bitexploder · 3 years ago
I have been an information security consultant for a long time. Software dev background. 2006 start app sec consulting -> senior consultant -> principal consultant -> CTO (of small consulting firm) -> get bought by NCC -> start my own company 10 yrs ago -> CTO/managing principal -> sell company -> still consulting. Done so many different things but the common theme is app sec. Finding bugs and risks in software via reversing, assessment, threat modeling, and code review.

Do I still love it after 17 years? no. A lot has changed. A lot has not. I still like it most days. By far my favorite thing has been building a team and teaching others what I learned. I hit burn out here and there. I think computers and tech are different and objectively a little less fun now for this field. When I started I could find a bug in a system and write an actual exploit (actual machine code!) for it by hand in a reasonable time scale and that was always really cool. Now teams of people are required to achieve the same exact goal. Just one of many examples.

So anyway, some get off my lawn cause I am older now, some is just me changing what I like and want from life, some is tech changes. It’s still a great field as a consultant. Show up. Hack. Write report. Leave. Never be a CISO, you can’t pay me enough to do it. The end.

komali2 · 3 years ago
Sounds like folks like you must have been doing a really good job if it's that much harder to exploit vulnerabilities!
mr_mitm · 3 years ago
Yeah, ultimately the goal of infosec is to make itself obsolete. On the one hand, it seems to be working because exploiting things has become more difficult/expensive. On the other hand, cyber attacks seem more rampant than ever, because exploiting things has also become more lucrative. So are the effects of the infosec industry real? Or is it just an arms race?
bitexploder · 3 years ago
Yep, memory corruption bugs on a modern OS are really hard, but still possible. That’s why sketchy firms like those that build Pegasus now pay 7 figures for a locked and loaded iOS exploit, which objectively does the same thing mine did a decade or so before. :)
UK-Al05 · 3 years ago
I think it's more like software developers have gotten better, leaving less room for cyber security.

When I first started any idiot could hack a web application because nearly all of them had silly exploits like SQL injection.

ghostpepper · 3 years ago
As someone with a C/C++ background considering a move in this direction career-wise, would you still recommend it?
bitexploder · 3 years ago
It really depends on what you want to do. We hire folks from dev backgrounds all the time and many stick around and enjoy it. If you get pushed into some corporate app sec role where you aren't doing interesting problem solving, I do not recommend it. If you get to really dig into security problems and challenges using engineering and technical skills you have acquired, yes, it is still fun. You get to take apart other people's puzzles (apps/code) and there are tons of opportunities for automation, scripting, writing tools, etc. It is an awesome field to grow in when you have a lot of hard CS and development skills and can apply them meaningfully. That makes things pretty narrow in terms of roles out there that check all of the boxes I mentioned, but, yes, it is still interesting and fun. Look at all the cool things people have done with fuzzing over the last 5-10 years, starting with AFL which really changed the game. Now people do fuzzing with VMs (qemu) etc. Just a ton of really cool stuff that a solid C/C++ dev can really dig into and play with :)
j0hnyl · 3 years ago
I think the trick to staying happy in cyber security is to chase down niche fields in technology. Your work won't be perceived as sexy by the broader community since you're not tracking north korea, but the trade off is that you will have fun and not have to brush shoulders with so many egos. So what's green these days? That's for you to decide, but one area I think is interesting is smart contract security on blockchains. Lots of folks are pouring into that space.
toomuchtodo · 3 years ago
> Never be a CISO

Can you share why?

bitexploder · 3 years ago
Average tenure for a CISO is lowest of any C suite. You will likely take the hit in the event of a security incident and be fired. Tedious work. What to do is often obvious. Getting everyone to do it is the hard part and usually devolves into politics. Thankless job, you can only be wrong once. Just not appealing and CISO is becoming legally sketchy, requiring a lot of diligence out of a CISO to not end up in legal trouble. But if this appeals to you, it can be rewarding stuff, but it is not a great tech role IMO. Or a great management role.
eganist · 3 years ago
From what I've heard from other CISOs:

You own a bunch of unsolvable risk and your head is one of the first to get lopped off if you're popped.

