Vulnerabilities / Threats

1/16/2018
02:00 PM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

In Security & Life, Busy Is Not a Badge of Honor

All security teams are busy, but not all security teams are productive. The difference between the two is huge.

Busy, busy, busy. Everyone is busy. No time for anything. Being busy has become a badge of honor of sorts in modern society. I'm not one who shies away from going against conventional wisdom, so I'll come right out and say that I see this as something that is rather unfortunate. Further, I see the idolization of busyness as something detrimental to security as a profession. 

I often come across those I call busy people. People who feel the need to constantly tweet about how busy they are or how much work they have to get through. People who feel the need to tell you that they are buried in emails and can't keep their in-box clean. People who don't have time to respond to your emails and will tell you as much when you happen to run into them in person. People who tell you that they have one hour free over the next three months during which they can meet with you. People who can't spare five minutes for a phone call when you have a question for them. The list of such behaviors goes on and on.

For some reason, modern society encourages and even champions such behavior. But what do I see when I encounter this type of behavior? Failure. Sound provocative? While I am not an expert in human behavior, a few things seem to cause this obsession with busyness:

  • Insecurity: "I don't believe enough in myself and the importance of what I'm doing, so I feel a need to make sure everyone knows I am busy."
  • Disorganization: Often, busyness results from wasting a tremendous amount of time on looking for things, working in an interruption-driven manner, and/or trying to remember what needs to be done.
  • Inability to separate the wheat from the chaff: Every decision we make in life necessitates evaluating certain data points. Sometimes it seems like life is more about filtering out what is irrelevant than it is about paying attention to what is relevant. Those who can quickly isolate the important factors of a decision and filter out the noise are able to come to a decision and move forward much more quickly than those who cannot.
  • Inability to prioritize: No one has time to do everything that crosses his or her mind. That's why prioritization is key. People make time for what is important to them. If someone told you that if you sat on a park bench from 11:00 a.m. to noon tomorrow he would give you $10 million, I'm sure you would find the time to be there.

If you still have any doubt, it should be fairly clear from the points above that being busy is quite different from being productive. There are many productive people who still find time for what is most important to them in life, whatever that may be. So, what lesson can we take from this in security?

Unfortunately, I would describe the state of many security programs as "busy" but not "productive." The difference between those two words is enormous. Many security organizations are geared toward measuring, rewarding, and even priding themselves on busyness rather than productivity. The end result of this approach, sadly, is that it weakens their overall security posture. Let's take a look at a few examples of this:

  • Ticket obsession: Many organizations pride themselves on how many tickets they open and close in a given day, week, or month. It's a meaningless metric that many organizations use to show how hard they are working. But is this really something to take pride in? It is certainly true that people in these organizations are working hard, but are they working smart? The only way to know the answer to that question is to understand how the tickets that are being opened and closed contribute toward mitigating and reducing risk. If they directly contribute toward that end, this is a productive activity. If they don't, it's a busy one.
  • Alert fatigue: I've heard far too many people proudly and bombastically tout the number of alerts they "handle" on a daily, weekly, or monthly basis. But how many of those alerts were false positives? How many were relevant to threats the organization is concerned about? Did the volume of alerts create a noise level so high that the organization missed events that it should have paid attention to? If you're plowing through thousands of alerts on a daily basis, you are busy. Only when you improve the signal-to-noise ratio, enrich alerts with the necessary contextual information, and prioritize appropriately can you overcome alert fatigue and move from alerts making you busy to alerts making you productive.
  • Seeing the forest for the trees: Sometimes the fact that people are too busy to come up for air is precisely the reason that they need to come up for air. Time-consuming duties can serve as an indication that specific areas of a process need to be re-examined. Perhaps the hours spent on a given task don't add any value to the security program? Perhaps leveraging technology could greatly reduce the time spent on certain duties? Maybe automating certain manual processes could also save time? Not every activity that takes time is worth that time, which is a concept that is key to moving from busy to productive.
  • Root cause: Maybe the reason the security team is so caught up with playing whack-a-mole is because there are certain root causes that have not been identified and addressed appropriately. Productive organizations identify and address root cause, which saves them time later in the process. Busy organizations let root cause remain unaddressed and then sink a tremendous amount of time (and money) into dealing with the mess that results from that.

I've never come across a security organization that has idle time. All security teams are busy. But not all security teams are productive. The difference between the two is huge. Aim to be a productive security organization. Leave the busyness for those organizations that just don't get it.

Related Content:

Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.