
1/16/2018 02:00 PM
Joshua Goldfarb
Commentary

In Security & Life, Busy Is Not a Badge of Honor

All security teams are busy, but not all security teams are productive. The difference between the two is huge.

Busy, busy, busy. Everyone is busy. No time for anything. Being busy has become a badge of honor of sorts in modern society. I'm not one who shies away from going against conventional wisdom, so I'll come right out and say that I find this rather unfortunate. Further, I see the idolization of busyness as detrimental to security as a profession.

I often come across those I call busy people. People who feel the need to constantly tweet about how busy they are or how much work they have to get through. People who feel the need to tell you that they are buried in emails and can't keep their in-box clean. People who don't have time to respond to your emails and will tell you as much when you happen to run into them in person. People who tell you that they have one hour free over the next three months during which they can meet with you. People who can't spare five minutes for a phone call when you have a question for them. The list of such behaviors goes on and on.

For some reason, modern society encourages and even champions such behavior. But what do I see when I encounter this type of behavior? Failure. Sound provocative? While I am not an expert in human behavior, a few things seem to cause this obsession with busyness:

  • Insecurity: "I don't believe enough in myself and the importance of what I'm doing, so I feel a need to make sure everyone knows I am busy."
  • Disorganization: Often, busyness results from wasting a tremendous amount of time on looking for things, working in an interruption-driven manner, and/or trying to remember what needs to be done.
  • Inability to separate the wheat from the chaff: Every decision we make in life necessitates evaluating certain data points. Sometimes it seems like life is more about filtering out what is irrelevant than it is about paying attention to what is relevant. Those who can quickly isolate the important factors of a decision and filter out the noise are able to come to a decision and move forward much more quickly than those who cannot.
  • Inability to prioritize: No one has time to do everything that crosses his or her mind. That's why prioritization is key. People make time for what is important to them. If someone told you that if you sat on a park bench from 11:00 a.m. to noon tomorrow he would give you $10 million, I'm sure you would find the time to be there.

If there is still any doubt, the points above should make it clear that being busy is quite different from being productive. There are many productive people who still find time for what is most important to them in life, whatever that may be. So, what lesson can we take from this in security?

Unfortunately, I would describe the state of many security programs as "busy" but not "productive." The difference between those two words is enormous. Many security organizations are geared toward measuring, rewarding, and even priding themselves on busyness rather than productivity. The end result of this approach, sadly, is that it weakens their overall security posture. Let's take a look at a few examples of this:

  • Ticket obsession: Many organizations pride themselves on how many tickets they open and close in a given day, week, or month. It's a meaningless metric that many organizations use to show how hard they are working. But is this really something to take pride in? It is certainly true that people in these organizations are working hard, but are they working smart? The only way to know the answer to that question is to understand how the tickets that are being opened and closed contribute toward mitigating and reducing risk. If they directly contribute toward that end, this is a productive activity. If they don't, it's a busy one.
  • Alert fatigue: I've heard far too many people proudly and bombastically tout the number of alerts they "handle" on a daily, weekly, or monthly basis. But how many of those alerts were false positives? How many were relevant to threats the organization is concerned about? Did the volume of alerts create a noise level so high that the organization missed events that it should have paid attention to? If you're plowing through thousands of alerts on a daily basis, you are busy. Only when you improve the signal-to-noise ratio, enrich alerts with the necessary contextual information, and prioritize appropriately can you overcome alert fatigue and move from alerts making you busy to alerts making you productive.
  • Seeing the forest for the trees: Sometimes the fact that people are too busy to come up for air is precisely the reason that they need to come up for air. Time-consuming duties can serve as an indication that specific areas of a process need to be re-examined. Perhaps the hours spent on a given task don't add any value to the security program? Perhaps leveraging technology could greatly reduce the time spent on certain duties? Maybe automating certain manual processes could also save time? Not every activity that takes time is worth that time, which is a concept that is key to moving from busy to productive.
  • Root cause: Maybe the reason the security team is so caught up with playing whack-a-mole is because there are certain root causes that have not been identified and addressed appropriately. Productive organizations identify and address root cause, which saves them time later in the process. Busy organizations let root cause remain unaddressed and then sink a tremendous amount of time (and money) into dealing with the mess that results from that.

I've never come across a security organization that has idle time. All security teams are busy. But not all security teams are productive. The difference between the two is huge. Aim to be a productive security organization. Leave the busyness for those organizations that just don't get it.

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ...