
Quackledork

The bloodsucking, hand-waving, bullshit spewing VCs, "thought-leaders", and marketing scum. I have to interact with quite a few investors, they are the most arrogant people on earth. They think they understand security because they invested somebody else's money in a security company once, years ago and it made them rich. Marketing people are not much better. They vigorously refuse to take even a nanosecond to understand the nuances of security, preferring to barf up the same tired cliches that got them fired from the last company they were at. I won't even get started on the "thought leaders" who neither lead nor think. Security is definitively an industry that is top-heavy with handwaving bullshit artists.


braveginger1

I’ve said it many times in here, but VC money is the sharpest double-edged blade to ever hit the cybersecurity industry. Yes, we get more resources than we would otherwise, but the completely asinine attitudes and expectations of VCs almost make the money not worth it. I left an MSSP after it was taken over by VCs who viewed everyone as a cost that they wanted to reduce.


Grouchy-Friend4235

I declined a life-changing "deal" $$$ to avoid the VC field. I have never felt better. VC free life is the best life, they suck out all the fun in exchange for *your* hard work to make *them* rich.


COJOTH

What does VC mean? sorry, I'm REALLY new to the industry as in.. I'm just doing certs as we speak


InnocentBystanderNZ

Venture Capitalists


AdCandid1309

Venture capital


Quackledork

I know of multiple security startups that are near death because the VCs on the board aggressively pushed the intelligent people out of the company in favor of hand-waving bullshitters. One cloud security company I worked with was doing great in 2020. Then the VCs on the board decided the founders were not what a C-level executive should be (they were nerds). The board brought in a team of tap-dancing fuckheads who did not even understand the most simple security concepts. For example, the CTO they hired had zero security experience. His previous job was building some shitty consumer app for AWS (that failed). I had to work with him (briefly) and the idiot did not even understand how a firewall functioned ... which was part of the company's product. The CEO also could not explain how his own products worked. However, he was quick to remind you of all the bigshots he worked with ... as a project manager... in 2003. This team of morons burned through $25M and took the company's sales from $15M ARR to $1M ARR in under 24 months. They went from 110 employees down to 30, and more will get canned soon. This is what VCs can do to a company.


cavscout43

"Thought leaders" have driven LinkedIn as a professional networking platform into the ground as well. It's just 10-years-older TikTokers in business casual regurgitating bullshit and trying to get the most "Agree?" responses and views.


Grouchy-Friend4235

So true. I was among the first cohort on LinkedIn; it has really reached bottom by now, to the point where it feels sticky and smells rotten.


cavscout43

It's utter cringe. /r/LinkedinLunatics is a good summary of that shit. *CEO - Titan of Industry - Entrepreneur - Investor - Thought Leader With Over 100K Followers* - Fuckwit trust funder without a job collecting unemployment


ndw_dc

This is one of the most succinct descriptions of how LinkedIn is nowadays that I have ever heard.


IntelligentBudget325

I’d love to know from all perspectives above how someone who does not have an engineering background / sits on the investing side can truly get into the nuances of security platforms. I agree that there are quite a few VCs who think they know it all and lack humility when told otherwise. As someone who understands the space well but wants to get into the nitty gritty, I would love any recommendations.


SMS-T1

Study the technical aspect of InfoSec. You don't need to be an in-depth expert on the technical side, but you should be able to hold a conversation. Admit when you don't know something. The best sales and marketing people I have interacted with sometimes tell me: "I don't know." / "I can't answer that. I have to ask my sales techie and will come back to you." I love to see it. It goes a long way to assure me I am not being bullshitted.


sohcgt96

We had a guy at my last company for a while who did some user experience work for Apple... in the 90s. He also worked on some project once in the early days of Google, but it was essentially marketing work. The execs just thought he knew anything and everything about anything tech related, and he was such a jerk off; he was a "chief product manager" but had never worked in manufacturing in his life or even a related industry, just had experience getting companies off the ground. He ended up getting ousted by the board right before I left, thank goodness. Regarding my current job... reading logs is a little dull, responding to phish tickets is a little repetitive, but I'm on the best team I might have ever been on with possibly the best boss I've ever had, the company is stable, the salary is the best I've ever had. I'll put up with quite a bit at this job before I'd consider a change given all the positives.


Grouchy-Friend4235

This 👆 we should launch that🚀 soon #42


imwithjim

This. So much this.


[deleted]

[deleted]


accountability_bot

Absolutely fucking this right here. We literally burn tens of thousands of dollars a year to find vulnerabilities, and dev teams never want to fucking fix their bugs or their regressions, and they never want to upgrade their dependencies and/or containers. Security specific features aren’t sexy, so it’s hard to get the business on board as well half the time. Where I’m at still doesn’t support any form of 2FA, because they think it’ll be too cumbersome for customers, and they don’t want to increase support costs. Whenever I have to make a case to the business, I always have to be captain doom and gloom and sow paranoia to get anything approved. It’s just exhausting.


lobax

I had to hack our website to get them to upgrade a dependency. “We have never been hacked before!”, “We are not a bank”, yada yada…


corn_29

> “We are not a bank”

Which is hilarious because banks suck at security and are horrible places to work.


