A KIWI IN AUSTIN
http://localhost:2368/
Ghost 3.2 feed, generated Tue, 24 Dec 2019 21:39:44 GMT

The Stigma of Self-Care
http://localhost:2368/the-stigma-of-self-care/
Tue, 20 Aug 2019 22:25:00 GMT

Don’t call in sick.

Don’t take vacation.

Work long hours.

Always be on call.

Don’t complain you’re tired.

Don’t show any weakness.

Don’t go to the doctor.

It’s all bullshit.

So my whole working life I’ve had this drilled into me. That taking time off is slacking. That calling in sick or taking care of yourself is weakness. That if you’re not working all the time, not doing overtime, you’re not pulling your weight. You’re letting your team down.

It’s all bullshit.

The technology industry is particularly bad at this it seems. Everyone is expected to go above and beyond. All the time.

You can’t live that way. If you’re lucky you’ll survive. Many aren’t lucky.

So far I count myself to be relatively lucky. I’ve burnt out a couple of times in the past; it’s not fun. It’s difficult to recover from if you don’t have the support around you to identify the issues and work to resolve them.

One time I broke down in tears in the office & quit because I couldn’t handle the pressure. Luckily the office manager at the time recognized it, and helped steer me in the right direction. It still took a while to get myself right again.

Not long after that I started seeing various high profile people I follow on twitter talking about self-care, what it means, why it’s important. It’s easy to read those kinds of things and think it will never happen to you. Chances are, if you’ve been in the industry for any good length of time it already has, or you’ve come close.

I’ve been trying hard over the past couple of years to keep an internal check on my state of mind. It’s not easy. Often I’ve identified times when I’ve been overdoing it, and can see burnout approaching and have been able to dial things back a bit and take some time. A half day here, a long weekend there. It helps a little.

More recently, I’ve found it harder and harder to keep burnout at bay. I’ve found more frustration at work than I have previously. Changes in leadership & staff issues all around me. Stress outside work as well feeding into it all.

Earlier this year, I found myself standing in the middle of the full office yelling at my executive about some issues he wasn’t addressing. That’s a pretty big red flag. I’m lucky I didn’t get fired. I pretty much immediately took a week off to try to sort myself out before I did something really stupid.

A week off, with no on-call. No laptop. Forced myself to not check email. It helped, but didn’t solve any of the issues. Two days after returning to work, the frustration and anger was already building back up.

Now, most of the time I overdo things, I get sick long before my mental state goes out the window. In the past, that meant I’d be out for 4-5 days with some kind of cold or flu like symptoms every couple of months. It took me a LONG time to recognize this pattern for what it was.

As I started addressing that, I hit this point less often; however, I’ve come to realize more recently that this simply means that my mental state has bigger blocks of time to devolve before my body tells me to stop.

I also grew up with somewhat expensive (non-emergency) healthcare, so going to the doctor was something you only did when you REALLY needed to. This naturally leads to a lack of normal maintenance. Which builds up. This also results in a stigma attached to going to the doctor. You only go when you’re weak. You don’t go just because you’re not feeling great, or to prevent issues. The stigma around mental health was even worse. Only crazy people go to therapy.

Now that I’m here in the US, I’ve found myself to have good health coverage through my employer, and have started overcoming this stigma and trying to catch up on normal healthcare maintenance. Turns out it’s a lot when you’ve mostly ignored it for 20 years. Trust me on this one – it’s a lot better to do it than to ignore it.

I’ve also finally been convinced that therapy is actually a thing that can help anyone. More than likely can help MOST people. I’ve started going, and it’s definitely helping me. Still a long way to go, however I’m getting to the point where I can discuss issues now, identify points of friction in my life, and starting to gain some tools to be able to address these issues before they become major problems.

While I don’t necessarily feel different externally, it appears that my demeanor has improved a bit too over the past few months as I’ve been working on things. Several people have made comments to that effect, which is eye-opening.

This tech industry, and infosec in particular, will take all it can from you if you let it. You need to build support networks; once you recognize the need, you’ll see the building blocks out there. Infosec twitter has been super helpful for me as a resource. While I still don’t participate a great deal, a lot of the prominent people there have talked about these and other related issues, and have helped me a great deal with the resources and discussions they’ve shared.

Even if you’re feeling fine, try to take a step back and look at yourself. There is always room for improvement, and self-care is 100% a necessity these days. Making the time for self-care can be tough, but a lot of tech companies have provision for support, or at least the flexibility to allow you to practice self-care.

It really does help, with your state of mind; with your relationships; with your work productivity. Burnout is not fun, and you should be doing all you can to avoid it.

