I’m in security… and it sucks.
In the back of a taxi, you trundle along to the airport, the usual discussion about how ungodly early it is and how miserable the weather has been, knowing damn well the inevitable question is approaching, filling you with dread, already you are forming your façade, cover story and make believe answer to get yourself through what should be a simple question.
“So, are you going on holiday or are you away for work?” she asks.
“Work this time, sadly”, you answer solemnly, knowing full well it’s always work, you never truly switch off and go on holiday even if this is a pure vacation trip.
Then, like a sledge hammer, the killer question comes in, and she says:
“So what do you do for work?”
You’ve sat through this a thousand times, and you should be well versed at how you handle it, yet still, it challenges you.
She doesn’t really care, she’s just making small talk, after all, she’s a taxi driver, you know exactly what she does, you can make a very quick broad sweeping assumption as to what her day looks like and be pretty confident you’ve got it right (you haven’t, but that’s a different discussion) and even with your introversion (regardless of whether you accept it), you should be capable of answering that one simple question, but you aren’t, it hits you like a brick wall and you fumble for the right words until eventually you blurt out
“I’m in security”
But that’s not enough, you know it isn’t, and even as she’s breathing in to ask another question, you awkwardly follow it up with
“I mean, not physical security like a door man or a security guard” it’s very important (to you) that she understands the difference, “I do cyber security.”
But that in itself feels inadequate, you feel the need to embellish it with more detail, and here’s where your story in terms of specifics may vary from mine, but the overall thread and theme will be the same.
“I work for a big tech company, and I try to stop hackers and bad guys from stealing information” or if I’m feeling particularly insecure that particular morning, and I do most, I might ratchet it up to “I work to stop terrorists and child abusers”. (Boom, follow that).
But you know, that’s still not enough, there is now a swirl of questions whirling around in her head that she wants to ask you, sometimes, they’re inane, other times, they’re as assumptive about you as you have been about her chosen life and career.
Perhaps something simple and close to home like, “Oh, I had a virus on my laptop” or “My husband had his identity stolen” right the way up to state actor involvement such as “I saw that on the news, it’s Russia doing all that isn’t it?” (It is).
The thing is, you know now, unless this person has a solid understanding for the basics of cyber security, and why should anyone really have to (yet another rant on that one to follow in another piece), this discussion cannot go anywhere, and you know that you have to spoon feed this discussion.
You see, the thing about working in security, is it’s different to most other technical roles, we don’t make anything, we don’t plug in a physical thing, what we do has no intrinsic end result, we also can’t explain it to most technical people let alone those that only have a basic grasp of computer science, we deal in magic and potential futures, we create concepts and ideas that might never come to fruition, we have to think the worst of everyone, both external threat actors (bad guys) and internal threats (our colleagues and friends), and we do it, generally, in isolation from the rest of the world and our support networks, be they colleagues, friends or families. No one else understands.
We live a lonely existence.
This time, thankfully, it’s a question of heads or tails that she throws at you:
“So which is more secure, Apple or Samsung?”
You resist the urge to go into a long and deep explanation of operating systems, user privileges and Sandboxing, which you know you’re more than capable of, but would take longer than the now 15 minute journey to the airport, and you settle for pulling your device out of your pocket and saying:
“I use a [insert device of choice here]”, the implication being if it’s good enough for you, it’s good enough for everyone else. (No religious device wars in this article, I’ll leave that to you, the reader, to have at your leisure)
That’s one of the loneliest parts of working in security, you have to dumb down everything for pretty much everyone, including other technical people.
You think differently to most people, and when you have tried to explain techniques, approaches and methodologies to others in the past you’ve faced blank stares, or worse, full-blown arguments and resistance, even when you know you are right.
“Oh I might have to look at one of those when my contract is up” she replies, then there’s a pregnant pause, one which your insecurity is urging you to fill.
And before you know it, you’ve started down the route of an explanation “They’re both good for different things” and you know there’s no stopping this train of thought and conversation now, you’re committed and slightly awkward.
You see the thing is, you love to teach others, and you wish to make them safer and more secure, you see it as your duty, your raison d’être (Reason to exist). And even though, you know there is a good chance half of what you’re about to say won’t hit home or sink in, you say it anyway.
Not just because you love to teach, and let’s be honest, show off a little, but because you’re passionate about it, and, more importantly, it’s one of the few things you can talk about, because the flip side of your role in security is keeping secrets.
Secrets, lies and subterfuge.
Your entire career is built on learning, and keeping secrets. Small innocent tiny secrets, and whopping great huge ones. You hold so much knowledge that you can never talk about, whether it’s corporate and commercially sensitive, classified government information or personal private details.
