Security

Cybersecurity's Insidious New Threat: Workforce Stress (technologyreview.com) 58

This week's Black Hat event will highlight job-related stress and mental health issues in the cyber workforce. From a report: The thousands of cybersecurity professionals gathering at Black Hat, a massive conference held in the blistering heat of Las Vegas every summer, are encountering a different type of session this year. A new "community" track is offering talks on a range of workplace issues facing defenders battling to protect the world from a hacking onslaught. With titles like "Mental Health Hacks: Fighting Burnout, Depression and Suicide in the Hacker Community" and "Holding on for Tonight: Addiction in Infosec," several of the sessions will address pressures on security teams and the negative impact these can have on workers' wellbeing.

"A lot of people in this space feel strongly about wanting to protect their users," says Jamie Tomasello of Duo Security, who is one of the speakers. "Where this becomes challenging is when people are under sustained high stress. That increases the risk of depression and mental illness." The impact on cyber defenders' lives is deeply concerning, as are the broader implications for security. In spite of a push for greater automation, many tasks in cyber defense are still labor intensive. Workers experiencing mental health issues are more likely to make mistakes and to have performance issues that require colleagues to pick up the slack, increasing the likelihood they will make errors too.

  • So in the main article it talks about "Mental Health Hacks". What does "hack" mean any more? It seems that it can mean almost anything. I've seen people talk about, for example, putting hot sauce on vanilla ice cream as a "hack". I wouldn't think that a topic as important as somebody's mental health would involve hacking, yet here we are. It reminds me of what a smart guy I worked with said once - when something is everybody's responsibility, it's nobody's responsibility. Similarly, I guess now that
    • ever since it was used to describe the rat's nest of wires under an MIT model train setup: it's a complex and clever solution to a problem.
      • I agree - a hack is an elegant solution to an old problem - since securing IT is an old problem a hack gets around controls - fits perfectly
        • > I agree - a hack is an elegant solution to an old problem - since securing IT is an old problem a hack gets around controls - fits perfectly

          That's the exact opposite of what a hack is. A hack is an inelegant shit solution to a problem. Hacks are defined by the absolute lack of skill on the part of their creator, be it in sloppy code to get something hacked together quickly and barely functional with no potential for future adaptation or someone so pathetic they take the easy route of breaking stuff instead of creating things. Hacks are by definition inelegant abominations.

          • maybe from where you are - but not me - a hack is elegant - an inelegant solution is definitely not a hack - although many people claim it is - as you do
            • Hacking is breaking something up, like hacking up a tree. Hacking is breaking the code so I can get access.

              • "hack" has many meanings - I choose elegant even though the dictionary does not - from the oxford dictionary: 1[with object] Cut with rough or heavy blows. ‘I watched them hack the branches’ [no object] ‘men hack at the coalface’ More example sentences Synonyms 1.1 Kick wildly or roughly. ‘he had to race from his line to hack the ball into the stand’ More example sentences 2[no object] Gain unauthorized access to data in a system or computer. ‘they hacked
          • you're thinking of a kludge - see "The Soul of a New Machine" by Tracy Kidder...
          • by Misagon ( 1135 )

            The word "hack" applied to computers and electronics is an analogy to using a hacksaw to a table leg, hence the name.
            Therefore, it is indeed about a quick and simple solution to a problem.

            If it should be considered elegant or not to cut the table's other leg shorter to make it less wobbly ... that's anyone's opinion.

            • ...to get my sinclair zedx80 computer to display on my tv was a hack and it was elegant too ;) ...to write code on the wang word processor so the upper drive displayed a banner was a hack and it was elegant too...
            • The table analogy is probably a bit oversimplified, a non-hack solution would be to take the leg off, measure it against another, and cut it straight instead of some hand-made angle with a hacksaw, or to lengthen the other 3 legs. Real-world object analogies don't really work that well for software. (Cue the horde of plebs talking about building houses.)
            • Hacking away at a tree. It's to break something up. Or break through something.

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Wednesday August 08, 2018 @11:36AM (#57091668)
    Comment removed based on user account deletion
    • Re: (Score:1, Funny)

      by Anonymous Coward

      No revenge? Your story lacks Shakespearean arc, 3/10 stars.

    • And this CYA mentality leads to all kinds of overzealous directives. The company I work for does not allow mapping to network shares when on VPN. I have no tools to help someone who is unable to connect to VPN so I'm left walking them through steps over the phone. We cannot initiate or receive video conference calls through the firewall. And the list goes on. The only way to be "secure" is to never connect to a network. If the security you implement adversely affects the business' ability to get work done y
    • by eth1 ( 94901 )

      > I became so jaded eventually that my job morphed from protecting users from malicious actors, to just keeping a running CYA log of poor leadership decisions and whom to attribute them to when the shit hit the fan. no hardened binaries? no standardized two factor? no problem. Just don't expect me to sit quietly in the meeting.

      Clueless developers and always getting, "it's too expensive" are what we have to deal with around here. All you can do is the best you can with the resources you have, and make sure to keep a record of every stupid order you get from above. Every once in a blue moon, explicitly demanding something in writing (in writing) is enough to make management think twice, because most of them can smell a buck pass from miles away.

      Unfortunately, actually getting compromised is about the only way to get the money you need

    • by fyonn ( 115426 )

      > keeping a running CYA log of poor leadership decisions and whom to attribute them to when the shit hit the fan.

      abso-bloody-lutely!

      I just wanted to thank you for that rant which resonated pretty strongly...

  • It's just over work (Score:5, Interesting)

    by rsilvergun ( 571051 ) on Wednesday August 08, 2018 @11:40AM (#57091684)
    and it's happening everywhere. Companies are cutting staff and forcing the ones left to work longer hours. 80% of Americans are living paycheck-to-paycheck (google it). _Everybody's_ stressed out. It's just that when your cyber security guys get that way and start making the mistakes folks under high pressure 24/7 tend to do then your network gets hacked and you've got a PR disaster on your hands.
  • ...if mgt is placing unrealistic pressure it's time to switch jobs...
    • by gweihir ( 88907 )

      It can also be pretty stressful if you are an outside consultant being brought in after others have done it wrong for some time. I do agree that management is the main root-cause of the problems in almost all cases though.

  • Check out his analysis and stories of incredible alcohol consumption at security conferences: http://www.irongeek.com/i.php?... [irongeek.com]
    • by cavis ( 1283146 )

      A lecture about drinking presented by Jack Daniel? :-|

      The response for stress in IT Security isn't any different than those in other high-stress careers like Fire, EMS, or Law Enforcement, but the local peer support group is much smaller in the IT field. If a firefighter has a bad EMS or fire call, I have 30 guys in my own station that are going through or have gone through the same thing. How many people in your organization can empathize with your IT security stress?

      Source: Firefighter/EMT with 28 years

  • 110 with ~10% humidity is much preferable than 90 with 65% humidity.

    Perhaps not wearing black in the sun might help.

  • The fact is that thanks to Ambient Authority, nothing is safe, and can't be made safe. Anyone who works in infosec and thinks otherwise is nuts. The shitstorm is going to come, just hope it doesn't happen on your watch, or that you can deflect the blame enough to survive.
