So much of IT security coverage can be pretty dismal and cynical. But amongst all the security incidents and records lost, there are silver-lining stories that give security practitioners, researchers, and consultants a reason to smile. In honor of the holiday this week, Dark Reading reached out to the security community to hear about all the big and little things they're thankful for in their professional lives.
Lots of breach coverage
Sure, breaches are hardly something to be thankful about, but the media attention that they've dredged up has been good for a lot of organizations that choose to pay attention.
"Media coverage brings the reality and severity to the front lines, and executive management and board members become very supportive of IT security and pending projects," says Samantha Boles, president and COO of consultancy Automated Security IS. "Budgets are suddenly pushed aside, and opinions of IT professionals become relevant at the highest level of all organizations."
This kind of coverage is building forward momentum for security executives to finally gain a meaningful dialogue with boards of directors and CEOs.
"We are thankful that CEOs and boards of directors now understand and are aware of the importance of cyber security as a result of high profile breaches," says Craig D'Abreo, vice president of security operations for Masergy.
According to Jason Clark, chief security and strategy officer for Accuvant, 2014 saw a sea change in board-level attention for CISOs.
"Many CISOs are getting a pat on the back or thank you from the CEO saying, great job this year, keep it up," Clark says. "We didn't get hacked this year!"
Just remember, says D'Abreo, this can be a double-edged sword, "because there will be more people than ever asking for reports on security, breaches, and cost."
Well-documented security processes
That kind of scrutiny is something Dave Frymier, CISO at Unisys, doesn't sweat about. He says he's most thankful for the time his team took five years ago to develop what they call an Information Security Concept of Operations document.
"We update this document annually, and it describes -- in non-specific, generic terms, over 12 pages -- what we do for information security. Organization, apps, vendors, major processes -- the whole ball of wax," he says. "Whenever I hand or send a copy to somebody and see the look of amazement on their face that we have such a thing, I smile inwardly."
Bug bounty programs
Many technology experts say they're thankful for bug bounty programs. On the industry-wide level, these programs help "accelerate the process of security raising the cost to the bad guys," says TK Keanini, CTO at Lancope.
Meanwhile, Mark Richards, founder and CEO of Homeboy, a vendor that creates Internet-enabled security cameras, is personally thankful for bug bounties. He says the bug bounty program his company put in place using Bugcrowd's Flex bounty program was instrumental for peace of mind.
"It's a Catch-22 to expect implicit user trust in us and our product without making sure our cameras are, indeed, secure," Richards says. "The testing process was intensive, and justifiably so -- it gave us peace of mind to know we were putting our best foot forward. After all is said and done, we can't imagine going through the launch process without the aid of bug bounty."
Freely shared knowledge
So much of the security game depends on knowledge, says Rafal Los, director of Accuvant's Office of the CISO.
"So, what I'm thankful for this holiday season is the professionals who work tirelessly to develop, curate, and share knowledge and expertise for the greater community benefit -- not rock star status," he says.
In particular, Tom Cross, director of security research at Lancope, says that he's thankful for the knowledge that security researchers dig up and responsibly disclose.
"Often, their work is uncompensated, other than a credit at the bottom of an advisory, and sometimes they incur personal risks when they encounter vendors who react by threatening to sue them in order to keep vulnerability information under wraps," Cross says. "I think we owe them a great deal of thanks."
As a security advisor for many clients, Rich Silva says he's very thankful for those clients who do install an image-based backup system. Not only is it a good practice, but it helps protect them from the growing category of crypto-viruses that has had so many businesses pay out big ransoms to recover data that was never backed up.
"I sit back when I hear and read about these stories and am thankful for having a means to recover my clients' data quickly and without needing to pay the ransom," says Silva, founder and president of Pain Point IT Solutions. "It's always a matter of when and not if when it comes to IT security, and those clients of mine who elected to be ready will be thankful too."
The end of Windows XP
It's never good for security when old operating systems linger around, which is why Lysa Myers, security researcher at ESET, is very thankful for the end of support of Windows XP.
"Windows XP was much beloved, and a lot of people had a very hard time letting it go, despite its many security issues," she says. "Microsoft ended support for XP this April, prompting people to -- slowly but surely -- finally get off the antiquated operating system."
Myers points to XP's market share shrinking below 20% as a great sign that people are putting an end to that era.
Security's social circle
Security chatter on social media outlets has done a lot to foster knowledge-sharing and strong relationships across the industry, which is why Keanini says he's very thankful for social media channels.
"So many passionate people share their feelings unfiltered," he says. "This level of early warning on security issues has also functioned as a neighborhood watch type of benefit because sometimes the adversaries' attack does not like us sharing notes and watching out for one another."
A wish for future thanks
As a security consultant, Kevin Lawrence, senior security associate at Bishop Fox, says that many of his clients are most thankful when they get a long leash to make decisions in the heat of the moment. Call it a get-out-of-jail-free card.
"Practitioners must know that so long as they have a logical and supported case they can do whatever it takes to protect the company without fear of getting in trouble," he says. "Examples could include the authority to isolate an entire business site, including production operations, if that site is compromised. It's better to isolate the site immediately than risk the attack spreading to the rest of the company."
An end to the workday
And, finally, Brad Reinboldt, senior product manager with Network Instruments JDSU, says that for such a tireless (and sometimes thankless) job, many security folks are glad there's such a thing as a non-infinite day.
"IT security can be thankful there are only 24 hours in a day, otherwise, we'd be 28/7," he says.