Advanced persistent stress: Why security pros need rituals

The security community is well aware of the term advanced persistent threat, or continuous hacking attempts. My new term for what silently haunts security teams, advanced persistent stress, refers to the human beings who must manage the internal stress of being under constant cyber attack, including advanced persistent threats.

For information security professionals, the issue has been somewhat taboo. Security pros must exercise unheard of levels of confidentiality, manage legal holds, or deal with the scourge that is the Internet. At the same time, looking to fill the talent gaps—the cybersecurity shortage in 2018 is at an all-time high at 51%—security pros put on a smile and explain how amazing being a security professional is.  

Recently I have found myself saying that the career can be extremely rewarding, but depending on the focus of information security you practice, it can carry a major downside of having an always-on mentality, because you have no opportunity to call the hackers of the world and ask for a long weekend. It’s not impossible to staff a reasonably well-managed function, but many organizations are still working through the challenges of rightsizing their security functions.

These personal rituals can help you deal with advanced persistent stress.

State of Security Operations 2018

Get continuously aware

Fundamentally when a new zero-day or CVE drops, it is your role to be continuously aware and, having effectively analyzed the organization's risks, to be able to handle the various levels of conversation along these lines:

“Are we vulnerable?”

“How secure are we?”

 “How do we look compared to our peers?”

Then, when there is a truly impactful vulnerability, you must develop rapidly evolving remediation plans—you can reflect on Spectre/Meltdown, WannaCry for recency. I personally reflect back to the famous attack Heartbleed and how much of a game-changer it was when a security researcher established a logo, admittedly a really slick logo. There are countless vulnerabilities and the rate at which we must deal with them shows no signs of slowing down, as I recently wrote about.

At the end of the day, information security professionals must carry a significant amount of residual weight when handling multiple security incidents, massive backlogs of vulnerabilities, or the harsh realities of handling enterprise risk registers.

Understand the struggle

The commonly asked questions “What keeps you up at night?” and “What is the first thing that you think about when you get up?” miss the mark; the extreme burdens of stress that are frustrating infosec professionals warrant asking the question “What makes you wake up in the middle of the night?”

Many security professionals take their roles with extreme pride, which can lead to many unstoppable thought cycles that persistently go through threat modeling analysis or risk measurements to calculate the organizational risk tolerance. The challenge is finding the mechanism to stop, but we have all probably experienced that stressful thought of: 

“Did I do enough? Did I uncover every vulnerability that a threat could exploit, and summarize the risk effectively?”

Unfortunately, dealing with advanced persistent stress isn’t a simple three-step process. It is something that you need to refactor individually to understand what you need to achieve balance based on your personal situation.  

What I can offer is the concept of personal rituals to deal with high-risk scenarios; specifically, I offer my own personal approach and that of a professional colleague whom I hold with the utmost respect, Tony Martin-Vegue. Tony is an information security risk professional who spent many years within the financial services space, managing various risk programs and enterprise risk metrics. 

Tony's ritual is simple, but for him very effective: meditation, reflection, and pausing to have a moment of clarity. He stated:  

“I find time to meditate. It doesn’t matter where I am doing or how hectic things get, I find the time each day to pause and meditate. If the situation calls for it, I will meditate in my closet.”

Find your reset button

In my case, it has not been a single answer but several commingled efforts that allow me to achieve balance and pay respect to my needs: three martial arts (Muay Thai, kickboxing, and boxing) sessions a week, one yoga session a week, two photography or media projects a month, and really good coffee. For my personality, the balance with security work is more mental, and I find a great amount of relief in physical exertion.

Beyond that, being a student and teacher of martial arts allows different areas of my brain to be tapped and lets me laser-focus my energy on something outside of my job. As I have relocated for various roles within organizations, I have also had to adapt my approach, although this has been the formula for varying levels of success.

The formula for me is about fine-tuning things I am great at, while I find appreciation in learning and trying new things—nothing brings me greater joy in the mastery of a subject than having the opportunity to share that with new friends, and more recently with friends in my profession.

"Nothing brings me greater joy in the mastery of a subject and having the opportunity to share." 

The term advanced persistent stress transcends information security professionals, but I find that many stresses can weigh on those of us who deal with threats, incidents, and legal cases, and we need to find our personal rituals to manage them effectively.

Topics: Security