
Vulnerabilities / Threats

1/16/2018 02:00 PM
Joshua Goldfarb

In Security & Life, Busy Is Not a Badge of Honor

All security teams are busy, but not all security teams are productive. The difference between the two is huge.

Busy, busy, busy. Everyone is busy. No time for anything. Being busy has become a badge of honor of sorts in modern society. I'm not one who shies away from going against conventional wisdom, so I'll come right out and say that I see this as something that is rather unfortunate. Further, I see the idolization of busyness as something detrimental to security as a profession. 

I often come across those I call busy people. People who feel the need to constantly tweet about how busy they are or how much work they have to get through. People who feel the need to tell you that they are buried in emails and can't keep their in-box clean. People who don't have time to respond to your emails and will tell you as much when you happen to run into them in person. People who tell you that they have one hour free over the next three months during which they can meet with you. People who can't spare five minutes for a phone call when you have a question for them. The list of such behaviors goes on and on.

For some reason, modern society encourages and even champions such behavior. But what do I see when I encounter this type of behavior? Failure. Sound provocative? While I am not an expert in human behavior, a few things seem to cause this obsession with busyness:

  • Insecurity: "I don't believe enough in myself and the importance of what I'm doing, so I feel a need to make sure everyone knows I am busy."
  • Disorganization: Often, busyness results from wasting a tremendous amount of time on looking for things, working in an interruption-driven manner, and/or trying to remember what needs to be done.
  • Inability to separate the wheat from the chaff: Every decision we make in life necessitates evaluating certain data points. Sometimes it seems like life is more about filtering out what is irrelevant than it is about paying attention to what is relevant. Those who can quickly isolate the important factors of a decision and filter out the noise are able to come to a decision and move forward much more quickly than those who cannot.
  • Inability to prioritize: No one has time to do everything that crosses his or her mind. That's why prioritization is key. People make time for what is important to them. If someone told you that if you sat on a park bench from 11:00 a.m. to noon tomorrow he would give you $10 million, I'm sure you would find the time to be there.

If you still have any doubt, it should be fairly clear from the points above that being busy is quite different from being productive. There are many productive people who still find time for what is most important to them in life, whatever that may be. So, what lesson can we take from this in security?

Unfortunately, I would describe the state of many security programs as "busy" but not "productive." The difference between those two words is enormous. Many security organizations are geared toward measuring, rewarding, and even priding themselves on busyness rather than productivity. The end result of this approach, sadly, is that it weakens their overall security posture. Let's take a look at a few examples of this:

  • Ticket obsession: Many organizations pride themselves on how many tickets they open and close in a given day, week, or month. It's a meaningless metric that many organizations use to show how hard they are working. But is this really something to take pride in? It is certainly true that people in these organizations are working hard, but are they working smart? The only way to know the answer to that question is to understand how the tickets that are being opened and closed contribute toward mitigating and reducing risk. If they directly contribute toward that end, this is a productive activity. If they don't, it's a busy one.
  • Alert fatigue: I've heard far too many people proudly and bombastically tout the number of alerts they "handle" on a daily, weekly, or monthly basis. But how many of those alerts were false positives? How many were relevant to threats the organization is concerned about? Did the volume of alerts create a noise level so high that the organization missed events that it should have paid attention to? If you're plowing through thousands of alerts on a daily basis, you are busy. Only when you improve the signal-to-noise ratio, enrich alerts with the necessary contextual information, and prioritize appropriately can you overcome alert fatigue and move from alerts making you busy to alerts making you productive.
  • Seeing the forest for the trees: Sometimes the fact that people are too busy to come up for air is precisely the reason that they need to come up for air. Time-consuming duties can serve as an indication that specific areas of a process need to be re-examined. Perhaps the hours spent on a given task don't add any value to the security program? Perhaps leveraging technology could greatly reduce the time spent on certain duties? Maybe automating certain manual processes could also save time? Not every activity that takes time is worth that time, which is a concept that is key to moving from busy to productive.
  • Root cause: Maybe the reason the security team is so caught up with playing whack-a-mole is because there are certain root causes that have not been identified and addressed appropriately. Productive organizations identify and address root cause, which saves them time later in the process. Busy organizations let root cause remain unaddressed and then sink a tremendous amount of time (and money) into dealing with the mess that results from that.
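As an added illustration of the busy-versus-productive distinction in the ticket and alert points above (example code written here, not part of the article), the script below takes one shift's worth of alerts and contrasts the raw count, the "busy" number, with what is left after suppressing a known-benign source, collapsing duplicates and weighting by asset criticality. The alert batch, the asset criticality table and the benign-source list are all constructed sample data.

```python
from collections import defaultdict

# Constructed sample alerts for one shift: (rule, host, source_ip, severity 1-5)
ALERTS = [
    ("port_scan", "web01", "10.0.0.5", 2),
    ("port_scan", "web01", "10.0.0.5", 2),
    ("port_scan", "dc01", "10.0.0.5", 2),
    ("brute_force", "dc01", "203.0.113.9", 4),
    ("brute_force", "dc01", "203.0.113.9", 4),
    ("malware_beacon", "lab-vm7", "198.51.100.7", 5),
    ("failed_login", "web01", "10.0.1.20", 1),
]

# Constructed enrichment: asset criticality (higher = more important) and a
# known-benign source, here an authorized internal vulnerability scanner.
ASSET_CRITICALITY = {"dc01": 3, "web01": 2, "lab-vm7": 1}
KNOWN_BENIGN_SOURCES = {"10.0.0.5"}


def busy_metric(alerts):
    """The 'busy' number: every alert counted, whatever its value."""
    return len(alerts)


def triage(alerts):
    """Suppress known-benign sources, collapse duplicates, rank by risk."""
    grouped = defaultdict(int)
    for rule, host, src, sev in alerts:
        if src in KNOWN_BENIGN_SOURCES:
            continue  # noise we already understand: no analyst time needed
        grouped[(rule, host, src, sev)] += 1
    ranked = []
    for (rule, host, src, sev), count in grouped.items():
        score = sev * ASSET_CRITICALITY.get(host, 1)  # severity x asset value
        ranked.append({"rule": rule, "host": host, "source": src,
                       "occurrences": count, "score": score})
    ranked.sort(key=lambda a: a["score"], reverse=True)
    return ranked


def productivity_report(alerts):
    """Compare the raw count with what actually needs analyst attention."""
    ranked = triage(alerts)
    noise = 1 - len(ranked) / len(alerts) if alerts else 0.0
    return {
        "raw_alerts": busy_metric(alerts),
        "actionable_alerts": len(ranked),
        "noise_ratio": round(noise, 2),
        "top_priority": ranked[0]["rule"] if ranked else None,
    }


if __name__ == "__main__":
    print(productivity_report(ALERTS))
```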

I've never come across a security organization that has idle time. All security teams are busy. But not all security teams are productive. The difference between the two is huge. Aim to be a productive security organization. Leave the busyness for those organizations that just don't get it.

Josh (Twitter: @ananalytical) is currently Director of Product Management at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, ...