat landscape is also shifting, so tomorrow is always a new type of cyber attack.

All this is to say that it's a tough job. Not because of workload only, but the surrounding intangibles of working in organizations who probably are excited to pass off security can be draining.

I've got news for you: the Cavalry is NOT Coming. You are on your own.

For those of you listening to this maybe not grasping the challenge, let me propose an analogy. We've all been out to dinner at a restaurant. Let's say being a CISO is like being the chef of the restaurant. In this analogy the chef is accountable for your meal, but not responsible for preparing it or delivering it. The chef has a partial budget, and needs to convince other kitchen staff to pool their budget to buy the food needed to serve the menu. The kitchen staff, however, also have other department chefs they work for that divert their attention. To make matters more complicated, the kitchen is consistently invaded by rodents and kitchen hygiene is ...