October 14, 2019 By Lysa Myers

We’ve probably all seen that “perception versus fact” meme where there’s an assortment of pictures with captions like “what my family thinks I do,” “what my boss thinks I do,” “what I think I do” and “what I actually do.” People’s understanding of what cybersecurity professionals do often bears little resemblance to the reality of what we actually do. This can lead to a number of problems, especially in terms of job security, but there are things you can and should do to correct this.

What Do You Do?

My husband recently told me that it took him about two years to really understand what I do for a living. My parents used to say they thought I played video games for a living when my job was analyzing malware. Many of my coworkers seem to think I’m something of an internet celebrity — probably because my name shows up in public places a lot.

The picture for “what I think I do” would probably be a picture of a superhero anonymously and stealthily saving the day under the cover of darkness. My husband would also choose the “superhero” picture, so clearly my influence on him is working! The picture of “what I actually do,” which tends toward a more self-deprecating view, would probably be one of a person standing on the edge of a chasm and screaming into the void.

I get the sense that a lot of business leaders (especially those who aren’t particularly technical) picture us as wizards who read mystical signs and portents and then cast pronouncements on “correct behavior.” When requirements seem as inscrutable as superstitions, this doesn’t necessarily bode well for our continued employment, especially if misfortune befalls the company on our watch.

The reality of what most of us do is probably somewhere between “superhero” and “screaming into the void,” but if we’re performing well and managing expectations correctly, there can be more days of the former than the latter. Many of us work in areas that are not seen by most of our coworkers, and the sign of a job well done is usually nothing bad happening.

In light of this, what can we do to bring our work out of the darkness of the cubicle and into the view of the corner office?

Celebrate Your Successes

Have you deflected attacks on your network? Have you decreased the number of successful phishing attempts? Have you improved your risk assessment procedures? Managers will not necessarily know this if you don’t keep them updated.

Making time to celebrate your wins certainly creates more work for you, which can be hard when your plate is already full. Many people feel uncomfortable tooting their own horn, but for security pros in particular, this is an area that’s vitally important.

While infosec is generally considered a cost center, most organizations would struggle to stay in business without our diligent efforts. But if higher-ups don’t know how much value we bring to the company, they will continue to view the cost of securing the organization as one that should be kept to a minimum.

Keep a Diary

Many job-hunting resources suggest keeping a diary of what you do on a day-to-day basis as a way of making sure your resume is both thorough and accurate. And you don’t need to wait until the day when you decide to search for a new job to benefit from this activity. Creating and sharing a list of cybersecurity job responsibilities can be helpful in letting managers know what makes you worth the paycheck — or perhaps even a promotion.

When nobody but your peers knows what cybersecurity professionals do, it’s hard for the people in charge of budgets to know how much work it takes to keep attackers from breaching the company’s systems. While this list should naturally include successes, it should also include the more mundane cybersecurity job responsibilities that require action to maintain the status quo.

Ask Your Coworkers for Help

No security practitioner is an island. You will likely be far more effective if you make a point of having regular, productive interactions with your coworkers who operate outside the security department. Ask them to help you identify data and devices when you’re performing risk assessments; encourage them to report any suspicious files or messages they receive and any accidents that may occur. Listen to and work with them to foster an environment that enables them to do their job safely.

If people in your organization can see you not as the grump who just tells them they’re doing things wrong, but as someone who is there to support them, your interactions are more likely to be constructive, and you’ll be more likely to have vocal champions throughout the company.

Educate Your Staff

Another opportunity to improve your work outcomes and strengthen your connections within your company is to hold regular security training sessions. I should caution, though, that these sessions should be brief, relevant, actionable and positive (or perhaps even fun) so your students look forward to learning. The more you include examples or techniques that are applicable both at work and at home, the more likely your coworkers will be to attend these classes voluntarily. And the more you keep your lessons fresh in their minds by making classes a regular occurrence, the more likely your students will be to remember their lessons when they’re at their desks.

Some of the work that cybersecurity professionals do involves toiling in obscurity, but that doesn’t always have to be the case. By making sure your activities are visible to your coworkers and higher-ups, you can ensure that it remains clear how valuable your work is to the health and longevity of the business.
