We’ve probably all seen that “perception versus fact” meme where there’s an assortment of pictures with captions like “what my family thinks I do,” “what my boss thinks I do,” “what I think I do” and “what I actually do.” People’s understanding of what cybersecurity professionals do often bears little resemblance to the reality of what we actually do. This can lead to a number of problems, especially in terms of job security, but there are things you can and should do to correct this.
What Do You Do?
My husband recently told me that it took him about two years to really understand what I do for a living. My parents used to say they thought I played video games for a living when my job was analyzing malware. Many of my coworkers seem to think I’m something of an internet celebrity — probably because my name shows up in public places a lot.
The picture for “what I think I do” would probably be a picture of a superhero anonymously and stealthily saving the day under the cover of darkness. My husband would also choose the “superhero” picture, so clearly my influence on him is working! The picture of “what I actually do,” which tends toward a more self-deprecating view, would probably be one of a person standing on the edge of a chasm and screaming into the void.
I get the sense that a lot of business leaders (especially those who aren’t particularly technical) picture us as wizards who read mystical signs and portents and then cast pronouncements on “correct behavior.” When requirements seem as inscrutable as superstitions, this doesn’t necessarily bode well for our continued employment, especially if misfortune befalls the company on our watch.
The reality of what most of us do is probably somewhere between “superhero” and “screaming into the void,” but if we’re performing well and managing expectations correctly, there can be more days of the former than the latter. Many of us work in areas that are not seen by most of our coworkers, and the sign of a job well done is usually nothing bad happening.
In light of this, what can we do to bring our work out of the darkness of the cubicle and into the view of the corner office?
Celebrate Your Successes
Have you deflected attacks on your network? Have you decreased the number of successful phishing attempts? Have you improved your risk assessment procedures? Managers will not necessarily know this if you don’t keep them updated.
Making time to celebrate your wins certainly creates more work for you, which can be hard when your plate is already full. Many people feel uncomfortable tooting their own horn, but for security pros in particular, this is an area that’s vitally important.
While info sec is generally considered a cost center, most organizations would struggle to stay in business without our diligent efforts. But if higher-ups don’t know how much value we bring to the company, they will continue to view the cost of securing the organization as one that should be kept to a minimum.
Keep a Diary
Many job-hunting resources suggest keeping a diary of what you do on a day-to-day basis as a way of making sure your resume is both thorough and accurate. And you don’t need to wait until the day when you decide to search for a new job to benefit from this activity. Creating and sharing a list of cybersecurity job responsibilities can be helpful in letting managers know what makes you worth the paycheck — or perhaps even a promotion.
When nobody but your peers knows what cybersecurity professionals do, it’s hard for the people in charge of budgets to know how much work it takes to keep attackers from breaching the company’s systems. While this list should naturally include successes, it should also include the more mundane cybersecurity job responsibilities that require action to maintain the status quo.
Ask Your Coworkers for Help
No security practitioner is an island. You will likely be far more effective if you make a point of having regular, productive interactions with your coworkers who operate outside the security department. Ask them to help you identify data and devices when you’re performing risk assessments; encourage them to report any suspicious files or messages they receive and any accidents that may occur. Listen to and work with them to foster an environment that enables them to do their job safely.
If people in your organization can see you not as the grump who just tells them they’re doing things wrong, but as someone who is there to support them, your interactions are more likely to be constructive, and you’ll be more likely to have vocal champions throughout the company.
Educate Your Staff
Another opportunity to improve your work outcomes and strengthen your connections within your company is to hold regular security training sessions. I should caution, though, that these sessions should be brief, relevant, actionable and positive (or perhaps even fun) so your students look forward to learning. The more you include examples or techniques that are applicable both at work and at home, the more likely your coworkers will be to attend these classes voluntarily. And the more you keep your lessons fresh in their minds by making classes a regular occurrence, the more likely your students will be to remember their lessons when they’re at their desks.
Some of the work that cybersecurity professionals do involves toiling in obscurity, but that doesn’t always have to be the case. By making sure your activities are visible to your coworkers and higher-ups, you can ensure that it remains clear how valuable your work is to the health and longevity of the business.