IT and Security are both high-growth industries. It’s easy to understand that times change, technologies change, and vendors change. It inevitable, and a certain degree of change is always expected. As IT and Security professionals, we expect that continuous education is just part of the job. But how much is too much? How do you avoid burnout? Or better still, how do you avoid the feeling that you’ll never catch up?
Let’s talk about it…
The motivation for this post comes from my personal conversations with hundreds of IT and Security students, professionals, and teachers over the years. Most of these intelligent and well-meaning individuals express the same concerns: No matter how much they learn, they always seem to be behind and missing something. In some cases, it’s a matter of personal emotions, but in other cases, people are actively looking for other careers because they’re just not able to keep up and the stress has finally mounted too high.
I’ve not only felt all of this personally, I’ve also been in the position to mentor a lot of colleagues that have felt the same over the years. In all this, I’ve found three areas of very real concern that I’d like to highlight:
- Misalignment in expectations (for leaders)
- Lack of fundamental education (for workers)
- Not prioritizing your life (for everyone)
I want to touch on each of these here with real examples from real people. Each of these stories has a personal meaning to me, because I’ve lived them myself and heard them over and again from others.
Misalignment in Expectations
Nothing causes more stress in people’s lives than a misalignment of expectations. Think about any argument or fight you’ve ever had in your life. If you really think about it deeply, you’ll realize that the core underlying premise of that fight was that you expected something of someone else, and they didn’t see it the same way. Most often, in the case of relationships and work, these expectations aren’t just unmet, they’re actually unknown!
How many times have you been in an argument only to find out the person you’re arguing with has been holding on to issues and not telling you about them? Or, how about the time when your boss got upset because you didn’t complete a project on time, but you had no idea what the deadline was or no actual requirements to work off of?
We see these issues all the time in the modern workforce. In the case of IT and Security, this can manifest itself in very unproductive and maddening ways.
I was mentoring an early-career student who was working for a Managed Service Provider – We’ll call him Joe. Joe was a member of the IT services helpdesk at his company and had all the usual helpdesk woes: angry calls, repeatedly telling users to reboot, and being accountable for customers problems. His day consisted mostly of logging into people computers and remotely and fixing issues that, frankly, either weren’t real issues or were usually caused by someone not reading directions. (If you’ve been on a helpdesk, you understand).
Joe was a “go-getter” as they say. He was always trying to do more and build his career. After a lot of persistence, Joe’s supervisor approved him to do some light systems administration work. But this is where the problems began. Even though he was doing valuable work for his company, he would get in trouble for not “being on the helpdesk.” It got so bad, that at one point, Joe was “written up” at the same time he was doing work for one of the company founders.
Joe and his supervisor never communicated their shared expectations. Personally, I blame his supervisor, but having worked on many helpdesks myself, I’m admittedly biased. The reality is that communication goes both ways. Just imagine what one, simple conversation around reducing helpdesk hours could have avoided? Instead, Joe quit and went on to work at a competitor, where he’s now a security manager.
Take 5 minutes to have a conversation before you commit – that goes for all employees and managers. While this ended up working out well for Joe, think about all the opportunities he and his company missed out on because they simply did not have a conversation about expectations.
Lack of Fundamental Education
This is a big one, and like most things that are good for us – tough to swallow…
Over the last decade, there has been a big push towards bootcamps and trade schools for IT and Security. On the surface, there’s really nothing wrong with these methods, but they have one overarching limitation: They won’t make you an expert in your craft nor will they make you an engineer. You will certainly learn how to complete tasks, but you rarely learn why those tasks exist in the first place.
Now, it’s easy to say that these kinds of courses teach you the fundamentals and your first jobs will teach you the real-world, but is that actually true? Do they actually teach you the fundamentals? I’d argue no – they do not (and I’d also argue that most employers don’t commit to teaching, either)
This problem has extended to more traditional educational environments, too. As schools have had to tighten budgets and compete for students even more, they’re start going down the path of national accreditations so they can be an “academic center of excellence for…[insert name here].” The problem here, just like the boot camps and trade schools, is that the emphasis once again turns to completing tasks, not understanding WHY a task needs to be completed.