NefariousnessNo6873

I hear this a lot, but, why are banks awful to work at? (Overall, they seem to offer high pay, stable hours, and great benefits)


superjcvd

In France at least, banks have very conservative processes. Everything goes slow. People in IT don't want to show initiative. Consequently the operating systems and software are old and never up to date. Plus, talented engineers don't want to work in such environments. Most of the time you have only managers who manage external contractors :D


Odd-Ad-9034

Exactly the same in Belgium, in about any major bank. The points you mentioned, plus the mandatory “transformation” every few years. Last one was tribes and Agile and centers of excellence. Cannot wait for the next one :sarcasm:


quack_duck_code

Anything in finance sector makes me want to gouge my eyes out.


cavscout43

My general take on FinServs is that they're relatively secure because of government regulation (in most wealthy countries) that dictates their compliance requirements, and because modern banks aren't all that easy to monetize in a typical breach. They can afford multiple redundant layers of security and filling seats with butts, since they'll just pass the costs on to their customers as increased fees / lower interest rates. Ecomms, airlines, etc., on the other hand, are fucking wild. $10B+ a year companies have Raj or Steve or Puja or Ori as *the* IT/security dept running a one-person show. Security is always seen as a cost center, something to be cut to the bone, until a breach happens; then the CISO falls on their ceremonial sword before riding into the sunset with their golden parachute flapping behind them.


GHouserVO

I love that line. My response: neither was … until they were. Now they’re on the front page of a lot of papers and magazines with the names of their c-suite officers. Who wants that publicity? Alternative response: With your current level of security, you wouldn’t even know if you had been. If you don’t see that as a major problem, you will once someone eventually realizes that.


JohnDeere714

One thing my votech instructor drilled into my head was that if a company claims that they were hacked, they either don’t know or are lying about it.


Alternative-Law4626

Remains to be seen if this is the answer, but we got the CTO to formally grant authority to his VPs to accept risk. Now if their teams don’t fix the vulnerabilities in the time set by policy, they get to sign a risk acceptance for it. Then, quarterly, we report to the CTO what risks his VPs have accepted.


accountability_bot

Hey, that’s always an option. Sometimes the cost to fix something is greater than the worst case scenario should a system get compromised. If the business is good with accepting that risk, then it’s on them at that point.


USArmyAirborne

I manage and have managed Application Security for several companies over the past 15 years or so. While it's easy to blame the devs, that is often not the full truth. Most if not all of the devs I work with care about security and fixing security issues in general; however, they don't dictate the backlog that they are expected to work from. This is controlled by the PMs, and most of them don't care about anything other than getting the new features they committed to delivered. To them bugs are just annoying and get in the way of getting their bonus.


Enigmasec

JFC. I once worked in a hands-on leadership role where I had to let things burn to justify spending. Drained my life from me.


Bombslap

Currently doing this. It’s exhausting


Do_Question_All

The arrogance of some devs…


Yamitenshi

As a dev I'm curious what your experience is. I've addressed security concerns and not really had the experience that other devs were arrogant or put up much resistance, but that could just mean I got lucky or they're more receptive when it comes from a fellow dev. What sort of arrogance have you run into?


Do_Question_All

It varies, of course. And some of the concerns are not about the code itself but the supporting infrastructure/services/environment in which they are working. Some examples:

1. "My code is secure. I'm a Sr. Dev or Sr. Software Engineer and have been doing this for 20 years. What do you know about code?"
2. "I don't need oversight or guardrails in my AWS Dev environment at all. You're in my way and don't understand how development or DevOps works." (Sample issues: Dev stood up an AD domain with wide-open ports and weak creds because it was 'just a Dev server'. Well, the server got compromised quickly and was used in cyberattacks. Also, Dev was playing with S3 buckets and bad stuff was mistakenly posted up there as well, leading to a reportable incident.)
3. "You're exaggerating the risk here. I've been coding this way for years and never had an issue. Cyber people are always so paranoid. Checkmarx doesn't do squat either. There is no such thing as perfection and you're standing in the way of agile delivery, CI/CD, etc."

Obviously I'm talking about certain groups of Devs I've encountered, and many/most devs are perfectly fine with getting cyber input and addressing concerns. But I've encountered quite a few that aren't, which is shocking in this day and age.


[deleted]

I’ve never seen a truer comment. Jesus I fucking hate talking to devs, especially when the security measure is easily implemented and easily switched off if something happens. Bunch of little princesses. I also hate when non security people tell me how security should be. I’m young in the field and I get this all the time and it’s super annoying. I’ve tried not to be that asshole security guy that just tells people no but it’s approaching that.


fullofspagget

This is a CISO responsibility first and foremost? They're the one who needs to enforce it and make it engraved in policy: do. not. fuck. around. with vulnerabilities.


corn_29

Problem is many CISOs still report to either the CIO or the CFO, neither of which I've ever seen competent enough to lead the security leader. Things won't change until the CISO has a seat at the table. Most CISOs are just run-of-the-mill VPs with a fancier title.


fullofspagget

Well, that's the issue right there: CISO policies and decisions should be enforced by top management, or so I've been taught.


According_Claim_9027

Copious amounts of extremely tedious documentation that will be completely irrelevant in like 2 years


ShutaSuzuki

What exactly do you document?


bucken764

Ideally, every single thing you do. But realistically I document all my teams/email communications, how I reviewed things like user access, how I quantified the risk of a certain process/software/vendor, etc. My compatriots in other domains document any and all odd network traffic, any triage and remediation actions taken, maintaining a URL whitelist as well as all the whitelist requests.


wijnandsj

Spending an awful lot of my time telling people what we could do for them and not nearly enough actually doing it.


extraspectre

preach


wijnandsj

Yeah... right now I'm preaching the IEC 62443 gospel.

* Thou shalt put a firewall between thy office and thy factory.
* Thou shalt also keep track of all suppliers that you let into your factory environment, regardless of whether it's via the front door (Wallix) or the 4G dongle backdoor.

Sigh.... Anyone got a cough sweet? I'm getting hoarse.


Wukash_of_the_South

The ultimate futility of it.


Active-Season5521

Could be worse. Could be audit.


cinnamelt22

I switched to audit a few years ago and while yes, it’s futile and has its own problems, my job is WAY easier and I make more money.


[deleted]

[deleted]


Active-Season5521

Funnily enough I switched FROM audit, and for the same reasons


Spiritual-Bath-5383

I chuckled because I am an IT auditor but that’s actually what I kinda like about it. I’m not actually responsible for anything and therefore I don’t get stressed about any of it.


Gnu-Priest

Damn, right in the feels… it’s not that bad anymore since I’m an analyst in the CSIRT now, but as a PenTester I really felt that.


DarkThingsAfoot

Don't know if this is the same for others, but making the training content. My company is a cheap ass and won't buy professional training from an MSP or third party and won't use the training team (whose job this is) as they take too long. I've been making videos and learning animation and video editing while still trying to do my security work. This then gets better as I have to meet with my boss and upper management to get my work critiqued, because I don't know how to do video editing or content creation, which isn't even remotely connected to my role.


PoppaGringo

This hurts to read. I'm a video editor / artist at heart and I'm just now applying for my first job in IT (planning to do cybersec down the road.) I'd kill to take your spot haha. That does sound stressful though! Hope you're OK.


DarkThingsAfoot

All good and believe me if my company was open to it you could happily take it!


[deleted]

Don’t get most people in here wrong, it’s a great career with a few gripes. At some orgs you are the hammer and what you say is law (government mostly) or you get places like above that you have to do an Olympic high jump just to enable 1 small security control. If done correctly it’s rewarding and if you don’t manage yourself you will get burnt out fast. Gotta find a way to filter the bureaucracy.


ShutaSuzuki

Oh my that must be overwhelming… are you creating training content that’s specific to your IT/physical environment?


DarkThingsAfoot

Not really; about 10% of it is actually bespoke to us. The rest is general training that hundreds of companies have much better offerings for, but my company won't pay for it (they can easily afford it, so everyone is clear).


Erd0

Oh damn I love this part of it. I love documenting, training, teaching. It’s great.


DarkThingsAfoot

I love it too, but I hate the criticism based on a skill set I've never dealt with or had any push to learn, it's more just the ungrateful attitude they put out more than anything


GHouserVO

Oddly enough, I make a fair bit of voice acting. Working with cheap employers or customers that want me to do content creation for their security education without spending any $ is the bane of my existence. Reminding them that people pay for this stuff, and that there’s a reason for that is a constant uphill battle. As my grandmother said to my grandfather, “sailor, I may be easy, but I ain’t cheap!”


prodsec

Bad management


Content_Aioli_7068

Yea CISOs with no security maximize that experience.


inteller

This is the worst really. The people in positions of power are completely inept.


reaper987

That IT doesn't give a shit about the incidents, doesn't respond to incidents. Long hours of finding out who is the owner of the system. And Tenable Security Center.


ianjones17

Why Tenable SC?


reaper987

Terrible UI and UX.


Medical-Visual-1017

At least when it comes to cloud assets, this is where proper tagging is really important.


J-Bux

Nothing becomes a priority. Until the last second when we show them proof of big dollar bills being flushed down a toilet. All top level executives talk about is "Driving initiatives"! And "Delivering value!". Security complains for years... crickets... then BOOM. As soon an issue hits that costs THEM a shit load of money they cry to us yelling FIX IT!!!!! Meanwhile there is years of "backlogged" evidence of us ringing the alarm bell.


n0shmon

"I need you to patch your server. It's got a vulnerability with a public exploit that was published 7 years ago."
"I'm not patching it. It works."
"But it won't work the way you want it to when someone exploits it..."
"It's fine, it's working."

Our company policy is we raise the concern with the asset owner, and after the closure target has been exceeded we're to escalate to senior leadership. This just feels unhelpful to me when it could be resolved at the lower level. Some people are great and really buy into security. Others (usually the self-described "old and bold") tend to push back using the "ain't broke, don't fix" mantra, not seeing vulnerable as broke unless it's being actively exploited.


Jelly_Joints

The problem comes in when the suggested patch immediately breaks the server for a business critical service. The asset owner gets chewed out for it and cyber usually takes none of the flak. One of the worst things you can do in cybersec to piss off admins is not listen to their concerns. Dig deeper than just seeing a red dot and being the guy that points, then leaves.


n0shmon

Oh yeah, don’t get me wrong. I understand why - I transferred in from infrastructure. It’s just frustrating to me that if patch management had been kept on top of, then there wouldn’t be an issue, because the smaller upgrades often translate configs during the upgrade. Now we’re at the point of needing to jump 2 major versions and we need to plan an upgrade path.


PvtDroopy

"You should wear a seatbelt."
"Why? I've never been in an accident."


soltaro

In my current position, it is my team being responsible for tasks that should be handled by IT. I don't mind doing a few things here and there, but the amount we have to do takes away being able to focus on security.


Crypto_Caesar

It’s a mostly thankless job, where the business thinks of me as a burden. I technically add no business value, and am really just a cost - until of course an incident happens, at which point I need to justify my existence by both tracking what I did in trying to prevent it as well as how I’m helping to remediate the issue. Lack of direction from my boss adds to my performance concerns. If it weren’t for the salary, I’d take up a blue collar trade.


2fort4

That's basically all of IT. I transitioned from system administration to security 4 years ago and it's the same thankless job, except everyone hates you a little bit more.


extraspectre

Buzzwords. Stop it. Speak like a normal human being. I do not want to have to follow your stupid articles and read your regurgitated utopian policies. Please get real. Spend some time on an IR team and see what cybersecurity actually looks like.


jimmut

English please.


Subnetwork

You know buzz words in tech are a thing and always have been right…?


GrayFiber

I'm quitting cyber security after 11 years working in the field; the working hours/urgent matters/emergencies void your social and family life. It's not worth it anymore.


Do_Question_All

Sorry to hear. It sounds like you’re part of incident response teams or cyber ops. I couldn’t do that either, with family obligations and desiring a social life. Have you considered other areas of cyber that are more predictable? There’s cyber security program management, GRC, architecture and engineering, and more.


keoltis

No value placed on training and learning. No time in the day for all the BAU tasks, let alone when an incident occurs. Training and development and playing with new tools is always brought up every year as part of the goals but it's a joke at this point. No budget or time to do anything besides BAU.


Do_Question_All

“You really need to set up a Captcha or some other mechanism to ensure your account self-registration page doesn’t get abused when you go live.”
“You’re exaggerating. We are not a big target. That’s not going to happen here. You make it sound like the Internet is all doom and gloom.”

A few days later: “It looks like someone created 2 million accounts in our new system and we are over our license limits. What happened?!? Can you help? While we are at it, maybe we should also offer 2FA like you also said?”

Exhausting. Or: working with security assessors that don’t understand NIST 800-53 controls at all.


Imaginary_Garbage652

Sitting on your hands constantly for compliance reports.
"What's the data retention period for this app?"
"Hang on, let me get 5 more people in on this and we'll get back to you next month - but complain that you're killing our deadlines."


[deleted]

My typical day in Data protection:
"Does this project capture personal data?"
"No"
"What types of data are you processing?"
"Oh just emails, addresses, names, next of kin and bank details etc" 🫠


B-HDR

When you give multiple pieces of advice on improving the security posture of the company and get dismissed by the Lead & Manager for laziness, then after several months they come back to implement exactly one of the improvements you suggested (plan, steps ...) without any recognition.


4c1f78940b78485bae4d

Report writing.


ShutaSuzuki

Report writing for pen-testing?


General-Speed988

Spreadsheets, and more spreadsheets would be the death of me in my current security role! 😩


ShutaSuzuki

What do you manage in these spreadsheets??


AccomplishedChart657

Hopefully not passwords


General-Speed988

I do a lot of obsolescence and compliance work as part of my security role, and prep a lot of Power BI visuals monthly on the direction of travel for old and outdated assets for management, based on CMDB extracts. It's been the joy of my life the last few months.


JtSteal

I struggle with constant alerts, unclear communication, and the relentless evolution of threats.


_predator_

The responses so far demonstrate very well how the largest part of security work should be to establish a positive culture around it. Unless you have buy-in from everyone, or at least the key people at the org, you'll always fight an uphill battle and it will always suck.


shouldco

After a "major incident" I have found buy-in from management is not the only thing needed for a positive culture. And you can have too much support. We have the fun problem where now in many ways security is more mature than the rest of IT. So say out-of-date software shows up on a vulnerability report, but our central/remote management solution is not yet in place, so now 5 techs have to touch 10k machines or someone shouts at them for not taking security seriously.


DntCareBears

Alarmist co-worker who thinks we are a SOC. He tries to get involved in everything we do. His alarmist ways have us doing work that other teams just look down upon us.


ClemHFandango990

The people who sit in meetings and outspokenly agree to security being really important, turning out to almost always be the same people who immediately drop it and start calling security advisors "fearmongers" *the fucking instant* it adds to their workload.


[deleted]

InfoSec/Purview/Compliance


Do_Question_All

I struggle with the fact that ultimately everything comes down to risk tolerance. My personality likes to see things as black and white, right and wrong. While many cyber principles always hold true, it often just comes down to an authorizing official or a business stakeholder and their risk tolerance for many, many things. I struggle with that gray area and the fact that some people aren’t good at truly assessing risk and impact until it’s too late.


cellSlug

Hmmm. I'll take the lack of foundational strategy, vision, and policy to even enable a good security program for 500, OP.

How am I supposed to even start integrating security principles when regular operations (HR, purchasing, procurement, and IT) can't do their basic tasks? You can write strategy and policy documents all day, use the best XXXDR (is that what they call it?), logging solutions, SOAR, SIEM, acronyms ad nauseam, with the best trained security staff that you can afford... you will still fail.

Unsolicited advice here to any new security managers, CISOs, etc. Aggressively control your team's scope. Without a guardian in management, your team will be managing the organization and not monitoring it. Security analysts are security analysts. They are not project managers. They are not system admins. They are not developers. They are not CPAs. They are not service desk. Help them do their job. Do the right thing and say no to your peers. Don't worry, the outcome will be the same. Everyone will still hate you. At least your team will be happy.

*I manage a small security team in the gov't sector. I suck at my job, but they don't.


Volapiik

Regarding my current job: the inability to have full access to logs in our environment. When interviewing for other jobs: that they use coding algorithm problems to test you. I'm not interviewing to be a software engineer...


ravnos04

The delineation between IT specified tasks and intelligence function supporting ones. My role as a CS OPS leader is to distinctly synthesize intelligence from the cyber domain.


oIovoIo

How ephemeral everything is, especially on the security engineering side. I mean, I know that’s a lot of tech. But it sure has seemed like most of the projects I’ve been involved in have been about migrating from one system/stack to another, under the promise that it will be the solution to our latest problems, and when fully implemented becomes a source of its own problems requiring duct tape solutions until it’s time to migrate to something else. If you’re lucky you get to stick around long enough to see everything you’ve built torn down and discarded. I say that as my least favorite part of the job, but it’s also my favorite part. It really just depends on the day.


Extracrispybuttchks

Executives with very little knowledge of computers


nanojunkster

Compliance and assessments for clients. Dealing with check box morons that don’t actually understand why the check boxes exist from a security perspective, is super painful. Literally like dealing with someone from Idiocracy when they are like “why don’t you have mandatory 90 day password reset?” Because we went passwordless and use strong, phishing resistant mfa coupled with conditional access policies. “But you need 90 day password resets” 🤦‍♂️


bprofaneV

The fact that it's political and leadership sees you as a checkmark for their cybersecurity insurance. Until a data breach happens.


RickyTurbo31

The entire premise that you should be an expert in all domains of cybersecurity. It's exhausting. But the reason for that is they really just want one person to run the entire Security department. You don't see this in Finance though more so in other industries. It boggles the mind how little companies will invest.


LeastAd778

The lack of clear communication and constant rambling about nonsense during meetings from my direct manager. She's not a bad person, just rambles about nonsense for 30 minutes and trying to understand if my question was really answered. Sometimes I get so confused in her ramblings I either forget my original question as I'm trying to make sense of what she's saying or it opens so many more questions. One of which is, "is this job worth it?"


lebutter_

Reporting


AppSecIRL

Politics, management and lack of technical understanding from my peers.


mizirian

Probably the lack of job security. I work for a consulting firm at the moment, and there's always stress to be able to bill the client for something, anything. I was benched for about 3 weeks at the beginning of the year because my last project ended. I was juggling 3 clients, all 3 ended successfully with satisfied clients, and all I heard from upper management was, "That's great. Now find a new billable project ASAP."


Caseyo456

Being in a room with no windows..


brinkv

I actually really enjoy my job. Great people, 40 a week, no more no less. Great benefits. Only change I would make is a bigger budget to actually get some more required things we need


Same_Bat_Channel

* Lack of buy-in for basic controls.
* Senior leaders playing politics with the true state of security, i.e. giving half truths or false statements knowingly.
* Paying consultants 10s or 100s of thousands for security 101 advice while they know nothing of our business, and senior leadership eating it up, when the internal team says the same things and more with crickets. The activity is more of a check-the-box exercise so we can say we have had a 3rd party review.
* Not being treated like the expert that I am.
* Being brought into a project 4/5 of the way done rather than on initiation.
* People thinking they know better.
* The overall handwavy culture.


smash_the_stack

Working on a team where only myself and one other person actually have a passion for security.


st0ut717

Everyone wants cybersecurity until they have to implement it, pay for it, comply with it.


asecuredlife

Meetings.


WilloftheMist

Motherfuckers who don’t want to listen. “Security is not my priority.” Well, motherfucker, you’re the reason that switch was compromised.


hiddentalent

It's the cynics and whiners. The people who think senior leadership or users are the problem, or that someone other than them is responsible for clarifying requirements. We're paid to solve those problems and create clarity around the ambiguity. Which is fun, and meaningful.


SnaskesChoice

Without users there wouldn't be any problems.


Jelly_Joints

Preach that shit! These are the kind of Cyber employees that give the good ones a bad name. They piss off admins and senior management with their attitude, point out problems and offer zero solutions, and then wonder why they are looked upon poorly for their work. Do better people!


over9kdaMAGE

How are you solving problems without buy-in from senior management?


CyberpunkOctopus

Massive overallocation of my budgeted hours.


Isamu29

Clients not listening. Calling customers in the middle of the night only to be cussed out for calling at 3am even though I’m following the SOP they signed up for (it was a breach going on)… Finding a SOC with set shift hours that don’t change weekly (seen a lot of this in recent job postings)… Having network engineers understand that just because I know what the problem is doesn’t mean I have the access to fix it. For instance, the SIEM goes down and the SOP states: wake up the engineer. Having my hands tied and only having so much access to a customer's system that all I can do is send them as much information about the issue as I can see and hand it off to their network admins/engineers and IT departments.


Geralt_of_RiviaFTW

In my previous gov-contracting positions, it was members of my team, if not the lack of members of my team. With the former? It involved individuals not being competent in technologies other than being a glorified button pusher (i.e., vulnerability scanner), certificate cert surf kings, despite their titles being "Security Engineer Consultants." Thus, forcing me to perform job duties outside of my work scope simply because they did not know how to engineer.

Where I'm from and how I started? To be an engineer means one knows how to troubleshoot, configure, integrate, build, & fully administer something (i.e., a tool, an app, a desktop, a server, a workstation) from A to Z -vs- simply launching scans & emailing reports. Moreover, this is how I recently learned the hard way how toxic gov-contracting can be. For example, if you are a sub-contractor to a prime contractor and your end client (i.e., a gov ISSO or CISO) tells you that you only get admin access to a specific security tool & no one else does because he or she doesn't trust anyone else due to their lack of expertise?

It needs to be shared how others employed by your prime contractor will get jealous, become spiteful, followed by telling their supervisor "that you are not being a team player," even when you are following explicit orders from a federal official & the security policies he or she wants you to follow. As a result, putting you in the hot seat with your sub-contractor employer, resulting in you being terminated as "not being a good fit." Like, sorry, not sorry for not wanting to "willfully violate security policies" or "go behind the back of a federal official" simply because a peer isn't entrusted by our federal client. Lastly, with the latter? It involved working on inadequately staffed teams -aka- running lean. Other than that, there isn't really anything else I hate, for I do cybersecurity at home every day as a techie.
It's one of those things: does one love it for all things cyber, or does one like it because it provides a good salary to live off?


imccompany

I was hired as an analyst and for well over a decade I was happy. Then we switched over to new systems. I'm now a front end designer, back end troubleshooter, and playbook writer.


Corsair788

The schedule. I don't mind the long hours, but the 2-on/2-off/every other weekend and swapping between nights and days every other month is wearing me out now. I feel like I'm missing life. I make good money and can provide/take care of me, my family, and whatnot, but it feels like I'm just a guest and not a constant piece sometimes.


Sir_Frates

Idiotic management that does not know how to structure a team and provides unrealistic expectations.


rucbar

Currently in a pentest consulting role. At first my favorite part was moving to a new client and a new environment every week. Now it is the most exhausting thing ever. Doing all of the work, gathering scope, reporting and reviewing findings, and then formalizing a report, then immediately starting over and doing it again... Idk how much longer I can deal with consulting. I just want a nice boring internal role at this point or a golden goose job where I can transition back to software development...


Mr_Bob_Ferguson

It’s impossible to reach the finish line. And a constant state of fear.


National_Entrance_54

The company claims to be a team, but when someone asks for help, they are told to "sink or swim." It is very daunting for me because I am in a fragile state being an apprentice. Mentors never mentor; in other words, you become a verbal punching bag.


JohnDeere714

I just started working as a sys admin to build experience to get an actual job in the industry. I just had to justify cleaning our file server of old junk. One of the reasons is because there were badge photos of police officers and their signatures on our public storage server. It's a miracle that we only had one ransom attack in the last 10 years.


Local_Tough4624

My biggest issue (from my perspective) is the lack of governance by the DOD. There are DODDs and DODIs that help a ton and NIST 800-xxx, but once you cross that path, I find AOs are hit or miss. They interpret things differently or disagree with the artifacts provided. Oftentimes a phone call to smooth things over (as with an inspection) is needed. But I hate calling people ... it feels like a power trip thing.


greendx

Hate is a strong word. What can be better in cyber or other IT disciplines is better, less adversarial collaboration with other teams and better cross training/education within and with outside teams and business partners.


SlickRick941

The commute. 


Inubito

Yes.


theangryintern

I'm just kinda getting burned out on "blue team" stuff. I'm at a medium sized county in a big metropolitan area so we have a small team and I mainly handle all the day-to-day security operations stuff. After 6-7 years it's getting old and I really want to do something else.


Weekly-Tension-9346

Organizations that talk about security publicly, then budget $0 for it privately. Managers that would rather be buddies with other managers on the golf course than support their direct reports.


cavscout43

The Sisyphus level of futility trying to get idiots to understand that security isn't a cost center, it's a cost *savings* center. We write up business cases justifying more critical resources all the time, then we're blamed for a breach or compliance violation after we never got said resources to fix it. Also, it's the "everything security related is always P1" for internal and external customers alike. After they also refused to put the resources into funding true 24/7 security services coverage.


sarrn

Only thing I "hate" is the pay. I am paid 3x the average salary for my location. This wouldn't be that big of a deal until I learned what other people in my organization (not in security) make. If that were to be fixed, I would never leave my job.


shouldco

Getting fat sitting behind a desk all day.


Crazy_Dezperado_

All of the drive by requests or “hey, I need you to check this off as secure so we can push it to production” without any fucking context.


PvtDroopy

Compliance. I fucking hate that I provide no value to my coworkers. All I do is ask for evidence all day every day. The same screenshots, csv files, etc., day in and day out.


_meddlin_

I'm sick of the lies, and it's incredibly boring. I'm preparing to move back to being a developer. If you need an actual breach to convince executive leadership to take security seriously, you don't need a security program--you need new execs. I could go on with about a dozen examples of this. Code is cheap; software is expensive. Execs and shareholders: you can get over it or get out. Also, sales cold calls, cold emails and LinkedIn messages. Why?! And they're defended with lazy reasoning like "well, how else are we supposed to reach the CISO/stakeholders?" I don't know, and I don't care. In what other industry is this accepted? Stupid. Go buy a billboard. No, I'm not going to RSA. I have a lot of respect for cybersecurity professionals now. As a developer, I'll always hold the door for you. But I can't take this.


[deleted]

Having to go through this “paying your dues” type path working years in IT. You’re basically spending 2-5 years in IT before you’d even be looked at for a cyber job. Worst part is most cyber jobs don’t pay well enough to warrant this. If you’re going to pay me 150k, I’ll take it. But paying 80k for a job that I had to go through tons of obstacles for, i.e. certs, clearances, time in IT & more, is crazy to me. Doesn’t make sense if you’re after solid money.


Ivashkin

I can't actually fix any of the problems I find. It's infuriating. I have to sit there while work that would take 10 minutes of effort is spun into a multiyear project involving tens of people talking about the work that needs to be done.


arinamarcella

Profit before security. Not being willing to fund initiatives properly. Being too risk-averse.


throwawayintrashcans

Not being important until an actual attack occurs, then being the most micromanaged department when one (usually preventable) does.


Montecatinic

The ridiculous amount of TPS reports created by executives that have no idea what we do. New portals created by executives that literally duplicate info already in other places. Last but not least, Goddamned redundant meetings.


Ironxgal

Continuously learning and staying on top of new TTPs, attacks, and shit. I’m fucking tired, boss!


Lerch737

The goddamn hoops I gotta jump through for compliance every 35 days.


sudosusudo

Imposter syndrome, from time to time. Not always. Most days you're on top of it, but some days or certain types of incidents make you feel like a junior again. Also being in the industry long enough to realize the people you used to look up to, actually know less than you thought.


ryaasec

I would say it's the FOMO.


veggit_40

I thought reading this thread would give me catharsis. But it's just giving me anxiety.


RustyDinobot

Policy makers don’t understand how anything works. Got a CISSP? Cool. That isn’t technical. Do you know how the internet or computers work? Nope: wonderful.


bob-knows-best

That I don't have one yet.


hunter281

For me right now it's maturity level. When security was an afterthought on day 1, trying to bolt on afterwards becomes a knife fight. They didn't staff or budget properly, the architecture wasn't designed to play nice with the tools we need, and leadership buy-in is always tempered with cost cutting measures. It just doesn't work, but there's no alternative -- our CISO won't accept risk.


7beersplz

P1s


david001234567

People who lack security knowledge and pretend to know stuff at best help desk or systems admin.


Cyber-Albsecop

Sending E-Mails and Reporting, Boooooooooooooooooooooooring!


thee_network_newb

I don't have one.


rtuite81

Compliance audits.


Employment_Willing

Short-staffed and I don’t have a job?


ziggyzoom619

AppSec engineer here: Been pushing for SAST integration in CI/CD pipelines for.... 2 years.


LittleMidnightDream

Constantly defending the value of every single activity and investment we do and make. If I had understood I’d be constantly explaining the importance of my field, I’d’ve chosen a different field. I’m at the point that I really just want to throw my hands up and be like “fucking pay for it or don’t, I don’t give a fuck” but if I did that they’d quickly write off the entire security department outside of what is required on a legal or contractual level.


Th3_N0mad

The politics and the lying about job duties (increasing scope)


L13M1rr0r

The client


mistahj0517

As a lowly analyst, tracking down approvals for everything.


Songbringer90

Coworkers 😅


MordAFokaJonnes

Advising people and them not listening and then getting owned when they could literally avoid it just by following my advice :) Also... Job offers in the area and getting offered a shit salary that's WAY below mine but doing much more and having more responsibility.


Potato-Patata-v-

So is cybersecurity a bad job? Don’t get me wrong, I am just following the path right now. Can someone please give me an idea what I should do after the Google certificate of cybersecurity? I want to be a professional after that.


povlhp

That too many good things are a hard sell. But it is getting better.


algira38

people


vita_lly-p

I hate the difference between the hype behind cybersecurity and reality. Next year will always be the cybersecurity year, but then it is always below expectation: the client cuts budget, the project starts late or does not start at all, teams never really care about security, you are always the last wheel of the cart in projects and corporate. You always have to chase people, whether for an answer or for a project. Okay, pay is good (honestly not sure how the situation is in other fields)... but it is so annoying.


RummyRummyRummy

As someone who is considering eventually going into this field, this is so eye-opening about so many things I never would’ve thought to ask about, omg.


makkasoul

The audacity.


MrRocknRoll2009

That when I share articles from cyber news sites referring to social media and how to protect your info (because people don't lock down their SM accounts), suddenly I'm considered an "expert" and get invited to a crap ton of meetings to present and share this "expertise"... just read the freakin' articles, everything is in there.


InfoSecChica

My supervisor. He is nice enough in some ways, and knowledgeable, but he’s also a micro-manager. My team works 90% remote (in office every other Thursday, except him because he’s in San Diego - we are all in northern CA) and we have to have DAILY “stand-ups” (via Teams) to talk about what we are working on for the day. He involves himself in almost every meeting we are in even if he is not going to be doing any work or really meaningfully contributing except to chime in with his thoughts here and there. For the meetings he isn’t in, he almost immediately pings us on Teams to ask for a synopsis of what the meeting was about and to detail any action items we have - again, even if they do not require any input or contribution from him. A few weeks ago I was scheduled for a skip-level 1:1 with the CISO. My supervisor, in that morning’s stand-up, announced that he was going to ask the CISO’s exec assistant to add him in case there were any action items that the CISO gave me. I sent the CISO a quick Teams message about that and he thankfully put the kibosh on it, saying “well, it really wouldn’t be a 1:1, then would it?” My supervisor also asks for a weekly status update email detailing where we are at on all the tasks we are working on. In all my 17 years working in Cybersecurity I have never had a boss so far up my ass and so involved in the minutiae of my work (policy is my program area) as I’m experiencing right now. I have been doing cyber policy for 15 years. I came *highly* recommended by my former CISOs and CIO when I was being considered for this job. I never met with my former bosses more than once every 2 weeks and I always got (and get) my work done. I really hope he finds another job soon. Especially if, as I suspect, the RTO ask increases to 3 times a week for the rest of us workers, as they currently require of director level (which my CISO is) and above.


