Do you actually need to be passionate about cybersecurity?
“You have to be passionate to succeed in cybersecurity”
It’s a belief that seems almost universally accepted across our industry and an idea that has spawned a million LinkedIn posts. But does that make it true?
Don’t you need passion in every job?
You’re supposed to be passionate about every job. Or at least you will struggle to find a job advert that doesn’t list passion as a prerequisite.
I started my working life at KFC. The job description said I needed passion and I said in the interview that I had it (I was also the only person who had ever taken my GCSE certificates to the interview - thanks Mum). 14 years later, I can admit that I was not especially passionate about putting bits of dead birds in hot oil. I did like cooking chips, but it never felt like my calling in life.
I also worked in a bank, where the job description said I needed passion. I discovered no great interest in counting other people’s money. Nor did I particularly enjoy being personally blamed for the 2008 global financial crisis. Although one pleasure I’ve never been able to recreate is being separated from other people by bulletproof glass.
So after my first two jobs, I was 0-2. I did not have the required passion. But was I bad at those jobs?
No. Between late 2007 and early 2009, I was better at cooking fries than probably anyone in Scunthorpe and its surrounding villages. I also developed the morale-boosting party trick of sticking my tongue to the inside of the big freezer without injuring it, which brought great joy to my co-workers.
I was good at being a bank cashier too. I was fast and accurate at counting money and, despite having spotted several security loopholes, I never stole any money.
In my life before cybersecurity, lacking passion didn’t make me bad at my job. So is cybersecurity different somehow? And is passion actually necessary for any job, or is it just a convenient way of encouraging people to work for free?
Cybersecurity and Me
I fell into cybersecurity after University. It chose me. The KPMG Graduate Scheme at the time operated much like the Hogwarts Sorting Hat and I was thrust into a career I knew very little about.
Thus followed nine years of working in cybersecurity. And it’s been good. I’ve learnt a lot and I’ve done a lot of interesting work. I’ve done well out of cybersecurity. I get paid more than I deserve. I’ve seen more of the world than a boy from Scunthorpe could reasonably expect to see. There are even some people I’ve worked with that are still willing to speak to me.
But I can’t claim to wake up every morning and burst into song and I don’t necessarily subscribe to many of the ideas about why cybersecurity is so important. I think the vast majority of the work we do as cybersecurity professionals is intended to protect the wealth of very rich people. Many of whom are destroying the planet. Many of whom are responsible for many of society’s ills. Many of whom do not deserve for their wealth to be protected.
But people keep telling me that cybersecurity is a special calling, filled with incredibly important people doing essential work.
I’m sure those people genuinely believe that and it gives many of them a sense of purpose. Personally, I think that cybersecurity is no different to any other career and telling ourselves that we’re doing something which is so much more important than everyone else is, at best, a bit patronising, and at worst, actively deluded.
Go with me on a simple thought exercise. Imagine your entire cybersecurity team didn’t go to work for an entire week with nobody to replace you. What would happen? Not “what is the worst thing that might possibly happen if you were really unlucky”, but what would most likely happen? What would be the actual impact beyond some spreadsheets not getting filled in?
Now imagine that the people who stack the shelves in your local supermarket didn’t show up to work for an entire week with nobody to replace them.
Should we still feel so important?
Examining the role of passion in cybersecurity
Let’s remove the entirely subjective question of whether cybersecurity is as important as any of us think and focus on the role of passion in our individual careers.
The received wisdom says that you can’t be successful without passion and even that you can’t be good at your job without it. This received wisdom is generally propagated by people who want you to be impressed by how much they LOVE cybersecurity.
You can recognise those people because they say stuff like this:
“I used to hack computers when they were made out of tinfoil, wood and soil! Why isn’t everyone like me?”
“I wrote an AV programme while I was still breastfeeding. Nobody loves security as much as I do.”
“If you can’t hack the Pentagon, you will never find love or happiness.”
“There are two types of people in this industry - the people that wake up thinking about cybersecurity and the people who want the terrorists to win.”
*For the avoidance of doubt, these are exaggerated ideas that I made up. So don’t complain that I’ve copied your real LinkedIn post. But… if your real LinkedIn post can be confused with something that I made up to mock toxic passion, I’m probably not the bad guy here.*
Enough fun. Let’s examine the argument that passion is necessary to be good at your job.
Does passion help you fill in a spreadsheet?
Are your pointless meetings less pointless because you were so passionate about them?
Can passion configure a firewall? Or write a report? Or convince a developer to code securely?
Do they give out ISO 27001 certificates to the most passionate ISMS Managers?
Passion is great, but productivity, talent, skill, humility and willingness to learn are all so much more important.
My real problem with passion is that it’s so often the death of pragmatism. There’s a famous Bill Gates quote about hiring lazy people because they’ll find the easiest way to do things.
The opposite can be true of passionate people. Passion can sometimes emerge as enthusiasm and commitment. But it can also make people dogmatic, inflexible and argumentative. One of the most important skills in cybersecurity is being able to negotiate and compromise - if you’re too dogmatic about everything being perfect, guess what - you’re not good at your job.
Passion is good. But more than passion, we need people who are willing to do some work. We need people who are willing to start at zero and learn. We need people who are willing to find solutions and accept that perfect security doesn’t exist. We need people who can accept that 5% is better than 0%.
Give me a pragmatist who will make small but legitimate improvements. Keep your passion.
So what now?
I genuinely admire people who have found a deep sense of meaning in their work and I think that is something to be celebrated. But that doesn’t mean feeling like that should be a prerequisite, or that we should suggest that people are failures if they don’t feel that way.
Maybe the answer is that we need a mixture of people. We need passionate people in our industry, but we also need to accept that for a lot of people, this is just a job. And that’s okay.
Our industry - like virtually every other industry - would not survive without those people, so let’s not pretend they’re not valuable. Let’s not pretend that they can’t thrive in cybersecurity.
Let’s focus on the quality of people’s work, not how much they smile while they’re doing it.