Whether it stems from misconfiguration of technical controls, process failure or misalignment of job function, failure is inevitable. It is important to turn that failure into opportunity, as explained by a panel of experts at ISC2 Security Congress, who shared their largest career missteps with the goal of embracing failure.

Photo: Ken Fishkin, CISSP, CCSP, HCISSP; Tran Cheung, MBA, CISSP, CCSP; Matt Lang, CISSP, CCSP; Mallik Prasad - ISC2 Security Congress

Moderated by Ken Fishkin, CISSP, CCSP, HCISSP, associate director of information security at Lowenstein Sandler, the curiously titled Everyone Has a Plan Until They Are Punched in the Mouth panel comprised: Tran Cheung, MBA, CISSP, CCSP, director of IT risk, compliance and governance at the New Jersey Institute of Technology; Matt Lang, CISSP, CCSP, director of the cybersecurity practice of SVAM International; and Mallik Prasad, lead security architect for Ericsson.

As the title suggests, the aim was for the group to discuss, as Fishkin put it, “how they've dealt with the traumatic experiences within their career or with their job professionally” – in a cyber sense, of course. He added: “We all have scars throughout our career, and we want to make sure that we are able to show them to other people, so that we can pass them on and people can learn and grow from our experiences”.

Dealing With a Major Financial Breach

Fishkin turned to Prasad for a start. The latter was part of an outsource agency running the systems for a Fortune 100 financial institution when, in his words: “this financial institution [was] massacred, sacrificed … hundreds of million dollars of money brought out through the ATMs all over the world”. How did he and the team cope, inquired Fishkin. “It was a very difficult situation,” was the response. “You know, tireless, 24x7 … days and nights. On behalf of the team I had to take a lot of flack”. He continued: “Personally, I suffered a lot. Emotionally, I suffered a lot. 24x7 you are on the calls on the hotline”. After much analysis the attack turned out, rather topically given some of the incidents we have read about recently, to have been perpetrated through a trusted third party: “They were able to use a back door attack vector from a compromised partner organization somewhere in Asia”.

Prasad was also brutally honest about the effect on his job and his family life. “I was fearing the worst, including losing the job … but I was put into knowledge management. It was sort of a demotion, yes, and of course, family time was almost zero at that time”. This incident was the beginning of the end of Prasad’s time in security operations, which Fishkin noted can be a 24x7 job. “Yes, the work activity is just perfect”, said Prasad. “You know, you're doing something which is meaningful as well as impactful, but at the same time, it takes it all on you. You can do it for a few years, but after that, you have to give it up”. Prasad’s next step was toward security architecture, particularly looking at end-to-end security across enterprises. It expanded his knowledge in security, provided an escape from the always-on operations role, and presented him with a role in which he had “the ability to make an impact and move the needle significantly by [doing] the enterprise security architecture correctly”.

When Hiring Goes Wrong

Fishkin then turned to the next panelist. Lang’s story was from his time as CTO of a smaller organization with a national brand in the U.S. that had custom-built an ecommerce system. There was a pressing need to hire developers for a fairly esoteric, non-mainstream platform. “We had to bring in someone to do this work,” he said. “In that hiring process, there was a lot of discussion around how to bring in the right person. There was a lot of opinion on how that was all going to go, but the startup mentality really dominated there. That kind of ‘move fast, take risks’ mentality. That's why we got where we are and that led us into a situation where we hired what can only be described as a unicorn developer”. The pressing need to hire caused some fairly solid HR processes that had been implemented to be sidelined to get the new developer in place, whose “opinions dominated a lot of the requests that would come in, to what we wanted to see on the platform”. Lang therefore needed to “own” (his word) the new developer and deal with the mismatch.

Lang had to change his focus completely. “There was a lot of management. I went from being a very technical person to having to really manage personnel through the organization. I was having to balance all that out while actually keeping a deliverable going which was working. The toll of that … it's a very difficult balance to deal with someone who's probably clinically not stable and then dealing with an organization that needed things delivered. So, it was a very tough balance to make sure those things all got pushed”. Then in 2020 COVID-19 happened, which, Lang noted, further divided the organization and its culture. After a while the “unicorn developer” was beginning to call the shots and Lang was being told: “this person wants you to leave”. Lang’s solution: he gave two months’ notice and left, thankfully able to rely on his network of contacts and former employers for work opportunities.

How is the company doing? inquired Fishkin. It’s still around, answered Lang, though they changed direction regarding the platform and the software it was built on. Wrapping up, Lang noted that: “I don't want to say learn from insanity, because I don't think that's the best way to learn, but learning from others' insane stories is a great way to learn”.

Poorly Resourced Auditing

Finally, Fishkin turned to Cheung, whose story was different again: she had moved from a consulting position into a full-time internal audit role at a large university, but with minimal tools to help her carry it out. “In this role I was alone”, she said, “as in, I had to do my audit from beginning to end, all by myself, from creating the work product, figuring out the framework – and it was all spreadsheets, very manual – doing multiple concurrent audits at the same time”. The role took her into a spiral of spending more time attempting to achieve the unachievable. “I threw more hours into it, nights, weekends, just to get the product done,” she told the group. “After two years, it just didn't change no matter what, it's just never ending. And I felt like: I enjoy the work, but I didn't enjoy the product [enough] to get to the end, the manual process was just dragging me down”. The mental impact was tangible, but the futility was not clear to her. “I think the mental impact that I want to share was actually thinking that by throwing more time into it, that I can't fail. I haven't failed. How can I not get this? How can I not get it perfect? Why, after two years of this, I'm still feeling like I can't catch up. I’ll never get there and never be perfect enough”.

Added to this, training had to be done in additional time that Cheung somehow had to find. “They recommended that I should take my CISA certification. So, I did that, but I didn't have the time to study during the work day, so I had to add that into my nights and weekends on top of my workload. My family was not happy with me for two years, because my CISA was within my first year there, then I did my GSNA – that's the system network auditing certification – the year after, so it was a continuous workload to continue studying”.

Fishkin asked what motivated Cheung to call a halt. The answer was shocking. “December of 2023 was when I actually broke down. I've never cried over any job before, and I realized that it actually took a toll and I didn't know until my physical body told me, and that's when I decided I need to do something”. Changing priorities was the key factor, as Cheung realized that: “Family became third because: work, chapter and then family, so they are not happy with me. I needed to reprioritize”. A change of role has changed the situation completely: “My boss is amazing … she would tell me to stop working, which is good. She helped me create that boundary for myself, and I have more hours of sleep back. So, that's been good. I think the balance is there also, because I have the support system and I do a job that I love that doesn't wear me down”.

Finding a Way Through

The three speakers’ strongly contrasting stories will ring true with most people reading this: even if we have not been subjected to such extreme situations, there will be parts of all three stories that sound familiar – either in our own careers or those of one or more of our friends, family or colleagues. The reassurance comes from the fact that all three of the panelists have emerged successfully and are much more comfortable with what they are doing now than with what they did in the past.

The session finished with audience questions and one in particular was: “How do you navigate burnout when quitting or pivoting is not a current option?”

Family or community support was one suggestion. Taking up a distraction such as extreme hiking or extreme biking was another. Getting a pet and doing more exercise as a result was a third. But as Fishkin answered the question of how you navigate burnout: “Not very well. It doesn't really work, if you can't change the job situation in any way”.