• United States




Conserve your passion for the sake of your IT career

Aug 21, 20096 mins
Data and Information SecuritySecurity

Emotion has its place at work, but facts and reason are better tools for making a security case

I cringed when I heard my knowledgeable coworker call my boss an idiot and tell him his ideas would doom the company to security failure.

See, I’ve been that guy. And in a 22-year-plus career, I’ve sometimes regretted it. There is almost always a better way of presenting your case than telling your boss you won’t do something or won’t participate in a particular way. I can understand denying participation in something illegal (which I’ve also had to do a few times), but frequently, the emotion comes about because the security person strongly disagrees with a particular technical decision.

[ Here are two more ways to set yourself apart from your peers. | Get better at doing security with InfoWorld’s free . | Subscribe to InfoWorld’s free weekly Security newsletter to stay informed of the latest threats and fixes. ]

It’s all right to oppose something you feel strongly about, but oftentimes these principle stands end up being career-limiting moves. As a passionate worker, you think you’re helping to correct the boss’ mistaken factual understanding, but you fail to understand that the boss just marked you as a “problem employee.” That will show up somewhere in your next annual review or around bonus time — or these days, when the boss is decides who gets to keep their job.

At 42 years old (almost 43), I’ve learned that presentation has a lot more value than I used to believe. How you say it is as important as what you say, perhaps more if you want to win the technology argument.

I’ve learned that passion is a good thing, but best when used sparingly in public. What might be great enthusiasm in a speech or presentation comes off as a little overly excited in a one-on-one meeting with your boss or in a team gathering. It’s even OK to be passionate to the boss when you support one of his or her ideas or a direction in which the company is already headed.

Passion is risky when going against the flow. In college and education ads, they always say we should be aggressive risk-takers and speak the truth as loudly as possible whenever possible. But if you want to see a person that has been with the same company for 25 years, I’ll show you someone that most likely did what they were told. The hard reality is that taking passionate risks and constantly being outspoken can more easily threaten your career than simply following instructions and being passive. It’s called risk for a reason.

Taking risks means you are going against the general flow. And even if you’re right, you may not get credit, or you won’t get credit until after you’re gone. Suppose you believe that your company needs to spend an enormous amount of money on XYZ firewall to remain perfectly protected. Even though XYZ firewall is a huge expense, you argue your case with management, and after much blood on the ground, you win and get approval to buy and install that firewall.

There is a good chance that if the firewall does its job perfectly and your company suffers no successful attacks, management will think that it overbought and perhaps didn’t need such great protection. I can assure you some other team that is making money for the company will complain how your stupid ideas are constraining the organization from making even more revenue and could even be losing customers.

Or suppose malware comes in another way — say, on an employee’s USB key — and infects the company. Management will definitely wonder why it spent all that money on the firewall when you should have been better managing USB keys.

[ A top 10 security list will help keep you and the rest of the company focused on the biggest threats. ]

This is not to say that passion isn’t a good thing. I’m a very passionate person and could no more remove strong emotions from my core than I could my own DNA. Every great idea, every new paradigm starts with a single passionate person promoting something others either didn’t believe or fought against. But it’s a good gut check to ask yourself if your passion is translating into eventual action in your favor or being ignored by management.

If you want to rise in your career, channel your passion appropriately. Here are a few hints. First, if you are a passionate advocate, try to avoid being passionate all the time. Choose your moments, and when you decide to be passionate, try to be less passionate even then. Use your strong passion for when you know you can do the most good, with the best chance of success, and with the least amount of animosity thrown your way. Surprisingly, I’ve had good luck being passionate with senior executives, even when disagreeing, but used sparingly.

Second, when writing or speaking, words such as “never” and “always” should be stricken. Instead, use phrases such as “would make it more difficult to secure,” “would make it more difficult to minimize security risk,” “increases the risk of compromise,” and so on. The reality is, these statements are probably more accurate than a passionate plea of “never” and “always.”

Lastly, and most importantly, instead of emotions alone, come loaded with metrics, facts, links, and citations to back up your passionate claims. Note: One magazine article doesn’t a fact make. Today’s bosses can do Internet searches, too, and any search is likely to bring up facts to support both sides of the argument. Comparative metrics and behaviors from market leaders in your own industry are better, and your own company’s metrics are best.

If you take a look around at the security leaders you admire most, I bet you’ll see a good mixture of passionate and emotional conservatism. These are the types of people that we want as leaders and bosses, and these are the types of people most likely to get promoted in most organizations. I say this as passionately as I can.

Related content:

What’s on your top 10 security list?

Ranking your top security priorities keeps everyone focused on the real problems

Two ways to be a super IT security admin

Thinking strategically and presenting solutions to problems can set you apart from your peers

Don’t blow your next IT security job interview

A security certification won’t get you a job. You need to prove you really know how to keep a company safe


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.

More from this author