Comments
6 Drivers of Mental and Emotional Stress in Infosec

elitet3ch
User Rank: Strategist
7/18/2018 | 12:19:56 AM
The Personal Cost of CyberWarfare

Thanks for headlining your daily digest with the oh-so-unsexy topic of the personal struggles InfoSec & IT Pros face.

In an age where we are constantly expected to do more with less [to nothing], and the Damocles' Sword of failing our customers and shareholders continuously looms overhead – should we ever fail to protect invaluable business data from determined criminals – it's refreshing to see community members start discussions about truly important matters, especially ones many people don't like talking [or hearing] about.

I believe it's imperative we drag these hard truths into the light of public discourse. I don't know how many customers and managers thoughtfully consider the impact undue stress creates in the lives of their IT/InfoSec professionals – although we certainly hear their dissatisfaction ad nauseam.

Corporate political pressures and budgetary constraints aside, we are fighting a seemingly endless and unwinnable war on two fronts, expending the best part of our lives protecting someone else's data – both from well-financed, hardened criminal enterprises and well-meaning-yet-gullible, careless, security-averse employees. Battles are often waged at considerable personal expense, with the fallout normally contaminating personal relationships – one thing that can truly help us endure our incessant skirmishes.

To some extent (though probably not enough), our soldiers and emergency service workers receive public recognition for their honourable sacrifice – made for the betterment of society and complete strangers. We write stories praising their heroic efforts and reward them with handsome salaries, paid by members of the communities they serve.

What we do is not that different, except we serve and protect cold, lifeless data – or at least that's what it seems. Few people recognise the daily work [and cost] required to protect their exponentially-growing wealth of personal information. There is no praise or glory in success – it's expected. Only when the aforementioned parties (criminals and careless employees) succeed in damaging economy and society – using our data – are we noticed, and only then for 'our' failure. (Incidentally, 'excuses' like precipitating budget cuts never seem to make public discussion.)

We are at war, fighting the same enemies with the same goals, fighting for the same causes, and often with the same costs (loss-of-life aside, excluding suicide). It's time we start examining the outcomes – stress-induced mental health crises, rampant addiction to harmful substances and behaviours (many prescribed by our physicians), damaged and broken personal relationships, etc. – through the same lens as our fellow brothers-and-sisters-in-arms. To some extent (though again, not nearly enough), Veterans and First-Responders have programs dedicated to helping them address, understand, and work through these life-altering issues. For the most part, we have unsympathetic bosses telling us to 'leave our personal problems at home' – as if said problems weren't exacerbated by work-related stresses – and HR departments with pink slips.

We're long overdue for a shift in mindset – it's time we carefully study and candidly discuss the personal impact fighting the Information & CyberSecurity War has on our lives – and look for ways to support and help each other survive with sanity and families intact.

Matthew Arnold   ::   linkedin/in/MatthewPaulArnold

P.S. This is not intended to be a rant, nor am I trying to raise problems without solutions. I do know that some companies work hard to create environments that enable their technology professionals to thrive, despite the pressure. However, industry-wide, these are few and far between. I have spent almost 20 years working in IT-related positions, the last five at HR & Employment Services organisations, interacting with job seekers and hiring managers – many of my own experiences have been confirmed by others in similar situations. There are disturbing trends occurring in industries determined to stockpile as much personal information as possible, while simultaneously using the smallest possible budget to secure it. Long-term, there can be no winners in this environment.

REISEN1955
User Rank: Ninja
7/9/2018 | 2:00:13 PM
Re: Psych Eval Addition to the Hiring Process Or...
Quick note about faith in humanity. That was poorly written - what really bugs one about this subject on the cyber sec side is just how plain DUMB people can be. Walking somebody out with many years of experience over just stupid download of data is damning indeed. One has to really wonder if people are, AND THEY ARE, that freaking stupid. I don't care about home computers - whatever floats your boat. And I have seen a ton of it. But WORK?

