11/25/2014 05:15 PM

10 Ways Security Gurus Give Thanks

From board-level awareness to bug bounty programs and everything in between, the security world's maturation offers security practitioners something to be thankful for.

So much of IT security coverage can be pretty dismal and cynical. But amongst all the security incidents and records lost, there are silver-lining stories that give security practitioners, researchers, and consultants a reason to smile. In honor of the holiday this week, Dark Reading reached out to the security community to hear about all the big and little things they're thankful for in their professional lives.

Lots of breach coverage
Sure, breaches are hardly something to be thankful about, but the media attention that they've dredged up has been good for a lot of organizations that choose to pay attention.

"Media coverage brings the reality and severity to the front lines, and executive management and board members become very supportive of IT security and pending projects," says Samantha Boles, president and COO of consultancy Automated Security IS. "Budgets are suddenly pushed aside, and opinions of IT professionals become relevant at the highest level of all organizations."

Board-level attention
This kind of coverage is building forward momentum for security executives to finally gain a meaningful dialogue with boards of directors and CEOs.

"We are thankful that CEOs and boards of directors now understand and are aware of the importance of cyber security as a result of high profile breaches," says Craig D'Abreo, vice president of security operations for Masergy.

According to Jason Clark, chief security and strategy officer for Accuvant, 2014 saw a sea change in board-level attention for CISOs.

"Many CISOs are getting a pat on the back or thank you from the CEO saying, great job this year, keep it up," Clark says. "We didn't get hacked this year!"

Just remember, says D'Abreo, this can be a double-edged sword, "because there will be more people than ever asking for reports on security, breaches, and cost."

Well-documented security processes
That kind of scrutiny is something Dave Frymier, CISO at Unisys, doesn't sweat about. He says he's most thankful for the time his team took five years ago to develop what they call an Information Security Concept of Operations document.

"We update this document annually, and it describes -- in non-specific, generic terms, over 12 pages -- what we do for information security. Organization, apps, vendors, major processes -- the whole ball of wax," he says. "Whenever I hand or send a copy to somebody and see the look of amazement on their face that we have such a thing, I smile inwardly."

Bug bounty programs
Many technology experts say they're thankful for bug bounty programs. On the industry-wide level, these programs help "accelerate the process of security raising the cost to the bad guys," says TK Keanini, CTO at Lancope.

Meanwhile, Mark Richards, founder and CEO of Homeboy, a vendor that creates Internet-enabled security cameras, is personally thankful for bug bounties. He says the bug bounty program his company put in place using Bugcrowd's Flex bounty program was instrumental for peace of mind.

"It's a Catch-22 to expect implicit user trust in us and our product without making sure our cameras are, indeed, secure," Richards says. "The testing process was intensive, and justifiably so -- it gave us peace of mind to know we were putting our best foot forward. After all is said and done, we can't imagine going through the launch process without the aid of bug bounty."

Freely shared knowledge
So much of the security game depends on knowledge, says Rafal Los, director of Accuvant's Office of the CISO.

"So, what I'm thankful for this holiday season is the professionals who work tirelessly to develop, curate, and share knowledge and expertise for the greater community benefit -- not rock star status," he says.

In particular, Tom Cross, director of security research at Lancope, says that he's thankful for the knowledge that security researchers dig up and responsibly disclose.

"Often, their work is uncompensated, other than a credit at the bottom of an advisory, and sometimes they incur personal risks when they encounter vendors who react by threatening to sue them in order to keep vulnerability information under wraps," Cross says. "I think we owe them a great deal of thanks."

Cryptowall-proof backups
As a security advisor for many clients, Rich Silva says he's very thankful for those clients who do install an image-based backup system. Not only is it a good practice, but it helps protect them from the growing category of crypto-viruses that have had so many businesses pay out big ransoms to recover data that was never backed up.

"I sit back when I hear and read about these stories and am thankful for having a means to recover my clients' data quickly and without needing to pay the ransom," says Silva, founder and president of Pain Point IT Solutions. "It's always a matter of when and not if when it comes to IT security, and those clients of mine who elected to be ready will be thankful too."

The end of Windows XP
It's never good for security when old operating systems linger around, which is why Lysa Myers, security researcher at ESET, is very thankful for the end of support of Windows XP.

"Windows XP was much beloved, and a lot of people had a very hard time letting it go, despite its many security issues," she says. "Microsoft ended support for XP this April, prompting people to -- slowly but surely -- finally get off the antiquated operating system."

Myers points to XP's market share shrinking below 20% as a great sign that people are putting an end to that era.

Security's social circle
Security chatter on social media outlets has done a lot to foster knowledge-sharing and strong relationships across the industry, which is why Keanini says he's very thankful for social media channels.

"So many passionate people share their feelings unfiltered," he says. "This level of early warning on security issues has also functioned as a neighborhood watch type of benefit because sometimes the adversaries' attack does not like us sharing notes and watching out for one another."

A wish for future thanks
As a security consultant, Kevin Lawrence, senior security associate at Bishop Fox, says that many of his clients are most thankful when they get a long leash to make decisions in the heat of the moment. Call it a get-out-of-jail-free card.

"Practitioners must know that so long as they have a logical and supported case they can do whatever it takes to protect the company without fear of getting in trouble," he says. "Examples could include the authority to isolate an entire business site, including production operations if that site is compromised. It’s better to isolate the site immediately than risk the attack spreading to the rest of the company."

An end to the workday
And, finally, Brad Reinboldt, senior product manager with Network Instruments JDSU, says that for such a tireless (and sometimes thankless) job, many security folks are glad there's such a thing as a non-infinite day.

"IT security can be thankful there are only 24 hours in a day, otherwise, we'd be 28/7," he says.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Sara Peters, User Rank: Author, 12/1/2014 | 10:12:32 AM
Re: employment
@andregironda Good point. Unfortunately the people beneath the C-suite never seem to get the salary increases and bonuses that their work deserves. I think that's true of all companies and all roles, though, not just security.

That said, research shows that infosec staff on average make quite a bit more than other IT staff, and that the salary has been trending upwards.
Sara Peters, User Rank: Author, 12/1/2014 | 10:04:35 AM
Re: Board-level attention
@Marilyn True! On the other hand, there's this: '"Many CISOs are getting a pat on the back or thank you from the CEO saying, great job this year, keep it up," Clark says. "We didn't get hacked this year!"' Ten years ago I don't think anyone in information security expected that to EVER happen.
andregironda, User Rank: Strategist, 11/26/2014 | 10:41:59 AM
Re: employment
I'm not super thankful of this. It means long hours and less time to focus on family in the short term. In the long term, you'd think that infosec professional salaries would double every two years like those of CISOs do. Yet they are flat. I wonder why that is? Not a lot to be thankful for there!
Marilyn Cohodas, User Rank: Strategist, 11/26/2014 | 9:24:20 AM
Board-level attention
That is, until their network and data are the target of a major breach and the blame game begins.
Thomas Claburn, User Rank: Ninja, 11/25/2014 | 5:32:43 PM
employment
They should be thankful for perpetual demand. Computer systems will never be secure so they will always have a job, somewhere.