11/25/2014
05:15 PM
10 Ways Security Gurus Give Thanks

From board-level awareness to bug bounty programs and everything in between, the security world's maturation offers security practitioners something to be thankful for.

So much of IT security coverage can be pretty dismal and cynical. But amongst all the security incidents and records lost, there are silver-lining stories that give security practitioners, researchers, and consultants a reason to smile. In honor of the holiday this week, Dark Reading reached out to the security community to hear about all the big and little things they're thankful for in their professional lives.

Lots of breach coverage
Sure, breaches are hardly something to be thankful for, but the media attention they have drawn has been good for the many organizations that choose to pay attention.

"Media coverage brings the reality and severity to the front lines, and executive management and board members become very supportive of IT security and pending projects," says Samantha Boles, president and COO of consultancy Automated Security IS. "Budgets are suddenly pushed aside, and opinions of IT professionals become relevant at the highest level of all organizations."

Board-level attention
This kind of coverage is building forward momentum for security executives to finally gain a meaningful dialogue with boards of directors and CEOs.

"We are thankful that CEOs and boards of directors now understand and are aware of the importance of cyber security as a result of high profile breaches," says Craig D'Abreo, vice president of security operations for Masergy.

According to Jason Clark, chief security and strategy officer for Accuvant, 2014 saw a sea change in board-level attention for CISOs.

"Many CISOs are getting a pat on the back or thank you from the CEO saying, great job this year, keep it up," Clark says. "We didn't get hacked this year!"

Just remember, says D'Abreo, this can be a double-edged sword, "because there will be more people than ever asking for reports on security, breaches, and cost."

Well-documented security processes
That kind of scrutiny is something Dave Frymier, CISO at Unisys, doesn't sweat about. He says he's most thankful for the time his team took five years ago to develop what they call an Information Security Concept of Operations document.

"We update this document annually, and it describes -- in non-specific, generic terms, over 12 pages -- what we do for information security. Organization, apps, vendors, major processes -- the whole ball of wax," he says. "Whenever I hand or send a copy to somebody and see the look of amazement on their face that we have such a thing, I smile inwardly."

Bug bounty programs
Many technology experts say they're thankful for bug bounty programs. On the industry-wide level, these programs help "accelerate the process of security raising the cost to the bad guys," says TK Keanini, CTO at Lancope.

Meanwhile, Mark Richards, founder and CEO of Homeboy, a vendor that creates Internet-enabled security cameras, is personally thankful for bug bounties. He says the bug bounty program his company put in place using Bugcrowd's Flex bounty program was instrumental for peace of mind.

"It's a Catch-22 to expect implicit user trust in us and our product without making sure our cameras are, indeed, secure," Richards says. "The testing process was intensive, and justifiably so -- it gave us peace of mind to know we were putting our best foot forward. After all is said and done, we can't imagine going through the launch process without the aid of bug bounty."

Freely shared knowledge
So much of the security game depends on knowledge, says Rafal Los, director of Accuvant's Office of the CISO.

"So, what I'm thankful for this holiday season is the professionals who work tirelessly to develop, curate, and share knowledge and expertise for the greater community benefit -- not rock star status," he says.

In particular, Tom Cross, director of security research at Lancope, says that he's thankful for the knowledge that security researchers dig up and responsibly disclose.

"Often, their work is uncompensated, other than a credit at the bottom of an advisory, and sometimes they incur personal risks when they encounter vendors who react by threatening to sue them in order to keep vulnerability information under wraps," Cross says. "I think we owe them a great deal of thanks."

Cryptowall-proof backups
As a security advisor for many clients, Rich Silva says he's very thankful for those clients who do install an image-based backup system. Not only is it a good practice, but it helps protect them from the growing category of crypto-viruses that has had so many businesses pay out big ransoms to recover data that was never backed up.

"I sit back when I hear and read about these stories and am thankful for having a means to recover my clients' data quickly and without needing to pay the ransom," says Silva, founder and president of Pain Point IT Solutions. "It's always a matter of when and not if when it comes to IT security, and those clients of mine who elected to be ready will be thankful too."

The end of Windows XP
It's never good for security when old operating systems linger around, which is why Lysa Myers, security researcher at ESET, is very thankful for the end of support of Windows XP.

"Windows XP was much beloved, and a lot of people had a very hard time letting it go, despite its many security issues," she says. "Microsoft ended support for XP this April, prompting people to -- slowly but surely -- finally get off the antiquated operating system."

Myers points to XP's market share shrinking below 20% as a great sign that people are putting an end to that era.

Security's social circle
Security chatter on social media outlets has done a lot to foster knowledge-sharing and strong relationships across the industry, which is why Keanini says he's very thankful for social media channels.

"So many passionate people share their feelings unfiltered," he says. "This level of early warning on security issues has also functioned as a neighborhood watch type of benefit because sometimes the adversaries' attack does not like us sharing notes and watching out for one another." 

A wish for future thanks
As a security consultant, Kevin Lawrence, senior security associate at Bishop Fox, says that many of his clients are most thankful when they get a long leash to make decisions in the heat of the moment. Call it a get-out-of-jail-free card.

"Practitioners must know that so long as they have a logical and supported case they can do whatever it takes to protect the company without fear of getting in trouble," he says. "Examples could include the authority to isolate an entire business site, including production operations if that site is compromised. It's better to isolate the site immediately than risk the attack spreading to the rest of the company."

An end to the workday
And, finally, Brad Reinboldt, senior product manager with Network Instruments JDSU, says that for such a tireless (and sometimes thankless) job, many security folks are glad there's such a thing as a non-infinite day.

"IT security can be thankful there are only 24 hours in a day, otherwise, we'd be 28/7," he says.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Sara Peters,
User Rank: Author
12/1/2014 | 10:12:32 AM
Re: employment
@andregironda   Good point. Unfortunately the people beneath the C-suite never seem to get the salary increases and bonuses that their work deserves. I think that's true of all companies and all roles, though, not just security.

That said, research shows that infosec staff on average make quite a bit more than other IT staff, and that the salary has been trending upwards.
Sara Peters,
User Rank: Author
12/1/2014 | 10:04:35 AM
Re: Board-level attention
@Marilyn  True!  On the other hand, there's this:  ""Many CISOs are getting a pat on the back or thank you from the CEO saying, great job this year, keep it up," Clark says. "We didn't get hacked this year!""  Ten years ago I don't think anyone in information security expected that to EVER happen.
andregironda,
User Rank: Strategist
11/26/2014 | 10:41:59 AM
Re: employment
I'm not super thankful for this. It means long hours and less time to focus on family in the short term. In the long term, you'd think that infosec professional salaries would double every two years like those of CISO salaries do. Yet they are flat. I wonder why that is? Not a lot to be thankful for there!
Marilyn Cohodas,
User Rank: Strategist
11/26/2014 | 9:24:20 AM
Board-level attention
That is, until their network and data are the target of a major breach and the blame game begins.
Thomas Claburn,
User Rank: Ninja
11/25/2014 | 5:32:43 PM
employment
They should be thankful for perpetual demand. Computer systems will never be secure so they will always have a job, somewhere.