What Has Cybersecurity Pros So Stressed -- And Why It's Everyone's Problem
User Rank: Strategist
10/30/2019 | 1:07:10 PM
It's Not the Bad Guys Who Are the Biggest Problem in Security
While all of the points in this article have validity - I can tell you what the biggest stressor is for many cyberpros. It's not coming from the "outside" - it's coming from the inside of corporations. Cyber people can deal with the criminals and even the hapless users who are human and make mistakes. They may be an annoyance - but we have the know how and can address those risks.

They're not the biggest problem.

The real stress is coming from C-level people who are more interested in speed than in (honestly) keeping their organization secure. It's the utter hypocrisy that allows lip-service to say "we take security seriously" publicly - but starves the security team of the basic resources they need to do their jobs. (Case in point: I am an appsec architect, but there is no money for code assessment/scanning tools. I'm supposed to do it all manually, I guess. And, of course, that is impossible.)

The problem, of course, is that the above attitude rolls through the organization. It's the "security" meetings you don't receive invitations for (even though you're the only rep for security in the entire company). It's the decision to use a vendor before security reviews are even requested - because the CEO "knows" somebody. It's the request to review a vendor or an application immediately - because "we're going live tomorrow". It's the formal processes that you finally get into place, that are ignored. It's the issues you raise on a Slack channel that mysteriously go "private" when you inject that security should really be involved in the issue...and then come back three days later "solved". It's lurking on Slack channels just to discover that four new vendors are being brought on board that you've never heard of...

I could go on and on.

In other words, let us do our jobs, give us more than lip-service as support, fund us - and we will deliver and perform and be very happy.

But, create an environment like the above - and expect us to start looking for a company that does value our skills, experience and expertise. Because that WILL reduce our "stress".

[email protected],
User Rank: Apprentice
10/24/2019 | 9:50:02 AM
Pretty much summarized the true nature of current tech industry
THANK YOU for publishing this article. You have pretty much summarized what's going on in the Information Security world. While there are some notable exceptions, this is our story in almost all businesses. Unfortunately, the management from "Business" who SHOULD be reading this article will likely not get to read this.

Another trend I have been noticing is that there are currently a lot of 'new' security-minded people suddenly being born. 'Product sales manager' suddenly becoming 'security sales expert,' 'Business liaison' to 'security liaison,' 'project manager' to 'security guru'... the list goes on and on. It would have been beneficial for the future of business and our industry if all these people with new security titles learned about their job before starting to talk about it in front of any C-suite team.

Well, I am already getting tired of seeing the show-off both online and offline; enough that I have erased most of my security-related skillsets from online profiles.