Honestly, the CISO role probably needs a golden parachute and a direct report to the CEO for it to be an appealing path for most anyone who's experienced it at least once. The former to incentivize owning that much risk, the latter to enable the role to drive change.

fegu · 3 years ago
I am a CISO, but transitioning away. It is just plain boring. Lots of admin, reports, reviews, very little actual IT.
OrvalWintermute · 3 years ago
Normally you are juggling a huge amount of security technical debt, massively under-resourced, the CFO under-funding IT and having no budget for innovation in the first place is part of what caused the problem.

The security world and the compliance world are changing daily, don't track each other, and your compliance drives costs, while security drives incidents.

IncRnd · 3 years ago
They shared why in the prior two sentences, when saying what they enjoy when not a CISO. "Show up. Hack. Write report."
gnfargbl · 3 years ago
Well, they don't call it Chief Incident Scapegoat Officer for nothing.
throwawaaarrgh · 3 years ago
This really resonates with me. I'm also passionate, and most corporate gigs I've had over 20 years kill my soul. I wish there was a place I could use my skills where they weren't wasted, where I could perform at the top of my game and really make incredible things happen. The reality is I spend 90% of my time trying to work around some stupid bureaucratic limitation, and it's not uncommon for my work to be literally thrown away after months or years of work.
4RealFreedom · 3 years ago
I've been in this position a few times throughout my career. Try looking around and see what else is out there. Maybe consider a smaller company that doesn't have the level of politics that you've described. Wish you the best!
Clubber · 3 years ago
I recommend smaller companies where you take an architect type role where you build the systems, or at least have a domain you control and are accountable for. I've been doing exclusively that since about 2005. It has its own problems, mainly pressure to constantly get things done, which is fine, but it can be unrelenting sometimes.

The soul sucking large corporate entities, I couldn't agree more. Stay away from that if you can. You really only need one big company household name to spice up your resume and you probably have that already. I have mine and never went back.

mxuribe · 3 years ago
> I recommend smaller companies...

Yep, this is the direction i wish to take next. ;-)

mxuribe · 3 years ago
OMG, its like you're speaking right to me! :-)

I have a multi-decade career, and for like the first decade or decade and a half or so, i tried to stay as long as reasonably possible at whatever big company i worked for....being raised to think that loyalty, and working a long number of years at the same employer was a sort of weird badge of honor. I got hit by bureaucratic BS/blocks on such a constant basis, and then got hit by my first layoff...then i thought: "oh man, it's me, i'm the problem, maybe i'm not as good as i thought, etc." Then I got yet another corporate job....and then another layoff...which by the way both layoffs were due to re-orgs, and impacted many people, and not specific to my performance. But, you know, the ego and heart gets hit hard.

So, i tried 1 year (during the middle of the pandemic) to work for a non-profit...thinking that maybe i can use my passion and people and tech skills for some good causes...Nope, never again! The sample size is of course so small (I only worked for a single non-profit), but i encountered the same corporate blocks as in the for-profit world, but with a vastly reduced paycheck. I still love my peers in the non-profit, and while i was there i actually made a difference in thousands of people's lives, as well as gaining accolades from the IRS for a model and taxpayer experience that i developed for some web portals that i led the dev. for. And, i still very much believe in what the non-profit where i worked does...But wow was the org. crazy dysfunctional! Anyway, over the last couple of years since then, i keep jumping from one big company to another....and after all these decades i feel i have more passion than ever before for the tech and the problem spaces! ...BUT...now i have less patience for corporate bureaucratic BS/blocks...so i jump more often nowadays; which i don't like doing. Maybe i will try small, for-profit firms and see how things go....but, man, corporations really do know how to hamper those among us who have the passion, drive, and technical chops to really make a difference. Passion and competency - at least at the big boys/girls where i worked - seem to count for nothing nowadays.

pnutjam · 3 years ago
It's a marathon. When you don't enjoy it, start a new one. There will always be bureaucracy, just deal with it and disconnect at the end of the day so you can do the things you love with the people you love.
adamgordonbell · 3 years ago
Got to be honest, I only clicked on the link because 'quitted' bothered me, but the Take-Aways are interesting.
cuttysnark · 3 years ago
Stuck out to me as well—author uses it only once apart from the title, and it's in scare quotes. Are they calling attention to the fact that it's not the usual form of the word, but then failing to explain why that's important to the subject of the post?

