Last week, we asked a number of experts in the field of security the following question:
“If you had one wish for the infosec community this holiday season, what would it be and why?”
Our post largely reflected the answers of infosec professionals looking out into the world. As such, many of those responses explored the types of relationships security personnel should maintain with organizations and with end-users.
We now follow up with our second post in this two-part series, where infosec folks look within and share their thoughts on what is best for the security community going forward.
Bob Loihl | Software Engineer | Tripwire
My wish for the infosec community this holiday season is that less drama can accompany our efforts to deal with serious vulnerabilities.
I follow both security feeds and political feeds to get my news, and I wish we could be less like the latter. I think that it makes life harder for us as a community when there is a huge news story and it drives us away from other initiatives. I am not saying that we shouldn’t respond quickly to new vulnerabilities or that the pace of discovery should slow down. (OK, maybe it can slow down a little.) Rather, I want to emphasize the fact that the visibility of issues in the press can create unnecessary panic in the larger community. Illustrating this point, I recently responded to questions from my family members about how worried they are that the web is NO LONGER secure (hahahaha) after Heartbleed hit the media. These kinds of big news stories make money for the media. They do not necessarily help us as a community.
More concerning, though, is how some vulnerabilities inevitably force companies to invest valuable resources in conducting research, modifying their solutions, and reassuring the world how their products are safe from exploits. This in itself isn’t the worst problem; it is that we have to interrupt normal business and redirect our energies. Sure, some companies have a process in place to control the disruption of business, but not all enterprises have such measures in place or can afford to divert their attention towards what’s in the media.
And even then, there’s no saving the software industry. These large media splashes leave the tech field with one black eye after another in face of the larger public, oftentimes for what turn out to be incidents that don’t affect the majority of people. No one catches the follow-up story, either, about how vulnerability X has been mitigated and we no longer have to worry about it. It doesn’t make front page news, so it’s no wonder my cousin still thinks that Heartbleed means the sky is falling.
Ultimately, it’s kind of like wishing for the media to stop following politicians until they actually discuss a policy position instead of a good sound bite. It would help the infosec community out, and it would help keep the public more informed.
Martijn Grooten | Editor | Virus Bulletin
If I had one wish for the UK infosec community, it would be to rely less on spreading fear, uncertainty and doubt and more on building on the many successes we have made in the past.
From the inside, it may seem that everything is broken, but we’ve actually become really good at seriously mitigating what is an immensely complex problem.
Michael Hanley | Head of R&D | Duo Security
This season, my hope for the security professional is that there’s a little something extra under the tree to support continued education and professional growth in 2016. With the rapid pace of change in this field, it can be tough to step back and develop new skills, revisit old ones, and retrain to meet the needs of the independently changing user and threat landscapes. It’s critical that security professionals maintain a balanced skillset that supports the business and helps drive informed decision-making. Without a culture of continual learning in a security group, the prospect of being able to make the right decisions that best match the actual threats and problems a business faces is poor at best.
Brian Jackson | Sales Account Executive | Tripwire
We need more qualified infosec professionals. As we all know, there is a shortage of qualified personnel in the security field. Our industry needs more white hats to stay ahead of the black hats.
Tony Martin-Vegue | Cyber Risk Manager
There’s a perception within the infosec community that to be a really good security professional, one must be an expert coder, hardware engineer, or come from a very technical background. Information security is a complex field with very complex problems that aren’t easily solved by the old way of doing things. In 2016, my one wish would be a recognition that good security people come from a variety of backgrounds and fields: economics, business, sociology, and risk management, just to name a few. If we expand our idea of what it means to be ‘in security’ and embrace new ideas and different types of people, we will be able to face new challenges head-on.
Cheryl Biswas | InfoSec IT Coordinator, Senior Writer and Business Development
It is a powerful thing to believe in yourself, and it is an empowering thing to believe in others. Our community is filled with extraordinary, talented, and dedicated people who are willing to share their wealth of experience and knowledge, and it is a real gift to be part of this world every day. My wish for all of us is this: to draw a bigger circle around our orbit so that we can bring in more people with diverse backgrounds and unconventional experience. We need to share our passion and calling to be here; this would help us grow our strengths where they don’t yet reach.
Jane Frankland | Consultant
If I could have one wish for the cyber security community this holiday season, it would be to improve how cyber security is seen as a profession. The reason I wish for this is gender equality. Despite the increasing number of cyber security roles available and rising salaries, most women still do not consider a career in cyber security. According to an (ISC)² report that surveyed nearly 14,000 professionals worldwide, only 10% are female, and the figure hasn’t risen from the year before.
Gender equality is hugely important. If we achieved full gender equality by 2025, we’d actually add $28 trillion to global gross domestic product (GDP) and potentially be closer to ending world poverty. However, cyber security still suffers from a geeky, hard-core tech, isolationist image, which leaves many women feeling uninspired and uninterested in entering the profession. Things will improve only when cyber security is positioned as more of a business discipline that places importance on individuals who’ve a sound understanding of technology; analytical, strategic and creative thinking abilities; and a strong grasp of a business’ key drivers and culture.
Hudson Harris | Chief Privacy Officer
I always hate cliché answers, but I wish for unity and peace. After a year’s worth of conferences, meetings, and conversations with people from all over the infosec industry, one prevailing theme has emerged: division. Too many organizations live with a house divided between privacy, security, and legal. The number of passive-aggressive or blatant power-grab stories I heard this year is truly saddening.
To be sure, the BEST privacy and security programs out there are driven by teams, not individual departments. By uniting the three factions I mentioned above, you will help to bring unity to your company. This will lead your clients to thank you for their privacy and security.
Sarah Clarke | Consultant and Blog Writer | Infospectives
Having an easy ride that’s on-call would be nice if you’re one of the unlucky ones this holiday season. I’ve been there; I’ve worked through those snowy nights.
Otherwise, I suppose a short story can summarize my other wish. Taking a note from The Christmas Carol, the “bah humbug” of tight margins robs poor Tiny (Data) Tim of his guardian’s protection and of the security he deserves. The Ghost of Christmas Past offers some hindsight to Scrooge, who was left by his cherished partner when he was young because his profit focus made him destructively shortsighted. This leads us to the Ghost of Christmas Future, who reveals that the poor mite is no more. The ripples of Tim’s departure in turn have a significant, far-reaching impact. By contrast, in the brighter future where Tiny Tim is cared for, lessons are learned via honest conversations and thoughtful actions. Scrooge and Bob Cratchit share experience and stories around a welcoming table, thereby forging a collaborative relationship that yields rewards that exceed any monetary value.
The infosec community could learn a thing or two from this story.
Neira Jones | Consultant
My wish for the infosec community this holiday season is for a Babel Fish for everyone. This would instantaneously turn every infosec professional into the kind of communicator that Churchill or Martin Luther King would be proud of!
Imagine, the CISO might want to say ‘I stopped 2732 cyber attacks last week’, but what would come out of his or her mouth would be ‘Out of the numerous cyber attacks we stopped last week (because that’s our day-to-day job), five, if successful, would have resulted in a 10-hour downtime each on our core systems, which would have equated to a £1.7M direct loss. In addition, one attack could have subjected us to cyber extortion if it hadn’t been nipped in the bud, and the potential losses are unquantifiable at this stage.’
At the same time, the Marketing Director would have heard from the CISO, ‘My customer database would have been inaccessible, and I would have been unable to run and monitor my Black Friday campaign. My customers would have been unable to order online; the number of customer services complaints would have risen exponentially.’
Bob Covello | Infosec Analyst
I went to an orchestral concert the other night, and I was amazed at how the group of musicians came together to create such a uniform landscape of sound. It is even more interesting to watch some of the lesser-featured instrumentalists, such as the bass clarinetist, waiting silently before adding just a few notes. During these tacit moments, at no time do the other musicians complain that the bass clarinetist is not doing enough. If these types of complaints do occur, they happen off-stage, out of the viewing eyes of the public. The public hears unity.
If I had one wish for the infosec community, it would be that we learn to function with the same unity as a world-class orchestra. We need to stand together as a community and support each other. If you are new to the infosec community, take some time to learn from the elders. If you are an elder in the community, mentor to help the newcomers strengthen their knowledge and skills. Let’s all be a part of the music that will advance the profession.
Jessica Barker | Consultant
My wish revolves around the fact that we are all the same. By ‘we’ I mean people: techies, execs, designers, developers, ‘users’. Yes, we all have different levels of knowledge, skills and understanding, as well as differences in lots of other ways, but there’s really not an ‘us’ and ‘them’. Underneath it all, we are all fighting battles most people don’t see, overcoming anxieties and worries we don’t share and hoping for happiness and success in whatever way we define that.
This year, I’m going to ask my infosec community genie for three wishes, all of which relate to kindness. Firstly, please be kind to the ‘users’. I know you want to pull your hair out when they use terrible passwords and click phishing links, but they’re busy and stressed, just like you are. For most, security is not their number one priority, and the workings of the Internet are a bit of a mystery. Please don’t see your ‘users’ as a problem to be fixed, but instead please recognize them as an asset to be nurtured.
Secondly, please be kind to each other. One of the many things I love about this industry is how supportive it can be, but for everyone lifting someone onto their shoulders, there’s someone else pulling them down. The Twitter spats and one-upmanship help no one in the end. Let’s build each other up and gain strength from our community.
Finally, please be kind to yourself. As research like that presented by Chris Sumner and Jack Daniel at BSides London shows, rates of burnout and stress in this industry are pretty high. You’re working hard, fighting fires, and seeing the same problems coming back like boomerangs. It can take its toll, so please give yourself a break. Go outside, rest, take a holiday. Remember that life actually is about more than attack and defend.
Lori MacVittie | Principal Technical Evangelist | F5 Networks
In the spirit of the season, which brings with it a message of hope, I wish for the infosec community to carry with it the hope that we can, in fact, succeed at our task of securing information and apps. Let us not despair in the face of increasing breaches and often what appear to be apathetic approaches to security. Let’s remember that those with malicious intent are unbounded and without constraints, making their task much easier than ours, which must be necessarily conducted within the bounds of our budgets and operational constraints. Keep up the good fight, stay vigilant, and hold onto the hope that as technology advances, so will our ability to detect and prevent the attacks that try to wear us down each and every day.
To read the first post in our two-part series, please click here.
Title image courtesy of ShutterStock