The hardest problem in cybersecurity isn't technical

The security mindset, existentialism, and cybersecurity despair

Cybersecurity is a deeply technical field, and anyone working as a cybersecurity professional has already gone far down multiple rabbit holes acquiring expertise. It is easy, therefore, to think that cybersecurity is a purely technical, or even primarily technical, discipline. Based on twenty years of experience, I would argue instead that the hardest problem in cybersecurity is not technical at all.

It is easy to acquire technical skills. You do the work and you learn the thing. Maybe it's incorrect to assume that everyone is like this—I suppose many are not—but I certainly am. Apply brain to problem: solve it: learn it. Keep going.

But no matter how much technical skill I acquire, I am still confronted by what I'll call "cybersecurity despair," a feeling of hopelessness caused by 1) uncertainty of known unknowns and 2) social failure to understand and appreciate the seriousness of cybersecurity issues.

Do not confuse this with the security mindset. The security mindset is the knack, which can be cultivated but is largely something you either have or you don't, that makes it easy for you to see the world from an attacker's perspective. To people without the security mindset, the internet looks like a solid construction built on concrete. To someone with the security mindset, you see holes, flaws, bugs, loopholes everywhere.

So the security mindset is the prerequisite to even have the problem I'm talking about. If you don't see the security problems, and lack the technical understanding of how systems work, then how can you suffer anxiety, dread, and hopelessness about the terrible state of information security today?

Security professionals suffer a much higher degree of alcoholism, drug addiction, and burnout compared to other roles in IT. For instance, compared to developers, I think you'd find the stress levels of security professionals to be significantly higher.

It's really easy to measure a developer's work, both as an employer and as a developer themselves. Did you build it? Did it work? Job well done. Congrats. Have some equity.

But security professionals lack meaningful KPIs because measuring and quantifying cybersecurity risk is a mostly unsolved problem in computer science. As a result, we are in pain as a profession, and we aren't talking about it. Maybe it's time we do so.

I'd like to hear about your experiences. Has your experience been similar to mine? Let me know in the Substack comments below, or on Twitter.