QOTD from securityburnout.org

Published: 2012-02-28
Last Updated: 2012-02-28 05:34:57 UTC
by Russ McRee (Version: 1)
7 comment(s)

 In the "too good to pass up on" category we find an article by Iain Thomson in El Reg regarding a survey of stress levels among IT security staff. Iain reports on Jack Daniel's (founder of the Security B-Sides conference) well attended presentation at RSA this morning. The article and the findings speak for themselves, but I had to share one quote with apologies in advance to any CSOs in the readership to whom this may be applicable. Josh Corman, regarding some of the stress-causing factors for security professionals indicated that management is likely part of the problem and suggested the following:

"As an experiment, explain to your children what it is you're trying to explain to your chief security officer. If they get it and he doesn't, then the problem isn't with you."

For the record, I haven't encountered this personally in more than five years (I count myself among the lucky). That said, I have a few friends in the consulting industry who have a much higher ratio of minion to CSO contact than most and have absolute horror stories to share. So let's hear a few, ye who count yourselves as those on the "ragged edge of burnout and cynicism." A few ground rules, and they are absolute: no bad language, no personal or business names, no false statements or exaggeration. As Sgt. Joe Friday said, "Just the facts, ma'am." The comments form is open...

Russ McRee @holisticinfosec


Keywords: QOTD
7 comment(s)


I heard Richard Thieme's briefing at Black Hat last year, "Staring into the Abyss," and it hit home in ways I didn't even realize.

Based on Nietzsche's "Stare into the abyss and the abyss stares back" concept, he talks about the emotional and psycological toll the Infosec community is subjected to. Security folks are hammered in three ways:

1) Obviously, the bad guys are knocking at the door. I don't care how good you are, your door will get knocked in one day, and it won't feel good.

2) Management is going to set expectations high. They do NOT expect to have security incidents, after all, that's why you're there. To prevent them.

3) Vendors are constantly up in your grill about their solutions, and how they are the silver bullet, all your problems will be solved if you just implement their tool.

My last job, I was fortunate enough to have representation in Senior Management circles who understood that InfoSec demended a different line of thinking than traditional business logic. You'd think having the road paved in terms of budget and projects would make my life a little easier, but in fact, I felt just the opposite. Knowing that I could fast-track a solution meant I felt even more pressure from #2.
I worked for an "IT Security Officer" who didn't have a clue about Security. Or IT. Or anything else, as far as I could tell. Here are a few fondly-remembered moments from our time together:

- I did a vulnerability scan for a particular app's servers and reported the results along with a summary showing High, Medium, & Low findings for each machine. He said, "This is OK, but you need another column that says whether the server is Secure or not."

- He requests pie charts showing progress in closing out issues. When things are 100% complete, he seems troubled. "This is just a circle. What's that, like... a whole pie?"

- I mention that I browse through the web server logs periodically looking for hinkiness, although security monitoring is not strictly my job. He tells me to stop immediately: if I'm monitoring the logs, and something goes wrong, and I don't catch it, I could be held responsible! So, head in sand it is then...
I worked for a dot com that had many remote offices all over the globe. Employee-wise it was smaller (under 50) but it managed nearly 10k IPs. When I asked the newly appointed CTO (we did not have a CISO/CIO/CSO) why we do not use antivirus on our workstations, the response was "antivirus software only catches 20% of actual viruses, so its not worth our time." Needless to say I no longer work there.

You should submit that story to "Computer Stupidities" at


This isn't one that happened to me personally (thankfully!) but I do recall a few years back reading about a senior executive calling up the IT security staff and saying "I think you need to turn down the settings on the firewall -- my office is too hot."
If indeed this happened I imagine it actually may have served to relieve stress with the uncontrolled laughter that inevitably ensued.
I will repeat one of my own famous quotes:

Q: What's the first rule of consulting?
A: There's a problem; if there wasn't a problem, you wouldn't be here.

Q: What's the second rule of consulting?
A: Its always a people problem; the technical problems are easy.
We recently setup a NIDS at my dayjob and I even hooked it into the ticketing system so when someone's computer was compromised it'd automatically open a ticket with desktop support. However, to better deal with the volume of tickets their procedure is now to watch if a given machine continues to cause more tickets to be opened every day. If not, they simply close the ticket with "no activity since ..." I guess if a windows desktop gets compromised it's ok so long as it doesn't get re-compromised by someone else and doesn't phone home on some well-known C&C channel once a day? (sigh)

Diary Archives