Many individuals entering the security industry have a shared aspiration: to make impactful and positive decisions. They envision themselves catching the bad guys, safeguarding intellectual data, and making the internet a safer place. Yet, there’s another side to this coin—the individuals who exploit cybersecurity as a corporation’s greatest weakness.

Recently, I went into a Reddit black hole, seeking insight into why cybersecurity professionals are facing severe burnout, especially given today’s complex tech environments. One comment struck a chord:
“The problem with cybersecurity as a business is that it’s a virtue. The problem with cybersecurity as a virtue is that it’s business.”
In my role as a cybersecurity professional, part of my responsibility involves evaluating security software against specific criteria:
- Does it ensure 24/7/365 coverage for our infrastructure?
- Does it offer an API or other means to transmit logs to a SIEM?
- Will its installation as an agent cause performance issues on any hardware?
- Is it reasonably priced?
And the list goes on. Cybersecurity software companies often market the virtue of their products, blurring the line between business and security. However, testing within sandbox environments can only reveal so much. Many companies lack the financial resources to invest in sandbox infrastructure, leading to more frequent testing within production instances—a reality not readily acknowledged. Furthermore, some software, while aimed at enhancing security, might inadvertently stifle business growth. Balancing these considerations is complex. At times, it feels easier to loosen the reins, even if that isn’t the optimal solution. When cybersecurity is perceived purely as a virtue, it can harm businesses, sow frustration, and ultimately lead to burnout.
This brings me to a troubling consideration: when burnout evolves into something more. “Black Hat Hackers” exploit vulnerabilities for profit. Groups like Lazarus Group, Anonymous, and Conti come to mind. I’ve pondered whether hacktivism groups emerged from burned-out corporate professionals who initially believed in cybersecurity as a virtue, only to confront the harsh reality that it’s primarily a business. If their original goals remained unattainable, what did it all mean?
Security professionals wield tools similar to those used by hackers, holding immense power over the data they protect. It’s a precarious line—one that can be tempting to cross at times. Yet, it’s this boundary that distinguishes us as the guardians of good from those otherwise inclined. Organizations can interpret this information as they wish—whether a warning or a mundane memo. Nevertheless, this vulnerability persists and can be exploited. They’re only saying the quiet part out loud.

