QOTD from securityburnout.org
In the "too good to pass up on" category we find an article by Iain Thomson in El Reg regarding a survey of stress levels among IT security staff. Iain reports on Jack Daniel's (founder of the Security B-Sides conference) well-attended presentation at RSA this morning. The article and the findings speak for themselves, but I had to share one quote, with apologies in advance to any CSOs in the readership to whom this may be applicable. Josh Corman, discussing some of the stress-causing factors for security professionals, indicated that management is likely part of the problem and suggested the following:
"As an experiment, explain to your children what it is you're trying to explain to your chief security officer. If they get it and he doesn't, then the problem isn't with you."
For the record, I haven't encountered this personally in more than five years (I count myself among the lucky). That said, I have a few friends in the consulting industry who have a much higher ratio of minion to CSO contact than most and have absolute horror stories to share. So let's hear a few, ye who count yourselves as those on the "ragged edge of burnout and cynicism." A few ground rules, and they are absolute: no bad language, no personal or business names, no false statements or exaggeration. As Sgt. Joe Friday said, "Just the facts, ma'am." The comments form is open...
Comments
Based on Nietzsche's "Stare into the abyss and the abyss stares back" concept, he talks about the emotional and psychological toll the Infosec community is subjected to. Security folks are hammered in three ways:
1) Obviously, the bad guys are knocking at the door. I don't care how good you are, your door will get knocked in one day, and it won't feel good.
2) Management is going to set expectations high. They do NOT expect to have security incidents, after all, that's why you're there. To prevent them.
3) Vendors are constantly up in your grill about their solutions, and how they are the silver bullet, all your problems will be solved if you just implement their tool.
My last job, I was fortunate enough to have representation in Senior Management circles who understood that InfoSec demanded a different line of thinking than traditional business logic. You'd think having the road paved in terms of budget and projects would make my life a little easier, but in fact, I felt just the opposite. Knowing that I could fast-track a solution meant I felt even more pressure from #2.
FoolOnTheHill
Feb 28th 2012
- I did a vulnerability scan for a particular app's servers and reported the results along with a summary showing High, Medium, & Low findings for each machine. He said, "This is OK, but you need another column that says whether the server is Secure or not."
- He requests pie charts showing progress in closing out issues. When things are 100% complete, he seems troubled. "This is just a circle. What's that, like... a whole pie?"
- I mention that I browse through the web server logs periodically looking for hinkiness, although security monitoring is not strictly my job. He tells me to stop immediately: if I'm monitoring the logs, and something goes wrong, and I don't catch it, I could be held responsible! So, head in sand it is then...
downtrodden
Feb 28th 2012
Matt
Feb 28th 2012
You should submit that story to "Computer Stupidities" at
http://rinkworks.com/stupid/
Robert R
Feb 28th 2012
If indeed this happened I imagine it actually may have served to relieve stress with the uncontrolled laughter that inevitably ensued.
DM
Feb 28th 2012
Q: What's the first rule of consulting?
A: There's a problem; if there wasn't a problem, you wouldn't be here.
Q: What's the second rule of consulting?
A: It's always a people problem; the technical problems are easy.
Moriah
Feb 29th 2012
B.B.
Feb 29th 2012