Postscript
So I wrote the above a couple of weeks ago, but couldn’t post it for various reasons, none of which are particularly relevant. Some of it doesn’t seem entirely coherent to me now, but I want to leave it as I originally wrote it. Perhaps there is some value in seeing writing from a different state of mind.

Since then, I’ve had a week off the grid to recharge a bit. I don’t think it was long enough, but it was the best I was able to manage at the moment, and hopefully keeps me going for a while longer.

On re-reading this now right before I post, and in light of a few things I’ve seen on twitter in the last few days, I have a couple of additions I think I should make. Some of these will likely duplicate what I previously wrote. We’ll see. I won’t be going back over it & editing it this time around, so please bear with me.

Mental health is important
If you’re not careful, it can get away on you without you realizing. This can have devastating effects on yourself and the people around you.

Burnout is a mental health issue
Make no mistake, burnout comes at the cost of either or both of your mental and physical health. It is a lot more common than most people realize, although the discussions around this are happening more and more openly.

Ask for help
Don’t be afraid to reach out to those who are openly discussing the issues. In my experience, the ones being vocal about the issues are also some of the most willing to help others who are unable or as-yet unwilling to be open about their experiences.

The tech industry can be toxic
The tech industry in general, and particularly the infosec industry, has a lot of work to do before we are fully accepting of a lot of things, D&I being one of the big issues, and this somewhat overlaps with mental health issues as well. The stigma around mental health issues in the industry is definitely still a major issue, but is being shoved out into the light by more and more people willing to discuss it openly.

If you are lucky enough to have health insurance that covers it – go and get therapy
Whether you think you need it or not, if you are able to find a good therapist, it will most likely improve your wellbeing. I absolutely, without a doubt, KNEW I had no need for therapy. I was wrong. I wish I had realized this some years ago.

Dealing with Interruptions in a Technical Role
http://localhost:2368/dealing-with-interruptions-in-a-technical-role/
Sat, 23 Feb 2019 23:28:00 GMT

If you’ve ever worked a technical role in any kind of office environment, without a doubt you’ve had to deal with interruptions at inconvenient times. Even more so in the ever-popular open plan environment.

As most people in a technical role, by which I mean specifically tech industry roles, and likely many others have found, an open plan office is the exact opposite of efficient when it comes to being able to focus and get work done.

I know I’m not alone in coming to the realization that working from home for half a day is easily as good, if not more productive, than an entire day in a noisy open plan office.

Honestly, at this point, the only reason for me to be in the office is for social reasons, or business networking. I haven’t quite yet worked out an efficient way to do this over email, chat, or video calls. Office politics seems to be best played in person.

Regardless of this, there are many tech companies – the one I work for included – that very much prefer to see people “working” in the office. Despite all evidence to the contrary, this still seems to be evidence to some managers that their staff are “doing their jobs”.

There are many reasons that people put up with this kind of environment, that is not the point of this post. While a lot of people are completely mobile, many aren’t. For a number of valid reasons. Some are yet to realize their value, and ability to easily move to a better environment. Some are simply lazy, and want to cruise in a role where they don’t need to over-perform & compete – largely due to better staff leaving.

Personally, I have one of those valid reasons. Those who know me know what it is, those who don’t … don’t.

I’ve spent a fair bit of time watching mobile, competent colleagues move in & out of the company. It’s hard to watch, and hard to deal with as they move on to greener pastures, and leave those remaining to train their replacements. I don’t at all blame them for this.

So the way the cards currently lie, I’m a long-serving senior engineer at my company, and as one of the many hats I’ve acquired, I regularly mentor junior staff, and even senior staff that are new to our environment. This results in a lot of interruption on any given day. Since I’ve also been around longer than exactly ALL of our executive team, and almost all of our upper management, I also get tapped for information on a regular basis from those above me. It’s a slightly weird situation, but it’s definitely giving me opportunities to push myself that I likely wouldn’t get elsewhere.

Obviously, this results in constant interruptions, from all corners of the business. Context switching consumes a large proportion of the average day for me. For example, overnight security escalations bright and early, followed by a chunk of tool dev work, and ending the day with building some finance-related powerpoint slides that will be presented to the board. With usual daily work & interruptions all throughout.

I’ve gone through a few iterations of trying to fend off interruptions. I’ve tried working out of a conference room, wearing headphones all day, putting up signs saying I’m busy, blocking out my calendar.

The only (mostly) successful way I’ve found to avoid interruptions is to simply not be in the office environment.

As a result of this, I’ve learned to deal with constant context switching. Most people who interrupt me now know to start the conversation with the platform, customer, and department they need to discuss. It was a major struggle to get people to do this; I felt like a dick for a long time. Every time someone would interrupt me & ask a question I would stare at them blankly for a few seconds as my brain switched gears, and then have to ask them to repeat the question with the relevant information front and center.

