It’s not always fun, but it’s not always bad, either. I’ll discuss how security mirrors many familiar parts of our lives, including life itself.
Dr. John H. Watson: Well, how... how does the, uh, the thing work?
Sherlock Holmes: Electricity. The high priest of false security.
Sherlock Holmes and The Pearl of Death, Universal Pictures, 1944.
One evening a few years ago, I was perusing the pulpiest dime store classic Rethinking Risk: How Companies Sabotage Themselves And What They Must Do Differently by Joseph Koletar. If my wife only knew what I was getting into on the internet, right? In a chapter on why risk management efforts fail there are a couple of takeaways in the section about unaddressed risk. #1 is pretty obvious, “If a control or risk problem is not dealt with in a timely manner, it almost never gets better, and it often gets worse.”
Time and time again we see this in politics, business, disaster preparedness, not laying out school clothes before bedtime, et al. However, it was the second one that jumped off the page. “If you ever encounter a spreadsheet used to move data between two automated systems that do not mesh, you may be in for some bad news.” Whoa! How many of you in either finance, audit, HR, or security see this commonly?
It’s frightening the number of clients I’ve worked with that have this sort of arrangement. What makes it worse is when the organization purchases a software tool to “fix” this issue without giving any thought to the business process itself or the challenges posed by implementing the alleged cure-all solution.

Usually the solution comes with a giant price tag or an even bigger cost in a maintenance contract added on, hiring a third party contractor to work on it, or pulling valuable staff off of the critical duties you pay them for so they can handle the daily care and feeding of the “cure-all fix”. I have seen organizations do all three, only to go back to spreadsheets because “at least that worked”.
I tell my grad students to run far away from these kinds of things. An organization that will not change is in for bad news; it’s just a matter of time. I’ve turned this into an easy to remember phrase: “Always be aware of the challenges the solutions present.”
In the security world things are rarely ever good, but they can suck less. Whether it’s the thrill of solving problems, protecting people and systems, constant opportunities for learning, a tangible positive impact on society, or community and collaboration, there is value and fulfilment in achieving these things.
The first thing you learn is that security is simply too big, with too many domains, for one person to master; it takes a team: some specialists, some generalists. Some are major collaborators who work well in groups, and still others are lone wolves. The special thing about lone wolves is they are solid contributors if you assign them something they’re good at, give them the resources they need, and get out of their way. Like Han Solo, they’ll be there at the most critical moment.
The infosec landscape is a wild, ever-shifting jungle—new threats sprout like weeds, and the tools to fight them evolve just as fast. One day you’re diving into the guts of a quantum-resistant encryption algorithm; the next, you’re dissecting a slick phishing campaign that mimics a CEO’s email down to the typos. Every challenge is a chance to flex your brain, conquer the unknown, and emerge sharper. It’s a relentless, exhilarating ride that keeps you hooked on the next breakthrough.