In any case, TIL that although "quit" is most common for past tense/past participle, "quitted" is sometimes included in dictionaries as an alternative.

Mikushi · 3 years ago
The author is French; the usage of quitted is more likely a mistake outright. As for the quoted version, it's explained next to it: he's quitting professionally but likely will continue as a hobby. In French you'd use quotes to highlight the fact it's not to be taken literally.
jihadjihad · 3 years ago
It is valid in English to use quitted in this manner, but it does look and sound odd. Most dictionaries list quitted as an alternative simple past/past participle of to quit, but admittedly it's uncommon to see it in modern English. Usually quitted is used in the sense departed or left (following French usage), which, while perhaps archaic, is perfectly valid in English as well.

Deleted Comment

odiroot · 3 years ago
It's a new fad in SEO world. Gotta respect the hustle!
xeromal · 3 years ago
Same. I figured it's an ESL thing so no biggie.
quacked · 3 years ago
If you're looking to avoid burnout, it helps to think of your profession as something entirely separate from your identity. I'm not an "aerospace engineer" or a "project manager", I am merely a man who plies the trades of engineering and project management during the day. That's the service I provide to society in exchange for food, fuel, land, tools, weapons, medicine, textiles, etc. (I don't think it's a fair trade but that's out of the scope of this discussion.) The parts of life that I actually consider meaningful parts of my identity occur outside of work and mostly revolve around my family, friends, religion, storytelling, and art.

This may kind of seem tautological, but I think adding the extra degree of mental separation (I am a man/woman who practices X profession vs. I am X profession) can help clear your head and open new life avenues to you. If you spend 8 years grinding for a graduate degree and enter into an obscenely competitive job market and find little success, it's easy to feel claustrophobic and like you've failed if you take a job outside your field. However, if you think "for 8 years I performed statistics, writing, lecturing, and reading, and now in order to make my fortune I'll try another trade" you feel less indebted to your past self and make more clearheaded decisions about what to do in life.

DeathArrow · 3 years ago
I work to provide food for my children and me. I am not my work. Even if I like development, I do more interesting types of development outside of my job.
bayesian_horse · 3 years ago
I had watched a few courses on information security and noticed that those working in the more management / corporate related infosec roles seemed to be massively overweight, almost all of them (I am too, btw). Not saying that to shame anyone, just: Does the job make you miserable or stressed out?

I have been forced to do the infosec role as a "side thing" in a couple of jobs now, mainly because nobody else was around that even had the basic skills. One of the things that discouraged me from going further in that field is that it doesn't seem to make people all that happy and fulfilled. Again, I may be wrong on that, as an outsider looking in.

justin_oaks · 3 years ago
I'm very interested in security vulnerabilities and clever hacks. Because of that I thought I'd be good in a security role. Then I discovered that defending against security problems is awful.

The biggest security weaknesses are people. Employees get socially engineered or phished. Management doesn't take security seriously so they put only a tiny budget toward security. Lazy sysadmins don't keep their systems patched. Software developers can't be bothered to learn how to write secure software, and this is mostly because their bosses don't incentivize them to. Security vendors often hype up their snake oil products. Good security protocols and technologies aren't adopted because people don't want to change.

Dealing with these human problems is awful, demoralizing, and generally unsolvable.

debacle · 3 years ago
Security is always a cost. It's never a benefit until after someone has already been hacked, and you're the cleanup crew/IT oncologist.

