I have a good friend whose son plays baseball. The son just moved from rec ball at the local park to a pretty serious team. They practice four times a week, have a few optional (but not really optional) practices on the off days, and play in tournaments over the weekends a few times a month. The coach is a 20-year retired Air Force guy, and his approach is all about discipline, fundamentals, and achievement. Each of the kids needs to earn his way onto the field. Nothing is given to them.
Only 75 percent of the kids take the field in each tournament. The other kids sit and root for their teams. At first that seemed a little harsh because the kid is only 12. But when I heard about the focus on discipline and fundamentals and the opportunity to get on the field through hard work and performance, I get it. And I like it. Because that's the way life is.
Let's use an analogy from the NFL. This upcoming week is the last week of the off-season and that means roster cut downs. Some guys (maybe 50 percent of the preseason roster) have significant guaranteed money or are key veterans, so they'll make the team unless they get hurt. The other 40 fight for maybe 10 available spots on the 53-man roster. They've got to bring it in every practice and film study session. They earn their right to be on the field for the games through hard work and performance. If they don't perform, then you can bet there is someone else waiting to take their spot.
That's life. You always have someone coming up behind you, working his ass off every day to be where you are. If you don't meet your employer or customer's needs, someone else sure will. And you'll be gone. That's how market-based economies work, and that's not going to change.
What does this have to do with security? And why does this concept get me hacked off? Because some folks don't understand about making choices. A little Twitter fight broke out recently over the increasing trend to start conferences on Sunday. Obviously that impinges on the weekend and maybe on family time. Some folks whined about it. Others told them to stop whining, that it's not unreasonable to expect executives (warranting six-figure salaries) at times need to travel on Sundays. We've been talking about burnout in security for years. This isn't a new issue.
It's all about choices. I don't blame the conference organizers. If they can maximize revenue by having a day of training on Sunday, then why wouldn't they? If people are going to show up, then Mr. Market says to meet the demand. I don't blame companies that will take everything their employees have to give. And then ask for more. That's what companies do -- why is that a surprise?
The issue is that some folks don't know where to draw the line. Maybe they are too scared by that guy coming up from behind to say no. In this kind of economy, it's hard to say no. In fact, I know because there was a time when I was that scared guy, with a big mortgage and a young family and a demanding job. I attended a monthly weekend management meeting, which killed my Saturday. I answered the phone at all hours of the night to deal with "situations." I'd get to work early and stay late, to make sure my car was in the parking lot when the CEO would be checking. I'd travel on Sundays. I'd miss ballgames.
But I always had a line. I don't miss birthdays. I don't miss annual physicals for the kids. I don't miss school conferences. I certainly don't miss my wedding anniversary. Sure, I work for a small company and am responsible for my own schedule, so it's easier for me now. But I did the same stuff when I worked for bigger companies. I drew the line. If someone asked me to cross that line, then I said no.
I made my choices and maybe that adversely impacted my job security at certain jobs. I was OK with that. In reality, it was my sparkling personality that was a much bigger issue for my employers than my unwillingness to miss stuff at home. It's tough to find that balance, and I've struggled with it since I got married. To be clear, I work
To further clarify, there are times when you need to do the work. Like when I was involved in the potential sale of my company. I worked late every night for two weeks and criss-crossed the country trying to get a deal done. Or if you do incident response and find the bad guys in your stuff, you work until the problem is solved. As long as that doesn't happen every week, it's fine. Again, you have to know where to draw the line.
And you know what else? I stopped worrying about the guy coming up from behind. He's always there. You need to accept that. There will always be someone trying to take your job, win your customers, break into your stuff, and steal your data. If they take my spot because I wasn't willing to fly somewhere and miss my kid's birthday, I'm OK with that. It's not a place I want to work anyway. It's not a customer I want to work with. You need to understand what you're willing to do and what you're not.
Making tough choices. Exercising free will. It's not easy, but instead of bitching about the unfairness of it all, maybe just say no. Set the boundaries and be clear with your employer and/or your customers about what you will and what you won't do. Understand they may choose to work with someone who will meet their unreasonable (in your opinion) expectations. And someday you'll realize you were better because they did. In the long run, you can win by losing.
Mike Rothman is President of Securosis and author of The Pragmatic CSO Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio