One of the toughest aspects of working in cyber security is that doing your job well inadvertently drives people crazy. Business Technology’s resident U.S. blogger Keil Hubert advises security techs to accept the drama. It’s fine.
Some truths bear repeating; one of those painful truths is that some other truths shouldn’t be spoken at all… If you know what’s good for you. Some messages that we have to convey in our official capacity are going to torque people off. It’s a known downside of the job, and it’s disheartening.
This came up during a discussion with one of my friends recently about interviewing security experts. We were trading stories about chatting up executives when my mate admonished me for an anecdote that I’d shared about speaking plainly to a CEO over a security incident handling error. ‘Never tell an executive anything that would make him feel inadequate or threatened,’ she advised me. ‘They’ll lash out at you if they perceive you to be even a little bit smarter or more educated than they are.’ She meant it, too – having previously served as a top-tier executive in a different firm.
I laughed. She’s right. She was chiding me for my inclination to speak plainly about uncomfortable topics. Sometimes, her thinking went, it’s better to placate an executive’s ego and leave them in the dark than it is to challenge their thinking about a topic that’s difficult, controversial, or unsettling. The benefit that you might gain from educating your upper management types can be effectively nullified by the resulting career-crippling backlash. Being right often isn’t as important as still being employed at the end of the encounter.
The thing is… While I completely agree with her on the main thrust of her argument, I submit that it’s simply not an ethical option for certain professions… Cyber Security being the foremost of them. As senior advisors to the rest of the business in all matters regarding threats, vulnerabilities, risks, and mitigation, we have (I believe strongly) a positive duty to the business to deliver bad news. When we identify a problem that threatens the future of the business, we’re obligated to report it. When we discover misconduct within the organization, we’re obligated to confront it.
This duty is a common theme in my columns here on Business Technology. I’ve been weathering the problem for a bloody long time, ever since I first got involved building business networks.
Yes, I agree with my mate’s advice that it’s critical that you keep your job if you intend to do your job. On the other hand, I am adamantly opposed to the idea of lying to upper management about security issues, even if it’s only a matter of deception-by-nuance. The CISO or Security Director cannot adequately serve their organization if they lack credibility. Once you’re caught obfuscating a problem to protect yourself, your credibility is irretrievably gutted – and it’s very difficult to rebuild.
This factor often makes a CISO post a no-win position. Every trip to executive row constitutes a potential stroll down the Green Mile. It’s no wonder that dedicated security people tend to be highly stressed… and that many technologists would rather chew off a limb than take over a security team. I get that.
I fully appreciate the problem (having paid an awful price for speaking hard truths on many occasions), and yet I’ve chosen to stay in the field. On reflection, I think that’s because the urge to protect people has always been strong in me. It’s why I joined the Army when I was still in high school. It’s a stronger motivator than my natural sense of self-preservation. Or, more accurately, it’s stronger than my sense of career preservation.
I recognized that in myself a long time ago, and took some common sense steps to mitigate it. Back when I was a lead IT guy with a posh corner office, I kept a faded print of one of my favourite Dilbert strips on the backside of my office door. I clipped it out of the newspaper on Sunday, 3rd February 2008. It’s a simple two-character exchange. You don’t need any visuals; the joke is entirely in the dialogue. I laugh every time I read it:
Dilbert’s Mother (a.k.a. Dilmom): ‘How is work, Dilbert?’
Dilbert: ‘Well mom … I’m like a fly stuck in a thick tar of despair. … Incompetence hangs in the air like the cold stench of death. … I’m drowning, and monkeys dressed as lifeguards are throwing me anvils. … My job has convinced me that life is a stale joke with no punch line. … I long for the comfort of the grave.’
Dilmom: ‘Next time, just say “It’s fine.”’
I positioned that comic to catch my eye every time I reached for my doorknob. It always helped to remind me that some people simply didn’t want to hear what I had to say even if they’d specifically asked me to say it. Some senior folks, especially, could be counted on to rarely ever want to hear a hard truth.
And yet… That was my bloody role in most of the organizations where I’ve worked. Solving business problems rarely upset anyone. Sustaining core systems only aggravated the users when our services went offline. Carrying out security actions, though… That part of the job was a sure-fire way to make people insanely upset, no matter how important the actions were to the safety of the business.
Explanations rarely help. It’s amazingly easy to accidentally alienate a person just by discussing a technological problem. Our field is relatively arcane compared to most other business pursuits; whereas the bean-counters talk of ‘profit and loss’ or ‘debit and credit’, we yammer on about ‘buffer overflows’, ‘stack dumps’ and ‘spear phishing’, thereby confusing everyone around us. It’s a nasty side-effect of our essential business function; proficiency in our profession means using a very specialized occupational vocabulary. There are many people who consider our incomprehensible techno-babble to be intimidating, condescending, or both.
Of course, doctors can often be accused of engaging in exactly the same aggravating behaviour: flaunting their specialized vocabulary, possessing obscure knowledge, offering only incomprehensible explanations, etc. The thing is, the average patient usually listens to their doctor, whereas the exact same person just as often won’t listen to their technologist. What’s astonishing is that bloody doctors often won’t listen to their hospital technologist. You’d think we’d have more mutual respect worked out between us. But… no.
All that being said, it certainly seems sometimes like all of us in the cyber security field have somehow been set up to fail. We can’t stop all of the bad guys no matter how hard we try to. Our mitigation efforts frequently drive our users to distraction. Our jargon sets people’s teeth on edge. We’re often thought of like a badger in the nursery: unwelcome and supremely disquieting.
That’s demoralizing, but it ultimately has to be accepted for what it is. Ours is a complex, confusing, and sometimes disturbing role in the modern corporation. Doing our job well means having to say and do things that occasionally upset people no matter how charmingly or gently we go about it. We’re the pariah in the lunchroom, the last man picked for office softball, and the butt of jokes in the canteen. We’re that guy.
That’s true, as is the reverse of the coin: we’re also the unseen defenders of the realm. We’re the back-stage kobolds who strive to keep all of the gear-works spinning along while jokers both within and without the company screech and toss us anvils. We’re the frustrated technologists who slog through the threat environment every day, doing our utmost to protect the front-of-the-house functions in good faith because we care deeply about our company’s mission and about the people that we serve. We want the company to succeed, and most of the time we have no desire whatsoever to be gits about it.
It’s hard to get that idea across to people, though. Until folks get to know us, we’re perceived as ‘those annoying people from the IT building’ who ‘always say no to everything’. Our co-workers are often reflexively predisposed to assume the worst of us and from us, assuming that we have some sort of malevolent agenda or superiority complex. It’s a titanic drawback of the job, but it would be dead wrong to say that it can’t be helped.
Our strength as security professionals comes in part from our technical skills, in part from our experience, but most of all from our personal credibility. Every time we strengthen a personal relationship with a key stakeholder, we strengthen our credibility. Every ally that we win over with honest, forthright discourse helps sway the body politic from a negative predisposition towards us over to a neutral one. Eventually, with enough patience and charm, folks will come around. They almost always do. It just takes patience, a very thick skin, and a commitment to stand firm on the truth even when it hurts us in the short term.
Or, depending on the exec, anything that challenged their treasured preconceptions.
Not obey their doctors; that’s a completely different issue.
Maybe that’s because the medical profession has a better marketing department. Or a 5,000+ year head start on us. Or both.
Keil Hubert is a retired U.S. Air Force ‘Cyberspace Operations’ officer, with over ten years of military command experience. He currently consults on business, security and technology issues in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo!, and helped to launch four small businesses (including his own).
Keil’s experience creating and leading IT teams in the defense, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employee development… This serves him well as Business Technology’s resident U.S. blogger.