I don’t know too many people that are in such a weird position as I am currently. I have yet to fully determine if it is a good experience or not. Many times it leaves me fried at the end of the day, which is definitely not good.

It was only very recently that I came to the conclusion that it is likely this constant context switching and constant interruption that is causing me to be exhausted all the time, and I’m still looking at ways to address it properly. Exercise helps. Being outside helps. Working less probably would if I could work out how to do that. Alcohol helps in the VERY short term, but rapidly makes it worse. I don’t recommend it as a long-term fix.

And yes, I recognize some of these are signs of burnout. I fully believe that is a legitimate thing, and I am aware of it and actively trying to mitigate it in my daily life. I’ve come to the realization there is more than a little cross-over between this post & the many posts people have written about burnout. I’m not sure I can add to those in any meaningful way, but if I can, it will likely become a post at some point.

For the moment I am not mobile, but this may change sometime later this year, and then I’ll hopefully be able to properly address the issues I’m facing, but until then …

How do YOU deal with constant interruptions? I’d love any advice people have, and am certainly open to any ideas that would allow me to have more of a life outside work where my brain isn’t totally fried at the end of the day.

Compliance is Security
aka Compliance-based Security in an Enterprise environment
http://localhost:2368/compliance-is-security/
Sun, 26 Aug 2018 22:30:00 GMT

First off, I’d like to preface this with a disclaimer, in the hopes of calming down those who are already angry simply from the title of this post, and won’t read any further before responding: I DO NOT BELIEVE COMPLIANCE = SECURITY.

However this is not something I see talked about very often, and from the few discussions I have had with people around this topic, I believe it to be more widespread than many would expect given how little it is openly discussed.

For the purposes of this argument, I will narrowly define “real” security as focusing on the larger, more in-depth frameworks (things like ISO27001, NIST Cybersecurity Framework, NIST 800-53, FedRAMP, FISMA). Companies that do things like threat detection, invest in their security team, build out their own SOC. You know, “security in depth”. Often it is larger companies that post about how they do this – Google, Amazon, Facebook – the ones that have the financial backing to pour money into the Security cost-center. A lot of smaller companies can struggle with this. Simply put – Security is Expensive. Whether it is hiring in highly experienced staff, building and training a team from scratch, building out your security toolkit and purchasing the technology to do so, or outsourcing to the many vendors that offer these services (AlienVault, Rapid7, AlertLogic, Splunk, etc). For those companies willing to invest in Security, selling these technologies and cultures, along with the associated costs, is relatively easy. Often it is not necessary to provide a direct link between the costs and the increase in revenue.

With that out of the way, one thing I have learnt over my time in the industry is that when it comes to security – and more specifically, getting budget for security – a lot of executives are not interested in “real” security. They have compliance goals in mind, and get a lot of pressure from customers, usually via the sales team, and from the board/shareholders to meet these compliance requirements.

This is not to say all companies are like this, or all executives are like this. Not even that this is limited to a certain size of company. My experience so far has been mixed with regards to this, both large, small & mid-size companies, with everything from extremely security-minded executives through to compliance-oriented and also some completely non-caring executives.

Depending on the corporate culture, and I suspect the market vertical (I have been largely within the software market for most of my career), the success and tenure of the security-minded executives can often be frustratingly short-lived.

Before moving on, a little about me, because I rarely post anything more than vague tweets. While my focus has long been on security, I am within the Operations organization within my company. DevOps, SysOps, DevSecOps, is there such a thing as ComplianceOps? I seem to have a varied role currently. I’m privileged enough to have been with my current company long enough that I am one of the longest-tenured employees at present. This has given me the ability to be a little more outspoken within the organization than I likely would be at my level in another organization. As we are a relatively small to mid-size organization I am often brought into many discussions and decision making processes that would normally be made at an upper management level, which makes for some interesting learning opportunities. I am currently working to extract myself somewhat from the day-to-day operations side, and move into a more dedicated Security & Compliance role.

I spend a lot of time reading what others in the industry write, and try to absorb the learnings so as to try to avoid causing similar issues. One side effect of that is that I get a lot of ‘i-told-you-so’ moments, as new management rotate in to the company, and don’t listen to things I say that seem obvious to me (having been there as long as I have). While complex, the enterprise information security industry doesn’t seem to be rocket surgery for the most part. As long as you pay attention to what is going on, both within and outside your organization, and can get some reasonable level of visibility into the workings of your organization, a lot of decisions seem to make themselves, or at the very least the number of choices you need to make narrows.

Some of the above will no doubt trigger some “exciting” feedback. Be respectful please, but I welcome it. I am definitely still learning, and have a lot of likely-incorrect opinions about things still. I feel like I’m now approaching the point where I know just enough to know I don’t know much.

