Self-Inflicted Pain and Artificial Adversity in InfoSec
I was reflecting on Jackie Bow’s recent keynote at BSidesSF 2022 when I heard a new episode from the Hidden Brain podcast on “What We Gain from Pain,” exploring whether adversity is the secret sauce to success.
Jackie’s presentation, entitled “We Need More Mediocre Security Engineers,” touched on the common (& wildly unrealistic) expectation within our industry of perfection, from ourselves and others. “We expect ourselves to be unicorns,” Jackie said. She also called out the unhealthy assumption that we must be doing security not only for work, but that we’re hacking on side projects, participating in CTFs, reading white papers, keeping up with InfoSec Twitter, and going to conferences on Saturdays.
“Basically, we have this perception that in order to be a great security engineer or practitioner, security has to be your life. There seems to be this idea that by living and breathing and only doing security we’re making ourselves better professionals and making the world more secure… Our extreme expectations of ourselves and each other drive burnout, not excellence.”
YAS, Jackie! 🔥
She continued to discuss the effects of burnout and security’s predisposition to it, particularly because we’ve allowed our work to have 24/7 accessibility to our lives as a standard expectation of our role. [Editor's note: we teach others how to treat us.]
You really should watch Jackie’s entire keynote because it’s awesome: https://www.youtube.com/watch?v=3YmixOGqylY.
InfoSec’s Obsession with Pain
On the episode of Hidden Brain from July 4, host Shankar Vedantam speaks with psychologist Eranda Jayawickreme at Wake Forest University, whose research finds that while suffering can have benefits, they’re not necessarily the ones we expect.
As a young immigrant to the United States, Jayawickreme noticed many American protagonists, including our superheroes like Batman and Spider-Man, are forced to experience extreme trauma as a prerequisite for greatness, the idea being that suffering is necessary for growth.
Finding opportunities in the challenges we face or in having a positive outcome during difficult times can be an effective way to cope with trauma. However, what Jayawickreme is talking about is a cultural expectation that we become the best version of ourselves only by vanquishing some kind of adversity that has been bequeathed to us. It’s an aspect of what is referred to as “post-traumatic growth” or the idea that people can experience positive psychological changes by going through stressful life experiences.
In InfoSec, we’re bombarded with this message through countless marketing and recruiting messages implying that we’ve been enlisted into an elite fellowship to save the world. In reality, you do not need to join the Avengers or develop mutant powers to have a successful career in security, grow as an individual, or have a meaningful impact on society. I believe the superhero, warrior, and patriot tropes we see all too often in our industry are actually adding to the increasing reports of anxiety and burnout.
The popular saying “what doesn’t kill you makes you stronger” isn’t a guarantee. Traumatic or stressful situations can still destroy trust and motivation, cause irreparable damage to our health, and push people out of the profession. The importance of safe and secure technology in our day-to-day lives is stressful enough. We don’t need to add the unreasonable presumption that we should be available 24/7 to save billionaires from themselves or protect governments who don’t protect us.
As the saying goes, you are not required to set yourself on fire to keep others warm.