The Quiet Craft of Keeping Things Working

June 6, 2026

By Carlos G. Sháněl, Center for Cybersecurity Studies, Casla Institute

A few days ago, a colleague I respect — a seasoned IT professional, sharp, experienced, the kind of person who seems to have an answer for every obscure systems problem — said something that caught me off guard.

We were talking about how IT professionals should charge for their time. Not in the abstract, but in the practical, occasionally uncomfortable way working people do. What counts as billable? What is someone paying for when the problem turns out not to be a problem at all? What if you drive out, investigate, spend an hour diagnosing the situation, and discover that nothing is broken? Or that the real issue lies outside your specialty?

He reached for an analogy.

What about a plumber? he said. If a plumber shows up, inspects the problem, and finds that nothing is actually wrong — or realizes the issue belongs to someone else — should he still expect to be paid for his time?

I pushed back immediately. I told him, more sharply than I meant to, that I did not like the comparison.

It was not because I look down on plumbers. Quite the opposite. I respect the trades, probably more than many people who claim to. Plumbing is skilled work, hard work, necessary work. What irritated me was something less flattering and more revealing: I had long liked to think of cybersecurity as belonging to a more rarefied world. More cerebral. More sophisticated. More glamorous, even. Pipes and drains felt ordinary. Cybersecurity, at least in my imagination, belonged to another category altogether.

Part of that reaction, I have realized, came from the investment I had made in becoming fluent in this field. Over the years, I had studied for industry certifications, earned a diploma in cybersecurity from Penn State University, and gone through specialized IT training through U.S. military and government programs. I had spent long hours learning how networks fail, how attackers move, how evidence hides, how influence works, how systems break quietly before they break loudly. None of that effort was imaginary. It took discipline, time, and a willingness to keep learning in a field that does not stay still.

So, when I heard the word plumber, some part of me heard reduction. It felt, in that instant, as though all that study was being flattened into a service call. The more I have thought about it, though, the more I have come to see that the comparison touched something deeper than irritation.

Cybersecurity has a way of flattering the imagination. It comes wrapped in language that sounds consequential. We speak of threat actors, attack surfaces, zero-days, advanced persistent threats, adversarial environments. There are nation-states, criminal syndicates, intelligence agencies, digital espionage, invisible battles being fought across cables and clouds. It is easy, inside that vocabulary, to imagine oneself participating in something not just technical, but somehow elevated.

Sometimes that elevation is real. There are moments in this field that are genuinely dramatic: a hospital hit by ransomware, a power grid probed by a foreign adversary, a company brought to a halt because someone clicked the wrong link at the wrong moment. The stakes can be enormous. The consequences can be public, expensive and, in certain cases, geopolitical.

But most of the work is not like that. Most of it is quieter. Less cinematic. More repetitive. More diagnostic. More grounded in discipline than in drama.

That may be why the plumber comparison bothered me so much. It stripped away the mythology.

Like a plumber, the cybersecurity professional works on systems most people never see and do not want to think about. They live behind walls, under floors, inside ceilings, under dashboards, in server closets, in admin portals, in obscure logs, in permissions no one remembers setting. The system is not admired for being elegant. It is expected to function. And when it functions, it disappears from view.

That invisibility is not a sign of lesser importance. It is the condition of modern life.

A city depends on water reaching the tap. A business depends on email working, files syncing, accounts authenticating, backups restoring, firewalls holding, alerts firing, patches applying, privileges staying where they should and nowhere else. Families, schools, banks, hospitals, airports, governments — all of them now rely on hidden technical systems with an almost physical intimacy. We move through them the way previous generations moved through plumbing and electricity: trusting them without seeing them, assuming their continuity until that continuity breaks.

And when it breaks, the break feels strangely personal.

One of the quiet truths of cybersecurity is that much of the profession consists not in grand acts of defense, but in patient acts of interpretation. You look at symptoms. You ask questions. You trace cause and effect. You distinguish signal from noise. You learn what normal looks like so that abnormality becomes legible. Sometimes the job is to fix something. Sometimes it is to prove that nothing is wrong. Sometimes it is to explain that the outage is not really an outage at all, but a disconnected cable. Sometimes the real problem sits three layers deeper than anyone first assumed.

We tend to think knowledge reveals itself in answers. Often it reveals itself in diagnosis: in knowing where to look first, in recognizing patterns before they become disasters, in understanding that two identical symptoms may have entirely different causes, in resisting the temptation to perform certainty when what the moment really requires is careful observation.

That, too, is craftsmanship.

A craft is not defined by glamour. It is defined by the practiced relationship between a person, a problem and a system. It requires apprenticeship, judgment, repetition, error, correction, and the slow accumulation of tacit knowledge that cannot be fully captured in a manual. The craftsperson develops not just skill, but feel: a sense for how things fail, a memory for weak points, an intuition for where pressure is building even when the surface still looks calm.

Cybersecurity, at its best, belongs in that tradition.

The problem is that modern societies do a poor job of honoring maintenance. We romanticize invention, disruption, visibility, and scale. We celebrate the founder, the strategist, the visionary, the public thinker, the person with the elegant abstraction or the bold new model. We are less interested in the people who keep systems from collapsing. Their success is difficult to narrate because it often looks like nothing happened.

No flood. No outage. No breach. No catastrophe. Just another day in which millions of hidden dependencies held.

There is something unfair about that. But there is also something clarifying in it. A profession built around prevention will always struggle for the kind of recognition that follows visible rescue. We admire the firefighter rushing into a burning building more readily than the inspector who enforced the code that prevented the fire in the first place. We admire the surgeon performing the emergency procedure more readily than the sanitation worker, the public health official, or the lab technician who prevented an outbreak from spreading. We admire visible intervention more than the invisible discipline that makes intervention unnecessary.

Perhaps that is because prevention offers so little theater. It denies us the satisfying image of the hero arriving just in time. It asks us to value competence without spectacle.

And yet most of civilization rests on exactly that kind of work.

The more I think about cybersecurity in those terms, the less interested I am in treating its sophistication as what gives it dignity. The technical depth is real. The training is real. The effort required to do the work well is real. But its value does not come from sounding more advanced than other professions. It comes from the fact that people depend on it, often without realizing how much they do. The dignity of the work lies there: in knowing how a system functions, how it fails, and how to keep it running for the people who rely on it.

That does not make cybersecurity less intellectually demanding. If anything, it makes the work seem more grounded. Less like performance, more like stewardship.

Stewardship is not a fashionable word. It lacks the sound of innovation. But it names something essential. To work in cybersecurity is, in large part, to care for systems that other people inhabit without understanding. It is to inherit complexity, manage risk, clean up after neglect, and try to leave things sounder than you found them. It is to live in a world of hidden joints and pressure points, where small oversights can become major failures and where the best work is often the work no one ever sees.

That is why the plumber comparison stayed with me.

I resisted it because I thought it lowered the profession. What I eventually realized is that it did the opposite. It returned the work to earth. It reminded me that craft is not diminished by being practical. It is proved by it. The person who can diagnose what others cannot see, who understands the system beneath the surface, and who prevents damage before it spreads is practicing something honorable whether the medium is copper pipe or network traffic.

Cybersecurity and plumbing operate in very different worlds. One deals in code, credentials, logs, and adversaries. The other deals in valves, pressure, corrosion, and flow. But both professions share something fundamental: they maintain systems people depend on every day and rarely think about until those systems stop working.

That is not an insult.

It may be the clearest description of the job there is.