I decided 10 years ago to never work in a role/company where my job didn't contribute to the bottom line. It's much more satisfying.

mango7283 · 3 years ago
I was a lot happier when I was working for a security tool vendor than I am now working in itsec on the customer side...
bell-cot · 3 years ago
Oh, yes. Infosec has all the downsides of being an ER/ICU nurse at a miserably understaffed hospital, with ~none of the upsides of saving people or genuine patient/family gratitude.
mango7283 · 3 years ago
Haha you said it...
bayesian_horse · 3 years ago
The pay is better though.
red-iron-pine · 3 years ago
* high or higher stress role

* can be demanding or irregular in terms of hours

* real, genuine infosec requires deeper knowledge of OS's, protocols, tools, programming & scripting, etc. Gotta be a little more experienced to get that, and even more experienced to move away from it into mgmt or higher level roles. In other words, older office worker, and that means more gut.

mango7283 · 3 years ago
I manage a monitoring and ir team and am obese. I tend to stress eat and there is a lot of stress playing defense all the time.
justin_oaks · 3 years ago
If you prevent all the security threats, nobody notices, and the bosses wonder why they even pay you. If a security issue gets through, the bosses wonder why they even pay you.
bayesian_horse · 3 years ago
Meditation could be helpful. Maybe the "Muse" EEG headset might be something for you.

Medication shouldn't be out of the question to stop the stress from killing you. I don't need to know any specifics but just when you say "stress" and "overweight" I can tell you to get checked for at the very least sleep apnea and diabetes. Both can and will ruin your day if you don't catch them early enough, and most people don't.

conorcleary · 3 years ago
You're always, always going to be playing catch-up with criminals. It's a defense-only game. It's also like the scenario that caused the development of police radar detector-detectors, etc.
nekitamo · 3 years ago
In infosec the hours are long, morale is fatalist, but at least the pay is good and jobs are plentiful.

You have to make sure you manage your relationship with your job carefully, or you will burn out as the author did.

Deleted Comment

itsmemattchung · 3 years ago
> The main warning I might just give to people is to keep proper distances between work and personal life

I've been thinking about this a lot lately. As a millennial, I've tied so much of my self-worth into my career and recently started questioning this belief, and I think the next generation (i.e. Gen Z) might be on to something around quiet quitting, their generation placing extra emphasis on pursuing things that make them happy and viewing work as .... well, work.

jraph · 3 years ago
Millennial too. Thought for thoughts then!

For me, paid work is a means to achieve what I personally want to achieve. If I can achieve what I want during work hours that's great, stars are aligned. If not, work is just a way of getting the money I need to achieve what I want, and should never drain me.

I don't care about career, I care about being paid enough to do what I want to do of my life. I won't sacrifice personal life for it.

Work is a good chunk of the time so it should also be enjoyable as best as possible.

Of course, advancing your career can help get paid even more / enjoy even better; if so, it might be a good thing to do. It's just that it's a means, not a goal, like it seemed to be for some of our parents or grandparents.

flerchin · 3 years ago
LOL welcome to your thirties. Try to lean more towards the weird new hobby side of things, instead of the 20yo girlfriend side.
swader999 · 3 years ago
Sage advice.
rejectfinite · 3 years ago
>around quiet quitting

Please do not use this phrase.

Working 9-5 is called "doing your job"

IT in Europe here and we work 8-5 with 1h lunch...

yamtaddle · 3 years ago
> IT in Europe here and we work 8-5 with 1h lunch...

Similar in the US, I've never actually seen an office that works 9-5, despite that being the phrase. It's always 8:30-5 or 8-5.

It may once have been A Thing here in the US, with a 30-minute lunch and two 15-minute breaks coming out of a total of eight hours at work, since there are legally-mandated break periods for ordinary wage or hourly workers—but it seems like everyone's "exempt" now and so has far less legal protection, plus I'm sure enforcement's nearly non-existent. I assume it did actually exist, once, though, for "9-to-5" to have entered the language to begin with.

BrandoElFollito · 3 years ago
9 to 18 in France, mostly. Time for lunch is usually in the 30-45 min but this is by choice.