The Network Administrator
Robert is a network administrator for a healthcare technology firm. He had a Bachelors in IT, about 5 years of experience, and a couple certifications under his belt. In working with him, I noticed his continual frustration with the work I was doing (security consulting) and – one day – he finally exploded. He was incredibly frustrated that a consultant was coming in and telling him that he should be using new technologies that he wasn’t familiar with.
I remember it clearly – “I just got this network the way it should be, and now I have to rip it all out and redo all the VPNs!” I wasn’t really sure how to react, because frankly, I was there to help Robert get more budget and make his life easier! After he cooled off a little, I had the chance to dig into the problem a little deeper…
It turns out that Robert had spent the last 6 months getting his corporate VPNs to talk to one-another properly and had just managed to get it to work. After some gentle prodding, I came to realize that Robert didn’t actually understand how VPNs work – although he DID know how to make two Sophos UTMs connect. To make matters worse, he didn’t really fully grasp core networking technologies like how routing and even DNS works.
No one spends the time to learn specifically how to deploy all networking hardware from every vendor – but if you know the fundamentals (like VPNs), you realize that they ALL work the same.
Robert had a great job dropped on him and he decided to just “make it happen.” His thin understanding of networking, something he could have remediated with a couple online courses, was what was ultimately holding him back. He finally got to the point where it was all too much and now feels like he can never catch up.
There’s a lot here, and I’m trying not to sound like an old man just ranting. Here’s the tough part – you have to invest your time into learning NOT just the technology in front of you, but also how it works. It doesn’t mean you know everything, but what it DOES mean is that you understand how all these technologies work together and where to find help when you need it. If your solution to an error message is to google it and start typing stuff into the console that StackOverflow tells you, you need to take some time to learn.
Not Prioritizing your Life
Life is more than your 9 to 5 job. Most of us got into IT or Security because we enjoy the technology and the challenges of security. For me personally, this is my career AND my hobby. When I’m not busy working, I’m usually busy thinking about the next cool IT or Security thing I can play with or setting up some new open source software in my home-lab. But that may not be what your passion is, and that’s okay!
Several years ago, I was consulting for a Fortune manufacturing company. Their Security Architect, “Jeff”, was one of those people who is always frustrated and angry about his company and the world around him. Jeff was, while a miserable person to be around, a super-hero. He was incredibly smart, both IT and Security, and was the glue holding a lot of things together.
One Thursday afternoon, Jeff and I were sitting in a meeting with a number of mid-level executives discussing how we could implement and roll-out a new project. This was one of those tense discussions where half of the people in the room we’re going to have to change their processes if we moved forward with the project. The meeting went on as usual, until someone very strongly voiced opposition to the plan. Jeff took that opportunity to berate this person and try make him look stupid in front of his peers. He didn’t realize he was talking to a very highly-regarded VP.
I never saw Jeff again after that day…
What happened? It turns out, this was something that had been getting worse over the years. I had lengthy discussions with his manager after that and found out that in the last 3 years Jeff worked at the company, he didn’t take a single day of PTO, worked most holidays, never asked for help, and worked even when he was sick. He made his job his identity and any challenge to his job became personal. Our meeting had ended at 3PM and Jeff had been fired at 3:30 that same day.
Remember that your job is something you do, not something you are. If you don’t take time to step away and care for yourself, it could ultimately cost you everything. The things you do in your job can also be your hobby, but they’re not the same thing.
I’ve written and re-written this post at least a dozen times over the past 3 months wondering if I should really share all of this or if it will just sound like an old man shaking his fist. Unfortunately, these problems are still pervasive and growing.
There is no single answer, here. Not taking time to learn, set expectations, and take care of yourself is a recipe for burnout and disaster.