
7/2/2018
01:00 PM
Kelly Sheridan

6 Drivers of Mental and Emotional Stress in Infosec

Pressure comes in many forms but often with the same end result: stress and burnout within the security community.

(Image: Christian Schulz via Shutterstock)

Comments
REISEN1955,
User Rank: Ninja
7/9/2018 | 2:00:13 PM
Re: Psych Eval Addition to the Hiring Process Or...
Quick note about faith in humanity.  That was poorly written - what really bugs one about this subject on the cyber sec side is just how plain DUMB people can be.  Walking somebody out with many years of experience over just stupid download of data is damning indeed.  One has to really wonder if people are, AND THEY ARE, that freaking stupid.  I don't care about home computers - whatever floats your boat.  And I have seen a ton of it.  But WORK?  
Christian Bryant,
User Rank: Ninja
7/9/2018 | 9:55:10 AM
Psych Eval Addition to the Hiring Process Or...
Here's the problem you're looking at, plain and simple. I mean this with the greatest respect for folks who are burning out, because I had my bout with it and ended up in the ER more than once for overwork stress. I've been using tech since I was a teen (born in the 70s) and you've either got the tech bug or you don't. No sleep, no food, no friends - often part of the gig. Too many friends, too much to drink, too much food - can also be part of the gig. It all depends on the job at hand and the goal. But the difference between the average InfoSec professional and the opposition is psychology. You will almost never, and I mean never, have the same way of thinking about your job that they do theirs; because to them it isn't a job, it's the air they breathe. Sorry, that's just how it is.

I've hammered on this in the past. You can't train someone to do InfoSec in a straight-laced Dockers environment who doesn't already have the same mental state as the adversary and expect them to do a stellar job. Or, maybe they do a great job for a while, but then begin to burn out because of what they see (REISEN1955 alludes to fallen faith in humanity when seeing co-workers' porn habits at work). You can't care about that and expect to do well in InfoSec. Honest opinion. In fact, the best InfoSec resource is going to understand the adversary, think like them to some extent, and be just fine with all the bad stuff they see. You can't be affected by it and expect to maintain your effectiveness as an InfoSec professional.

This goes further, of course. Pen-testing is a good example. It's one area I still see in InfoSec that can never, and I mean never, go fully automated. You need a bulldog, a killer, a sadistic and driven-by-the-domination kind of mind that will not stop until they find the last hole in your system. And this is not work that can be done in a 9-5x5 work week. No way. If you can't hack that, you really shouldn't be in the game. Er, industry.

So, yeah, tech can really come down hard on some people. It's a shame, for sure. But it's the gig. I didn't break all those keyboards doing week-long all-nighters by design. That's what you sign up for - you come in knowing what it takes and you do the work. And, honestly, it's kind of the point that human nature takes dark turns that you're in the InfoSec industry, so it should come as no surprise what your co-workers get up to. Maybe take it with a sense of humor, to lighten the load.

If you want solid InfoSec performers, you may want to add a psych-eval to your hiring process, to see where they come from and if they can take the load. Or you could hire some black hatters from the battlefields who are ready to turn. Most of them aren't going to be whining about the hours, about the sad state of humanity or complaining about their work environment. But I get it. It's like war - we don't want to believe we're animals on the battlefield and we want honor in the battle. But at some point you have to face the fact that to do your job well, to beat "them" at their own game, you have to put blood into the battle, and you have to want to be the one coming home, not them.

So the short of it is, this influx of stress-related topics may want to be looked at in more than one way. Who are the people getting stressed and are they right for the industry, and if they are, are their bosses right for the industry - who is defining their work strategy and load. And on the off-chance you have a real talent who is getting crushed, better look at the battle they're fighting because the adversary might be doing something new, something effective, that needs to be studied and white-papered.

But of the human factors noted in the topics being submitted for consideration, I have no tolerance for sexual harassment or gender inequality issues. If our community of digital revolutionaries can get anything right, it's got to be inclusion. We stood for the outsider back in the day, and we can't be seen as being "like the man" today. I'd staff my team with a dozen women and trans-gender hackers in a heartbeat, all colors, all anything, because playing the game has no restrictions.
REISEN1955,
User Rank: Ninja
7/9/2018 | 7:11:57 AM
Hard job indeed
Cybersecurity is not the easiest job in the world for many reasons.  Attacks on networks are constant and monitoring is a 24-5-365 to the second chore.  And when an attack breaches - ransomware - all tasks are dropped and put into restore mode and this is often NOT EASY because restoration plans do not exist.  With proper preparation, it is FAR easier but companies often do not have plans in place.  IT has to make it up on the spot.  Second, your faith in humanity takes a hit.  Working with staff on internet usage takes one to some pretty bad places and emotional wounding.  It is not fun to address porn issues with your colleagues who can be walked out the door.   And at the end of the day, the cyber sec professional is worried about WHAT will happen tomorrow!!