“The tears of the world are a constant quantity. For each one who begins to weep somewhere else another stops. The same is true of the laugh.” – Waiting for Godot
In Samuel Beckett’s infamous absurdist play, Waiting for Godot, characters engage in pointless dialog and activity while waiting for an eponymous fellow who never arrives. I’ve always found it a tedious piece of literature, barely staying awake through the second act, which seems to exist solely for the purpose of torturing its audience. But isn’t despair the point of Theater of the Absurd?
Recently, I’ve come to realize that this play represents a perfect analogy for the daily grind of information security work. Lots of preparation for that big breach that may or may not arrive during your tenure. It often feels like the height of absurdity, going through the motions just like the two main characters, Vladimir and Estragon. Often, being in information security feels like a slow simmer of stress, sapping your energy and engagement, overwhelming you with the minutiae of operational tasks: malware remediation, vulnerability management, compliance initiatives. It’s an endless exercise of cycling through superstitious behaviors that may or may not result in the reduction of risk, like throwing salt over your shoulder to keep the Devil away.
Theatrical critics have spent decades bickering over the play’s meaning, which only pales in comparison to how much information security professionals argue about how to accomplish their goals. In the end, it doesn’t really seem to matter. Organizations continue to disagree about the implementation of security controls to reduce risk; they’re breached and blame the current leadership. A fresh team is brought in and the cycle begins again, like some reincarnation of Sisyphus rolling a stone up the hill only to be crushed by the weight of inevitable failure.