Quite a lot of people stay after 18, mainly because of historical/traditional reasons.

komali2 · 3 years ago
Millennial here as well, it's really exciting to see our generation and the next generation reject "making money for someone else" as a way of finding meaning in life. I'm chewing on a lot of blog posts about this, regarding for example how the concept of "retirement" is terrifying. I was on a cruise recently and talking with a bunch of old people, and the subject often came up about how people were "finally taking the trips they always wanted to," or "finally exploring xyz hobby they never had time for."

How terrifying is that, busting ass from your 20s to mid to late 50s, and then getting hopefully another 30 years to "enjoy life?" I mean I'm sure many people find enjoyment along the way but damn that just seems so depressing.

Maybe it wasn't bad when that generation was working, I know many had a very nice quality of life for relatively less effort due to higher purchasing power and lower housing costs.

autokad · 3 years ago
In their 20s and 30s, my siblings pursued their own interests and desires, but unfortunately, this approach did not lead to success. Now in their late 50s and early 60s, they find themselves lacking the necessary skills and experience to keep up with the rapidly changing job market. As a result, they are limited to unskilled labor, with no significant savings or retirement plans. Despite having pursued their dreams when they were younger, they are not particularly content.

They constantly ask me for money now.

itsmemattchung · 3 years ago
> How terrifying is that, busting ass from your 20s to mid to late 50s

Agreed. I'm all onboard with delayed gratification. I'm onboard with "putting in the work." But waiting (literally) decades before living it up... sounds totally backwards.

itsmemattchung · 3 years ago
> I'm chewing on a lot of blog posts about this

Care to share some of your favorite findings?

swader999 · 3 years ago
A human life is barely the time it takes at a stop light when you consider we live for eternity. Learn how to love, don't try to gratify the ego.
moremetadata · 3 years ago
> busting ass from your 20s to mid to late 50s, and then getting hopefully another 30 years to "enjoy life?"

It's just slavery which the older generations thought was appropriate, much like having a large family to look after you was a thing before family sizes came down.

It sounds cliched, but have a bucket list of things you want to do and try to do some of them. Put yourself first and your job second because the days of businesses looking after their staff and a job for life is long gone as every recession demonstrates.

Mountain_Skies · 3 years ago
The leading edge of Gen Z has taken to concepts like quiet quitting, but they still seem to have tied their personal lives to their jobs, often having few physical world friends outside of the workplace and still falling for the "we're a family" line, even if now they want to play the part of the kid who doesn't take out the trash if their allowance isn't high enough (which it might not be). Doubt that's healthy and seems a lot like the recreation of a dysfunctional family.
autokad · 3 years ago
The success of this approach hinges on the assumption that no one else is doing it. However, even those who quietly quit still rely on others to provide the goods and services they desire. There is a concern that this could lead to a snowball effect and result in food scarcity and famine, but the timeline for such an outcome is uncertain.

In terms of adding extra items to improve their happiness, it appears that this strategy is generally ineffective. Despite their efforts, the quiet quitters I met do not appear to be any happier.

AnIdiotOnTheNet · 3 years ago
Millennials still had cause to buy into the Reagan-era story of hard work and hyper capitalism leading to a glorious future for the common person. Zoomers have never been able to buy into that lie because they were born into a world where it is so obviously untrue.
DrThunder · 3 years ago
Zoomers aren't even old enough to determine that yet. They're in their early 20's at most and no one that age has the experience to definitively say anything regarding this.

The alternative to hard work is doing nothing and that certainly will get you nowhere at all. The idea that a younger generation might have had it slightly better (which I think is pretty subjective anyway, previous generations have all had their fair share of bad shit) so you won't do anything to get ahead is just asinine.

tiffanyh · 3 years ago
Some general (unsolicited) advice ... for whatever field you're interested in - go work for a company that sells that as a service.

E.g.,

- Don't be an internal company accountant, go work for Big 4 accounting firm to sell your skills

- Don't be in internal company IT Security, go work for a company who sells that skill

It's all about moving up in the value chain. By moving up in the value chain, you're more "valued" / appreciated / sought after.

Your general happiness will be much better as a result, and you'll also make much more money.