You never get a chance to flush that information out, it’s always there and just gets added to.
You know about breaches which have never been disclosed, vulnerabilities, back doors and outright stupid designs which mean systems are compromised and data is vulnerable to attack and theft.
You’ve sat in meetings where decisions have been made, against your advice and judgement, which you know will come back to haunt the people and organisation with whom you’re working.
You’ve had to learn how to lie, how to lie, to the face of others, your friends and colleagues, about what’s going on, you’ve had to learn to say “I can’t talk about it” when directly asked or challenged on something, and it feels awful to have to do it. (Admittedly, some get off on the power trips that secrets give them, but if you’re this far through this article you’re not one of those people).
With all these secrets, the scariest thing is, if you have a bad day, you know you have the risk of doing a Snowden (or insert leak/whistleblower of choice). You’re a ticking time bomb. And that’s terrifying and a huge responsibility, no one ever thinks about the burden of secrets you carry, no one ever considers it, it’s your burden and yours alone to live with.
Operating in the shadows
On top of all of that, you need to not just keep the secrets of others, but operate in secrecy, you need to work, often, alone, you need to cover your tracks, ensure no one else even your closest colleagues know what you’re doing, you’re constantly watching your back and questioning the motives and intentions of everyone around you.
Suspicion and conspiracy are your bedfellows. They are some of your only comforts and safe spaces. With them, there are no lies, they’re consistently accusatory and discriminatory.
You are constantly on guard from the threats around you, and not just at work, you’re scanning rooms looking for dodgy looking folk, you see lapses in airport security, you see huge holes in processes at supermarkets and in theatres, on your TV, you’re even a bit frustrated by the haphazard way that your post is handled.
You see threats everywhere. You don’t have the blissful ignorance that everyone else around you has. A day doesn’t go by that you’re not secretly plotting and scheming, that you’re not threat modelling a problem in the real world, that you’re not raising an eyebrow at stupid and ineffective security measures and identifying huge holes in existing security procedures. You carry this weight everywhere you go and it is heavy.
Being Human
So, you’re in security. No one really understands what you do, and you can’t even explain it. You keep the secrets of others, and they gnaw away at you. You’re constantly suspicious and see the worst in everything.
It sucks being you.
You’re isolated, you’re alone, you have demons more than most, and that’s because it’s your job to create and combat them hypothetically and in the real world, you don’t have the same kind of support network that other people have (let’s face it most security people are weird and they’re the last people you want to open up to), you have a pretty tough time of it, and it’s all self inflicted you crazy masochist.
But you wouldn’t change it for the world, and here’s why.
“I love my job” fills the pregnant pause as you continue, “I get to keep my family and my friends safe”. And that fills you with pride, and she smiles and says “that’s awesome” (or if she’s British she says “jolly good” as we’re a little more restrained with our assessments).
You aren’t alone. And whilst there might not be anyone in the world you can be truly open with about the work you do, the horrors you deal with, the crap you put up with, just know, we, the other people in security, are going through it too, you are making a huge difference, we are all making a huge difference, stopping terrorists, combating human trafficking, preventing child abuse, fighting financial fraud, protecting the weak and the vulnerable, and we are all there for you, even if you can’t reach out to us, we are there for you.
You’re in security… and it sucks.
So am I, and I understand.
hug
Smart Contract Developer | Tachyon Alumni
4 years ago: Yes. Lovely interaction you had there and you described what we all go through to a T.
Treating security as a compelling product.
5 years ago: A bit late, more than fashionably late probably, to the party but I enjoyed this. Obviously some of it is humorous but there’s a few grains of truth in there. Anyone that’s been around the block a few times knows that despite best efforts security is sometimes a thin veneer, and I’m talking 1980’s b&q flat pack veneer, not modern day quality ikea ones :) But it’s not all bad. It’s a challenge, it’s interesting. If you’re a nerd, there’s lots to read and see and do and as a career it ain’t going anywhere in the short term. The AI and ML folks will eat some parts of the space, but new problems will likely emerge. Security and compassionate career tracks will probably be the safe harbours for employment for the next 25 years. Not sure you can say the same about meat and potato contract review lawyers or bricks and mortar pharmacists.
Startup Mentor & Strategic CTO (Views my own) Quantum (Comms) | Investor Due Dil | Dev (C#.NET) Blockchain | Solutions Architect (Microservices) AI | FinTech (m-Pesa) | CareTech NHS | NHSlives.com Networks
5 years ago: You could always refuse to work for MI6 Philip Winstanley #QBAIN
Founding Director @ e2w consulting llc | Software and Database Solutions
5 years ago: Just remember to say you pack shelves at Dunne's or Asda. That way it avoids a whole mess of nonsense on way to airport!!