Back to the story though.

One of the things that has slowly been building up in my mind is the difference in how a Security team must operate in organizations with a Compliance = Security culture, versus companies that believe in “real” information security.

However you want to name the Security organization within your company – Security, Information Security, IT Security, whatever – the fact remains that it is, from a financial viewpoint, a cost-center. At best it is a form of insurance. The Information Security organization is there to identify the risks to the company from a technical standpoint. Often this will go so far as physical security for the company, but I’ve found this often falls to “IT” or property services type organizations, depending on the size of the company.

As a member of your company’s Security organization, it is your job to identify and surface these risks, and determine the threat vectors, the likelihood of exploitation, and (usually, but not always) the potential financial impact were one of these risks to be exploited.

When it comes to a company that does “real” security this is often relatively straightforward. For a company that believes Compliance=Security (or Compliance over Security) this is significantly more complex.

When it comes to Compliance-based organizations (I’ve worked, or am currently working through: PCI-DSS, HIPAA, GDPR), there is often a mandate to tie the “security” costs back to increased revenue. This really comes in the form of Compliance attestations the sales team can put in front of customers to sell your products, or Compliance concerns that potential customers have surfaced as show-stoppers as they come down the sales pipeline.

This means things like FIM, IDS/IPS, vulnerability scanning, penetration testing are easier to sell to the organization. You can directly tie these back to PCI DSS (Requirement 11, “Regularly test security systems and processes”). Data flow diagrams, PII protections (encryption, obfuscation, pseudonymization) can be tied back to GDPR requirements (Article 32 explicitly names pseudonymisation and encryption as appropriate technical measures). Official security policies and security training for staff can be tied back to all of these.

However once you start looking at more in-depth defenses, it gets harder to justify the costs to the company, as technically you likely have already “ticked the box” for the compliance target.

Things like building out a SOC to fully monitor your security & vulnerability alerting can be super expensive, and even outsourcing this is often more than a company that is purely Compliance-focused is willing to accept.

Even “basic” things like fully encrypting all devices, particularly if it hasn’t been done consistently in the past, can be hard to do. The impact to staff can be intolerable, especially if your company has a lot of remote employees. Even things like a secure SDLC, while definitely a compliance requirement, often only get enough company/culture buy-in to pass the lowest possible bar required for compliance.

One thing that seems to come up in non-cloud-native companies, or those with a mixed environment, is that some of the basic security and compliance requirements often require ensuring your hardware and software is reasonably modern. Once you have a significant legacy codebase this becomes a lot of work, especially if your codebase ties in to hooks for specific Operating Systems that may have changed over the years. I’ve come to realize that a lot of organizations only spend enough to stay online, and focus the spending on the next shiny new feature they can sell. This results in aging infrastructure and unmaintained codebases that may suddenly have compliance requirements thrust upon them, and it almost always falls to the Security team to drive the fixes.

Cloud native companies often find the costs for keeping up with compliance requirements to be lower as a lot of the heavy lifting is done by the cloud provider. Also most (I hope) cloud native companies were built with security in mind, as they have grown up in the relatively recent past, with better security being more widely discussed, and (perhaps I’m being too naive here) something that should be considered table-stakes these days.

The result of this can be that the Security team gains a reputation as “those people” that “block development” or “make us do things we don’t want to do”. I understand no-one wants to be the one who has to go back and decipher undocumented, or, arguably worse, incorrectly documented code and systems, however this is not just a Software Engineering problem. It falls to the Systems Engineers as well – to make sure everything is brought up to scratch. Both teams need to work together.

I certainly struggle with the Compliance=Security mindset and how to sell “real” security to Compliance-oriented executives to meet their compliance mandate while still providing the best security posture possible for the company. This is something I’m actively working on, and welcome any feedback or reading recommendations.

While Security should be everyone’s concern, generally the Security team (and, to go a little further, the InfoSec community at large) need to be aware that “educating the user” will only take us so far, and it is up to the community to drive the improvements in any way possible, without relying on blaming the end-user for security concerns.

This is starting to ramble on, so I’ll end with one last thought that has been developing more in my head over the last few weeks:

Compliance requirements do not stem from a company’s Security team. They are business requirements that stem from the company executive strategy. If this is not clearly communicated by the executive team to the organization as a whole, the Security team will have massive resistance to overcome driving the necessary changes, and will become the sacrificial lamb if the compliance requirements are not met.

A few relevant references (no doubt there are better ones, these are just ones I already have handy):

https://www.pcisecuritystandards.org/document_library

https://gdpr-info.eu/

https://www.hipaajournal.com/hipaa-compliance-checklist/

https://www.nist.gov/cyberframework
