6 hard truths security pros must learn to live with

The life of a security practitioner isn’t easy. You’re on the front lines, fighting the good fight against a patient, smart, determined enemy that always seems to be one step ahead. But there are great rewards as well. The security community has tremendous camaraderie, security pros can feel good knowing they are doing something important for their company. And security salaries are among the highest in the IT industry.

As they go about their daily lives in the trenches, here are 6 hard truths that security practitioners must learn to accept and deal with.

Hackers are probably inside your network right now

We’ve all heard the old adage that there are two types of companies, those that have been hacked and those that have been hacked and don’t know it yet. There’s a grain of truth to that. On average it takes companies an astounding 200 days to identify a security breach, according to a study conducted by the Ponemon Institute for IBM. That’s more than six months of an attacker rooting around in your network.

Nearly 70% of CISOs reported that they discovered malware hidden on their networks for an unknown period of time — in some cases over a year, according to a survey commissioned by  

Nominet, which runs the UK’s domain name registry and offers cybersecurity services.

Even tech companies aren’t immune. For example, Citrix, in a letter to the California Attorney General, said hackers were inside its network from Oct. 2018 to March 2019, removing files that may have contained names, Social Security numbers and financial information.

Once a hacker has breached your defenses, they can take their time, methodically gaining elevated credential and admin permissions that allow them to access valuable data stored on corporate servers, and stealthily exfiltrate that data in a way that avoids detection. And there have even been cases in which hackers were able to ‘listen in’ to corporate communications relative to the hack, so the invaders knew what countermeasures the company was taking and were, therefore, able to evade them.

What you can do: Consider deploying threat hunting tools that create honeypots and use other advanced techniques to catch attackers before they can do damage.

You can do everything right and a careless end user can ruin everything

This is a tough one to swallow. You conduct extensive end user training; on a regular basis, you even send out fake phishes and then follow up by notifying the offenders that they clicked on a bad link in the hopes that they will learn from their mistakes.

And still someone takes the phishing or spear-phishing bait, putting the entire organization at risk.

The statistics are truly frightening. According to the Verizon Data Breach Investigations Report, 32% of all data breaches involve phishing. And when organizations went back and investigated the root cause of cyber-espionage incidents and the installation and use of backdoors, phishing was present in 78% of cases.

One in 25 emails is a phish, and virtually every company (83% percent of global information security respondents according to ProofPoint’s State of the Phish report) has experienced phishing attacks.

Of course, end users can compromise security in other ways, including losing their device, having it stolen, or falling victim to social engineering scams in which they share passwords or other credential information with unauthorized users.

What you can do: There are third-party anti-phishing services that try to stay one step ahead of the latest phishing tricks.

You face critical staffing and skills shortages

According to the International Systems Security Certification Consortium (ISC²), the top concern among cybersecurity professionals (36%) is lack of skilled/experienced staffers. The ISC²’s  latest report rings the alarm loud and clear — the global security workforce gap has reached 4 million jobs, primarily in the Asia-Pacific region (2.6M). But things aren’t much better in North America, where the shortage of security pros is estimated at around 550,000 workers.

Two-thirds of organizations in the ISC² survey indicated that they have a shortage of cybersecurity staffers and more than half of organizations (51%) said the shortage of security talent is putting the organization at moderate to extreme risk.

Those findings are backed up by a survey conducted by the Information Systems Security Association (ISSA) and the analyst firm Enterprise Strategy Group (ESG). Seventy percent of respondents said the skills shortage has had an impact on their organization and 62%, an increase of almost 10% from last year, said they are falling behind in providing an adequate level of training for their security staffers.

What you can do: Experts recommend that companies relax their sometimes rigid requirements that an applicant have specific certifications or years of experience. Organizations should also try to recruit and train employees from other parts of the company. Cross-training is important, as is the integration of security teams with other groups, such as DevOps or networking. If security becomes part of everyone’s job, that takes some of the burden off of the designed security professionals.

IoT creates new and unforeseen security problems

The advantages of IoT technology are apparent in both enterprise and consumer environments — 3D printing, augmented and virtual reality, collaborative robots, drones, remote sensors, Industry 4.0, self-driving vehicles, smart homes, security cameras. A new forecast from IDC estimates that there will be 41.6 billion connected IoT devices, or “things,” generating 79.4 zettabytes (ZB) of data in 2025.

But it’s not the number of devices that can create security nightmares, it’s the way that these unsecured devices can impact your security defenses. Are employees checking corporate email on their smartwatch? Are they connecting to their home security system from their work laptop? When they are working from home, tunneled into the corporate network via VPN, are they toggling back and forth between corporate apps and their nannycam?

According to an analysis of cloud traffic conducted by Zscaler, the cloud-based security provider was blocking 2,000 pieces of IoT-based malware per month in May 2019; that number increased seven-fold to 14,000 malware attempts blocked per month by the end of 2019.

In many cases, security pros might not even be aware of some of the devices generating IoT traffic and therefore creating new IoT-based attack vectors for cybercriminals. But attackers are certainly aware of these potential vulnerabilities. In the case of the Mirai botnet of 2016, attackers exploited the fact that consumers rarely change the default password on IP cameras and home routers in order to launch a denial of service attack that took down a big chunk of the internet. And new exploits that target IoT devices are popping up all the time, targeting cameras, DVRs and home routers.

What you can do: Security pros should focus on gaining visibility into the existence of unauthorized IoT devices that are already inside the network (Shodan can help here), putting IoT devices on a separate network, restricting access to the IoT device from external networks, changing default credentials, requiring strong passwords, and applying regular security and firmware updates.

You sometimes feel misunderstood and underappreciated

Security teams often face an uphill battle in a number of key areas:

• Funding: Companies naturally want to invest in areas that cut operating costs, improve margins, create new revenue streams, unlock innovation and boost customer satisfaction. Security is oftentimes viewed as an expense that doesn’t produce a measurable payback, and therefore security budgets don’t keep pace with the threat landscape.
• Executive support: At the highest levels of the company, security threats might not be fully understood. Some companies have security-savvy execs sitting on the Board of Directors, but many don’t.
• Business unit cooperation: Business units often view security as an inhibitor rather than an enabler. This results in departments going around IT and signing up for their own productivity, collaboration or storage applications, which, of course, creates additional security issues.
• Employee resistance: Employees often view security procedures, such as frequent password resets, two-factor authentication, or other standard security practices, as annoyances to be ignored or evaded.

What you can do: Security pros should make a concerted effort to reach out to every corner of the business, building bridges, creating cross-disciplinary teams and pounding home the message that security is everyone’s responsibility and should be embedded in every business process.

Stress, anxiety and burnout come with the territory

Add up all of the hard truths listed above and you get a profession subject to a high level of stress, anxiety and burnout. According to the Ponemon Institute, 65% of SOC professionals say stress has caused them to think about quitting.

In the Nominet survey, 91% of CISOs said they suffer moderate or high stress and 60% add that they rarely disconnect. Even more troubling, a quarter of CISOs surveyed think the job has had an impact on their mental or physical health and their personal and family relationships.

High burnout rates contribute to high turnover, which exacerbates the skills shortage, making life harder for the remaining security professional. It’s a vicious cycle.

What you can do: There’s no easy answer for this one, but security practitioners need to open up and talk about stress with their colleagues and make a determined effort to improve their work-life balance.