No SOPA
User Rank: Ninja
7/9/2018 | 9:55:10 AM
Psych Eval Addition to the Hiring Process Or...
Here's the problem you're looking at, plain and simple. I mean this with the greatest respect for folks who are burning out, because I had my bout with it and ended up in the ER more than once for overwork stress. I've been using tech since I was a teen (born in the 70s) and you've either got the tech bug or you don't. No sleep, no food, no friends - often part of the gig. Too many friends, too much to drink, too much food - can also be part of the gig. It all depends on the job at hand and the goal. But the difference between the average InfoSec professional and the opposition is psychology. You will almost never, and I mean never, have the same way of thinking about your job that they do theirs; because to them it isn't a job, it's the air they breathe. Sorry, that's just how it is.

I've hammered on this in the past. You can't train someone to do InfoSec in a straight-laced Dockers environment who doesn't already have the same mental state as the adversary and expect them to do a stellar job. Or, maybe they do a great job for a while, but then begin to burn out because of what they see (REISEN1955 alludes to fallen faith in humanity when seeing co-workers' porn habits at work). You can't care about that and expect to do well in InfoSec. Honest opinion. In fact, the best InfoSec resource is going to understand the adversary, think like them to some extent, and be just fine with all the bad stuff they see. You can't be affected by it and expect to maintain your effectiveness as an InfoSec professional.

This goes further, of course. Pen-testing is a good example. It's one area I still see in InfoSec that can never, and I mean never, go fully automated. You need a bulldog, a killer, a sadistic and driven-by-the-domination kind of mind that will not stop until they find the last hole in your system. And this is not work that can be done in a 9-5x5 work week. No way. If you can't hack that, you really shouldn't be in the game. Er, industry.

So, yeah, tech can really come down hard on some people. It's a shame, for sure. But it's the gig. I didn't break all those keyboards doing week-long all-nighters by design. That's what you sign up for - you come in knowing what it takes and you do the work. And, honestly, it's kind of the point that human nature takes dark turns that you're in the InfoSec industry, so it should come as no surprise what your co-workers get up to. Maybe take it with a sense of humor, to lighten the load.

If you want solid InfoSec performers, you may want to add a psych-eval to your hiring process, to see where they come from and if they can take the load. Or you could hire some black hatters from the battlefields who are ready to turn. Most of them aren't going to be whining about the hours, about the sad state of humanity or complaining about their work environment. But I get it. It's like war - we don't want to believe we're animals on the battlefield and we want honor in the battle. But at some point you have to face the fact that to do your job well, to beat "them" at their own game, you have to put blood into the battle, and you have to want to be the one coming home, not them.

So the short of it is, this influx of stress-related topics may want to be looked at in more than one way. Who are the people getting stressed and are they right for the industry, and if they are, are their bosses right for the industry - who is defining their work strategy and load. And on the off-chance you have a real talent who is getting crushed, better look at the battle they're fighting because the adversary might be doing something new, something effective, that needs to be studied and white-papered.

But of the human factors noted in the topics being submitted for consideration, I have no tolerance for sexual harassment or gender inequality issues. If our community of digital revolutionaries can get anything right, it's got to be inclusion. We stood for the outsider back in the day, and we can't be seen as being "like the man" today. I'd staff my team with a dozen women and trans-gender hackers in a heartbeat, all colors, all anything, because playing the game has no restrictions.

REISEN1955
User Rank: Ninja
7/9/2018 | 7:11:57 AM
Hard job indeed
Cybersecurity is not the easiest job in the world for many reasons. Attacks on networks are constant and monitoring is a 24-5-365 to the second chore. And when an attack breaches - ransomware - all tasks are dropped and put into restore mode and this is often NOT EASY because restoration plans do not exist. With proper preparation, it is FAR easier but companies often do not have plans in place. IT has to make it up on the spot. Second, your faith in humanity takes a hit. Working with staff on internet usage takes one to some pretty bad places and emotional wounding. It is not fun to address porn issues with your colleagues who can be walked out the door. And at the end of the day, the cyber sec professional is worried about WHAT will happen tomorrow!!