05:15 PM
Connect Directly

10 Ways Security Gurus Give Thanks

From board-level awareness to bug bounty programs and everything in between, the security world's maturation offers security practitioners something to be thankful for.

So much of IT security coverage can be pretty dismal and cynical. But amongst all the security incidents and records lost, there are silver-lining stories that give security practitioners, researchers, and consultants a reason to smile. In honor of the holiday this week, Dark Reading reached out to the security community to hear about all the big and little things they're thankful for in their professional lives.

Lots of breach coverage
Sure, breaches are hardly something to be thankful about, but the media attention that they've dredged up has been good for a lot of organizations that choose to pay attention.

"Media coverage brings the reality and severity to the front lines, and executive management and board members become very supportive of IT security and pending projects," says Samantha Boles, president and COO of consultancy Automated Security IS. "Budgets are suddenly pushed aside, and opinions of IT professionals become relevant at the highest level of all organizations."

Board-level attention
This kind of coverage is building forward momentum for security executives to finally gain a meaningful dialogue with boards of directors and CEOs.

"We are thankful that CEOs and boards of directors now understand and are aware of the importance of cyber security as a result of high profile breaches," says Craig D'Abreo, vice president of security operations for Masergy.

According to Jason Clark, chief security and strategy officer for Accuvant, 2014 saw a sea change in board-level attention for CISOs.

"Many CISOs are getting a pat on the back or thank you from the CEO saying, great job this year, keep it up," Clark says. "We didn't get hacked this year!"

Just remember, says D'Abreo, this can be a double-edged sword, "because there will be more people than ever asking for reports on security, breaches, and cost."

Well-documented security processes
That kind of scrutiny is something Dave Frymier, CISO at Unisys, doesn't sweat about. He says he's most thankful for the time his team took five years ago to develop what they call an Information Security Concept of Operations document.

"We update this document annually, and it describes -- in non-specific, generic terms, over 12 pages -- what we do for information security. Organization, apps, vendors, major processes -- the whole ball of wax," he says. "Whenever I hand or send a copy to somebody and see the look of amazement on their face that we have such a thing, I smile inwardly"

Bug bounty programs
Many technology experts say they're thankful for bug bounty programs. On the industry-wide level, these programs help "accelerate the process of security raising the cost to the bad guys," says TK Keanini, CTO at Lancope.

Meanwhile, Mark Richards, founder and CEO of Homeboy, a vendor that creates Internet-enabled security cameras, is personally thankful for bug bounties. He says the bug bounty program his company put in place using Bugcrowd's Flex bounty program was instrumental for peace of mind.

"It's a Catch-22 to expect implicit user trust in us and our product without making sure our cameras are, indeed, secure," Richards says. "The testing process was intensive, and justifiably so -- it gave us peace of mind to know we were putting our best foot forward. After all is said and done, we can't imagine going through the launch process without the aid of bug bounty."

Freely shared knowledge
So much of the security game depends on knowledge, says Rafal Los, director of Accuvant's Office of the CISO.

"So, what I'm thankful for this holiday season is the professionals who work tirelessly to develop, curate, and share knowledge and expertise for the greater community benefit -- not rock star status," he says.

In particular, Tom Cross, director of security research at Lancope, says that he's thankful for the knowledge that security researchers dig up and responsibly disclose.

"Often, their work is uncompensated, other than a credit at the bottom of an advisory, and sometimes they incur personal risks when they encounter vendors who react by threatening to sue them in order to keep vulnerability information under wraps," Cross says. "I think we owe them a great deal of thanks.”

Cryptowall-proof backups
As a security advisor for many clients, Rich Silva says he's very thankful for those clients who do install an image-based backup system. Not only is it a good practice, but it helps protect them from the growing category of crypto-viruses that has had so many businesses pay out big ransoms to recover data that was never backed up.

"I sit back when I hear and read about these stories and am thankful for having a means to recover my  clients' data quickly and without needing to pay the ransom," says Silva, founder and president of Pain Point IT Solutions. "It's always a matter of when and not if when it comes to IT security, and those clients of mine who elected to be ready will be thankful too."

The end of Windows XP
It's never good for security when old operating systems linger around, which is why Lysa Myers, security researcher at ESET, is very thankful for the end of support of Windows XP.

"Windows XP was much beloved, and a lot of people had a very hard time letting it go, despite its many security issues," she says. "Microsoft ended support for XP this April, prompting people to -- slowly but surely -- finally get off the antiquated operating system."

Myers points to XP's market share shrinking below 20% as a great sign that people are putting an end to that era.

Security's social circle
Security chatter on social media outlets has done a lot to foster knowledge-sharing and strong relationships across the industry, which is why Keanini says he's very thankful for social media channels.

"So many passionate people share their feelings unfiltered," he says. "This level of early warning on security issues has also functioned as a neighborhood watch type of benefit because sometimes the adversaries' attack does not like us sharing notes and watching out for one another." 

A wish for future thanks
As a security consultant, Kevin Lawrence, senior security associate at Bishop Fox, says that many of his clients are most thankful when they get a long leash to make decisions in the heat of the moment. Call it a get-out-of-jail-free card.

"Practitioners must know that so long as they have a logical and supported case they can do whatever it takes to protect the company without fear of getting in trouble," he says. "Examples could include the authority to isolate an entire business site, including production operations if that site is compromised. It’s better to isolate the site immediately than risk the attack spreading to the rest of the company."

An end to the workday
And, finally, Brad Reinboldt, senior product manager with Network Instruments JDSU says that for such a tireless (and sometimes thankless) job, many security folks are glad there's such a thing as a non-infinite day.

"IT security can be thankful there are only 24 hours in a day, otherwise, we'd be 28/7," he says.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Sara Peters
Sara Peters,
User Rank: Author
12/1/2014 | 10:12:32 AM
Re: employment
@andregironda   Good point. Unfortunately the people beneath the C-suite never seem to get the salary increases and bonuses that their work deserves. I think that's true of all companies and all roles, though, not just security.

That said, research shows that infosec staff on average make quite a bit more than other IT staff, and that the salary has been trending upwards.
Sara Peters
Sara Peters,
User Rank: Author
12/1/2014 | 10:04:35 AM
Re: Board-level attention
@Marilyn  True!  On the other hand, there's this:  ""Many CISOs are getting a pat on the back or thank you from the CEO saying, great job this year, keep it up," Clark says. "We didn't get hacked this year!""  Ten years ago I don't think anyone in information seecurity expected that to EVER happen. 
User Rank: Strategist
11/26/2014 | 10:41:59 AM
Re: employment
I'm not super thankful of this. It means long hours and less time to focus on family in the short term. In the long term, you think that infosec professional salaries would double every two years like those do of CISO salaries. Yet they are flat. I wonder why that is? Not a lot to be thankful for there!
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
11/26/2014 | 9:24:20 AM
Board-level attention
That is, until their network and data are the target of a major breach and the blame game begins.
Thomas Claburn
Thomas Claburn,
User Rank: Ninja
11/25/2014 | 5:32:43 PM
They should be thankful for perpetual demand. Computer systems will never be secure so they will always have a job, somewhere.
It Takes an Average of 3 to 6 Months to Fill a Cybersecurity Job
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/12/2019
Cybercriminals Think Small to Earn Big
Dark Reading Staff 3/12/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: LOL  Hope this one wins
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version that could allow a malicious user with local access to execute code with administrative privileges.
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.