Like other professions that are not fully understood by the rest of the organization, cybersecurity is deeply personal. It becomes even more so when you consider the high-stakes nature of your job requirements. You are responsible for keeping cunning adversaries from infiltrating and mining your network to commit data theft and extortion - and, wait, it gets better - you also are charged with identifying and eradicating them if they do.
That is a mighty tall task. Such a complex undertaking is no doubt riddled with potential pitfalls - and can lead to burnout for professionals who lack the appropriate resources and the right mixture of temperament, psyche and pride to handle the high-pressure gig. That is not to say that you and your team (if you even have one) are the only people within the organization who recognize the importance of security. Threats and data protection are more regularly becoming boardroom affairs.
But even with executive support from the board and C-suite - something that is never a guarantee anyway - security is not a function that should ever be led exclusively from the top down. It won't be effective that way, and the wrong message will be sent to security practitioners.
And it appears such an outcome is being better avoided these days. The 2017 Security Pressures Report from Trustwave, which polled 1,600 IT decision makers worldwide, saw a shift toward individual pressures, meaning you the security pro - not anyone else - are more readily accepting the challenges, culpability and consequences that come with the job.
For example, we asked respondents to the survey which (non-malicious) individuals place the most security pressures on them. The highest ratio of respondents chose "boards, owners and C-level executives." However, that percentage drastically fell year over year because the pressure exerted by the respondents themselves soared 13 points to become the second-biggest human pressure pusher among respondents at 24%. Next came "direct managers," "nobody" (yikes!) and "peers."
In another question, we asked respondents when they feel their most security pressures. Forty percent said following a major breach anywhere that draws headlines. Next came at the end of each quarter. But the most evident shift was seen in the survey choice of "directly after a meeting with company bosses and the board," which precipitously declined. One would assume that the pressure-inducing tasks that come out of a high-level meeting wouldn't prompt such a statistical decrease, but that wasn't the case. Finally, we queried respondents on the biggest repercussions that stem from a successful cyberattack or data breach. The most chose "reputation damage to me and my company," which outpaced "financial damage." Another 11 percent selected "losing my job" - a clear indicator that job security is no guarantee in the era of big data breaches.
There are clearly some takeaways here. For starters, the stats seem to underscore that organizations are doing a better job of placing the right candidates in the role of security leader (and trusting them to succeed). Secondly - and arguably far more importantly - there seems to be an understanding among security professionals of "owning" their pressures. This type of psyche is best identified by the following personality traits that may identify a make-or-break disposition.
Feeling pressures is not wrong. After all, if you care about your job, you will naturally experience pressures to achieve big things. But you will also hold your feet close to the fire when difficulties present themselves and the going gets tough, which it will.
You don't need someone else to ignite your inner drive. Sure, it is nice to know others throughout the organization care and want to support and empower your mission, but you don't need a trip to the board room to be kick-started into building a sound security posture and culture.
Not only are you motivated, but you also spark others to step up their game. This can lead to big results, especially in security, which requires a holistic approach that not only involves galvanizing the entire IT department, but also the rest of the organization, partners and industry through communication and shared intelligence.
You will get beaten down in security. The human ego can feel pretty bruised when it is on the receiving end of constant bombardment from ruthless enemies. Just a couple of slip-ups can spell disaster for an organization. But you must stay strong. Of course, is that always possible?
And therein lies the rub. Defense in depth is very much alive - from testing for vulnerabilities to detecting and responding to threats on endpoints - but companies are having implementation problems. As a security leader, you are the one most likely to understand where your needs aren't being met, and oftentimes this centers around a lack of adequate internal resources.
Do what you need to do to get the help you need. That may involve partnering with a managed security services provider. Good luck carrying the traits you need to succeed in this business. And remember, it's personal now.
Dan Kaplan is manager of online content at Trustwave and a former IT security journalist.