Apr 03 2011

QSA Burnout

Published by at 8:07 am under PCI,Risk

I know it’s something I talk about at least once a year, feeling burnt out in my career path.  Like many people, I feel stressed by the huge amount of information that comes our way as security professionals, especially when I start reading about security breaches that potentially affect clients of mine.  It’s hard to feel like you’re winning the battle when you hear about a supposedly secure company that was compromised and had all their data exfiltrated.  It’s even worse when that data is probably going to be a lot of credit card information and there’s a ton of questions about the company’s last PCI assessment.

So there’s a little stress associated with being an assessor.  No matter how well you get along with the client, they know as well as you do that your job is to review their security configurations and setup, make a judgment call, and tell them whether they pass the assessment or not.  They didn’t want to deal with PCI in the first place, they don’t agree with many of the requirements, you’re the authority figure in charge of enforcing the requirements, and almost invariably you can’t meet the timelines the client wants, usually due to circumstances beyond your control.  And who can blame them, since PCI is forcing so many merchants to spend time and money on security measures they didn’t want or didn’t feel they needed in the first place.  No one wants a third party telling them they have to put in AV or face a higher interchange rate on each and every transaction.

It’s not an easy job, and while I am whining about it a little, what’s really surprised me lately is the number of QSAs I know who’ve left the field in the last few months.  It’s not like people are telling me “I hate our company, I’m leaving for a better company”.  What I’m hearing is, “I hate PCI, I’m going back to some other aspect of security”.  For some it’s been the cyclic nature of PCI: going back to the same companies year after year and seeing the exact same issues show up each and every time.  For others it’s been the lack of any significant changes in the PCI requirements since they came out, with at least three more years before there’s much chance for change.  And in a few cases, it’s been the need to restrain themselves from commentary or criticism of PCI since it’s their main source of income.  Not a single one of the people I’ve talked to has said, “Oh, I’m sorry I left PCI, I want back in.”  And I don’t expect to hear that from anyone any time soon.

I don’t know if there’s a solution, other than training the next set of QSAs.  Companies are improving their security, some more than others, and it shows.  Unluckily, the bad guys appear to be able to bypass those security measures more adeptly than we are at putting them in place.  More security professionals are subscribing to the idea of “compliance through security, not security through compliance”, but it’s a slow process and too late to keep QSA burnout at bay.  Getting involved with the special interest groups (SIGs) that work on many of the aspects of networking and security for PCI is a way to effect change, but it’s a slow process as well, and one fraught with its own perils and stresses.  You might be able to effect change eventually, but given the glacial pace at which the SIGs have been releasing guidance, the chances are slim you’ll feel like you’re actually being effective at any point in the process.  And criticizing PCI, the PCI Council or any other aspect of the whole compliance effort is something that is always going to require careful thought and judgment no matter what role you take in the industry, something that’s not going to change.  Ever.  If you have a voice in the community, it can and will affect your job if you say the wrong things or say the right things in the wrong way.  Being right is no defense if you offend the wrong person in the compliance industry.  Not that I would know anything about that.

I suspect that we’re going to see a spike in the burnout rate over the next year or so.  A lot of the people who have been involved exclusively in PCI since the early waves of compliance are reaching their pain threshold and looking for ways to get out.  Which is hard, since the skill set of a QSA (I know, oxymoron) is in high demand and pays well.  Even that hasn’t been enough to keep some people, since you eventually reach a point where the money isn’t worth it anymore.  People are going to continue to quit this segment of the industry, leaving holes that will have to be filled by less experienced, though not necessarily less knowledgeable, assessors.  Which will in turn add to the stress most assessors are feeling.

I don’t personally have any plans in place to leave the PCI arena any time soon.  It’s hard, but fighting the stress and the anxiety of being an assessor is something that can be dealt with for now, if not forever.  People I thought would never abandon PCI have left the field for other opportunities, so I know that I will also leave eventually.  And maybe this is just part of a natural career progression: learning a new skill, mastering it, then burning out and moving on.  But as opposed to leaving your company to go work in a different role elsewhere, most QSAs leave one company to do the exact same thing at another company, until they burn out and leave entirely.  And I’m pretty sure that’s not a healthy career progression.


One Response to “QSA Burnout”

  1. lyalcon 03 Apr 2011 at 1:16 pm

    Being a QSA is a little like being a CSO for 100 organisations, rather than 1 – and they all have virtually the same security issues, = highly similar PCI non-compliance issues.
    Storage protection (encryption, physical controls etc)
    Testing – vulnerability, penetration testing
    User management
    Hardening servers
    Network diagrams that are up to date.
    Scope creep – stuff out of scope this year is now in-scope because of some other initiative affecting PCI compliance.
    So I agree, it’s hard, and feels pointless sometimes.
    But it helps to have fresh eyeballs looking at a client and a) saying the same things you have said for the past 4 years; and b) having a different viewpoint of solution options.
    PCI is a journey, not a destination – both for the client and us QSAs.
