Would you perform your job if you weren’t paid? That’s the question people are often asked to measure their passion for a profession. But, it’s not that simple.
Go one step further and really consider that statement. It’s not asking you if you would work for nothing, it’s asking you if you would pay to work in your job. By choosing to work without compensation you are incurring a direct cost for equipment, commuting expenses, education, and more. You’re also incurring an indirect expense because the time spent working prevents you from earning a salary elsewhere.
So, would you pay to work in information security? You probably wouldn’t. Does that mean you aren’t passionate about infosec? I would wager that most practitioners are not. You would pay to garden, play soccer, barbecue, or play the guitar…but you wouldn’t take a financial loss to install patches, look at packets, and change firewall rules.
But, if that’s the case then why does our industry seem to revolve around passion? Nearly every blog post you read about hiring or job-seeking discusses the importance of passion and often provides advice for how to demonstrate it. Some advice goes so far as to highlight passion as the most important characteristic you can exhibit. Infosec is described less as a job and more as a lifestyle. This sounds a lot less like job advice and more like recruitment for a cult.
In this post, I’m going to talk about passion, myths commonly associated with it, and how the cult of passion harms the practice of information security.
Passion as a Currency
Passion is commonly equated with extreme motivation surrounding a specific topic. In its simplest form passion manifests through hard work and time spent. These are both traits that are viewed admirably, especially in the US. Working from sunrise to sunset harkens back to memories of farmers earning an honest living while providing food for the masses, or to middle-class factory workers going the extra mile to provide for their families. These images are pervasive and are the backbone of society.
Of course, hard work isn’t truly a measure of passion. The farmer isn’t always passionate about farming. He’s passionate about providing a living for his family. The factory worker doesn’t love stamping car frames for 12 hours a day, but it enables the things he or she is truly passionate about.
In truth, passion isn’t reliably measurable either, because it can only be measured relative to others. In infosec hiring, an interviewer may only see someone else as passionate if they appear to exhibit passion in the same way as the interviewer and to a greater degree. Jim speaks at 12 security conferences a year, contributes to 5 open source projects, and works 16 hours a day. These are things he finds value in and how he would quantify his own passion. He is interviewing Terry, who only speaks at one or two conferences a year, contributes to one open source project, and works about 10 hours a day. Jim is likely to see Terry as someone who isn’t very passionate. However, this is a purely relative viewpoint. It also might not consider things that Terry does that Jim doesn’t value as a form of passion, such as mentoring less experienced practitioners or doing tech-related community service.
When you attempt to evaluate people via traits that are difficult to objectively measure (like passion), you present an opportunity for undesirable results. This is something often seen with faith in religion. A false prophet commits to lead followers to the promised land if only they demonstrate appropriate faith. That faith might be prayer, tithing 10% of your income, tithing 100% of your income, or violently killing people of opposing faith. I highlight the wide range here because it shows the extremes that can arise when your currency isn’t objectively measurable.
In information security, we use passion as an unquantifiable currency to measure the potential success of someone in our field. A common piece of advice given to someone who wants to work in information security is that it isn’t simply enough for infosec to be your job. If you want to be successful in infosec, it must be the thing that gets you up in the morning. There must be more to this.
Do You Really Mean Passion?
In the psychological literature, passion is classified as either harmonious or obsessive. Vallerand describes the distinction better than I can:
Harmonious passion originates from an autonomous internalization of the activity into one’s identity while obsessive passion emanates from a controlled internalization and comes to control the person. Through the experience of positive emotions during activity engagement that takes place on a regular and repeated basis, it is posited that harmonious passion contributes to sustained psychological well-being while preventing the experience of negative affect, psychological conflict, and ill-being. Obsessive passion is not expected to produce such positive effects and may even facilitate negative affect, conflict with other life activities, and psychological ill-being.
What do people mean when they talk about passion in infosec? Rarely is it ever defined through any other mechanism but example. If you ask most to describe someone who is passionate about information security they’ll say that these people spend copious amounts of time outside of work on infosec projects, contribute to open source, go to a lot of security conferences, are actively involved in the security community, or have a blog.
