Have you ever done something that you were completely unprepared for?

A few years back I was working in an IT department and I was asked to move a SQL database from one server to another. This SQL database was for a gift card system (it was all custom code). I knew some DB stuff (I was a Sharepoint admin) but it definitely wasn’t my forte. My boss said it wasn’t that hard, just run a full backup the day before, bring the system down, then an incremental, do a restore, blah blah blah it would go fine.

Narrator voice: it would not go fine.

I started around 10:00 PM (I had to go into the office to do this, which was an forty minute drive from my home, so I actually just stayed at work after working a full day), did the backup. Moved the data. Did the restore. Ran some setup stuff and eventually tested the card and, miracle of miracles, it worked! At this point it was about ten o’clock the next morning. So I went home, ate some lunch and took a shower. As I was getting out of the shower I got a call. Something was wrong and I needed to come back in and fix it. I glanced longingly at my bed, then got in my car and drove back to the office. I spent the entire drive wondering what I’d done wrong. My boss had used the word “catastrophe” on the phone. I had a lead weight in my stomach and the longer I drove the heavier it got. By the time I pulled into the parking lot I was convinced I was going to get fired.

I got in and my boss let me know we’d lost a day or two worth of transactions and now a bunch of gift cards that had been filled were empty, and a bunch that had been emptied had all their money back. I needed to fix it or someone would get fired. I got to work.

Transactions had been going on since I brought it back up so I couldn’t just restore from backup again — that would overwrite all the new data and lose ANOTHER day of data. I had to find a way to manually move all the data from the old server (still there, just powered off) to the new one. I had to write a script to do this that, for a SQL expert, would’ve been a cinch. But I’d never written a single line.

I was not confident. I worked on it until 8:00 PM and then everyone else went home except one coworker (Dave, and I have been grateful to him forever for just sticking around with me even though it wasn’t his mess to clean up. If you read this, Dave, thank you). Eventually we figured it out, got the tables merged and restored all the data. By the time we finished it was the next morning, everyone was back in the office and I finally went home and slept after working almost 48 hours straight.

All IT is stressful

Almost any position in IT is stressful to some degree because businesses rely on IT. A helpdesk person who inputs the wrong command can temporarily bring down an organization. An engineer can do a lot more damage. A developer can insert mistakes into code that make everyone’s day terrible.

(I managed a development team once and our primary project was a website for a theatre. After a major redesign we were patting ourselves on the back right up until we got a call from the theatre that people were coming in to watch movies and there were already people in their seats. Somehow we’d set it up to allow selling one seat multiple times, and it was causing chaos. Luckily the fix was fairly quick)

But there is one common thread between all these roles. Generally it’s doing stuff that causes issues. It’s very stressful to know that if you make a wrong move you can cause problems, but at least you’re aware of it and you’re very, very careful.

What about Cybersecurity?

But Cybersecurity isn’t like that. Cybersecurity is actually more like management, because it’s the actions of other people that can cause problems. Even if you, as a cybersecurity analyst or engineer or whatever, do everything right there can still be problems caused by a user clicking the wrong link, or a partner getting hacked, or a library that a developer is using getting compromised.

Remember that lead weight in the pit of my stomach I mentioned in the story above, where I was worried I was going to get fired? When I first started working in cybersecurity I basically felt that all the time. I felt exposed — like I was doing the best I could, but something could still happen that I had no control over and someone would call me up and say it was a catastrophe, and that they needed me to come back into the office so they could talk to me, and before I knew it I’d be walking to my car with a cardboard box full of all my stuff.

Now, I have some good news and bad news. The good news: that feeling has definitely decreased the longer I’ve done this, and I’ll talk about why next. But the bad news is that it never goes away completely. There is always this awareness that there are people out there trying to hack your organization 24/7, and I’m always wondering if I should be doing something more. It’s kind of like leaving your house and wondering if you left the burner on — you’re pretty sure you didn’t but maybe you did and, if you did … hoo boy. Probably nothing bad will happen but if something bad did happen it could be really bad.

How to decrease the stress

These are things that worked for me, and I know everyone is different, but maybe this will be helpful to some people. So here’s a few things that help me lighten that lead weight.

1. Do stuff that reduces stress — a lot of that stress is a fight for flight response, and if I get out and do something physical, or even just play some drums for a while, I’ll generally feel better. This isn’t cybersecurity specific. Every job has stress, and you should find the ways you best manage it and then do those things.
2. Never stop building your skills — there is lots of demand for cybersecurity staff, and it’s kind of comforting to know that, should something happen and I end up losing my job, as long as I’ve continued building my skills I could find another one. If you’re in one job and you let your certifications lapse or your skills atrophy you might feel trapped — like that job is all you have. That just compounds the stress and makes the potential to lose that job more terrifying, so avoid that. Never stop building your skills.
3. Do your absolute best work — This may seem obvious, but I’ve found it really helps me. When I work, I work. I focus and plan and research and build my skills and do the very best that I can. My goal is to ask myself, on the way home everyday “Could I have done something more today?” and always answer with “No, I did everything I could.” Knowing that, I can put work mostly out of my mind until the next day.
4. Engage with the cybersecurity community — everyone I’ve communicated with on linkedin or at conferences or just via text occasionally in the cybersecurity community is supportive and helpful. Your peers understand your stress more than anyone. They can give you more tips, they can be a listening ear, or they can help you know that what you’re doing IS your best work and that you shouldn’t expect to be doing a bunch more.

These seem astonishingly simple having written them out, but they’ve been helpful for me. Maybe they’ll be helpful for someone else.

If you’re thinking about getting into cybersecurity, though, you should go in with your eyes open. It’s stressful. I’d say more stressful than many other branches of IT — so maybe start with helpdesk or system administration and then see how you feel.

And if you are in cybersecurity make sure you manage your stress. As Greg McKeown put it: protect the asset. Yourself.