BreachExchange mailing list archives

Is Infosec Getting More Stressful?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 13 May 2014 19:03:17 -0600

http://www.esecurityplanet.com/network-security/is-infosec-getting-more-stressful.html

It's no secret that many IT professionals find their work stressful.
According to a recent survey, 79 percent of IT admins are considering
leaving their jobs due to work-related stress.

A Reddit discussion of the survey drew more than 600 comments, some from
folks who sound as if they are at the breaking point. User gnarlesincharge,
for example, referred to his job as "a gut wrenching roller coaster of
stress most days."

While many IT pros seem stressed, are information security professionals
even more stressed than most?

Out of Control

Jobs with high levels of unpredictability are stressful, especially for
people who enjoy being able to control their environments, said Jack
Nichelson, global information security and network manager for Ohio-based
manufacturer GrafTech International. That description tends to fit security
pros, many of whom were server or network admins before switching to
security.

He and other security pros "pride ourselves on being able to command
technology to be able to do what we expect it to do," Nichelson said,
noting that the proliferation of data and devices has made traditional
security techniques ineffective. "The walls we were comfortable with to
protect our data are no longer secure. It's beginning to break down."

Data breaches seem more personal now than they did in the past, Nichelson
added. "They aren't just going after servers now, they are going after
people."

And the stakes are getting higher as bad guys pull off hacks that end up in
newspaper headlines and send companies scrambling to try to contain
damages, he said.

"When there is a security issue or breach, it can be very hard to figure
out exactly what is going on, even when you do forensics or bring in
outside experts," Nichelson said. "When there is a data loss, it comes
right back to the person in charge of security. What was the strategy? Were
the right controls in place? Were you implementing them correctly and
reviewing them regularly?  You will be in front of your CEO, your CFO, your
general counsel, all of whom will have questions."

As the security landscape changes, infosec pros find it tough to keep up,
said Bill Gardner, an assistant professor who teaches Digital Forensics and
Information Assurance at Marshall University and is also president and
principal security consultant of Blackrock Consulting.

"The pressure to keep up with the latest developments in the field and to
keep certifications and training up-to-date is relentless and underfunded.
People do not understand or appreciate what we do. As a result, information
security folk feel overworked, undervalued, and generally burnt out,"
Gardner said.

These issues are often exacerbated by a disconnect between security
organizations and other business units, said Jack Daniel, a technical
product manager at Tenable Network Security and a former director of the
National Information Security Group. "Business people do not understand
what we do and we sometimes do not understand what they do, and they do not
always listen to us," he said.

Sergio Galindo, general manager of the Infrastructure Business Unit at GFI
Software, sponsor of the survey that found nearly 80 percent of IT admins
are considering a career change, suggested that companies need to provide
"realistic IT budgets and staffing levels" and also invest in technology
that automates personnel-intensive activities like deploying software
updates.

Soft Skills

While bigger security staffs and budgets certainly won't hurt, Nichelson
said infosec pros may find even more value in learning soft skills that can
help them better cope with crises on the job.

"You are never going to have enough people and money. You're always going
to have pressure, and your boss is always going to have high expectations,"
he said, noting that infosec pros can benefit from learning how to better
manage their time, prioritize tasks and communicate with others.

For example, he said, infosec pros will find that clearly communicating the
reasons behind policy changes tends to cut down on complaints from users.
"If you push through a policy you know will protect your organization but
do it without explaining why it's necessary, then you are disliked. But if
you take the time to build relationships through education and create more
of a partnership relationship, you won't get so many angry calls."

Many security professionals will require a nudge to obtain such training,
he said, noting that if given a choice most of them will choose to take
classes in technology topics instead.

Reducing Infosec Stress

What else can security professionals and their employers do to bring down
stress levels? Tenable's Daniel offered some tips.

For employers:

Offer flexibility. "Micromanagement drives everybody crazy, but for
security people it's even worse," said Daniel, suggesting that employers
should offer infosec pros some flexibility when possible. "So you could
present a set of goals and say something like, 'You need to accomplish
these three things in the next month. You can prioritize them in the order
you want as long as all three things get done.'"

Encourage a team outlook. While many infosec pros prefer working solo,
Daniel said it makes sense to build a team mentality. "It may be a
challenge because strong egos are likely involved, but it's helpful," he
said. "Soldiers do not go alone, first responders do not go alone, Boy
Scouts swim with a buddy. It's good to know someone has got your back."

Small changes can make a big difference. If possible, give security pros
time to pursue personal projects. "If you've got someone who focuses on
crisis-reactive tasks, give them one day a week or one day a month to
explore other things in the security environment," Daniel said, adding that
helping infosec pros obtain training to help keep their skills fresh is a
good idea too.

Make them mentors. It can be helpful for security veterans to heed the
advice they give to up-and-coming infosec pros. "If a younger person asks
you about keeping skills up to date or how to keep from stagnating on the
job, you might find yourself saying, 'Maybe I should listen to what I just
said.' It makes you hold the mirror up to yourself," Daniel said.

And for infosec pros:

Find new outlets for your expertise. Acknowledging it seems
counter-intuitive to recommend taking on more projects, Daniel said infosec
pros often benefit from giving presentations at local user groups or tech
meet-ups. "It reminds you that you know what you are talking about and
gives you the opportunity to feel good about contributing back to the
community," he said. "Plus if you do even a halfway decent job, people will
say things you don't hear often enough at work, like thank you."

Know when to say when. Though Daniel said he does not encourage people to
respond to stress by leaving a job, he said sometimes it is a necessary
move. The good news: "If you have reached that point and you have a current
skill set, it's probably not a bad time to be there," he said.

Why Infosec Stress Matters

Above all, said Daniel and Nichelson, it's important for companies to
recognize the costs of stressed-out security pros.

"If your company suffers a breach, these are the people that will run your
incident response. These are the people who will update your general
counsel, your CEO and CFO. They will coordinate with IT and with an outside
forensics firm. They may assist with writing press releases," Nichelson
said. "If this is someone under extreme pressure and having a hard time,
are they going to make the best decisions? Are they going to manage the
situation correctly? Could they cause more risk and pressure if they
mismanage an event because they can't handle the stress?"

"Companies need to ask themselves: Do they have an adequate number of
people to do what needs to be done? Can they find qualified people easily?
The answer is inevitably no in both cases," Daniel said. "So can you afford
to burn out and drive out your existing talent? No."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/