Assuming you’ve found someone who does all of those things, can you guarantee that means they are passionate about infosec? How would you be able to differentiate them from someone who is passionate about being successful, or making money, or being recognized for being an expert? Finally, how do you differentiate harmonious and obsessive passion? That is a very challenging proposition.
Passion is very difficult to attribute to a source. In fact, most people aren’t good at identifying the things they are passionate about themselves. The vast majority of security practitioners are not passionate about information security itself. Instead, they’re passionate about problem-solving, being an agent of justice, being seen as intelligent, actually being intelligent, solving mysteries, making a lot of money, or simply providing for their families.
In most cases, I don’t think the trait people are looking for is actually passion. Instead, they’re looking for curiosity. Curiosity has a motivational component and is often described simply as “the desire to know.” It is rooted in our ability to recognize a gap between our knowledge on a topic and the amount of available knowledge out there. When we recognize that gap, we make a subconscious gamble about the risk/reward of pursuing the knowledge and eventually decide to try and close the gap or not. This is called information gap theory, and through this theory we can gain a better understanding of trait and applied curiosity that can improve our ability to teach and hire people.
Diverging from Cult Mentality
Passion has its place. I know some people who truly are passionate about the practice of security, and they are among the top practitioners in our field. However, it is unwise to constantly compare yourself to these people. I offer the following:
For information security practitioners…
Hard work matters, but you can work hard and not allow this industry to pull you into the cult of passion. Choose where and how you spend your time so that your work enriches your personal life, and enjoy a personal life that enriches your work. If you fall victim to the thought that information security must be your life, you will eventually burn out. You will suffer, and if there is anybody left around you, they will suffer too.
Here are professions of people who work 8-10 hours a day and go home and don’t think about work: doctors, lawyers, engineers, scientists, researchers. Do the top 5% of practitioners in these fields think about work all the time? Probably. But you also probably aren’t one of those people. Not everyone is extraordinary and that’s okay. There is this myth that we all must be the best. As Ricky Bobby famously said, “If you ain’t first, you’re last!” But constantly trying to be the best breeds things like imposter syndrome, self-doubt, and depression. In an industry where so many have substance abuse problems and we’ve lost far too many friends, these are feelings we should actively avoid promoting.
For hiring managers…
It isn’t just limiting to only hire people who make infosec their life, it’s exclusionary. You’re missing out on people with diversity of interests that will enrich your security program. You’re also preventing people who have more important personal life issues from finding gainful employment.
To pursue the knowledge that exists in the curiosity information gap I discussed earlier, a person must be aware that the gap exists. Otherwise, they don’t know what they don’t know. This implies that a job candidate needs to know a little about a topic to be strongly motivated to pursue knowledge in it and to sustain that pursuit. The last part is important. Sure, the journey of a thousand miles begins with a single step, but that first step is also usually the easiest. It’s quite a few miles in where we normally lose people. This is one reason why the notion of trying to hire TRULY entry level people based on passion in infosec is a fool’s errand. Someone with no experience in this field does not have a proper footing to be passionate about it. If they are passionate about infosec, then that passion can’t be trusted to be sustained. You’re hiring based on a mirage.
A key to maintaining interest is a constant stream of novel information. For a novice, most things within a field can be novel, because the key to building passion is exploration. To transition to expertise, an individual must find novelty in the nuance of specific topics. Someone who enjoys nuance is best set up to be an expert. Most people will never truly be world-class experts in something, but again, that’s perfectly fine.
For job seekers…
Much to my dismay, most people will never read this article, truly understand passion, and cultivate an ability to notice genuine curiosity. That means you have to play the game that is hiring. People will keep asking about passion, but reframe the question on your own terms. Tell them you see passion as a term used to describe curiosity and motivation. Try to identify what really motivates you and how your curiosity pushes you toward goals. Relate to people at a personal, human level. A lot of candidates talk about how they eat/breathe/sleep infosec. You don’t have to do that. Instead, talk about how you think critically about important problems and optimize your time so that you don’t have to work 16-hour days to be successful. Hard work is important, but working smart is much more important, and is actually sustainable.
