Do I still love it after 17 years? No. A lot has changed. A lot has not. I still like it most days. By far my favorite thing has been building a team and teaching others what I learned. I hit burnout here and there. I think computers and tech are different and objectively a little less fun now for this field. When I started I could find a bug in a system and write an actual exploit (actual machine code!) for it by hand in a reasonable time scale and that was always really cool. Now teams of people are required to achieve the same exact goal. Just one of many examples.
So anyway, some get off my lawn cause I am older now, some is just me changing what I like and want from life, some is tech changes. It’s still a great field as a consultant. Show up. Hack. Write report. Leave. Never be a CISO, you can’t pay me enough to do it. The end.
When I first started any idiot could hack a web application because nearly all of them had silly exploits like SQL injection.
Can you share why?
You own a bunch of unsolvable risk and your head is one of the first to get lopped off if you're popped.
Honestly, the CISO role probably needs a golden parachute and a direct report to the CEO for it to be an appealing path for most anyone who's experienced it at least once. The former to incentivize owning that much risk, the latter to enable the role to drive change.
The security world and the compliance world are changing daily, don't track each other, and your compliance drives costs, while security drives incidents.
The soul sucking large corporate entities, I couldn't agree more. Stay away from that if you can. You really only need one big company household name to spice up your resume and you probably have that already. I have mine and never went back.
Yep, this is the direction I wish to take next. ;-)
I have a multi-decade career, and for like the first decade or decade and a half or so, I tried to stay as long as reasonably possible at whatever big company I worked for....being raised to think that loyalty, and working a long number of years at the same employer, was a sort of weird badge of honor. I got hit by bureaucratic BS/blocks on such a constant basis, and then got hit by my first layoff...then I thought: "oh man, it's me, I'm the problem, maybe I'm not as good as I thought, etc." Then I got yet another corporate job....and then another layoff...which by the way both layoffs were due to re-orgs, and impacted many people, and not specific to my performance. But, you know, the ego and heart get hit hard.
So, I tried 1 year (during the middle of the pandemic) to work for a non-profit...thinking that maybe I can use my passion and people and tech skills for some good causes...Nope, never again! The sample size is of course so small (I only worked for a single non-profit), but I encountered the same corporate blocks as in the for-profit world, but with a vastly reduced paycheck. I still love my peers in the non-profit, and while I was there I actually made a difference in thousands of people's lives, as well as gaining accolades from the IRS for a model and taxpayer experience that I developed for some web portals that I led the dev. for. And, I still very much believe in what the non-profit where I worked does...But wow was the org. crazy dysfunctional! Anyway, over the last couple of years since then, I keep jumping from one big company to another....and after all these decades I feel I have more passion than ever before for the tech and the problem spaces! ...BUT...now I have less patience for corporate bureaucratic BS/blocks...so I jump more often nowadays; which I don't like doing. Maybe I will try small, for-profit firms and see how things go....but, man, corporations really do know how to hamper those among us who have the passion, drive, and technical chops to really make a difference. Passion and competency - at least at the big boys/girls where I worked - seem to count for nothing nowadays.
In any case, TIL that although "quit" is most common for past tense/past participle, "quitted" is sometimes included in dictionaries as an alternative.
This may kind of seem tautological, but I think adding the extra degree of mental separation (I am a man/woman who practices X profession vs. I am X profession) can help clear your head and open new life avenues to you. If you spend 8 years grinding for a graduate degree and enter into an obscenely competitive job market and find little success, it's easy to feel claustrophobic and like you've failed if you take a job outside your field. However, if you think "for 8 years I performed statistics, writing, lecturing, and reading, and now in order to make my fortune I'll try another trade" you feel less indebted to your past self and make more clearheaded decisions about what to do in life.
I have been forced to do the infosec role as a "side thing" in a couple of jobs now, mainly because nobody else was around that even had the basic skills. One of the things that discouraged me from going further in that field is that it doesn't seem to make people all that happy and fulfilled. Again, I may be wrong on that, as an outsider looking in.
The biggest security weaknesses are people. Employees get socially engineered or phished. Management doesn't take security seriously so they put only a tiny budget toward security. Lazy sysadmins don't keep their systems patched. Software developers can't be bothered to learn how to write secure software, and this is mostly because their bosses don't incentivize them to. Security vendors often hype up their snake oil products. Good security protocols and technologies aren't adopted because people don't want to change.
Dealing with these human problems is awful, demoralizing, and generally unsolvable.
I decided 10 years ago to never work in a role/company where my job didn't contribute to the bottom line. It's much more satisfying.
* can be demanding or irregular in terms of hours
* real, genuine infosec requires deeper knowledge of OS's, protocols, tools, programming & scripting, etc. Gotta be a little more experienced to get that, and even more experienced to move away from it into mgmt or higher level roles. In other words, older office worker, and that means more gut.
