I quit infosec and I couldn't be happier (paulsec.github.io)
170 points by PaulSec on March 1, 2023 | 165 comments


I have been an information security consultant for a long time. Software dev background. 2006 start app sec consulting -> senior consultant -> principal consultant -> CTO (of small consulting firm) -> get bought by NCC -> start my own company 10 yrs ago -> CTO/managing principal -> sell company -> still consulting. Done so many different things but the common theme is app sec. Finding bugs and risks in software via reversing, assessment, threat modeling, and code review.

Do I still love it after 17 years? No. A lot has changed. A lot has not. I still like it most days. By far my favorite thing has been building a team and teaching others what I learned. I hit burnout here and there. I think computers and tech are different and objectively a little less fun now for this field. When I started I could find a bug in a system and write an actual exploit (actual machine code!) for it by hand in a reasonable time scale and that was always really cool. Now teams of people are required to achieve the same exact goal. Just one of many examples.

So anyway, some get off my lawn cause I am older now, some is just me changing what I like and want from life, some is tech changes. It’s still a great field as a consultant. Show up. Hack. Write report. Leave. Never be a CISO, you can’t pay me enough to do it. The end.


Sounds like folks like you must have been doing a really good job if it's that much harder to exploit vulnerabilities!


Yeah, ultimately the goal of infosec is to make itself obsolete. On the one hand, it seems to be working because exploiting things has become more difficult/expensive. On the other hand, cyber attacks seem more rampant than ever, because exploiting things has also become more lucrative. So are the effects of the infosec industry real? Or is it just an arms race?


We still find SQL Injection at an alarming rate... but yes, eventually it would be nice to make it nearly impossible to do the wrong thing by default for programmers. That is the dream. Information systems are just too vast and complex for that to be true on any time scale I could predict for you, though, so job security seems pretty good!


Yep, memory corruption bugs on a modern OS are really hard, but still possible. That’s why sketchy firms like those that build Pegasus now pay 7 figures for a locked and loaded iOS exploit, which objectively does the same thing mine did a decade or so before. :)


I think it's more like software developers have gotten better, leaving less room for cyber security.

When I first started any idiot could hack a web application because nearly all of them had silly exploits like SQL injection.


We all collectively made developers better. Anyway, memory corruption is mostly stopped by the kernels and memory corruption mitigation strategies. Mostly implemented by security-focused devs and guided by information security research. It’s a yin and yang thing. We find stuff, the community and big organizations research and figure out new mitigation strategies etc. It is an ecosystem with many loops that have security researchers and bug hunters almost everywhere.


As someone with a C/C++ background considering a move in this direction career-wise, would you still recommend it?


It really depends on what you want to do. We hire folks from dev backgrounds all the time and many stick around and enjoy it. If you get pushed into some corporate app sec role where you aren't doing interesting problem solving, I do not recommend it. If you get to really dig into security problems and challenges using engineering and technical skills you have acquired, yes, it is still fun. You get to take apart other people's puzzles (apps/code) and there are tons of opportunities for automation, scripting, writing tools, etc. It is an awesome field to grow in when you have a lot of hard CS and development skills and can apply them meaningfully. That makes things pretty narrow in terms of roles out there that check all of the boxes I mentioned, but, yes, it is still interesting and fun. Look at all the cool things people have done with fuzzing over the last 5-10 years, starting with AFL which really changed the game. Now people do fuzzing with VMs (qemu) etc. Just a ton of really cool stuff that a solid C/C++ dev can really dig into and play with :)


I think the trick to staying happy in cyber security is to chase down niche fields in technology. Your work won't be perceived as sexy by the broader community since you're not tracking North Korea, but the trade off is that you will have fun and not have to brush shoulders with so many egos. So what's green these days? That's for you to decide, but one area I think is interesting is smart contract security on blockchains. Lots of folks are pouring into that space.


Moving into the blockchain space to avoid brushing shoulders with egos is like living in a pig pen to avoid getting dirty.


Sure there are a lot of egos on the business side of blockchain, but I meant smart contract & protocol auditing.


> Never be a CISO

Can you share why?


Average tenure for a CISO is lowest of any C suite. You will likely take the hit in the event of a security incident and be fired. Tedious work. What to do is often obvious. Getting everyone to do it is the hard part and usually devolves into politics. Thankless job, you can only be wrong once. Just not appealing and CISO is becoming legally sketchy, requiring a lot of diligence out of a CISO to not end up in legal trouble. But if this appeals to you, it can be rewarding stuff, but it is not a great tech role IMO. Or a great management role.


> Average tenure for a CISO is lowest of any C suite. You will likely take the hit in the event of a security incident and be fired.

As far as I can tell, this is the actual purpose of a CISO: being the sacrificial goat when an entity experiences a security event that ends up in the news. I say this without any sarcasm.


> As your company's CISO, the most unkind yet accurate adjective people will ever apply to me is "ablative."

From Corey Quinn's fantastic "security awareness training" thread: https://infosec.exchange/@Quinnypig@awscommunity.social/1097...


At a former job I worked directly under the CISO doing architecture audits.

He described his job as "we shouldn't do this, or this. we probably need money for both, or failing that, implement some really annoying, workflow-impacting changes that will annoy people. so gib mony plz".

Inevitably the org would say no to both, so he asked for that in writing and then played the CYA game hard when it went bad.

"a cortisol rollercoaster followed by begging followed by more rollercoaster" was a phrase he used.


> Average tenure for a CISO is lowest of any C suite.

Do you have any stats to support this statement? I work as an Information Security Officer; other firms have BISOs or other names for this kind of position.

Additionally, a lot of what you are describing is either cliché ("you can only be wrong once") or only true for certain types of businesses or regions. There have been examples where CISOs have experienced legal pain in the US, see Uber's former CISO. But I would not expect companies to see this as an exemplary case.


Anecdotal observation.

Articles like this: https://www.forbes.com/sites/forbestechcouncil/2020/02/10/th...

LinkedIn data is pretty reliable, so this is not a difficult thing to study sufficiently.


BISO and CISO are generally not the same. A BISO function tends to be an interface between information security and business units.


That is certainly true. I was trying to point out that I am indeed not working as a CISO, but as an ISO or a BISO. :)


There's a reason the role is often referred to as the Chief Sacrificial Officer...


From what I've heard from other CISOs:

You own a bunch of unsolvable risk and your head is one of the first to get lopped off if you're popped.

Honestly, the CISO role probably needs a golden parachute and a direct report to the CEO for it to be an appealing path for most anyone who's experienced it at least once. The former to incentivize owning that much risk, the latter to enable the role to drive change.


That's insightful, but I still think the assumption that the CISO has to go when the company gets compromised is a big issue. Instead of security being a team effort, with the goal being making the hard choices together, finding the correct compromises to let the business thrive while being secure - it usually makes the CISO take an adversarial position to anything in their company - since it's always their head if something bad happens....

Amazing CISOs lead security by enabling others to make secure choices that still let them move quickly and deliver value. To do that - they shouldn't always be one hack away from losing their job.


The CISO is an odd role because it mostly has to help protect against tech risk without owning tech, and because it's a bit of a crap role, you end up with all sorts of the wrong people and behaviours in the role.

Common Pitfalls:

- Act as a gate that slows everything down, i.e. it must be secure, which in turn makes things less secure, as there's less time on the board to fix things.

- Chase massive budget. Eventually get massive budget. Buy silver bullets that don't fit in tech's guns.

- Focus on the non-tech parts. We'll train people not to open cat.jpeg.exe instead of, you know, auditing their usage and turning off their kit / login when they're pwned.

With anything, it's all about the people you put in place, but my experience is the average large company CISO sits on a pile of paperwork and IT security whilst their servers aren't patched.


The CISO gets blamed and fired because it’s a language that shareholders understand. You think shareholders are going to understand that the CISO enabled others to make secure choices?


CISOs are starting to report to the board. The biggest challenge is budget. It's hard to put an ROI on a theoretical risk whose chances of happening are at best an educated guess. Most company leaders don't value detection of breach but only prevention, so things like the significant cost of storing network flow logs is an uphill battle.


I fumbled on an interview once when asked “tell us how a security initiative you led brought value to your organization”. I rambled on about average breach/downtime cost but I couldn’t quantify anything on the spot. In retrospect, I should have focused on man-hours saved through the prevention system. It’s a hard sell!


CISO direct report to CEO can be bad politics.

CISO direct report to CTO can be a conflict of interests for the CTO.

C-suite positions need a golden parachute because they can be career-ending. You don't climb to the C-suite then go back to being an IC or lower-level director.

CISO can be even riskier than other C-suite positions. So CISOs really need golden parachutes. But CISOs almost certainly don't get golden parachutes worth the while -- they are generally seen as less important than CTO, CFO, COO, and CEO.


If a risk is "unsolvable" it gets accepted as is by the accountable person in the business side of things. They will/should have good reason why they can't solve it.

Plenty of companies keep their security teams + CISO after they get popped.


Any Cx0 that has a boss besides the CEO isn't a C at all.


You'd be surprised how often this happens though. I've seen all the following structures:

CISO -> COO -> CEO

CISO -> CIO -> COO -> CEO

CISO -> CSO -> COO -> CEO

CISO -> CLO -> CEO

CISO -> CLO -> CFO (wtf?) -> CEO

And none of:

CISO -> CEO, or even

CISO -> CSO -> CEO

The only one I've seen be extremely effective aside from a direct reporting relationship has been where the role reported up to the CLO (general counsel) and said role reported up to the CEO directly. Reporting up to the CIO or CFO (again wtf?), there were conflict issues at play where the CIO or CFO was obligated to prioritize their main mission. CISO to COO worked fine generally from what I saw, as did CISO to CSO to COO, but it meant the CEO was often shielded from issues where they could impactfully move the needle where needed.

---

The CFO one was at a company owned by private equity, which makes perverse sense when you consider that most business leaders consider infosec to be a pure cost center rather than a business enablement function. Doesn't help that many CISOs historically never ran their shops with business enablement in mind either, which put a lasting dent in infosec's reputation as a function that many emerging leaders are still trying to rehabilitate.


I am a CISO, but transitioning away. It is just plain boring. Lots of admin, reports, reviews, very little actual IT.


Normally you are juggling a huge amount of security technical debt, massively under-resourced, the CFO under-funding IT and having no budget for innovation in the first place is part of what caused the problem.

The security world and the compliance world are changing daily, don't track each other, and your compliance drives costs, while security drives incidents.


They shared why in the prior two sentences, when saying what they enjoy when not a CISO. "Show up. Hack. Write report."


I asked for more detail because I’m in a role training under a CISO and rapidly approaching a decisioning point to assume their role. Sorry I didn’t make that clear in my original comment.


Anyhow, I think I elaborated in other places. I don't think it is a bad role, but as a tech first, programming first type of person I would never be a CISO. Even as a manager I want to manage interesting technical things and spread knowledge and skills of how to build (secure) interesting technical things to people. CISO and risk management roles everywhere herd cats and don't really get to do that. So you have to keep in mind my perspective. Comp and top end of the risk management and information security management career can be really rewarding, but it is a mostly thankless job trying to get people to do things that no one will ultimately like all that much even if it is the right thing and they know it :)


Well, they don't call it Chief Incident Scapegoat Officer for nothing.


This really resonates with me. I'm also passionate, and most corporate gigs I've had over 20 years kill my soul. I wish there was a place I could use my skills where they weren't wasted, where I could perform at the top of my game and really make incredible things happen. The reality is I spend 90% of my time trying to work around some stupid bureaucratic limitation, and it's not uncommon for my work to be literally thrown away after months or years of work.


I've been in this position a few times throughout my career. Try looking around and see what else is out there. Maybe consider a smaller company that doesn't have the level of politics that you've described. Wish you the best!


I recommend smaller companies where you take an architect type role where you build the systems, or at least have a domain you control and are accountable for. I've been doing exclusively that since about 2005. It has its own problems, mainly pressure to constantly get things done, which is fine, but it can be unrelenting sometimes.

The soul sucking large corporate entities, I couldn't agree more. Stay away from that if you can. You really only need one big company household name to spice up your resume and you probably have that already. I have mine and never went back.


> I recommend smaller companies...

Yep, this is the direction I wish to take next. ;-)


OMG, it's like you're speaking right to me! :-)

I have a multi-decade career, and for like the first decade or decade and a half or so, I tried to stay as long as reasonably possible at whatever big company I worked for....being raised to think that loyalty, and working a long number of years at the same employer was a sort of weird badge of honor. I got hit by bureaucratic BS/blocks on such a constant basis, and then got hit by my first layoff...then I thought: "oh man, it's me, I'm the problem, maybe I'm not as good as I thought, etc." Then I got yet another corporate job....and then another layoff...which by the way both layoffs were due to re-orgs, and impacted many people, and not specific to my performance. But, you know, the ego and heart gets hit hard.

So, I tried 1 year (during the middle of the pandemic) to work for a non-profit...thinking that maybe I can use my passion and people and tech skills for some good causes...Nope, never again! The sample size is of course so small (I only worked for a single non-profit), but I encountered the same corporate blocks as in the for-profit world, but with a vastly reduced paycheck. I still love my peers in the non-profit, and while I was there I actually made a difference in thousands of people's lives, as well as gaining accolades from the IRS for a model and taxpayer experience that I developed for some web portals that I led the dev. for. And, I still very much believe in what the non-profit where I worked does...But wow was the org. crazy dysfunctional! Anyway, over the last couple of years since then, I keep jumping from one big company to another....and after all these decades I feel I have more passion than ever before for the tech and the problem spaces! ...BUT...now I have less patience for corporate bureaucratic BS/blocks...so I jump more often nowadays; which I don't like doing. Maybe I will try small, for-profit firms and see how things go....but, man, corporations really do know how to hamper those among us who have the passion, drive, and technical chops to really make a difference. Passion and competency - at least at the big boys/girls where I worked - seem to count for nothing nowadays.


It's a marathon. When you don't enjoy it, start a new one. There will always be bureaucracy, just deal with it and disconnect at the end of the day so you can do the things you love with the people you love.


Yeah, I guess I wish that I could just join a single marathon (and stop starting new ones). I do unplug at the end of the day; that lesson I learned over the many years. But while I'm at my day job, I really want to give it my 100%...But, it seems so many firms can't get out of their own way to let the passionate (and highly competent) people contribute in meaningful ways. It's silly really, since these same firms have everything to gain - from a revenue perspective, talent retention, yes good PR too, etc...Oh well. Towards new (smaller) marathons I'll head I guess. :-)


Got to be honest, I only clicked on the link because 'quitted' bothered me, but the Take-Aways are interesting.


Stuck out to me as well—author uses it only once apart from the title, and it's in scare quotes. Are they calling attention to the fact that it's not the usual form of the word, but then failing to explain why that's important to the subject of the post?

In any case, TIL that although "quit" is most common for past tense/past participle, "quitted" is sometimes included in dictionaries as an alternative.


The author is French, the usage of quitted is more likely a mistake outright. As for the quoted version it's explained next to it, he's quitting professionally but likely will continue as a hobby, in French you'd use quotes to highlight the fact it's not to be taken literally.


OP here, that is correct and I am French, I thought that it was right actually. What should have been the proper way to say I left that industry?


"To quit" is an irregular verb in English, the past tense is just quit instead of quitted. So "I quit" can be either present or past tense, but from context it would be clear that "I quit infosec" is past tense.


Grammarly helps but having been in infosec, you probably will have concerns about sending your private data to that cloud :)


"I quit infosec and I couldn't be happier" is how I'd have written it.

Thanks for the good-read!


I've put that in the title now. Thanks all!


> I quit infosec...


It is valid in English to use quitted in this manner, but it does look and sound odd. Most dictionaries list quitted as an alternative simple past/past participle of to quit, but admittedly it's uncommon to see it in modern English. Usually quitted is used in the sense departed or left (following French usage), which, while perhaps archaic, is perfectly valid in English as well.


It's a new fad in SEO world. Gotta respect the hustle!


Same. I figured it's an ESL thing so no biggie.


If you're looking to avoid burnout, it helps to think of your profession as something entirely separate from your identity. I'm not an "aerospace engineer" or a "project manager", I am merely a man who plies the trades of engineering and project management during the day. That's the service I provide to society in exchange for food, fuel, land, tools, weapons, medicine, textiles, etc. (I don't think it's a fair trade but that's out of the scope of this discussion.) The parts of life that I actually consider meaningful parts of my identity occur outside of work and mostly revolve around my family, friends, religion, storytelling, and art.

This may kind of seem tautological, but I think adding the extra degree of mental separation (I am a man/woman who practices X profession vs. I am X profession) can help clear your head and open new life avenues to you. If you spend 8 years grinding for a graduate degree and enter into an obscenely competitive job market and find little success, it's easy to feel claustrophobic and like you've failed if you take a job outside your field. However if you think "for 8 years I performed statistics, writing, lecturing, and reading, and now in order to make my fortune I'll try another trade" you feel less indebted to your past self and make more clearheaded decisions about what to do in life.


I work to provide food for my children and me. I am not my work. Even if I like development, I do more interesting types of development outside of my job.


I had watched a few courses on information security and noticed that those working in the more management / corporate related infosec roles seemed to be massively overweight, almost all of them (I am too, btw). Not saying that to shame anyone, just: Does the job make you miserable or stressed out?

I have been forced to do the infosec role as a "side thing" in a couple of jobs now, mainly because nobody else was around that even had the basic skills. One of the things that discouraged me from going further in that field is that it doesn't seem to make people all that happy and fulfilled. Again, I may be wrong on that, as an outsider looking in.


I'm very interested in security vulnerabilities and clever hacks. Because of that I thought I'd be good in a security role. Then I discovered that defending against security problems is awful.

The biggest security weaknesses are people. Employees get socially engineered or phished. Management doesn't take security seriously so they put only a tiny budget toward security. Lazy sysadmins don't keep their systems patched. Software developers can't be bothered to learn how to write secure software, and this is mostly because their bosses don't incentivize them to. Security vendors often hype up their snake oil products. Good security protocols and technologies aren't adopted because people don't want to change.

Dealing with these human problems is awful, demoralizing, and generally unsolvable.


Security is always a cost. It's never a benefit until after someone has already been hacked, and you're the cleanup crew/IT oncologist.

I decided 10 years ago to never work in a role/company where my job didn't contribute to the bottom line. It's much more satisfying.


I was a lot happier when I was working for a security tool vendor than I am now working in itsec on the customer side...


Oh, yes. Infosec has all the downsides of being an ER/ICU nurse at a miserably understaffed hospital, with ~none of the upsides of saving people or genuine patient/family gratitude.


Haha you said it...


The pay is better though.


* high or higher stress role

* can be demanding or irregular in terms of hours

* real, genuine infosec requires deeper knowledge of OS's, protocols, tools, programming & scripting, etc. Gotta be a little more experienced to get that, and even more experienced to move away from it into mgmt or higher level roles. In other words, older office worker, and that means more gut.


I manage a monitoring and ir team and am obese. I tend to stress eat and there is a lot of stress playing defense all the time.


If you prevent all the security threats, nobody notices, and the bosses wonder why they even pay you. If a security issue gets through, the bosses wonder why they even pay you.


If you are doing this job and not reporting out on your effects, you are doing half of the job


Meditation could be helpful. Maybe the "Muse" EEG headset might be something for you.

Medication shouldn't be out of the question to stop the stress from killing you. I don't need to know any specifics but just when you say "stress" and "overweight" I can tell you to get checked for at the very least sleep apnea and diabetes. Both can and will ruin your day if you don't catch them early enough, and most people don't.


You're always, always going to be playing catch-up with criminals. It's a defense-only game. It's also like the scenario that caused the development of police radar detector-detectors, etc.


In infosec the hours are long, morale is fatalist, but at least the pay is good and jobs are plentiful.

You have to make sure you manage your relationship with your job carefully, or you will burn out as the author did.


> The main warning I might just give to people is to keep proper distances between work and personal life

I've been thinking about this a lot lately. As a millennial, I've tied so much of my self-worth into my career and recently started questioning this belief, and I think the next generation (i.e. Gen Z) might be on to something around quiet quitting, their generation placing extra emphasis on pursuing things that make them happy and viewing work as .... well, work.


Millennial too. Thought for thoughts then!

For me, paid work is a means to achieve what I personally want to achieve. If I can achieve what I want during work hours that's great, stars are aligned. If not, work is just a way of getting the money I need to achieve what I want, and should never drain me.

I don't care about career, I care about being paid enough to do what I want to do of my life. I won't sacrifice personal life for it.

Work is a good chunk of the time so it should also be enjoyable as best as possible.

Of course, advancing your career can help you get paid even more / enjoy even better; if so it might be a good thing to do. It's just that it's a means, not a goal, like it seemed to be for some of our parents or grandparents.


LOL welcome to your thirties. Try to lean more towards the weird new hobby side of things, instead of the 20yo girlfriend side.


Sage advice.


>around quiet quitting

Please do not use this phrase.

Working 9-5 is called "doing your job"

IT in Europe here and we work 8-5 with 1h lunch...


> IT in Europe here and we work 8-5 with 1h lunch...

Similar in the US, I've never actually seen an office that works 9-5, despite that being the phrase. It's always 8:30-5 or 8-5.

It may once have been A Thing here in the US, with a 30-minute lunch and two 15-minute breaks coming out of a total of eight hours at work, since there are legally-mandated break periods for ordinary wage or hourly workers—but it seems like everyone's "exempt" now and so has far less legal protection, plus I'm sure enforcement's nearly non-existent. I assume it did actually exist, once, though, for "9-to-5" to have entered the language to begin with.


9 to 18 in France, mostly. Time for lunch is usually in the 30-45 min but this is by choice.

Quite a lot of people stay after 18, mainly because of historical/ tradition reasons.


Millennial here as well, it's really exciting to see our generation and the next generation reject "making money for someone else" as a way of finding meaning in life. I'm chewing on a lot of blog posts about this, regarding for example how the concept of "retirement" is terrifying. I was on a cruise recently and talking with a bunch of old people, and the subject often came up about how people were "finally taking the trips they always wanted to," or "finally exploring xyz hobby they never had time for."

How terrifying is that, busting ass from your 20s to mid to late 50s, and then getting hopefully another 30 years to "enjoy life?" I mean I'm sure many people find enjoyment along the way but damn that just seems so depressing.

Maybe it wasn't bad when that generation was working, I know many had a very nice quality of life for relatively less effort due to higher purchasing power and lower housing costs.


In their 20s and 30s, my siblings pursued their own interests and desires, but unfortunately, this approach did not lead to success. Now in their late 50s and early 60s, they find themselves lacking the necessary skills and experience to keep up with the rapidly changing job market. As a result, they are limited to unskilled labor, with no significant savings or retirement plans. Despite having pursued their dreams when they were younger, they are not particularly content.

They constantly ask me for money now.


Then I would argue that it is a systemic issue that people who do "unskilled work" are not paid enough to be able to save money or access retirement plans (I assume you live in the US where there isn't a public pension system)


or ... there are consequences for never investing in yourself. if you treat work as work, that's all you will ever get out of it. a career is one of the most important things in a person's life and should not be taken as unimportant.

I'm also perplexed about the people who say things like 'why should I make someone else rich'. can you imagine that in an interview? yeah hire me, but you better not be making a profit on me. you better break even or lose money or I'm out! you should WANT people to make money off your efforts.


> How terrifying is that, busting ass from your 20s to mid to late 50s

Agreed. I'm all onboard with delayed gratification. I'm onboard with "putting in the work." But waiting (literally) decades before living it up... sounds totally backwards.


The flip side is there are people out there that do everything they want now. A couple people I know have been doing that for quite some time. They're getting older now - they've raided their retirement, they don't have much in terms of savings, no assets. Life is getting more difficult for them as they get older. My advice would be to find some balance. Go on some great adventures within reason. There's no reason to buckle down entirely until you're 60 but be smart about it.


> I'm chewing on a lot of blog posts about this

Care to share some of your favorite findings?


Sorry I meant I'm writing blog posts about this.

The topics are

1. Capitalism takes away your ability to be bored, at least mostly. You'll spend the majority of your time at work. You can be bored there, but not in a very productive way. Your boredom is a function of the company's failure to extract maximum value from you every hour you're there. My gf got laid off with a severance, her boredom is a gift, she can sit and be bored and in that way think about what her purpose is, why she likes being alive and what she wants to do with it. In that way capitalism steals purpose: your purpose day to day is to drive profits for a company. It's not explicitly evil or bad feeling when that happens, because the system rewards you in a million ways when you do tie your purpose to a company's profits. In what ways can people escape this to explore what their purpose might actually be? This isn't necessarily a new thought, I just wanted to explore it.

2. That "retirement" exists as a concept is terrifying for so many reasons, as listed above. It also creates a kind of cultural expectation of sacrificing the bulk of your life to "earn the right" to leisure... but some people are born into that right. That sucks.

3. Capitalism may have weaponized and pillaged the desire to be a part of something greater. Similar to 1, there's probably a natural human desire to "be a part of something greater" (heard in countless interviews of people that do otherwise kinda strange things like join violent militaries or participate in cults or allow themselves to be hazed to join frats). When you join a company, that desire is cannibalized to feed the needs of the corporation. Your day to day energy to spend on being a part of your local community is instead directed to the needs of a company who is possibly transnational and who even could be directly harming your community, by for example dumping trainfuls of harmful chemicals in your backyard. Corporations and corporate culture have been very good at directing the desire to have a common goal and be working together on something, but did they invent these techniques or just pillage them? Is project management something unique to capitalism? What happens if you get a big group of people who aren't having these energies directed by a profit minded project manager, what will they do in their own communities to find meaning? What happens when you take a highly skilled project manager and put them in a situation where there's no profit to be made, what kind of projects and organization will they dream up? This because I do a lot of anarchistic direct action and communal work and am always thinking about managing goals, projects, tasks, needs, and etc in situations where there's no profit motive.

I'm also working on a blog post about how tf to get the 80 different web dev aligned emacs major modes to all respect a .editorconfig file and another one journaling my family's visit to Taiwan so realistically I'm spinning way too many plates....


A human life is barely the time it takes at a stop light when you consider we live for eternity. Learn how to love, don't try to gratify the ego.


> busting ass from your 20s to mid to late 50s, and then getting hopefully another 30 years to "enjoy life?"

It's just slavery which the older generations thought was appropriate, much like having a large family to look after you was a thing before family sizes came down.

It sounds cliched, but have a bucket list of things you want to do and try to do some of them. Put yourself first and your job second because the days of businesses looking after their staff and a job for life is long gone as every recession demonstrates.


How is working for money slavery?

Do you believe food just magically appears on your plate, water cleans itself, your plumbing just happens to work, medical services operate autonomously etc.?

The problem here is you're an elitist. For you, your boring desk job is slavery, so you want the freedom to go about doing whatever you want while the peasants provide you the means to continue being fat and happy without providing anything back to society.

You're speaking from a small minded subset of white collar society that has the inability to understand how society operates as a whole. What you want is to subject a certain class to "slavery" to support your endeavors.


> Do you believe food just magically appears on your plate, water cleans itself, your plumbing just happens to work, medical services operate autonomously etc

Every politician I meet I ask the same question: what do we do when automation has driven the value of nearly all human labor down to pennies? None have an answer. Nobody that's a big fan of the current system has given me an answer other than "it'll never happen," but it seems inevitable to me.

The USA already subsidizes food non-productivity to maintain stable prices for agriculture. So why don't they just stop doing that so food does magically appear on my plate? Is maintaining broken market dynamics in every aspect of life so important that it justifies some going hungry, some working two jobs, all of us working 40 hours a week until we're 60?


You realize food rots right?


Not exactly sure your point. Sure, yes, food rots. Glad we can agree?


> How is working for money slavery?

It's not, but the way the money is distributed and created is. For example, during the 2008 crisis, because the velocity of money fell, banks were desperate to get people spending again, so interest-free £millions were offered to the rich in order to get them to spend money in the economy, reinforcing the trickle-down concept.

> is you're an elitist.

What gave you that impression?

> that has the inability to understand how society operates as a whole.

So explain it then? Explain society.

> want is to subject a certain class to "slavery" to support your endeavors.

I think you are further from the truth. If I could take a pill or an injection to end my life in a non-barbaric way today, I would take it. Unfortunately that's not on offer because society dictates I need to be tortured to support it.

My life has already been stolen, and there isn't the science to replace it.


I did explain it to you. YOU want a certain class of people to continue working and providing the sustenance it takes to maintain your modern standard of living while not contributing at all yourself. SOMEONE will have to maintain emergency services, food, and water. Why do you think you alone should get to opt out of the system?

You CANNOT obtain the lifestyle you're going on about without a sub-class of individuals that do have to continue working these supposedly "slave labor" jobs you're talking about. This makes you an elitist. You think you deserve to live a care-free life while others are forced to maintain that for you.

You need an attitude adjustment and you need to put some perspective in place before it's too late. You're not thankful for what you've got.


Why not robots?


The leading edge of Gen Z has taken to concepts like quiet quitting, but they still seem to have tied their personal lives to their jobs, often having few physical-world friends outside of the workplace and still falling for the "we're a family" line, even if now they want to play the part of the kid who doesn't take out the trash if their allowance isn't high enough (which it might not be). I doubt that's healthy, and it seems a lot like the recreation of a dysfunctional family.


The success of this approach hinges on the assumption that no one else is doing it. However, even those who quietly quit still rely on others to provide the goods and services they desire. There is a concern that this could lead to a snowball effect and result in food scarcity and famine, but the timeline for such an outcome is uncertain.

In terms of adding extra items to improve their happiness, it appears that this strategy is generally ineffective. Despite their efforts, the quiet quitters I met do not appear to be any happier


Millennials still had cause to buy into the Reagan-era story of hard work and hyper-capitalism leading to a glorious future for the common person. Zoomers have never been able to buy into that lie because they were born into a world where it is so obviously untrue.


Zoomers aren't even old enough to determine that yet. They're in their early 20s at most and no one that age has the experience to definitively say anything regarding this.

The alternative to hard work is doing nothing and that certainly will get you no where at all. The idea that a younger generation might have had it slightly better (which I think is pretty subjective anyway, previous generations have all had their fair share of bad shit) so you won't do anything to get ahead is just asinine.


> The alternative to hard work is doing nothing and that certainly will get you no where at all.

This is a false dichotomy. I put in a solid 40-50 hours at work. If I have to put in double that just to stand a shot -- not get, but have a shot at -- the lifestyle that my parents had while only putting in 40 hours a week, then the system has failed me.

And that was 40 hours a week with one person working and the other staying at home.

No one is suggesting you get to have stuff for free, but it is painfully clear that even with dual incomes the average American is failing to maintain their parents' standard of living.

It's a broken system, and the Zoomers can easily see that -- they've had smartphones since they were like 8.


No, your argument is a straw man. I'm not referring to your personal work ethic here. The general idea that you will get ahead by doing less is just bullshit. You seem to have a narrow focus on the white collar workplace as it pertains to you. I'm speaking about life in general.

"It's a broken system, and the Zoomers can easily see that -- they've had smartphones since they were like 8."

If you're referring to the poor decision making on raising kids with smartphones I'd agree with you, but that's a lack of good parenting and bad moral judgement. It has nothing to do with capitalism or modern work ethic.

The irony and cognitive dissonance in this statement. That means by every economic measure they were doing quite well at age 8. Did boomers get cell phones when they were 8? How about survivors of the Great Depression... do you think they had anything close to the equivalent of a cell phone at the time? The other issue here is that you believe constant negative influx of media as always truthful.

The issue with you is that you assume that a generation having slightly less than the previous means we need to scrap the whole system and it doesn't work. You need to put some things in perspective and maybe realize that the life you had growing up was WAY above average so a slight decline to a lifestyle that's still magnitudes better than what the average world citizen deals with isn't all that big of a problem. There are generations and generations of people that died to give you what you got, went through world wars, civil wars, great depression, pandemics. I'm sure they'd have loved to be "slaving away" in your climate controlled office environment with a smartphone.

"And that was 40 hours a week with one person working and the other staying at home."

You can blame feminism for that. It tricked the average woman into thinking they would have more meaning working in an office 40 hours a week than they would doing the most important job in the world... raising kids. It turns out that when everyone starts having a higher average family income, the market adjusts to that. And, the staying home and raising kids part is key, they weren't just sitting at home doing nothing while their partner worked.


You're putting forward a false dichotomy. Not buying into the ethics of 'work hard for a company, they make money, you make money and that is a self-evident net positive' is quite reasonable. There is no need to resort to name calling for people who don't buy into this narrative. There is quite a lot more to life, and to being a good person, than pouring your all into paid work. And it is plain to see there was a nice party from the 1960s to the 1980s and we're the cleanup crew. A working person could support a family, buy a home before 30 and have hobbies 50 years ago. Now that sounds like a bad joke.


You're putting forth a strawman. Where did I mention anything about a company??? Who did I call names?

"A working person could support a family, buy a home before 30 and have hobbies 50 years ago."

Try not living on the coast near your favorite coffee shop and you too can achieve this. It's almost like those generations didn't expect to have a beach front condo in LA with every tech gadget available.

That's because one person worked. What do you think happens economically when both parents in a family start working? This is basic economic principle.


Some general (unsolicited) advice ... for whatever field you're interested in - go work for a company that sells that as a service.

E.g.,

- Don't be an internal company accountant, go work for Big 4 accounting firm to sell your skills

- Don't be in internal company IT Security, go work for a company who sells that skill

It's all about moving up in the value chain. By moving up in the value chain, you're more "valued" / appreciated / sought after.

Your general happiness will be much better as a result, and you'll also make much more money.


Yes. You always want to be part of a profit center, where (directly or indirectly) there is revenue associated with what you do, rather than being part of a cost center where you are just an expense for the company.


Likewise if you work for a company that sells a security product you're in a profit center, which is good. What's bad is that those sales are extremely difficult to make because what your company is selling is avoidance of loss which is much harder to sell than a product that increases revenue.

This is more true if you're a small startup selling a security product. It's less true if you're one of the top 5 companies in the field.


I agree that it is more lucrative that way. But I super disagree with the happiness part. I don't know anyone working at an IT security company, but I know many, many lawyers and a handful of accountants. 90% of them ditched big law firms/Big 4 accounting firms as soon as their resume was sufficient to do so because the quality of life was terrible. Very, very long hours, demanding clients and political atmospheres (as you go up) around bringing in business. By and large the folks that stayed are workaholics who highly valued money and status.

1 good friend of mine, was a super driven lawyer at a huge world-class firm in NYC. She got cancer, and had to take a leave. Fortunately she recovered fully and quit basically the first moment she got back. This isn't one of those 'she left to follow her passion in the arts' cases - she LOVES being a lawyer, but she realized she wasn't living a life. Now she's in-house at a multi-national brewing company.

Anyhow, all that to say - you may be more valued, but it's much easier to be the client!


This isn’t universally true. Large tech companies have a need for specialists and are willing to pay quite well for it.


They might pay well, but if you're not in a profit center for the company - you won't be as valued as much as those who are.


Profit/cost center is kind of a false dichotomy in some places. At the least, it lacks nuance. If you sell software or services that require privileged access, security tends to be valued more highly than a checkbox.


Generally companies that have been burned in the past for not having a good security team and have sufficient organizational memory will continue to value security efforts moving forward.


I was working for a hospital, then they converted us to work for a company that sells our services to hospitals, then they outsourced 300 of us to offshore including me.


How would that work for a developer?


Work for a company where you are developing the company's main product, and where the product can be substantially improved by further development. For example, working to develop a website for a supermarket chain, or an app for Domino's Pizza, will always have a limit and little respect.


> an app for Domino's Pizza

This is a nitpick, but customer-facing ordering and delivery technology arguably is the main product for Domino's Pizza. The food basically defines replacement level, but the tech differentiates the experience from other shops.


I'm probably oversummarizing, but this seems to boil down to burnout caused by (from the post):

> But why don’t they just patch? It’s not that complicated after all.

And you kinda see this later on when the author talks about what they worked on post-transition out of infosec as a mainline career:

> I finally joined Michelin in December 2016 where I started working in the CERT team where my main mission was to automate scanning and reconnaissance phases [emphasis added] on internet-facing assets and this was my real first experience on the other side of the story - defending infrastructure and where I finally experienced change management (and the complexity behind it), impact evaluation and so on.

It seems like the author burned out not because of the work but because wherever he ended up, there was no strategic initiative to streamline and automate patching to a point where it's largely invisible. It's also a hard problem given the risks of patching bringing reliant services down and the need to automate a slew of testing to validate that said patches won't torpedo production and mission critical systems.

The bit above is important not just because it solves a problem but because (I'm convinced that) people like knowing they actually built something and enacted lasting change. And security may be one of the least likely engineering disciplines where you'll experience building a tangible product as an IC.

At least in software security it's a bit easier with build and deployment pipelines offering an opportunity to block when patches are outstanding, but I can see where the burnout would arise when a strategic effort to invisibly ensure patching isn't in place or well funded. No one gets to build anything, and likewise, nothing gets solved because nothing was built.

---

So if I could add another takeaway:

• if your job involves running around and putting out fires, consider recommending up the chain and across the aisle all the ways to prevent the fires. And if those recommendations don't catch fire (so to speak), it may be worth exploring alternative means to address the burnout risk long term within the current role.
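The pipeline gate the comment above alludes to ("block when patches are outstanding") in its smallest useful form, as an added example that is not code from the article or from any commenter. Package names, versions and the minimum-patched table are constructed sample data, not real advisories; in a real pipeline that table would be fed by a vulnerability feed or an SBOM scanner, and the script's non-zero exit is what fails the build step.

```python
"""Build gate: fail when a pinned dependency is below the version that carries
the fix the team is tracking, or when it is not pinned at all (so the build
cannot prove what it will ship).

Added example for the 'block in the pipeline when patches are outstanding'
point above; not code from the article or any commenter. Package names,
versions and the minimum-patched table are constructed sample data, not real
advisories.
"""
import re
import sys

# name, optional operator, optional version (requirements.txt style, one per line)
REQ_LINE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*(\S+)?$")


def normalize_name(name):
    """PEP 503-style normalisation: case-insensitive, '_' and '.' treated as '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    """'1.26.18' -> (1, 26, 18). Each dotted piece is cut at its first non-digit,
    so '2.0rc1' -> (2, 0). Enough for a gate; not a full PEP 440 parser."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a, b):
    """Compare version tuples of unequal length by zero-padding: (1, 2) == (1, 2, 0)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def check_requirements(req_text, min_patched):
    """Return a list of findings; an empty list means the gate passes."""
    floors = {normalize_name(k): v for k, v in min_patched.items()}
    findings = []
    for raw in req_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            findings.append("unparseable requirement: %s" % line)
            continue
        name, op, ver = normalize_name(m.group(1)), m.group(2), m.group(3)
        floor = floors.get(name)
        if floor is None:
            continue  # nothing tracked for this package
        if op != "==" or ver is None:
            # A range or bare name resolves at install time; the build cannot prove it is patched.
            findings.append("%s: not pinned (found '%s'), cannot prove >= %s" % (name, line, floor))
            continue
        if version_lt(parse_version(ver), parse_version(floor)):
            findings.append("%s==%s is below patched version %s" % (name, ver, floor))
    return findings


# Constructed requirements file and tracking table for the example
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
examplelib==1.4.0
Sample_Crypto==3.2.1    # already at the tracked version
loosedep>=2.0
unrelated==0.9
"""
MIN_PATCHED = {"examplelib": "1.4.2", "sample-crypto": "3.2.1", "loosedep": "2.0.5"}


def main():
    findings = check_requirements(SAMPLE_REQUIREMENTS, MIN_PATCHED)
    for finding in findings:
        print("BLOCK:", finding)
    print("gate:", "FAIL" if findings else "PASS")
    sys.exit(1 if findings else 0)


if __name__ == "__main__":
    main()
```

Unpinned ranges are treated as failures on purpose: a `>=` line may resolve to a patched version today and an unpatched one after a cache change, so the gate refuses to certify what it cannot see. The version parser deliberately ignores pre-release suffixes, which means `1.4.2rc1` passes a `1.4.2` floor; a production gate should use a real PEP 440 comparison.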


Thanks for your reply, I liked it!

> It seems like the author burned out not because of the work but because wherever he ended up

Don't get me wrong and maybe I was not clear enough (my bad). The infosec part I mostly contributed to was within some consulting companies where I was hopping from one assignment to another one, having different clients every week. I saw some clients with some really strong security posture, I mean it. The "burn out" I experienced was clearly not related to that but pretty much from hacking, writing report, sleep & repeat.


> The "burn out" I experienced was clearly not related to that but pretty much from hacking, writing report, sleep & repeat.

Yeah, this tracks. I rescued myself from this by switching to in-house security teams with ownership of security infrastructure.

Similar to what you did.


I have said it before and still say... InfoSec is a glorified policy writer.

You spend 90% of the time "writing documentation" rather than finding the security problem and suggesting the fix. That's why I chose development rather than InfoSec (despite having a knack for it), because it's more technical and I don't need to explain "why" every time.


The best security tools and practices won't protect the business if they're not used consistently. Policy is how things get done. It's an expression of the business' values and priorities. Even if it's just "all employees must install the authenticator app or request a Yubikey otherwise the cyberinsurance will drop us."


I think you are mistaken. Obviously InfoSec is a rather generalising term, while you are abstractly describing the work of someone that works in Application Security.


I would rephrase the question... what InfoSec jobs don't involve writing documentation?

pentesting? 20% finding the low hanging fruit, 80% writing and explaining your findings.

forensics? 10% finding how they did it, 90% writing and explaining your findings.

malware/policy/security/cloud security analyst? 100% writing and explaining your findings.

the list goes on and on... you are basically a slave to word processing software; that's why I totally understand OP quitting infosec.


Does anyone else wonder what their life might have been if you had never gotten into tech? I sometimes think I may be happier, but certainly less wealthy. My free time would probably be just that, free time - instead of having the relentless drive I have to do another app, blog post, etc.

On the other hand - the "hustle" economy is everywhere now, not just tech. Everyone has a side gig, and the grass isn't always greener. So, who knows.

Great post and best of luck in management.


I do. Knowing the physical and mental harm of being stuck in front of a computer for most of my life (believe it or not, being sat in a chair for extended periods of time is considered a stress position) and not getting the fun exercise to keep your body fit bugs me a lot as my health declines, and the so-called experts, i.e. doctors, don't know enough and they are risk-averse conformists.


Most non-technical white-collar workers sit in front of a computer all day too. Trades like electrical, plumbing, mechanic, etc. wear out their bodies.

Other jobs that emphasize relationships like sales is something I wonder if might have been a better path. In your old age you have a nice rolodex to market yourself with instead of a decaying skill set that gets more difficult to refresh as you age.


I was a CISO for a credit union, and retired early. Couldn't be happier now; I would never go back to infosec. The stress and anxiety were terrible. Infosec is a target for management if there is a breach; fortunately for me I never had an incident, though. After 3 years my mental state is so much better. I highly recommend retiring/switching careers if you're unhappy in your job.


CISOs that have experienced a breach are worth more than ones that have not.

https://blog.nacdonline.org/posts/cisos-breach-experience-pr...


The truth is, a lot of this work is drudgery. You either get used to it or find something else to do.


s/this//

When you get older you lose the fun of learning new stuff, and you are paid to do what you know.


> Taking your passion and making it your day work is obviously tempting but also a risky game, as you will keep “working” tirelessly if you’re not putting barrier

Risky game indeed. It's 1:24am here in Australia and I've finally stopped attempting to reverse a network protocol for an embedded device which I'm pentesting. Reading the article is a good reminder of what can happen if you push it too far. The challenge is with this type of work you often have to put in the hours, particularly if it's a hard target.

If you lack the passion and drive you simply just won’t retain and develop the skills required to deliver. If seasoned pentesters disagree, then I’m all ears.


By default when I click the link I'm directed to a non-secure HTTP version of GitHub, which I found ironic given the page title.


I was about to comment on the same... my only question to the OP (and others who don't enforce HTTPS) is "why?!"


Why does a personal blog page need HTTPS? It's an output page, I read the contents and leave, I'm never submitting any of my information across the wire.

Someone along the way might modify the page? Unless they're using HSTS, it won't matter.

I'm all for encryption, but I'm also all for using tools when necessary, and not complicating things when not.



It's an answer, but I still find it entirely unconvincing for a static personal blog. Better? Sure. Necessary? Damning if it's absent? No.


You'd be surprised how many top websites (e.g. Amazon, eBay) don't even implement HSTS, let alone HSTS Preload. Here's some naming-and-shaming:

https://blog.majid.info/hsts-preload/


HSTS is a commitment to future downtime for your site, and as such, is not recommended if you care about uptime for your site (like, say, Amazon.com might).
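The exchange above turns on what a Strict-Transport-Security header actually commits a site to, and on what the preload list asks for. The following is an added example, not code from the article or from any commenter: it parses an HSTS header the way RFC 6797 tells a browser to (max-age mandatory, duplicate directives invalid, unknown directives ignored), reports for how many days a browser that has seen it will refuse plain HTTP for that host, and lists which preload requirements are unmet. The preload thresholds encoded (max-age of at least one year, includeSubDomains, preload) are the hstspreload.org rules as the author of this example understands them; confirm against the site before relying on them. All sample headers are constructed.

```python
"""Parse a Strict-Transport-Security header and spell out what it commits a
site to: how long browsers will refuse plain HTTP for that host, and whether
the header meets the hstspreload.org submission rules.

Added example for the HSTS/preload exchange above; not code from the article
or from any commenter. The sample headers are constructed. The preload
thresholds (max-age of at least one year, includeSubDomains, preload) are the
published hstspreload.org requirements as understood by the author of this
example; confirm against the site.
"""

ONE_YEAR_SECONDS = 365 * 24 * 3600  # 31536000, the preload-list floor for max-age
SECONDS_PER_DAY = 24 * 3600


def parse_hsts(header):
    """Return {'max_age': int, 'include_subdomains': bool, 'preload': bool}
    for a valid header, or None when a browser would ignore it.

    RFC 6797 requires a numeric max-age, forbids repeating a directive, and
    tells user agents to ignore header fields that break those rules; unknown
    directives are skipped rather than rejected.
    """
    if not header:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # RFC 6797 allows a quoted-string value
        if name in seen:
            return None  # duplicate directive: header is malformed
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None  # max-age=abc or a bare max-age: malformed
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None  # max-age is mandatory; without it the header does nothing
    return policy


def assess(header):
    """Summarise the policy: whether HTTPS is being enforced, for how many
    days a browser that sees this header will refuse plain HTTP, and which
    preload requirements are unmet (an empty list means eligible)."""
    policy = parse_hsts(header)
    if policy is None:
        return {"enforced": False, "days": 0, "preload_eligible": False,
                "problems": ["no valid Strict-Transport-Security header"]}
    problems = []
    if policy["max_age"] < ONE_YEAR_SECONDS:
        problems.append("max-age below one year (%d s)" % policy["max_age"])
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not policy["preload"]:
        problems.append("preload directive missing")
    return {
        # max-age=0 is how a site withdraws a policy; nothing is enforced then
        "enforced": policy["max_age"] > 0,
        "days": policy["max_age"] // SECONDS_PER_DAY,
        "preload_eligible": not problems,
        "problems": problems,
    }


# Constructed sample headers, one per situation discussed in the thread
SAMPLE_HEADERS = {
    "no header at all (plain HTTP blog)": None,
    "short max-age, subdomains excluded": "max-age=300",
    "full preload-ready policy": "max-age=63072000; includeSubDomains; preload",
    "policy withdrawal": "max-age=0",
    "missing mandatory max-age": "includeSubDomains; preload",
}


def main():
    for label, header in SAMPLE_HEADERS.items():
        result = assess(header)
        print("%-36s enforced=%-5s days=%-4d preload_eligible=%-5s %s" % (
            label, result["enforced"], result["days"],
            result["preload_eligible"], "; ".join(result["problems"])))


if __name__ == "__main__":
    main()
```

The `days` field is the point of the "commitment to future downtime" remark: once a browser has cached a two-year policy, a broken certificate on that host is a hard error for two years, with no click-through, and a preloaded entry cannot be withdrawn by simply sending `max-age=0` to visitors who have never loaded the site.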


This is about developer burnout, and doesn't really point to anything in particular regarding infosec.


I don't think it was meant to be an "infosec is wrong and I'm right so I'm leaving" type story.

I like that the author wasn't afraid to make a change, not everyone can but it makes for an interesting story!


It's a nice story. The author discovered he's passionate about people. Did a lot of thinking and seems happier now.

I don't think it speaks badly about the pentesting part of infosec, even though those in auditing tell me it's extremely boring to be in infosec.


Sure. But the title insinuated an analysis of how information security causes one unending stress, how after 20 years of working in it one develops a hardened siege mentality, etc. I have read things like that before, which were interesting perspectives. That would be more on point with the title.

Anyways nothing wrong with the text, but my comment stands.


Your comment should kneel before the reasoning of his argument.


That's okay. I didn't read it.


@PaulSec, why didn't you move to the blue team side of things? It may have been more enjoyable catching actual threat actors and learning the latest tech/platform/attack so you can defend against it. Glad it worked out for you though.

I almost can't imagine not working in infosec; it might feel like losing a limb, I think. It's not the assembly, exploits, etc. that does it for me but how I am never bored and always learning something new. The feeling when you find a compromise by a sophisticated actor, or even stop a compromise in progress, even if no one ever hears about it, is amazing. I did networking and other types of jobs that were great too, but eventually you master those more or less and start to get bored. I suspect pentesting is similar in that you learn new techniques all the time but the vulns you find are still the same stuff more or less? I have no idea, just guessing. I guess what I am trying to say is how rare it is to find someone with passion for infosec that applies themselves, how broad the industry is (maybe you might enjoy being an instructor or manager?), and how any job in infosec would love to have you because of your background.


Funny thing is, I was mentioning milw0rm this morning to a colleague and remembering the old days when astalavista was a thing :) Nice story, thanks for sharing!


I read astalavista and thought you meant AltaVista. After rereading, I'm not sure.


astalavista was the security search engine (or portal-like website).

AltaVista was a Google competitor, IIRC.


AltaVista was the search engine of the internet, way before Google.

Developed by Digital to showcase the power of their CPU, the DEC Alpha, IIRC...


I never knew about astalavista. Thanks for sharing!


I have been working in infosec for 10 years now. I know this author doesn't want to convince anyone, and I am happy that they are happy. :)

But I am kinda wondering why this brings so much attention? To me this reads like a long trip down memory lane. Is your takeaway: "if your job and your hobby are too similar, then this will lead to burnout?" Or is it "a job in infosec will lead to burnout, because infosec has certain inherent problems?"


I think it's mostly that the echo chamber that is the Infosec world gets tiring after a while.

Let's just shout "ffs, just patch yo' shit" rather than actually trying to educate people.

Let's all go to a hacking convention, and act like children and hack everything within arms reach at all times.

Let's all belittle people who don't have the same level of technical skill as us.

Let's all be arseholes to women in the field.

etc etc. that's why I took a step back, because for all the "we want to help you fix things to make the world a more secure place", the infosec industry seems to not want to help make it happen.


For anybody tempted to skim or not read the article, the title [ps. "quit" is a bit less awkward - imo, natch :) ] is a bit misleading; the main takeaway at the end is the rather more positive:

Looking back, working in infosec was such a great experience and I recommend it to anyone who wants to jump in!

The reflections generally about knowing when to move on are more field-agnostic.


My friends, consider only working 4 days a week, 6 hrs a day, and your profession not defining you, your value nor your ego. It's not a simple matter but worth the effort. Full disclosure: I struggle with the self-value statement constantly still.


When I was 18-20 I was also passionate about infosec. But I liked development more, and at that time infosec didn't seem like a domain where it is very easy to find employment and make money.


You can find a role as a software engineer with a security focus.


I haven't seen a lot of job postings for those. It's either a dedicated security professional, or a software engineer.

I once worked for a company making a security product. The other software engineers knew almost nothing about security or secure coding practices. It was never a requirement for the company to hire people with security skills, nor did security skills even get taught! I tend to think that's the norm in the industry, but I'd be happy to be proven wrong.


I have one of those jobs, which is why I brought it up :P I am a software engineer and provide security direction to a team of "pure" software engineers (who are slowly getting better at security). Sometimes I help them with the implementation of things.

Other security adjacent roles can be found in areas like web browsers, compilers, and kernels; there's a massive amount of software engineering work that goes into securing existing systems that goes beyond trying to break things. Most large companies will have many people working in such roles.


"Quitted", srsly?

Yeah, blow my karma idk


Even if English is the lingua franca of the world, people master it to varying degrees. Also, it seems like 'quitted' was the more common form up until the ~late 1930s [1], so it's not entirely unreasonable to assume that, if this person learned with some vintage material or they read classics, they've seen 'quitted' more often.

[1] https://books.google.com/ngrams/graph?content=had+quitted%2C...


[flagged]


The author is French. I'd be curious to see if you could write something in a second language well enough such that the only criticism a native speaker had was your use of a technically valid, but uncommon word.


If your prone to loose you're temper over minor linguistic gaffes, supposably the best advise is too just kick back and have an expresso.


Hey, you're not french so it's espresso for you ;-)


I hope that the rest of your day goes well and that you find at least a moment of peace.