DebtDeflation · 3 years ago
Yes. You always want to be part of a profit center, where (directly or indirectly) there is revenue associated with what you do, rather than being part of a cost center where you are just an expense for the company.
dreamcompiler · 3 years ago
Likewise if you work for a company that sells a security product you're in a profit center, which is good. What's bad is that those sales are extremely difficult to make because what your company is selling is avoidance of loss which is much harder to sell than a product that increases revenue.

This is more true if you're a small startup selling a security product. It's less true if you're one of the top 5 companies in the field.

zaphod12 · 3 years ago
I agree that it is more lucrative that way. But I super disagree with the happiness part. I don't know anyone working at an IT security company, but know many many lawyers and a handful of accountants. 90% of them ditched big law firms/Big 4 accounting firms as soon as their resume was sufficient to do so because the quality of life was terrible. Very very long hours, demanding clients and political atmospheres (as you go up) around bringing in business. By and large the folks that stayed are workaholics who highly valued money and status.

One good friend of mine was a super driven lawyer at a huge world-class firm in NYC. She got cancer, and had to take a leave. Fortunately she recovered fully and quit basically the first moment she got back. This isn't one of those 'she left to follow her passion in the arts' cases - she LOVES being a lawyer, but she realized she wasn't living a life. Now she's in-house at a multi-national brewing company.

Anyhow, all that to say - you may be more valued, but it's much easier to be the client!

saagarjha · 3 years ago
This isn’t universally true. Large tech companies have a need for specialists and are willing to pay quite well for it.
tiffanyh · 3 years ago
They might pay well, but if you're not in a profit center for the company - you won't be as valued as much as those who are.
DeathArrow · 3 years ago
How would that work for a developer?
RugnirViking · 3 years ago
Work for a company where you are developing the company's main product, and where the product can be substantially improved by further development. For example, working to develop a website for a supermarket chain, or an app for Domino's Pizza, will always have a limit and little respect.
eganist · 3 years ago
I'm probably oversummarizing, but this seems to boil down to burnout caused by (from the post):

> But why don’t they just patch? It’s not that complicated after all.

And you kinda see this later on when the author talks about what they worked on post-transition out of infosec as a mainline career:

> I finally joined Michelin in December 2016 where I started working in the CERT team where my main mission was to automate scanning and reconnaissance phases [emphasis added] on internet-facing assets and this was my real first experience on the other side of the story - defending infrastructure and where I finally experienced change management (and the complexity behind it), impact evaluation and so on.

It seems like the author burned out not because of the work but because wherever he ended up, there was no strategic initiative to streamline and automate patching to a point where it's largely invisible. It's also a hard problem given the risks of patching bringing reliant services down and the need to automate a slew of testing to validate that said patches won't torpedo production and mission critical systems.

The bit above is important not just because it solves a problem but because (I'm convinced that) people like knowing they actually built something and enacted lasting change. And security may be one of the least likely engineering disciplines where you'll experience building a tangible product as an IC.

At least in software security it's a bit easier with build and deployment pipelines offering an opportunity to block when patches are outstanding, but I can see where the burnout would arise when a strategic effort to invisibly ensure patching isn't in place or well funded. No one gets to build anything, and likewise, nothing gets solved because nothing was built.

---

So if I could add another takeaway:

• if your job involves running around and putting out fires, consider recommending up the chain and across the aisle all the ways to prevent the fires. And if those recommendations don't catch fire (so to speak), it may be worth exploring alternative means to address the burnout risk long term with the current role.

PaulSec · 3 years ago
Thanks for your reply, I liked it!

> It seems like the author burned out not because of the work but because wherever he ended up

Don't get me wrong and maybe I was not clear enough (my bad). The infosec part I mostly contributed to was within some consulting companies where I was hopping from one assignment to another one, having different clients every week. I saw some clients with some really strong security posture, I mean it. The "burn out" I experienced was clearly not related to that but pretty much from hacking, writing report, sleep & repeat.

eganist · 3 years ago
> The "burn out" I experienced was clearly not related to that but pretty much from hacking, writing report, sleep & repeat.

Yeah, this tracks. I rescued myself from this by switching to in-house security teams with ownership of security infrastructure.

Similar to what you did.