By Rick McElroy
Information security. We love this job. We have to.
We fight upstream in a world where no one really cares; or, at least, no one cares enough to do the bare minimum. We peek behind the curtain and see all the really bad stuff. We obsess. We work long hours with little breaks—because we care. We sacrifice friendships, family relationships and personal growth, all to be better at this profession.
I often ask fellow peers: “What are you up to?” and it’s followed by “the latest research effort,” “the latest project,” or “the latest certification or education.” It is very rare—and you know who you are—to have a conversation that exists outside of a security discussion. It is even more rare to hear something like: “I am super happy, my life is great, and I love where I am right now.”
We are a driven bunch. We are focused. We break ourselves to achieve security. This is why I love this community—but it’s also killing some of us...literally.
I want to start a much broader discussion on the mental health of the professionals in our industry, and I am not the only one. I have seen, albeit rarely, this topic discussed at conferences. Shout out to Chris Nickerson for being the first person I can remember give a “real” infosec talk that was very personal and very reflective on 20 plus years in this industry.
I hope Chris’ example inspires more of us to do the same.
I used to get really obsessed about the latest hack or being the first on something. I saw this as a way to prove I belonged in the industry. I am less technically gifted than lots of people in cybersecurity, but as a former Marine, I decided I would outwork anyone. I’d stay later. I’d come in sooner. In pure Marine speak, I would “suck it up” to accomplish the mission and deal with whatever at a later date.
Well, the check is always due. Whether it’s the twice-a-week physical therapy sessions I have to go to from two decades of hunching over a keyboard or realizing that you simply cannot be effective sleeping only four hours a night and swilling coffee by the gallon, along with a growing waist line. These were just the physical impacts. Mentally, I can’t describe all of them.
Anxiety—how could one not have it with some of the jobs we do and the pressure in this industry, cleaning up personal relationships because I was always busy? Check.
I noticed these happening and was lucky enough to have great friends ask me: “What are you doing for you?” My response at the time was: “Nothing. I don’t have time.”
When I finally decided that for me to stick around and have the impact I wanted, I needed to take care of myself as much as I did my profession. A breakthrough occurred.
I’ve been happier. I’ve been fulfilled. I don’t drive myself and others around me crazy with constantly talking about the latest hack or threat. My life is in balance and I hope by sharing some of the things I do, this will help each of you take steps to live a happier life.
Things I have found helpful when I get too wrapped up around the infosec wheel
Far be it for me to tell each person what they should do outside of work, but my advice is do something completely outside of infosec. This means spending time with people outside of the industry too. Get a hobby outside of infosec. I don’t care what it is. I fish. Guess what? There is no Wi-Fi or mobile service out on the Pacific—and that’s fine by me.
Unplug. Put away all the electronics. Take a trip to the middle of the desert (Anza Borrego has helped me reflect greatly over the years)—even if it's just for a day. Take time to reflect. I don’t care where you go, just go and get away from the electronics for a bit.
Find a group of friends to talk to. Share. I promise, we are out there and I am very lucky to have found the friends I have. We can share anything. Without judgement. None of us can carry this burden alone. Sometimes it's great to unload and have some laughs about the craziness of infosec. I guarantee someone is going through the same thing you are. Maybe it takes that one person in a group to speak up first and start the conversation. Be a leader and start one.
Laugh more. For real…laugh more. I was once told by a VP at a company that I didn’t take my job very seriously. If you know me then you know how crazy that statement is. If you know me then you also know how much fun I like to have at work. Just because the work is important doesn’t mean you can’t have fun while doing it.
Let yourself off the hook for failing. It’s the only way we learn. We are pressured by the nature of our job to be perfect all the time. That is impossible. Learn from failure, but make it OK to fail.
Admit you don’t know everything. Literally say the words: “‘I don’t know.” Watch the space that gets opened up because you as a leader say that. Guess what? No one has all the answers. We shouldn’t pressure ourselves into having answers all the time. I went a long time in my career thinking I had to have all the answers. It actually held me back greatly.
Invest in your own personal growth. I have taken a number of courses over the years focused on personal development. I can tell you emphatically that these courses helped me more than any technical training I have ever been to. I won’t endorse one or another as these are all personal choices that should be made. Whatever you choose, do something for yourself.
Be mindful of the conversations you have. If you find yourself always talking infosec...STOP. If people ask, that’s one thing. But, every conversation does not need to be about what we do. WHO we are should not be defined by WHAT we do. If too much of your identity is wrapped up in your job, you are “infosecing” all wrong. If your conversations—and everyone around you—are negative, guess what; you will wind up being negative too. Try to find people up to ”big things” in life. Bad things happen. Constantly dwelling on them is a recipe for unhealthiness.
I challenge each of us to ask each other “How are you really doing?” We have it in our power to help each other and that is something I know this community is committed to. We do for others all the time. It’s time we took some time for ourselves. After all, an ounce of prevention is worth a pound of cure.
About Rick McElroy
Rick McElroy, security strategist for Carbon Black, has more than 17 years of information security experience educating and advising organizations on reducing their risk posture and tackling tough security challenges. He has performed services for the U.S. Department of Defense, and has held positions in several industries, including: retail, insurance, entertainment, cloud-computing, and higher education.