A few days ago, Bruce Schneier actually wrote a slightly interesting piece for Fusion. I say that with surprise because most of his articles are engaging and well-written, but he rarely shares new ideas or concepts. Most of my professional circle is already very familiar with a given topic, and Schneier largely enjoys a reputation for his insight because he has a considerable following and they read about it there first. In this case, it wasn’t so much that Schneier’s piece was new information (he did quote and cite a 1989 reference on the topic that was new to me), it was that he flirted with a much more interesting topic that is somewhat aligned with his point.
In ‘Living in Code Yellow’, Schneier quotes a handgun expert who described a specific mind-set. From his article:
In 1989, handgun expert Jeff Cooper invented something called the Color Code to describe what he called the “combat mind-set.” Here is his summary:
[..]
In Yellow you bring yourself to the understanding that your life may be in danger and that you may have to do something about it.
Reading on, Schneier brings up the psychological toll that such a mindset can have, and that concept should not be new to anyone that has been in InfoSec for a few years.
Cooper talked about remaining in Code Yellow over time, but he didn’t write about its psychological toll. It’s significant. Our brains can’t be on that alert level constantly. We need downtime.
While not a new concept, this one flirts with another type of psychological toll that some in the industry are not familiar with, based on my conversations over the last year. It only took a few minutes of Twitter discussion for others to recognize the same thing. While the point I want to bring up is similar to a degree, I want to stress that it is also significantly different based on profession. I am not comparing InfoSec people to the people that typically face this condition. That said, quoting Wikipedia’s entry on ‘Compassion Fatigue’:
Compassion fatigue, also known as secondary traumatic stress (STS), is a condition characterized by a gradual lessening of compassion over time. It is common among individuals that work directly with trauma victims such as, therapists (paid and unpaid) nurses, psychologists, first responders, health unit coordinators and anyone who helps out others.
This is another important aspect for some InfoSec professionals, but clearly not all (or most?) of them. Personally, I feel this is a condition that can manifest in people who truly care about their work, and as the article says, people who “help out others”. Many in our industry technically help, to some degree, but are driven by profit and fame. I do not think they suffer from, or will ever suffer from such a condition. On the other hand, there are certainly many InfoSec professionals who strive to help their clients, the public, and anyone they can. Money is a nice perk, but they are likely the ones that would do it even if it meant a paltry salary. Unfortunately, I think that many of them are newer to the industry as it speaks directly to compassion fatigue and the effects it can have on an individual. From Wikipedia again:
Sufferers can exhibit several symptoms including hopelessness, a decrease in experiences of pleasure, constant stress and anxiety, sleeplessness or nightmares, and a pervasive negative attitude. This can have detrimental effects on individuals, both professionally and personally, including a decrease in productivity, the inability to focus, and the development of new feelings of incompetency and self-doubt.
First, I don’t think our industry suffers from the last detrimental effect. It is brimming with egotistical idiots that never have those feelings, even if they should. Second, while I doubt anyone in our industry will suffer nightmares, the rest can and likely hold true to varying degrees. More specifically, hopelessness and a negative attitude. I will be the first to admit that I fall into this category when it comes to InfoSec. I have a serious level of apathy and disillusionment with the effectiveness of our industry. I have several draft blog posts on this topic and may finish one some day. All of the evidence is right there, showing we fail over and over in the bigger picture. Those who argue otherwise are idealists or new to the industry. Either they haven’t seen the evidence, or they refuse to believe it. It is easy to miss when you live the life. But there is a steady level of ‘systematic desensitization’ as @VRHax calls it, and that is spot on. For anecdotal comparison, think back to the frog in boiling water story, even if not true. It happens to us all, even if we aren’t fully cognizant of it.
While compassion fatigue can have a much more serious toll on some of the professions listed above, I believe that it likely has an interesting way to manifest for our industry. Rather than lose the desire to help, or feel it is hopeless, I think that it slowly wears down an individual in a different way. They lose that desire to help out of a truly noble cause, and inch toward doing it only for the salary and lifestyle that many of us enjoy. As such, they become hopeless as far as original intent, don’t enjoy their work as much, develop a base level of stress, and grow an increasingly negative attitude, yet do it because it pays well.
Unfortunately, when you join the industry, you aren’t warned about this to any degree.
If you volunteer at an animal rescue / rehabilitation shop, you are likely to be warned of this during your orientation on day one. And for good reason! When you spend your time trying to help a sick or wounded animal, do everything in your power to help it, and it doesn’t make it… it is devastating. That warning is what prompted me to read more on the topic originally, and it took Schneier’s blog to make me realize just how true it was in our industry, one that largely helps out of selfish gain rather than altruistic desire. So I am grateful for his blog missing the mark as usual, but doing so in a way that prompted this blog and discussion.
Is there a solution to this, for InfoSec professionals? Not that I can figure out. Many that see the problem still operate under this assumption that we can magically fix things, if only we could figure it out! They rarely give merit to the possibility we are in an untenable position and there is no way to win. Perhaps they should watch Star Trek again and consider the value of the Kobayashi Maru challenge. In the meantime, I will offer you a simple but slightly twisted way to help deal with compassion fatigue in our industry: by going outside of it. Dare to face it in another world while you help others unrelated to technology. I’ve found great reward in doing it every week, even if I may ultimately face the same problem.
One response to “Compassion Fatigue in an industry largely devoid of compassion.”
Sorry about the late response but I am guessing you will understand. This is an excellent post, IMHO. I think your own cynicism still creeps in when you say things like, “…I don’t think our industry suffers from the last detrimental effect. It is brimming with egotistical idiots that never have those feelings” referring to “new feelings of incompetency and self-doubt.” Although I agree with the egotistical idiots comment, I do not believe that precludes that those individuals may still suffer from “new feelings of incompetence and self-doubt.” In fact, such egotism may be a defense mechanism when those individuals subconsciously understand that they lack the creative adaptability to actually *do something* about the chronic lack of value-add within corporate InfoSec teams. Again, IMHO (OK probably not so humble, but…) what you describe could be called “vigilance fatigue” and I believe is actually rampant in our profession and in other disciplines that have adopted the “war metaphor” for their professional lives. In InfoSec, we probably are “at war.” Although you can always start an argument with such a comment when others have a much different view of what they imagine “war” must be, the fact is that most of us have woefully inadequate controls and processes in place, feel attacked every day, worry that we may already be “pwned” and not know it, and have no hope of the budget or help to overcome any of this, but expect to be held personally accountable if the worst happens. I do not have an antidote for this but believe that acknowledging it is probably necessary for healing. To use an extreme analogy, in Viktor Frankl’s “Man’s Search for Meaning” is described the author’s experience as a boy in the Nazi Concentration Camps and afterward as a Holocaust Survivor.
Frankl basically taught himself to survive by adopting what today would be called a “positive mental attitude.” I am paraphrasing the author’s profound insights and I am by no means comparing today’s InfoSec to being in a concentration camp, but if we really are under constant attack and a typical career is 40 years in length, then some effort to reframe how we view each day will probably become necessary. If Frankl can do it, we should be able to as well?