Along my pursuit to understand passion I’ve learned that it’s a highly contentious topic. People hate to have their passion questioned, and I’m sure this article will stoke that fire. I wonder why that is? I would wager that many quantify their own ability and maybe even their own self-worth in their subjective self-evaluation of their own passion. Once again, passion is a good thing and measuring yourself based on some degree of it is probably fine. It’s when we choose to measure others based on our subjective views of their passion that we get into trouble and create cult-like scenarios. We can do better.
My goal with this article was to share my understanding of passion, how it’s often misinterpreted, and how that can negatively affect our industry. One of the most liberating moments of my life was when I figured out that I wasn’t passionate about information security; it was just that infosec allowed me to achieve other things I was passionate about. If others can relate, then I hope they can feel the same liberation someday through a better understanding of passion. If you are truly passionate about infosec itself, then that’s great too, we need you!
I enjoyed this article. However, I think you’re leaving out one critical piece of the puzzle.
I think a lot of people use the term passion to summarize what could be paragraphs encompassing many of the other things you did mention like hard work and curiosity. This is similar to the discussion we are always having about certifications and how they relate to recruiting and hiring. We summarize some basic knowledge by saying I have three SANS certifications. Similarly, we summarize hard work and curiosity by saying I am passionate about the subject.
No one can make it through the HR drone process without having special keywords, especially as a less experienced candidate.
Now, I do completely agree with you in your desire to clarify the things we are talking about and make the hiring and work the process better for everyone. Passion is a non-measurable quality being applied to measure something else that is also non-measurable.
What would you recommend an entry-level candidate emphasizing on their resume instead of passion?
I definitely considered what you’re talking about, but I don’t think it’s a valid excuse to say that passion is used to describe curiosity and the other things I’ve talked about. I know this because I talked to a bunch of people while researching this article and asked them to describe how they define and measure passion. It was very scattered and being passionate was mostly described as something directly related to the amount of hours you put in and how much your job becomes your lifestyle. Passion and curiosity are completely different things and if you use a word without understanding what it really means, that’s dangerous too.
For entry level folks, as I mentioned I think they still have to play the game to get through HR. The truth is that it’s VERY difficult to show passion on a resume and stand out, particularly if you are entry level. I would rather see these people emphasize how they are learning and who they are learning from. If a resume shows me that someone has worked through all the labs in Practical Malware Analysis, or that they are a student of Edward Tufte, those are actionable things that mean something. What have you learned? How have you applied it? Those are things I want to see. That said, I interview almost EVERY entry level resume I get when hiring those positions. A resume isn’t a very useful tool for hiring entry level people, you need to talk to them. That’s one reason I wrote this aimed at hiring managers too.
I’m not an interviewer in this position, but when I get back there I am going to remember your advice. 🙂
In my resume reviewing, I haven’t really come across explicit outlines of passion, though maybe I haven’t seen enough yet. For entry-level candidates, I think that passion – in the way you define it – could be expressed through volunteer work, contributions to coding projects or personal writings on topics that candidate finds interesting. When I read those items on a resume, it gives me a sense of knowing the person is, to use what Chris outlined, curious and motivated. Beyond the resume, I often see that “passion” seep out during an interview in the form of excitement and willingness to share information.
First I would like to thank you for all the work you’ve done throughout the years for the community. Your book Practical Packet Analysis is a treasure.
I would respectfully disagree with your assessment about passion. While you may not be passionate about infosec, and have still been able to perform all the great things you’ve done in the field; it may just be an indication of your aptitude in this field. In my experience most people are not curious nor put the work in to become proficient in network security. There are a huge amount of people in the government sector that are just taking up space and care more about getting the next cert in order to make more money than improving their skillset.
I would definitely argue your point about lawyers and doctors doing only 8-10 hours a day, every lawyer and doctor I know does more like 16 or more. In addition, they are most definitely thinking about work when they go home, especially if the doctor just lost a patient or the lawyer lost a big case.
