Are we drowning in a sea of negative security press?

Nov 04, 2016


It would seem from news accounts that the increase in the number of new vulnerabilities and security issues in devices, software and systems is escalating out of control. Consider the significant vulnerabilities and security issues reported in just the past two weeks: 

Some weeks ago, Steve Gibson, speaking on the Security Now program, mentioned a “sublime” vulnerability he called Flip Feng Shui, a somewhat obscure exploit of a known weakness in DRAM, and not one that most people, probably Gibson included, would worry much about. This week, the same vulnerability has been discovered in a variety of Android devices and is apparently being exploited.

It is undeniable that the time from the discovery of a security weakness to its exploitation by bad actors is getting shorter. As such, the problem is a real one. 

In the past, vulnerabilities and security issues were reported mostly in trade publications, known primarily to information security professionals. Today, such news is covered by all of the major consumer news sources. 

The volume of new vulnerabilities, exploits and exposures seems to be increasingly impacting those inside and outside of the security world. For the consumer and nontechnical business person, the overwhelming volume of bad security news is causing “security fatigue,” as identified by the National Institute of Standards and Technology (NIST) in a recent study. The study shows that people become so overwhelmed with news about vulnerabilities and security issues, they in many cases surrender and accept a less secure existence. 

For those of us in the information security industry, the effect is somewhat different. We tend to wake up in the morning feeling like we are fighting a losing battle. We tend to be busy remediating a vulnerability discovered weeks ago, even as five new ones are reported. I fear that the present shortage of security employees is going to get worse, not just because of growth in demand, but increasingly due to the loss of people who just can’t handle another day of a losing battle. 

While the situation is bad, I think the recent interest by the “mainstream” media in all things security has blown it a bit out of proportion. The fact that we in the industry must read various trade sources daily to keep abreast of the latest issues, and then go home to get blasted by consumer media on the same topic, has many of us down.

There is probably not one set of rules and practices for staying sane, encouraged and secure in this time of unprecedented security upheaval. I can share with you, however, what works for me: 

Keep calm and carry on. I recognize at this point that the popular media loves reporting about breaches and vulnerabilities. Once the political news dies down, it will likely get worse. I don’t let all of this news discourage me. Rather, I use it to strengthen my resolve. 

Be convinced that we will win. I get up every morning with renewed determination that we will ultimately win this battle. It may seem like a lost cause many days, but I truly believe that we can ultimately achieve safe and secure computing environments. Perhaps history will show that I am wrong on this point, but if I give in to that feeling, I have no incentive to keep going. 

Sort out the important news. Author Stephen Covey, in his well-known book “The 7 Habits of Highly Effective People,” refers to a category of items he calls “urgent but not important,” often described as “time-sensitive distractions.” I would suggest that many of the security “crises” mentioned by the media belong in this category. I have learned to automatically filter security news as I hear it.

Seek reliable sources of information. I find it important to have sources of information I can turn to quickly to understand what is truly urgent in the security world. When I get wind of a major security issue, I check those sources first to get an idea of what is really going on.

Track the important stuff. Trying to keep a list of critical issues and vulnerabilities in my head has become impossible, and attempting to do so just increases my stress level. Instead, I always use some form of tracking system for the concerns I feel need to be addressed. I no longer have the stress of trying to remember and prioritize them, and I always have a record of the items in need of attention. 

Bottom line: If we succumb to the overwhelming number of negative stories, vulnerability reports and bad news, we will lose the cybersecurity battle before we even begin to fight. I urge you to renew your resolve to win, and hit the ground running tomorrow morning.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of togoCIO. Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission-critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
