October 14, 2019 By Lysa Myers 4 min read

We’ve probably all seen that “perception versus fact” meme where there’s an assortment of pictures with captions like “what my family thinks I do,” “what my boss thinks I do,” “what I think I do” and “what I actually do.” People’s understanding of what cybersecurity professionals do often bears little resemblance to the reality of what we actually do. This can lead to a number of problems, especially in terms of job security, but there are things you can and should do to correct this.

What Do You Do?

My husband recently told me that it took him about two years to really understand what I do for a living. My parents used to say they thought I played video games for a living when my job was analyzing malware. Many of my coworkers seem to think I’m something of an internet celebrity — probably because my name shows up in public places a lot.

The picture for “what I think I do” would probably be a picture of a superhero anonymously and stealthily saving the day under the cover of darkness. My husband would also choose the “superhero” picture, so clearly my influence on him is working! The picture of “what I actually do,” which tends toward a more self-deprecating view, would probably be one of a person standing on the edge of a chasm and screaming into the void.

I get the sense that a lot of business leaders (especially those who aren’t particularly technical) picture us as wizards who read mystical signs and portents and then cast pronouncements on “correct behavior.” When requirements seem as inscrutable as superstitions, this doesn’t necessarily bode well for our continued employment, especially if misfortune befalls the company on our watch.

The reality of what most of us do is probably somewhere between “superhero” and “screaming into the void,” but if we’re performing well and managing expectations correctly, there can be more days of the former than the latter. Many of us work in areas that are not seen by most of our coworkers, and the sign of a job well done is usually nothing bad happening.

In light of this, what can we do to bring our work out of the darkness of the cubicle and into the view of the corner office?

Celebrate Your Successes

Have you deflected attacks on your network? Have you decreased the number of successful phishing attempts? Have you improved your risk assessment procedures? Managers will not necessarily know this if you don’t keep them updated.

Making time to celebrate your wins certainly creates more work for you, which can be hard when your plate is already full. Many people feel uncomfortable tooting their own horn, but for security pros in particular, this is an area that’s vitally important.

While info sec is generally considered a cost center, most organizations would struggle to stay in business without our diligent efforts. But if higher-ups don’t know how much value we bring to the company, they will continue to view the cost of securing the organization as one that should be kept to a minimum.

Keep a Diary

Many job-hunting resources suggest keeping a diary of what you do on a day-to-day basis as a way of making sure your resume is both thorough and accurate. And you don’t need to wait until the day when you decide to search for a new job to benefit from this activity. Creating and sharing a list of cybersecurity job responsibilities can be helpful in letting managers know what makes you worth the paycheck — or perhaps even a promotion.

When nobody but your peers knows what cybersecurity professionals do, it’s hard for the people in charge of budgets to know how much work it takes to keep attackers from breaching the company’s systems. While this list should naturally include successes, it should also include the more mundane cybersecurity job responsibilities that require action to maintain the status quo.

Ask Your Coworkers for Help

No security practitioner is an island. You will likely be far more effective if you make a point of having regular, productive interactions with your coworkers who operate outside the security department. Ask them to help you identify data and devices when you’re performing risk assessments; encourage them to report any suspicious files or messages they receive and any accidents that may occur. Listen to and work with them to foster an environment that enables them to do their job safely.

If people in your organization can see you not as the grump who just tells them they’re doing things wrong, but as someone who is there to support them, your interactions are more likely to be constructive, and you’ll be more likely to have vocal champions throughout the company.

Educate Your Staff

Another opportunity to improve your work outcomes and strengthen your connections within your company is to hold regular security training sessions. I should caution, though, that these sessions should be brief, relevant, actionable and positive (or perhaps even fun) so your students look forward to learning. The more you include examples or techniques that are applicable both at work and at home, the more likely your coworkers will be to attend these classes voluntarily. And the more you keep your lessons fresh in their minds by making classes a regular occurrence, the more likely your students will be to remember their lessons when they’re at their desks.

Some of the work that cybersecurity professionals do involves toiling in obscurity, but that doesn’t always have to be the case. By making sure your activities are visible to your coworkers and higher-ups, you can ensure that it remains clear how valuable your work is to the health and longevity of the business.

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today