Incident Response Plans for our Careers?

At the recent “Security Summer Camp” in Vegas I got to chatting with a guy who was employed as an intermediate-level security analyst. As we discussed our backgrounds he reluctantly disclosed that he had been a former Info Sec executive. Doing my best to not pry I hinted about why an Exec chose to be an analyst fully expecting to hear that he missed having a technical role, something I struggle with frequently.

His story, however, had nothing to do with a need to return to the trenches. He had been responsible for security at a company that had a semi-famous breach. As he explained it, once his name had been tarnished by the breach he could not find anyone to take a chance on him. He referred to himself as “damaged goods.”

In a sad piece of short-sighted irony, after talking to him I can tell you there is no one who has thought more about breach prevention than he has. His dwelling on the incident in the months that followed gave him a remarkable insight that any organization with digital assets to protect could benefit from.

After we parted and went our separate ways it occurred to me that while we work hard to create incident response plans for our organizations we do little about an IR plan for our career should an incident leave our names tarnished.

While a termination may not necessarily constitute an incident, the weeks following this person’s termination clearly met the criteria. His initial assessment of the damage to his career was dire. He was losing LinkedIn contacts daily and his calls to his peers were not being returned. He had never planned for such an event and the incident and termination left him too beaten down to take much action. In essence, he had failed to have an incident response plan for his career.

Feeling isolated and shunned, he wanted to reach out to key contacts. However, with the intensity of building his career he failed to form friendships within the profession and had certainly never discussed this type of situation with any colleagues. In essence, he had failed to create his incident response team.

The interaction left me wondering: in Info Sec are we too quick to label someone as damaged goods once their organization has been breached? While we put plans in place to respond to reputational damage to our organizations, do we also need plans for our own reputations? In this post-Google world should we think of ourselves more as brands than as a workforce pool?

The story you have just read is mostly true. Some details were changed to protect the innocent.

Being in Cyber Security is a lot like being a goalie in soccer: no one remembers all of the attacks you blocked, but they never forget the one you missed.