TLDR: Security offers a baseline professional life. The work itself can be exciting and engaging, but after years of being misperceived and undervalued: I’m out.
I finally worked my way up to a title+salary that made me feel like I arrived professionally.
No I’m not well into 6 figures and no, I don’t have a “C” in my title. …And I don’t give a shit.
I’m extroverted and, over the last 20 years, can count on one hand the number of people I have not -for the life of me- been able to professionally tolerate (i.e. not to toot my own horn, but on the scale of typically getting along with others, I feel like I’m one donut short of Homer Simpson levels). I’ve been a black sheep of infosec my entire career: rather than jump straight to “no,” I typically jump to “Yes, but this is how that would work securely…” I don’t know why, but I’m still surprised when I see my co-workers’ surprise that I (the ISO) actually have a sense of humor (if an unfunny one, the fact that it exists seems to blow them away).
The last 6 years (3 employers: education, banking\finance, and health) in senior security roles has taught me an important lesson: **being paid a decent salary doesn’t mean the work is valued.** (Every business says that security is their “*top priority*.” If security was valued: we wouldn’t be hitting **20 YEARS** of constant headlines about hacks, ransomwares, and breaches.)
I’ve had to constantly attempt to teach, but usually argue and fight with managers and directors that are “*tired of security getting in the way of the business.*” I’ve successfully (and with luck) kept their names and faces from appearing on the local news and\or infosec editorials\textbooks. It’s a thankless, constant grind trying to help them save themselves. It has become blatantly obvious why so many other senior infosec pros are complete dicks. (I’ve had Executives call me out for not being aggressive enough.) I’m not that guy, and I have no desire to be. (But I wish I could be a fly on the wall a few months down the road, at the moment of recognition when it dawns on them that whoever they hire as my successor is not an aggressive project-managing machine; they’re just an asshole on a power trip.)
All 3 employers have made my value clear. I’m paid to make sure the minimum risks are covered. (1) They don’t get fined due to non-compliance and\or (2) sued for gross negligence. For everything else: there’s insurance.
All these articles about the “talent shortage” in infosec? Rubbish. There are so many skilled employees that could step into cybersecurity roles in a heartbeat. Why don’t they? Why don’t they, indeed.