10 Ways Security Gurus Give Thanks

From board-level awareness to bug bounty programs and everything in between, the security world's maturation offers security practitioners something to be thankful for.

So much of IT security coverage can be pretty dismal and cynical. But amongst all the security incidents and records lost, there are silver-lining stories that give security practitioners, researchers, and consultants a reason to smile. In honor of the holiday this week, Dark Reading reached out to the security community to hear about all the big and little things they're thankful for in their professional lives.

Lots of breach coverage
Sure, breaches are hardly something to be thankful about, but the media attention that they've dredged up has been good for a lot of organizations that choose to pay attention.

"Media coverage brings the reality and severity to the front lines, and executive management and board members become very supportive of IT security and pending projects," says Samantha Boles, president and COO of consultancy Automated Security IS. "Budgets are suddenly pushed aside, and opinions of IT professionals become relevant at the highest level of all organizations."

Board-level attention
This kind of coverage is building forward momentum for security executives to finally gain a meaningful dialogue with boards of directors and CEOs.

"We are thankful that CEOs and boards of directors now understand and are aware of the importance of cyber security as a result of high profile breaches," says Craig D'Abreo, vice president of security operations for Masergy.

According to Jason Clark, chief security and strategy officer for Accuvant, 2014 saw a sea change in board-level attention for CISOs.

"Many CISOs are getting a pat on the back or thank you from the CEO saying, great job this year, keep it up," Clark says. "We didn't get hacked this year!"

Just remember, says D'Abreo, this can be a double-edged sword, "because there will be more people than ever asking for reports on security, breaches, and cost."

Well-documented security processes
That kind of scrutiny is something Dave Frymier, CISO at Unisys, doesn't sweat about. He says he's most thankful for the time his team took five years ago to develop what they call an Information Security Concept of Operations document.

"We update this document annually, and it describes -- in non-specific, generic terms, over 12 pages -- what we do for information security. Organization, apps, vendors, major processes -- the whole ball of wax," he says. "Whenever I hand or send a copy to somebody and see the look of amazement on their face that we have such a thing, I smile inwardly."

Bug bounty programs
Many technology experts say they're thankful for bug bounty programs. On the industry-wide level, these programs help "accelerate the process of security raising the cost to the bad guys," says TK Keanini, CTO at Lancope.

Meanwhile, Mark Richards, founder and CEO of Homeboy, a vendor that creates Internet-enabled security cameras, is personally thankful for bug bounties. He says the bug bounty program his company put in place using Bugcrowd's Flex bounty program was instrumental for peace of mind.

"It's a Catch-22 to expect implicit user trust in us and our product without making sure our cameras are, indeed, secure," Richards says. "The testing process was intensive, and justifiably so -- it gave us peace of mind to know we were putting our best foot forward. After all is said and done, we can't imagine going through the launch process without the aid of bug bounty."

Freely shared knowledge
So much of the security game depends on knowledge, says Rafal Los, director of Accuvant's Office of the CISO.

"So, what I'm thankful for this holiday season is the professionals who work tirelessly to develop, curate, and share knowledge and expertise for the greater community benefit -- not rock star status," he says.

In particular, Tom Cross, director of security research at Lancope, says that he's thankful for the knowledge that security researchers dig up and responsibly disclose.

"Often, their work is uncompensated, other than a credit at the bottom of an advisory, and sometimes they incur personal risks when they encounter vendors who react by threatening to sue them in order to keep vulnerability information under wraps," Cross says. "I think we owe them a great deal of thanks."

Cryptowall-proof backups
As a security advisor for many clients, Rich Silva says he's very thankful for those clients who do install an image-based backup system. Not only is it a good practice, but it helps protect them from the growing category of crypto-viruses that has had so many businesses pay out big ransoms to recover data that was never backed up.

"I sit back when I hear and read about these stories and am thankful for having a means to recover my clients' data quickly and without needing to pay the ransom," says Silva, founder and president of Pain Point IT Solutions. "It's always a matter of when and not if when it comes to IT security, and those clients of mine who elected to be ready will be thankful too."

The end of Windows XP
It's never good for security when old operating systems linger around, which is why Lysa Myers, security researcher at ESET, is very thankful for the end of support of Windows XP.

"Windows XP was much beloved, and a lot of people had a very hard time letting it go, despite its many security issues," she says. "Microsoft ended support for XP this April, prompting people to -- slowly but surely -- finally get off the antiquated operating system."

Myers points to XP's market share shrinking below 20% as a great sign that people are putting an end to that era.

Security's social circle
Security chatter on social media outlets has done a lot to foster knowledge-sharing and strong relationships across the industry, which is why Keanini says he's very thankful for social media channels.

"So many passionate people share their feelings unfiltered," he says. "This level of early warning on security issues has also functioned as a neighborhood watch type of benefit because sometimes the adversaries' attack does not like us sharing notes and watching out for one another."

A wish for future thanks
As a security consultant, Kevin Lawrence, senior security associate at Bishop Fox, says that many of his clients are most thankful when they get a long leash to make decisions in the heat of the moment. Call it a get-out-of-jail-free card.

"Practitioners must know that so long as they have a logical and supported case they can do whatever it takes to protect the company without fear of getting in trouble," he says. "Examples could include the authority to isolate an entire business site, including production operations if that site is compromised. It’s better to isolate the site immediately than risk the attack spreading to the rest of the company."

An end to the workday
And, finally, Brad Reinboldt, senior product manager with Network Instruments JDSU, says that for such a tireless (and sometimes thankless) job, many security folks are glad there's such a thing as a non-infinite day.

"IT security can be thankful there are only 24 hours in a day, otherwise, we'd be 28/7," he says.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Sara Peters, User Rank: Author
12/1/2014 | 10:12:32 AM
Re: employment
@andregironda   Good point. Unfortunately the people beneath the C-suite never seem to get the salary increases and bonuses that their work deserves. I think that's true of all companies and all roles, though, not just security.

That said, research shows that infosec staff on average make quite a bit more than other IT staff, and that the salary has been trending upwards.
Sara Peters, User Rank: Author
12/1/2014 | 10:04:35 AM
Re: Board-level attention
@Marilyn  True!  On the other hand, there's this:  ""Many CISOs are getting a pat on the back or thank you from the CEO saying, great job this year, keep it up," Clark says. "We didn't get hacked this year!""  Ten years ago I don't think anyone in information security expected that to EVER happen.
User Rank: Strategist
11/26/2014 | 10:41:59 AM
Re: employment
I'm not super thankful of this. It means long hours and less time to focus on family in the short term. In the long term, you think that infosec professional salaries would double every two years like those do of CISO salaries. Yet they are flat. I wonder why that is? Not a lot to be thankful for there!
Marilyn Cohodas, User Rank: Strategist
11/26/2014 | 9:24:20 AM
Board-level attention
That is, until their network and data are the target of a major breach and the blame game begins.
Thomas Claburn, User Rank: Ninja
11/25/2014 | 5:32:43 PM
They should be thankful for perpetual demand. Computer systems will never be secure so they will always have a job, somewhere.