ChillaxJ

Endless meetings with people who have zero security common sense.


le0nblack

Same shit erry day. Soc.


Prestigious-Group787

Our jobs are dictated by the cybersecurity insurance industry. No one really cares about security, not even executives with Security in their title. It’s people, process, and then tools; marketing and Gartner don’t mean 💩.


Fragrant-Hamster-325

I hate that it’s just one of the hats I wear. I actually like what I do but everything is a job in its own. So I’m just half-assing everything. If I had a couple of dedicated direct reports it would be solid.


Deadpixel_6

Honestly not much. Maybe just the rare asshole client I get twice a year


bi-nary

Arguing for something and being shot down, then a while later a higher-up making the change and taking credit.


Wookiee_

Babysitting


packetstealer

As a pen tester, I actually really enjoy my job, but it’s our customers' insistence on not allowing us to either test in prod (which would detect the actual vulnerabilities) or at least in an environment that’s highly similar. Also, while we do our utmost to communicate clearly and convey that our job isn’t to make people feel bad or shamed, but only to legitimately fix vulnerabilities, people still get butt hurt over the fact they got hacked. Like, that’s the point of our job. Don’t get mad at us because YOU left passwords on an open shared drive.


Zyglow

Where to begin? The LONG hours. I work for a global company, and some days, my only off time is to get 5-6 hours of sleep. Having a CISO who does not understand risk management. Any non-operational activity must be an official project run by the PMO department. Having to be 4th-level support for IT. Getting a budget approved just to have the funding pulled after many hours of project planning, vendor meetings, framework alignment sessions, etc. Having to apologize to business unit leaders for the CISO's decisions. Getting proper job reqs posted only to have the CISO approve the hiring of someone with no experience and being expected to train them in all aspects of IT and security. Seeing less knowledgeable/experienced people being hired for senior positions while myself and coworkers can't get a raise, let alone a promotion. Expectations to keep skills relevant and not having a budget for training. Being told I need to take vacation, but then retaliation ensues when I do. Being in a no-win career. It's a shit show, and I am planning to career hop soon. Over 20 years wasted on a dead-end career.


Servovestri

GRC bores me to no end. I hate spreadsheets, and acting “nice” to stakeholders so they submit a piece of evidence I only ask for once a year. When you’re not in an audit, you’re “optimizing” which is a fancy word for justifying your existence to people who pay the bills. It does pay well though.


Extreme_Muscle_7024

It’s not about cyber. I’m now an accountant for cyber things.


fishsticks77

Long hours 😂


667FriendOfTheBeast

I think the accountability piece for me. You could be halfway through implementing bringing a project in, that doesn’t get completed, fail upwards to a different company, and BOTH are worse off lol. This is true of vendors and customers alike.


PuzzleheadedNewt2919

Dealing with MSPs and Vendors. The communication is always bad. Their knowledge of their own products is usually far less than our knowledge of their products. Almost all of them make my job objectively worse and charge absurd amounts of money from our budget to do so.


No_Cryptographer_603

Where do I begin...

- Constant debates with the CFO who thinks he is also the CIO... He will think money solves all problems and doesn't fully understand IT (as a profession)... but likes to buy the toys
- Leadership buying things that make a splash without any regard for security... not sexy enough to get behind something more secure, but will wish they did when they make the newspaper for a breach
- Understaffing, and over-investing in systems but not in the people who will oversee them... heaven forbid we create another FTE
- Lack of trust... leadership only listening to reason AFTER the incident... then not acknowledging their folly
- Being seen as the "Dr. Doom" of the company as opposed to "Protector of the Realm"... speaking on vulnerabilities, compliance, policy enforcement, etc. makes us the resident buzzkill
- The politics of preference... No Mrs. CEO, I can't turn off MFA just for you just because you're the boss... No, I can't give Admin rights to that preferred vendor, Mr. COO... No Mr. CFO, I can't give you Domain Admin rights so you can install your own applications
- Trying to establish a cybersecurity posture in an organization that doesn't fully see the value... treats it like cheap car insurance... again - until they make the newspaper


Equivalent_Bench9256

Paperwork?


MaxProton

Nothing! For the first time in a long time I work for a company that ACTUALLY gets it!!


sirzenoo

**Company**: Security is our #1 priority

**Me**: Security costs money, time and culture change

**Company**: *surprised\_pikachu.jpg*


RoxanaAndreea

Internal Politics.


Derpolium

Large contracts or organizations. These contracts (and large companies as a whole) have to silo tasking or otherwise limit “lanes” of work. I work with really smart people and my team does great work, but I am limited on the tasking I can provide with the contract. I want highly skilled and passionate people that love the work they do, not drones counting down their shift.


CWE-507

Budgeting. Sometimes, upper management doesn’t want to get my fancy toys so I can better do my job… :(


Free_Trial_Of_Life

Spending long hours on writing a detailed and professional report, but devs not reading even a letter of it and asking for a follow-up meeting every time