#SecTorCa: The Paramedic’s Guide to Surviving Cybersecurity

As a trained paramedic, Rich Mogull has helped to save lives. Mogull is also a cybersecurity professional and he sees a number of parallels between his two professions.

Mogull is the CEO of security analyst firm Securosis and provided his insights in a session at the virtual SecTor security conference. Mogull noted that he’s led parallel lives, one in emergency services and the other in cybersecurity, and that the lessons he has learned from one profession have helped in the other. In particular, he noted that there are many similarities between the two professions in terms of burnout and mental health challenges.

“I think the reason these two fields are so similar is that they share one really core aspect – the job is never done,” Mogull said. “We are pushing the rock uphill; we’re always treating the next patient, solving the next incident or securing the next technology.”

Both Professions Start with Enthusiasm

The initial phase in both emergency services and cybersecurity is a period where individuals are enthusiastic about the job. People are eager and excited to learn new skills, typically have a flexible mindset and are task-focused.

The big challenge during the initial enthusiasm phase is that individuals often learn skills without context. There are new tools that both professions get to use and new entrants into the profession are eager to use those tools.

“When I got out of paramedic school I couldn’t wait to start IVs (intravenous drip feeds) and when you come out of security training you can’t wait to use those latest tools and run a penetration test against your organization,” he said.

The other challenge during the enthusiasm phase is that people tend to pick the wrong role models to emulate and that can lead to bad outcomes in the future.

“People who are burnt out and cynical, they have a particular magnetism to them,” Mogull explained. “They come across as the old crusty seen it all, done it all, they are the Han Solo characters that we try to emulate.”

When Burnout Sets In

Mogull said that it typically takes three to five years to mature as a paramedic and then burnout will often set in during the five-to-seven-year period. The burnout happens for a number of reasons in both professions, including the fact that the same types of incidents keep recurring time after time.

“You’re just caught in this endless cycle, seeing the same things over and over and responding the same way,” he added.

Avoiding the risk of burnout requires a combination of mindset and process, Mogull continued. There is a need to eat healthy, exercise and sleep. There is also a need for peer support, so colleagues help each other out. Having the right peers is critical for that process to work.

“If you hang out with the cynical and burned out crowd, you’re going to be cynical and burnt out,” he said.

Towards a Just Culture

There is also a need to compartmentalize the different aspects of life to enable some form of work-life balance. Having the ability to do context shifting to keep work at work is how Mogull said he’s able to have some balance.

Beyond just having a life outside of work, it’s important to have a positive environment, which Mogull referred to as a Just Culture. He explained that Just Culture is the opposite of blame culture and that it’s important for both emergency services and cybersecurity. The basic idea behind Just Culture is to figure out how to improve the system, and not necessarily to always be looking for someone to blame for a given issue.

“If you use the term shadow IT, you don’t have a Just Culture, you’re blaming users for using technologies they think they need to get their job done,” Mogull argued. “In some cases it could be recklessness, but in other cases maybe we’re just not giving them the right tools or understanding their needs.”
