Ron W posted a comment to one of Andy's blog posts that gets to the reality of being an information security officer so well that it deserves its own post. Here it is:



Often, we in Security need to deal with:

C - Criticism

R - Rejection

A - A$$h0l3s

P - Pressure



The keys are perseverance, attitude, and the realization that you're not alone.

Criticism is the cornerstone of progress, as long as it is delivered in a constructive fashion. I am a firm believer in peer review and stakeholder buy-in.

Rejection is something that happens everywhere, but it is also not always a bad thing. Our role as information security officers is to point out risks to business owners and leave the final decision up to them. If they disagree with our recommendations, we can start looking to reduce the risk somewhere else in our organization and mitigate the exposure some other way.

A$$h0l3s are everywhere.

Pressure is a good tool, but it must be used very, very cautiously. Once pressure is applied, it is very hard to let go without losing control.

Realizing you're not alone is paramount. Information security is an extremely young discipline, and as a result, we must always be reaching out to our peers to learn from them. Visit conferences, local chapter meetings, training, etc. Although it may momentarily distract you from your "real work", it will pay off down the road when you can just pick up a phone and call a colleague to ask for advice.