IMHO, it takes passion for a person who is not exceptionally gifted at logic like yourself to truly become proficient in security. You have to dedicate hours and hours of your personal time to learn how to install and configure systems in any OS. To learn how to interpret the data coming from the network and host, it’s almost an art especially the way you do it Chris.
I would say how many hours did it take to create your personal lab? How has it evolved since the first time you set it up? Do you really believe someone just curious about info sec or a particular problem would sacrifice their personal time to develop a lab and tweak it as the need arises?
I wish you continue success in all your endeavors.
I appreciate the kind words on my book!
I think you’ve misinterpreted the article and my assessment of passion. Passion is fine, and everyone needs to be passionate about something. However, it’s typically not infosec, it’s the things infosec allows them to do. Solve problems, earn a living, serve justice, be creative, etc. Those are the things that drive people. Infosec may be the canvas, but it’s not what compels you to pick up the brush. In my research, curiosity is a significantly better measure of potential success in infosec. I’ve collected a lot of data on this and feel very confident in that assessment.
One more thing here — I don’t want you thinking that this article was based only on self-reflection. Quite the opposite. I spoke with dozens of people, reviewed a LOT of empirical (quantitative and qualitative) research on the topic, and did some personal reflection. Even when referring to the medical portion of this, I did my research. My wife is a physician, and through her network I have access to many other physicians operating at various levels in their career. I spoke with a lot of them. I would encourage you to increase your sample size. I’d also add that I am not exceptionally gifted, for me to believe that would be an excuse and would likely prevent me from being successful. Furthermore, for others to look at my success and say it’s mostly because of a God-given gift only serves to limit them.
I think a lot of people in the industry hide behind requiring “passion” instead of digging deeper into the root issues. I’ve seen a few lump work ethic and being able to accomplish tasks/goals together as passion, which I think is a misapplication. I’ve seen more who use the term believe the cult-like consumption is necessary while overlooking that the person couldn’t complete simple tasks. When I have been at the table interviewing potential new hires, I do ask them about their driving forces/passions. However the question is geared towards trying to determine if they fit the job or the culture. (i.e. Candidate that was dying to break into a red team role interviewing for a position that had zero red team responsibilities.) Passion does have a role to play in any hiring decision, but I think you are right in calling the weight of it into question. As stated earlier, in my experience as a technical consultant, I heard it used in a variety of ways. My conclusion is that our industry is still trying to mature itself through all levels of the organization (still a lot of nontechnical managers and C levels running technical shops). While there will still be issues our industry has to work out as it becomes more mature, I think these vague intangibles will become more defined and assigned appropriate weight. First step is to have conversations like this.
I agree regarding people hiding behind the notion of passion. Very often, people will say that the thing that differentiates them is their passion. Well, passion for what? Since it’s not entirely measurable and we don’t know how to attribute it, it’s hard to put much value into this. Often times we say we want passionate people when we really just mean we want hard working people. Certainly, a passionate person probably works hard, but a hard worker isn’t necessarily passionate.
Great article and a much needed discussion!
Going back to some earlier comments, IMO it isn’t about curiosity or passion by itself. Einstein said “I have no special talent. I am only passionately curious.” He didn’t *just* say he is curious nor did he simply say he was *just* passionate. As Einstein describes it, gaining a thorough understanding of anything (expert-level) requires a combination of the two. I believe Chris explains this well in the article, but said another way, passion can be lost easily shortly after someone dives in head-first and they encounter difficulty, but curiosity will drive them to continue swimming upstream. Similarly, the inverse is true and necessary as well.
I love the comment about missing out on other talents… beyond *just* technical. Technical skills are important, but I feel too many in our industry are quick to dismiss soft skills. They are both necessary! Without any business acumen, an amazing idea will sit on a shelf. In that scenario, at some point you have to move from the lab to the market. Unfortunately, soft skills are highly subjective and difficult to quantify. Regardless, whether you live in start-up world or not, if you have a strong technical background it’s in your best interest to befriend someone who understands the business side of things.
