Dark Reading is part of the Informa Tech Division of Informa PLC

12:11 PM
Mike Rothman

A Backhanded Thanks

As we recover from the Thanksgiving weekend, let's give our brand of security thanks for all the good (and not so good) in our world

Around Thanksgiving time in the U.S., I usually take a minute or two between football overload (like that's possible) and binge eating to reflect on the year. It's hard to believe folks are putting holiday decorations up, and we're in full-fledged planning for 2013. Didn't 2012 just start? Uh, I guess not.

The only thing funnier than the onslaught of 2013 predictions that will overflow my inbox over the next few weeks is the folks giving thanks. We are security people. Our job is to look at a situation and figure out how many ways your organization will get pwned. We look for the worst and try to prepare for it. There are some unique individuals who are optimistic pessimists and can see light at the end of a brutal incident response. Or they use the reality of a public breach disclosure as a catalyst for change. The rest of us grumble through our day and wait for the other shoe to drop.

This month, let's give thanks to the other side of that equation. If there weren't bad in the world, we security folks wouldn't have anything to do. We wouldn't be able to appreciate the few times a user doesn't click on that link, or download that file, or install that malware. We may not win a lot, but we shouldn't gloss over the good that happens to us.

First, let's give thanks to the attackers and organized crime syndicates and nation-states footing the bill. Without those folks pushing the envelope on innovative attacks, we'd still be using firewalls and antivirus as the leading controls to stop advanced attacks. Wait, what? OK, never mind.

Though how much fun will it be when all of these folks being trained by nation-states to break into stuff make their way into the commercial markets? On both the good and bad sides. It'll be a lot of fun to clean up the mess when a cyber-ninja takes down a competitor inadvertently because, well, that's what they do. The idea that we'll ever get ahead of the attackers, well ... forget that.

Next, let's be thankful for PCI and compliance, in general. These mandates set the bar for security controls and pushed many organizations to do something to improve their security postures.

And for the most part, it has made a difference. The average organization did nothing about security five years ago. Now it does PCI, so that's a net positive. Let's also be thankful for the low bar that PCI represents. For those attackers just looking for low-hanging fruit (and there are a lot of them), anyone who thinks PCI is good enough is a soft target. Since that isn't you (right! right?), you should be thankful that there are organizations out there that make your security defenses look advanced.

Let's also smile on our good fortune that the compliance folks only think a prescribed control set needs to change every three years or so. Of course, nothing changes that quickly, so what's the risk of only mandating new controls every couple of years? Yeah, that's not going to work out very well for most of these organizations looking at the ROC as the end of the security journey.

We shouldn't forget the tech media that chases the latest obscure attack and creates a bunch of work for practitioners to ensure they aren't vulnerable to the latest TPM chip freeze attack, or other such nonsensical exploit. To be clear, there are times when making sure you've got a plan for a new attack vector is a good thing. But in an age of zero fact-checking, misplaced punditry, and news value success based on page views, if you are only getting your threat intelligence from the trade press, you're doing it wrong.

We also need to appreciate the increasing number of young people who choose security as a profession. They are studying in the mushrooming number of secondary education programs providing some training in information security. They take jobs to do the scut work that experienced folks don't want to do. These programs do a good job of teaching the fundamentals of attacking and protecting, but don't bother telling students that security is a thankless job ... which is good because if any of them knew what a security job was really about, they'd study Java or Rails, or something useful like cloud computing.

Speaking of being unappreciated, let's give a shout-out to our executives -- those folks who seem to have no problem remembering how to game the numbers to maximize their year-end bonuses, but can't seem to understand why they need to keep investing in information security. You know, those folks who believe that since a breach hasn't happened lately, they can reduce investment. Those are the folks who make the security job fun. And by fun, I mean like a root canal.

Of course, there aren't many other disciplines in today's economy with a negative unemployment rate. And few allow you to engage with smart adversaries and actually win sometimes. You don't find a lot of jobs where an organization suddenly gets religion and gives you carte blanche to fix the problem. Nor will you find a lot of roles with a higher visibility than security right now.

So during the holiday season, as you and your teams are putting together plans for 2013, asking for money you know you won't get, and battling attackers you have little chance of stopping, just remember that you could have made a less fortunate career choice. Personally, I'm thankful that I live in interesting times, and that as long as people continue to steal from each other, I'll be able to pay my bills. And so will you.

Mike Rothman is President of Security and author of The Pragmatic CSO. Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ...
