Some few of us, primarily in consultancy and professional services, are in the position to work in a place surrounded by other Information Security people, but for most of us the ratios are a little different. To speak from personal experience, at my previous company there were 6 of us out of a total IT staff of about 170. Based on conversations with others, my experience seems somewhat typical, or maybe even high. Currently the ratio is a little skewed since I am the information security staff, although we are admittedly a small company. Being part of such a small team means it can be awfully hard to keep from falling into familiar patterns.
There's also quite a lot to be said for having a support network. We are often seen as the roadblock, the group who can always be relied on to say no. We frequently find ourselves ignored by management. We spend one day installing software patches and the next investigating some rather... let's say disheartening activity. We're a group who are required to always imagine as many worst-case scenarios as possible and hope we can come up with a way to avoid them. Hell, it's often said, half-jokingly I'd like to hope, that cynicism is a necessity to succeed. At the end of the day, is it any wonder that InfoSec Burnout is enough of a thing that conferences are hosting panel discussions on the matter and have spawned sites like Information Technology Burnout Project?
That's not to say we're at all unique in this respect; all careers have their own flavor of stress points. Randall Munroe does a good job of illustrating the cross borne by our Operations siblings here.
The difference, I would argue, is that in most situations they are more likely to be able to stalk out of their office and find a kindred soul to steam at. Given that we're more likely to work alone, all we can do is carry those problems home and hope to sleep, or drink, them away. Quite honestly, I need a better solution.
This past weekend I attended BSidesCleveland. According to the organizers we had just under 200 people between attendees, speakers, and staff all housed in a fantastically relaxed venue. That's nearly 200 people who have the same problems, same concerns, and most importantly rarely the same opinions. Driving home I was left feeling tired but also refreshed and with a couple of new projects in mind. I learned a few things, adjusted my perspective on others, and spent quality time talking to a few people that I hope to keep in contact with.
The real lesson is that events like this are critical for us. They provide a neutral location where none of us have to feel like we're on display and can treat each other like the kindred spirits we really are.
I highly encourage you to look in your local area for professional events to attend. In the Columbus area we have SecurityMBA and CMHSecLunch, both of which are monthly social events targeting the Information Security community. I've also really enjoyed the events put on by our League of Professional System Administrators chapter. While not InfoSec-specific, there is a good crew of compliance and security-related people mixed in with the Operations folks. If you're not local to me, and will forgive the self-promotion, check out InfoSec Happenings and see if you can find an event in your area. Don't forget the power of social media. Twitter is rotten with us people.