Medication shouldn't be out of the question to stop the stress from killing you. I don't need to know any specifics but just when you say "stress" and "overweight" I can tell you to get checked for at the very least sleep apnea and diabetes. Both can and will ruin your day if you don't catch them early enough, and most people don't.
You have to make sure you manage your relationship with your job carefully, or you will burn out as the author did.
I've been thinking about this a lot lately. As a millennial, I've tied so much of my self-worth into my career and recently started questioning this belief, and I think the next generation (i.e. Gen Z) might be on to something around quiet quitting, their generation placing extra emphasis on pursuing things that make them happy and viewing work as .... well, work.
For me, paid work is a means to achieve what I personally want to achieve. If I can achieve what I want during work hours that's great, stars are aligned. If not, work is just a way of getting the money I need to achieve what I want, and should never drain me.
I don't care about career, I care about being paid enough to do what I want to do of my life. I won't sacrifice personal life for it.
Work is a good chunk of the time so it should also be enjoyable as best as possible.
Of course, advancing your career can help you get paid even more / enjoy even better; if so, it might be a good thing to do. It's just that it's a means, not a goal, like it seemed to be for some of our parents or grandparents.
Please do not use this phrase.
Working 9-5 is called "doing your job"
IT in Europe here and we work 8-5 with 1h lunch...
Similar in the US, I've never actually seen an office that works 9-5, despite that being the phrase. It's always 8:30-5 or 8-5.
It may once have been A Thing here in the US, with a 30-minute lunch and two 15-minute breaks coming out of a total of eight hours at work, since there are legally-mandated break periods for ordinary wage or hourly workers—but it seems like everyone's "exempt" now and so has far less legal protection, plus I'm sure enforcement's nearly non-existent. I assume it did actually exist, once, though, for "9-to-5" to have entered the language to begin with.
Quite a lot of people stay after 18, mainly because of historical/ tradition reasons.
How terrifying is that, busting ass from your 20s to mid to late 50s, and then getting hopefully another 30 years to "enjoy life?" I mean I'm sure many people find enjoyment along the way but damn that just seems so depressing.
Maybe it wasn't bad when that generation was working, I know many had a very nice quality of life for relatively less effort due to higher purchasing power and lower housing costs.
They constantly ask me for money now.
Agreed. I'm all onboard with delayed gratification. I'm onboard with "putting in the work." But waiting (literally) decades before living it up... sounds totally backwards.
Care to share some of your favorite findings?
It's just slavery which the older generations thought was appropriate, much like having a large family to look after you was a thing before family sizes came down.
It sounds cliched, but have a bucket list of things you want to do and try to do some of them. Put yourself first and your job second because the days of businesses looking after their staff and a job for life is long gone as every recession demonstrates.
In terms of adding extra items to improve their happiness, it appears that this strategy is generally ineffective. Despite their efforts, the quiet quitters I met do not appear to be any happier.
The alternative to hard work is doing nothing, and that certainly will get you nowhere at all. The idea that a younger generation might have had it slightly better (which I think is pretty subjective anyway; previous generations have all had their fair share of bad shit) so you won't do anything to get ahead is just asinine.
E.g.,
- Don't be an internal company accountant, go work for Big 4 accounting firm to sell your skills
- Don't be in internal company IT Security, go work for a company who sells that skill
It's all about moving up in the value chain. By moving up in the value chain, you're more "valued" / appreciated / sought after.
Your general happiness will be much better as a result, and you'll also make much more money.
This is more true if you're a small startup selling a security product. It's less true if you're one of the top 5 companies in the field.
One good friend of mine was a super driven lawyer at a huge world-class firm in NYC. She got cancer, and had to take a leave. Fortunately she recovered fully and quit basically the first moment she got back. This isn't one of those 'she left to follow her passion in the arts' cases - she LOVES being a lawyer, but she realized she wasn't living a life. Now she's in-house at a multi-national brewing company.
Anyhow, all that to say - you may be more valued, but it's much easier to be the client!
> But why don’t they just patch? It’s not that complicated after all.
And you kinda see this later on when the author talks about what they worked on post-transition out of infosec as a mainline career:
> I finally joined Michelin in December 2016 where I started working in the CERT team where my main mission was to automate scanning and reconnaissance phases [emphasis added] on internet-facing assets and this was my real first experience on the other side of the story - defending infrastructure and where I finally experienced change management (and the complexity behind it), impact evaluation and so on.
It seems like the author burned out not because of the work but because wherever he ended up, there was no strategic initiative to streamline and automate patching to a point where it's largely invisible. It's also a hard problem given the risks of patching bringing reliant services down and the need to automate a slew of testing to validate that said patches won't torpedo production and mission critical systems.
The bit above is important not just because it solves a problem but because (I'm convinced that) people like knowing they actually built something and enacted lasting change. And security may be one of the least likely engineering disciplines where you'll experience building a tangible product as an IC.
