Good Grief, or How I Learned to Love Cyber Security

In 2021, the National Institute of Cybersecurity Education (NICE, a department of NIST) published an infographic which highlighted a major deficit of cyber security professionals in the modern workforce. That figure got me thinking about potential reasons for the shortage and about my own experience entering the cyber security industry.

The purpose of this post is to provide some context and support for individuals who are entering or have recently entered the cyber security industry. It’s to help with the emotional, rather than the technical, process of understanding what it means to work in security.

Given the state of security in the world, where news feeds are filled with ransomware attacks and data breaches, it is probably no surprise that this emotional process maps neatly onto… the five stages of grief.

It sounds macabre, but stick with me!

Phase 0

In Phase 0, new and aspiring cyber security professionals are learning all the things. You will consume information about what information security is and how cyber attacks work. You’ll get a fire hose full of network architecture, web application security, operational security, incident handling, forensics, compliance, breach handling, etc. The list goes on!

Security is coooool

No matter what, you will also learn just how fragile a lot of the world is.

This is because the internet and the infinitely diverse set of devices that connect to it are complicated. And humans are bad at complicated.

It’s true, and it’s a truth that is hard to accept. There are, to this day, thousands of AWS EC2 instances hosting data that may be valuable to an individual or organization, and they are exposed to the public internet just waiting to be popped.

What happens to those of us in cyber security once we have attained this knowledge? How does this knowledge affect how we feel about life, the universe, and everything?

Note: The phases described below appear to be linear, but they can happen in any order at any time. Even after reaching the final phase, it’s still possible to return to previous phases. I like to think of this as the Weird Wiggly Infinite Loops of Grief more than the Line of Grief.

Denial and Isolation

In response to this newly attained knowledge about the fragility of the world, I found myself in disbelief. I was already several years into my technical career, and I always got the impression that those security people knew what they were doing and that things were pretty darn impenetrable. After seeing the size of the holes in the sieve, I found myself in denial.

George is my face of denial

“There’s no way things can be set up this way. I refuse to believe this.”

It’s frequently simple security practices that are overlooked or ignored: practices like using unique passwords for local accounts on different systems, or disabling the wifi feature on a printer that doesn’t use it.

Failing to apply these practices can have major implications for the systems, people, and organizations affected when the gap is exploited. One password can be used to take down entire networks.

It’s scary.

And I wanted to hide away from this new knowledge.

But at some point, I had to accept this fundamental truth. Nothing is 100% secure, and a lot of things are hilariously far away from being 100% secure.

Anger

Anger can show up unexpectedly, and may appear at any time during the emotional process of joining the security community.

It was close.

This anger may show up because a misconfiguration or an exploited legacy system led to a major crisis in your job. It may show up when your partner sets up a server in AWS with default credentials, it gets popped, and the attacker consumes a ton of very expensive cloud resources. Goodbye date night; hello mac and cheese at home.

Needless to say, you will also find that anger is the least useful emotion in your cyber security emotion cart. When it is needed at all, that need is extremely rare. In my experience, it is best to process anger away from the situation and return only when the cooler portion of your head prevails.

In nearly every case, every person wants to participate in good security practices. Anger alienates those who need help from the very people who can help them (hint: you!).

Bargaining

Bargaining usually comes hand in hand with a sudden burst of energy and conviction that you have the power to change people, to help them with good security practices. You may even go so far as to do a big project with an awareness team or go out of your way to educate your friends and family about simple things they can do to improve their personal security.

Inevitably, you will find that some people will choose not to listen or educate themselves. They will go on blithely, confident in their own ability or in the low value they believe their data holds (all personal data is valuable… but that’s a discussion for another day).

Yes you can!

When you encounter a person like this, no doubt you will go through the bargaining process. You will point to common sense security policies like “apply security patches to your systems” and beg people to follow them.

Please just read the policy and follow it. It’s really not hard to follow! I’ll be here for you through the whole thing. Please! …. pleeeasseeeeeee

Depression

If you are not experiencing some level of depression from the global pandemic, your introductory cyber security career and education have you covered.

I distinctly recall saying to my partner once, “Security sucks. I want to go back to when I didn’t know these things.”

Knowing how an attacker thinks can be both fascinating and depressing. Sometimes depressing in the depth of the malice, and sometimes depressing in how shockingly simple it is for attackers to bypass security controls (because humans are very exploitable… but that’s another discussion for another day).

Depression is likely to come and go in a cyber security career, and all we can do is hope that we have long periods of high tide in between low tides. When the tide is low, reach out to your team, social supports, and professional health services for guidance navigating these moments.

Just play some Elvis and forget…

A good security team is present for one another emotionally as much as they are in collaborating to improve the security posture of an organization. They may be the best people around to empathize and perhaps cheer you up with stories that put your current experience in context.

Oh you have a few devices that need forensic analysis? Let me tell you of the time when I had to run forensics on a data center full of Windows 2003 servers back in 2017…

Acceptance

Ultimately, acceptance is all that a person can do with the knowledge of our fragile world. With acceptance of this knowledge also comes acceptance that a thing once seen cannot be unseen.

As with all great and terrible knowledge, it comes with a responsibility to use it for the good of all. No matter your role in the spectrum of cyber security, you are a part of making the world a better place by applying, exemplifying, and evangelizing good cyber security practices in all that you do.

While in the depression stage, I considered leaving my security career behind in favor of a previous role. Acceptance came shortly after the realization that I will forever now be a person who leads with a security mindset. No matter what job I do, no matter who I am helping in my professional and personal life, I will be thinking about how the choices I and others make affect the security posture of our organization and personal digital spaces.

There’s no going back, and I accept that this is a good thing.

We call incidents happy little accidents

RedBlue42.com is brought to you by the deeply talented and knowledgeable Code42 Security and Research squad.