We’ve probably all seen that “perception versus fact” meme where there’s an assortment of pictures with captions like “what my family thinks I do,” “what my boss thinks I do,” “what I think I do” and “what I actually do.” People’s understanding of what cybersecurity professionals do often bears little resemblance to the reality of what we actually do. This can lead to a number of problems, especially in terms of job security, but there are things you can and should do to correct this.

What Do You Do?

My husband recently told me that it took him about two years to really understand what I do for a living. My parents used to say they thought I played video games for a living when my job was analyzing malware. Many of my coworkers seem to think I’m something of an internet celebrity — probably because my name shows up in public places a lot.

The picture for “what I think I do” would probably be a picture of a superhero anonymously and stealthily saving the day under the cover of darkness. My husband would also choose the “superhero” picture, so clearly my influence on him is working! The picture of “what I actually do,” which tends toward a more self-deprecating view, would probably be one of a person standing on the edge of a chasm and screaming into the void.

I get the sense that a lot of business leaders (especially those who aren’t particularly technical) picture us as wizards who read mystical signs and portents and then cast pronouncements on “correct behavior.” When requirements seem as inscrutable as superstitions, this doesn’t necessarily bode well for our continued employment, especially if misfortune befalls the company on our watch.

The reality of what most of us do is probably somewhere between “superhero” and “screaming into the void,” but if we’re performing well and managing expectations correctly, there can be more days of the former than the latter. Many of us work in areas that are not seen by most of our coworkers, and the sign of a job well done is usually nothing bad happening.

In light of this, what can we do to bring our work out of the darkness of the cubicle and into the view of the corner office?

Celebrate Your Successes

Have you deflected attacks on your network? Have you decreased the number of successful phishing attempts? Have you improved your risk assessment procedures? Managers will not necessarily know this if you don’t keep them updated.

Making time to celebrate your wins certainly creates more work for you, which can be hard when your plate is already full. Many people feel uncomfortable tooting their own horn, but for security pros in particular, this is an area that’s vitally important.

While infosec is generally considered a cost center, most organizations would struggle to stay in business without our diligent efforts. But if higher-ups don’t know how much value we bring to the company, they will continue to view the cost of securing the organization as one that should be kept to a minimum.

Keep a Diary

Many job-hunting resources suggest keeping a diary of what you do on a day-to-day basis as a way of making sure your resume is both thorough and accurate. And you don’t need to wait until the day when you decide to search for a new job to benefit from this activity. Creating and sharing a list of cybersecurity job responsibilities can be helpful in letting managers know what makes you worth the paycheck — or perhaps even a promotion.

When nobody but your peers knows what cybersecurity professionals do, it’s hard for the people in charge of budgets to know how much work it takes to keep attackers from breaching the company’s systems. While this list should naturally include successes, it should also include the more mundane cybersecurity job responsibilities that require action to maintain the status quo.

Ask Your Coworkers for Help

No security practitioner is an island. You will likely be far more effective if you make a point of having regular, productive interactions with your coworkers who operate outside the security department. Ask them to help you identify data and devices when you’re performing risk assessments; encourage them to report any suspicious files or messages they receive and any accidents that may occur. Listen to and work with them to foster an environment that enables them to do their job safely.

If people in your organization can see you not as the grump who just tells them they’re doing things wrong, but as someone who is there to support them, your interactions are more likely to be constructive, and you’ll be more likely to have vocal champions throughout the company.

Educate Your Staff

Another opportunity to improve your work outcomes and strengthen your connections within your company is to hold regular security training sessions. I should caution, though, that these sessions should be brief, relevant, actionable and positive (or perhaps even fun) so your students look forward to learning. The more you include examples or techniques that are applicable both at work and at home, the more likely your coworkers will be to attend these classes voluntarily. And the more you keep your lessons fresh in their minds by making classes a regular occurrence, the more likely your students will be to remember their lessons when they’re at their desks.

Some of the work that cybersecurity professionals do involves toiling in obscurity, but that doesn’t always have to be the case. By making sure your activities are visible to your coworkers and higher-ups, you can ensure that it remains clear how valuable your work is to the health and longevity of the business.
