Giraffes, Ostriches and Six Mental Health Survival Skills for New Cyber Security Managers

Giraffes can’t talk, but if they could, they’d tell you they were tired. Really tired. You see, giraffes are so consumed with being on the lookout for predators that they have evolved to sleep for only a few seconds at a time. They have to continually wake up and look for predators, thus missing out on some of their basic requirements.

Ostriches, I suspect, are much happier. They live in an abyss of ignorance where, at the first sign of a predator, they can put their heads in the sand and have nothing to worry about.

As a Security manager, you don’t really have the luxury of being an ostrich. We are continually bombarded with an unpredictable number of audit findings, intrusion detection alerts and vulnerabilities that have to be addressed within a set budget and headcount. The challenge is that finding will always happen at a faster rate than fixing, giving you a never-ending list of top priorities. This pushing the rock up the hill can lead to job stress and burn-out.

Over the years I have developed some giraffe survival skills that I’d like to pass along to you folks new to security management:

  1. Know your risks. If you don’t have a deep understanding of your organization’s risks, you will never be able to properly prioritize your work, and everything will become your #1 priority.
  1. Don’t get distracted by low hanging fruit. A quick fix often feels like a quick win. But if you continually focus on low-value activities you’ll never tackle the important stuff and never actually make progress. I know, this runs counter to every self-help book ever written.
  1. Embrace the messenger. As hard as it is some days to have one more issue come across your desk, when people stop coming to you, you’ve lost the battle.
  1. Network with other Security people. No matter how well you work with the rest of your non-security colleagues they’ll never understand what it’s like to know what you know and carry the responsibility.
  1. Work where you’re wanted. I don’t care how good you are, you won’t be successful implementing security at an organization that doesn’t want security.
  1. Have realistic expectations. Know up front you can’t fix everything, and what you can fix takes a long time.

(Cross posted to