As security professionals, we constantly face high-pressure demands and a series of seemingly impossible challenges. As the various research reports and surveys get published, the picture they paint is often bleak.
Yet we persist.
Talks about burnout are more frequent at conferences. Headlines focus on how and why people just don't understand. Some folks declare that "attackers are winning," and "we are losing the battle."
The focus on the negative makes it a bit hard to smile some days. Moreover, when we position ourselves in a constant battle, sometimes everyone feels like a foe, including our colleagues.
"No one is to be called an enemy, all are your benefactors, and no one does you harm. You have no enemy except yourselves." - Francis of Assisi
What if this approach of focusing on the negative works against us?
Without question, the experiences and insights we gain as security professionals give us a unique perspective on what can go wrong. Yet the more practice we get looking at the downside of risk, the more it often blinds us to the upside of risk. It gets personal, and our mission focuses on how we can stop all the bad things from happening.
Noble, but is it working?
When we treat it like a game (or worse, a war), then we obligate ourselves to keep score. We focus on each detail to maximize our impact. We move with urgency, sometimes in conflict with those we support.
When the game feels short and the pressure is high, we hyperfocus on winning. Sometimes at all costs.
Seth Godin recently wrote a post that questioned how long our "long game" really was. In that short read, Seth suggests that, in addition to short and long, we consider the infinite game.
"In the infinite game, though, something completely different is going on. In the infinite game, the point is to keep playing, not to win. In the infinite game, the journey is all there is. And so, players in an infinite game never stop giving so they can take. Players in this game throw a slower pitch so the batter can hit it, because a no-hitter shutout has no real upside."
I realize that many of us would be delighted to pitch continual shut-outs to the attackers who prey on our systems and information. "Perfect games" are rare in sports. "Perfect security" is an impossible dream.
Instead of winning or losing, consider security part of a continual journey. Investments in the people and business we serve improve the journey for everyone. As Seth explains:
"You certainly know people who play this game, you may well have been touched by them, inspired by them and taught by them. The wrong question to ask is, "but how do they win?" The right way to understand it is, "but is it worth playing?""
Instead of asking how we win, what if we focused on making sure security was worth engaging with? That places emphasis on connecting with individuals and providing useful information that leads to better decisions.
We can't prevent all the bad things from happening. Determined attackers find a way. The key is finding the balance. Embrace the reality that some loss is acceptable (due to theft, fraud, waste and the like). Instead of trying to protect everything, we need to work with others to protect the right things, the right amount.
Working with people to identify the biggest risks and the highest priorities takes a longer view. It requires an investment in understanding. More conversation and even some time for thinking.
The key is working with others to clearly define what is acceptable and what needs protection. In the process, the team grows bigger. Our burdens, in many cases, are shouldered by more people. In turn, we offer to help them alleviate theirs.
Take a few days, maybe a few weeks, and consider setting aside the notion of winning and losing. See what happens when you invest time in understanding others, "slowing down the pitches" of security to make them more understandable, and working to help others make better risk decisions.
By setting aside winning and losing, we are likely to find better results in a more pleasurable career.