At least in software security it's a bit easier with build and deployment pipelines offering an opportunity to block when patches are outstanding, but I can see where the burnout would arise when a strategic effort to invisibly ensure patching isn't in place or well funded. No one gets to build anything, and likewise, nothing gets solved because nothing was built.
---
So if I could add another takeaway:
• if your job involves running around and putting out fires, consider recommending up the chain and across the aisle all the ways to prevent the fires. And if those recommendations don't catch fire (so to speak), may be worth exploring alternative means to address the burnout risk long term with the current role.
> It seems like the author burned out not because of the work but because wherever he ended up
Don't get me wrong and maybe I was not clear enough (my bad). The infosec part I mostly contributed to was within some consulting companies where I was hopping from one assignment to another one, having different clients every week. I saw some clients with some really strong security posture, I mean it. The "burn out" I experienced was clearly not related to that but pretty much from hacking, writing report, sleep & repeat.
Yeah, this tracks. I rescued myself from this by switching to in-house security teams with ownership of security infrastructure.
Similar to what you did.
You spend 90% of the time "writing documentation" rather than on finding the security problem and suggesting the fix. That's why I chose development rather than InfoSec (despite having a knack for it), because it's more technical and I don't need to explain "why" every time.
pentesting? 20% finding the low hanging fruit, 80% writing and explaining your findings.
forensics? 10% finding how they did it, 90% writing and explaining your findings.
malware/policy/security/cloud security analyst? 100% writing and explaining your findings.
the list goes on and on... you are basically a slave to word processing software, that's why I totally understand OP quitting infosec.
On the other hand - the "hustle" economy is everywhere now, not just tech. Everyone has a side gig, and the grass isn't always greener. So, who knows.
Great post and best of luck in management.
I wonder if other jobs that emphasize relationships, like sales, might have been a better path. In your old age you have a nice rolodex to market yourself with instead of a decaying skill set that gets more difficult to refresh as you age.
https://blog.nacdonline.org/posts/cisos-breach-experience-pr...
When you get older you lose the fun of learning new stuff, and you are paid to do what you know.
Risky game indeed. It’s 1:24am here in Australia and I’ve finally stopped attempting to reverse a network protocol for an embedded device which I’m pentesting. Reading the article is a good reminder of what can happen if you push it too far. The challenge is with this type of work you often have to put in the hours, particularly if it’s a hard target.
If you lack the passion and drive you simply just won’t retain and develop the skills required to deliver. If seasoned pentesters disagree, then I’m all ears.
Someone along the way might modify the page? Unless they're using HSTS, it won't matter.
I'm all for encryption, but I'm also all for using tools when necessary, and not complicating things when not.
I like that the author wasn't afraid to make a change, not everyone can but it makes for an interesting story!
I don't think it speaks badly about the pentesting part of infosec, even though those in auditing tell me it's extremely boring to be in infosec.
Anyways nothing wrong with the text, but my comment stands.
I almost can't imagine not working in infosec, it might feel like losing a limb I think. It's not the assembly, exploits, etc. that does it for me but how I am never bored and always learning something new. The feeling when you find a compromise by a sophisticated actor or even stop a compromise in progress, even if no one ever hears about it, is amazing. I did networking and other types of jobs that were great too but eventually you master those more or less and start to get bored. I suspect pentesting is similar in that you learn new techniques all the time but the vulns you find are still the same stuff more or less? I have no idea, just guessing. I guess what I am trying to say is how rare it is to find someone with passion for infosec that applies themselves and how broad the industry is (maybe you might enjoy being an instructor or manager?) and how any job in infosec would love to have you because of your background.
AltaVista was a Google competitor, IIRC.
But I am kinda wondering why this brings so much attention? To me this reads like a long trip down memory lane. Is your takeaway: "if your job and your hobby are too similar, then this will lead to burnout?" Or is it "a job in infosec will lead to burnout, because infosec has certain inherent problems?"
Let's just shout "ffs, just patch yo' shit" rather than actually trying to educate people.
Let's all go to a hacking convention, and act like children and hack everything within arms reach at all times.
Let's all belittle people who don't have the same level of technical skill as us.
Let's all be arseholes to women in the field.
etc etc. that's why I took a step back, because for all the "we want to help you fix things to make the world a more secure place", the infosec industry seems to not want to help make it happen.
Looking back, working in infosec was such a great experience and I recommend it to anyone who wants to jump in!
The reflections generally about knowing when to move on are more field-agnostic.
I once worked for a company making a security product. The other software engineers knew almost nothing about security or secure coding practices. It was never a requirement for the company to hire people with security skills, nor did security skills even get taught! I tend to think that's the norm in the industry, but I'd be happy to be proven wrong.
Yeah, blow my karma idk
[1] https://books.google.com/ngrams/graph?content=had+quitted%2C...