As many of us have, I came into infosec from an IT background. Though similar in nature, I feel IT is more developed than infosec so this “process” has been fleshed out a bit more. That is, sometimes you need a janitor instead of a rock star. The reason I mention this is you have to understand what position you are hiring for. If you want someone who is “passionately curious” about infosec to parse logs day in and day out, you are either going to drive them into the ground or they are going to quickly move on. Use the rock stars where needed, but don’t expect everyone to be one. Quite honestly, there is a good chance you need something different anyway.
Thank you. I enjoyed this article and agree with your statements, especially about burning out; it’s happened to me several times.
I’m an opinionated guy so I’d like to throw my personal opinion in on this… Passion, to me, is shown by you striving to perform or accomplish something without being paid, it doesn’t mean that you can’t do something you are passionate about and get paid. For instance, in 1994 while working as a Software Developer, I built/bought computers and an ISDN line in order to learn and contribute to the Internet. In 1998 I ran a small ISP out of my home with a T1 line, and I hosted websites/email for small businesses. I had no intention of making money, I was doing it because I was passionate in the potential of connecting everyone through the Internet; and I wanted to learn more. When my ISP got hacked in 2000, I decided to learn more about CyberSecurity and try to prevent such events from happening to others. In 2001 I joined a startup called TippingPoint and we built an Intrusion Prevention System (IPS). Ever since I have been getting paid for a passion I have, to help protect people on networks from being hacked. I know that I’m passionate about these things because I continually pursue it and get satisfaction from successful ventures, and I don’t give up when I fail at something; I keep trying. I’m very fortunate to get paid to do something that I feel can have a positive impact on society.
I don’t ask people whether they are passionate about CyberSecurity in an interview. However, when someone says they are passionate about CyberSecurity, I ask them what they do to further their advancement in CyberSecurity outside of work. If they don’t do anything, or say they don’t have time, then that tells me that they are not truly passionate about CyberSecurity. That doesn’t mean they are not a good candidate.
In the end, since I’m striving to create and build products that I hope will have a positive impact on this Cyber world and in turn help people safely use technology and connect, I want to work with people that are driven in a similar way. I cannot completely surround myself with only 1 or the other(all passionate or all just doing it for salary), it will be a mix; but all of them must be accountable and have a good work ethic.
First of all, pardon my English as it is my non-native or second language.
Your article about “Passion” is insightful and it resonates with me very well. I really like your clarification of the difference between “Passion” and “Curiosity Due to Information Gap”. Prior to reading your article, I always blamed myself for not being passionate and lacking the perseverance to pursue knowledge or skill in a field which at first stimulated my curiosity and interest but was later abandoned by me.
I had experience of switching to different courses before I settled down with accounting course. Of course, at times I still feel like giving up and at times I persevere. Now, I have two more years to complete my accounting degree. By the way, this is not the main point.
Since I was in high school, I already had an interest in cybersecurity. Unfortunately, my country has yet to recognize the importance of cybersecurity and the trainings or courses provided are not as advanced as US ones. Anyway, I just want to say that it is the curiosity due to the information gap that has been motivating me to crave skills and knowledge from basic security countermeasures to advanced ones such as reverse engineering and network security monitoring. Current and prospective mainstream security issues are also one of the motivators. This is how my passion for cybersecurity has been developing and stabilizing over the years even though I have multiple and diverse interests in many things due to my impulsive personality.
Good insight. Asking for passion always felt vague somehow – asking for curiosity is so much better. Curiosity also points better to what exactly a person wants to achieve – will lead to a more sensible discussion.
Thanks! Learned something.
Come to think of it, people are not “passionate” about malware. They are curious how it works, and whether they’re good enough to find out the tricks of the spies who planted it.
A network guy isn’t passionate about 10GBit, he is curious about how to solve the issues related to so much traffic, without spending an arm and leg.
And we tactical folks are not passionate about IoT. We are curious about how it will be set on fire, how long it burns and who were all the idiots with the matches.