Why our bad mental diet leads us to question if security even matters

“I guess that just proves that what we do in security doesn’t matter. Maybe we don’t matter.”

This sort of response tends to pop up when the industry is presented with evidence that security breaches don’t create any or lasting harm for companies and consumers.

Does the evidence in those reports suggest we don’t matter?

Hardly.

But it can be discouraging. We all seek purpose in our work. Evidence that contradicts what we expect is sometimes hard to grapple with. In trying to make sense of the findings, we question ourselves.

It’s natural. Perhaps we need to consider some of the other factors at play here.

You can’t out train a bad diet

It’s a maxim from gyms and fitness programs that you simply cannot out train a bad diet. To maximize your performance requires eating a proper diet. In my experience, sleep is equally, if not more important.

Good advice for the gym is also smart for security leaders.

Your performance in the office is connected to how well you take care of your physical body. Sleep deprived, stressed-out, and making poor dietary choices influences our perception of events and how we think.

What about your mental diet?

You can’t outperform a bad mental diet, either

Security is surrounded by negativity.

The headlines routinely focus on and amplify the failures of security. Admittedly, it is perceived as more challenging to measure and demonstrate the good of security, while the mistakes and failures are obvious. Especially in hindsight.

Consider the impact of consuming a steady diet of news that suggests shortages of talent, lack of respect, and low compliance. Then cap it off with evidence that what we’ve been preaching might not be as dire.

What happens to your thinking when surrounded by such negativity?

It makes for a bad day and a poor outlook.

Even if you don’t think you’ve bought in, how does it impact your ability to forge the relationships and lead the transformation organizations need?

Is security really all about the negative?

“Without risk, there is no reward.”

Security has a natural tendency to focus on the downside of risk. It’s what we experience. Security professionals gain a rare understanding of what can go wrong. We’re expected to consider the scenarios of what can go wrong in an effort to offer solutions to prevent or reduce our exposure to negative risk.

Few of us get to experience the upside of risk.

As such, our perspective gets a bit skewed. Sometimes in our haste to sense the downside, we overlook the upside to put the risk balance in perspective. Instead, we focus on the controls and actions we can take to prevent anything bad from happening.

It’s exhausting work.

And if we end up focusing on an interesting, but ultimately small downside risk — when compared to the upside — it is often unrewarding work, too. It contributes to the negative perceptions we place on ourselves and allow others to ascribe to us.

Security is far from negative. Especially when it works. The key is to look for, and celebrate, the upside of risk and the role security played.

Take time to celebrate the good in security

Do you ever get to the end of the week, look at the unfinished tasks on your impressive and impossible task list from Monday, and feel like you got nothing done?

I used to. Then I started making time each Friday to purposefully consider what I accomplished on the week. I avoid focusing on what went wrong, what I didn’t finish, and other negative items. Instead, I take time to consider what went right.

I build the list and take a few moments to just reflect on it. Then I actually share the list with my team and some trusted advisors. It does a few things for me:

• I realize that despite an unrealistic list and sometimes impressive demands on my time, I completed important work.
• I consider if anything I created or completed was actually necessary. By focusing on the good stuff I got done, I get a glimpse into what I can crowd out next week to allow even more of the good stuff to happen.

This simple act allows me to celebrate the good of the week. I end the week strong and gain important insights for a better next week.

What if you ended your week doing the same with your team?

Does security even matter?

Without question, security matters. More importantly, your work in security matters.

As our environments change and attackers rapidly adapt, it’s easy to feel defeated. When evidence suggests little harm from breaches, sometimes it feels like we got punched in the face.

It’s time to reframe and refocus.

We’re at a transition point in security. Discomfort is a part of change. It’s important to make the time to consider and reframe events in security.

The evidence is pointing us in a different direction.  It’s time to lay down the bias for prevention.

We have to stop thinking in terms of gaps. Instead of presenting gaps — the things we’re missing — focus on how we need to work together with others to address the changing nature of our work and our risks.

It’s not all on our shoulders.

By taking time to celebrate the good work we’re doing and changing up the diet — physical and mental — we consume, we’ll be better off. So will the companies we serve.

Share some of your good things this week with me on twitter (@catalyst) or leave a comment. The more we focus on progress, the more we’ll experience.