October 14, 2019 | By Lysa Myers

We’ve probably all seen that “perception versus fact” meme where there’s an assortment of pictures with captions like “what my family thinks I do,” “what my boss thinks I do,” “what I think I do” and “what I actually do.” People’s understanding of what cybersecurity professionals do often bears little resemblance to the reality of what we actually do. This can lead to a number of problems, especially in terms of job security, but there are things you can and should do to correct this.

What Do You Do?

My husband recently told me that it took him about two years to really understand what I do for a living. My parents used to say they thought I played video games for a living when my job was analyzing malware. Many of my coworkers seem to think I’m something of an internet celebrity — probably because my name shows up in public places a lot.

The picture for “what I think I do” would probably be a picture of a superhero anonymously and stealthily saving the day under the cover of darkness. My husband would also choose the “superhero” picture, so clearly my influence on him is working! The picture of “what I actually do,” which tends toward a more self-deprecating view, would probably be one of a person standing on the edge of a chasm and screaming into the void.

I get the sense that a lot of business leaders (especially those who aren’t particularly technical) picture us as wizards who read mystical signs and portents and then cast pronouncements on “correct behavior.” When requirements seem as inscrutable as superstitions, this doesn’t necessarily bode well for our continued employment, especially if misfortune befalls the company on our watch.

The reality of what most of us do is probably somewhere between “superhero” and “screaming into the void,” but if we’re performing well and managing expectations correctly, there can be more days of the former than the latter. Many of us work in areas that are not seen by most of our coworkers, and the sign of a job well done is usually nothing bad happening.

In light of this, what can we do to bring our work out of the darkness of the cubicle and into the view of the corner office?

Celebrate Your Successes

Have you deflected attacks on your network? Have you decreased the number of successful phishing attempts? Have you improved your risk assessment procedures? Managers will not necessarily know this if you don’t keep them updated.

Making time to celebrate your wins certainly creates more work for you, which can be hard when your plate is already full. Many people feel uncomfortable tooting their own horn, but for security pros in particular, this is an area that’s vitally important.

While infosec is generally considered a cost center, most organizations would struggle to stay in business without our diligent efforts. But if higher-ups don’t know how much value we bring to the company, they will continue to view the cost of securing the organization as one that should be kept to a minimum.

Keep a Diary

Many job-hunting resources suggest keeping a diary of what you do on a day-to-day basis as a way of making sure your resume is both thorough and accurate. And you don’t need to wait until the day when you decide to search for a new job to benefit from this activity. Creating and sharing a list of cybersecurity job responsibilities can be helpful in letting managers know what makes you worth the paycheck — or perhaps even a promotion.

When nobody but your peers knows what cybersecurity professionals do, it’s hard for the people in charge of budgets to know how much work it takes to keep attackers from breaching the company’s systems. While this list should naturally include successes, it should also include the more mundane cybersecurity job responsibilities that require action to maintain the status quo.

Ask Your Coworkers for Help

No security practitioner is an island. You will likely be far more effective if you make a point of having regular, productive interactions with your coworkers who operate outside the security department. Ask them to help you identify data and devices when you’re performing risk assessments; encourage them to report any suspicious files or messages they receive and any accidents that may occur. Listen to and work with them to foster an environment that enables them to do their job safely.

If people in your organization can see you not as the grump who just tells them they’re doing things wrong, but as someone who is there to support them, your interactions are more likely to be constructive, and you’ll be more likely to have vocal champions throughout the company.

Educate Your Staff

Another opportunity to improve your work outcomes and strengthen your connections within your company is to hold regular security training sessions. I should caution, though, that these sessions should be brief, relevant, actionable and positive (or perhaps even fun) so your students look forward to learning. The more you include examples or techniques that are applicable both at work and at home, the more likely your coworkers will be to attend these classes voluntarily. And the more you keep your lessons fresh in their minds by making classes a regular occurrence, the more likely your students will be to remember their lessons when they’re at their desks.

Some of the work that cybersecurity professionals do involves toiling in obscurity, but that doesn’t always have to be the case. By making sure your activities are visible to your coworkers and higher-ups, you can ensure that it remains clear how valuable your work is to the health and longevity of the business.
