Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

SEC BURNOUT and The Psychology of Security

Recent Days of Whine and Wiping of Noses:

Recently I have had my sensibilities assaulted by the whining on my Twitter feed coming from soundbites from Source Boston as well as others talking about INFOSEC Burnout and community communication issues. What really grinds my gears is the sense that we are all just helpless mental geniuses who need to learn how to communicate better to do our jobs more effectively, as well as the whole “Woe is me, no one listens to me” bullshit I keep seeing reverberate across the community. Well I am here to tell you right now to stop blubbering, put on your big girl/boy/transgendered pants and cut it out.

Last week I had a long back and forth with someone who is “studying” INFOSEC burnout and throughout the conversation (yes, really hard in 140 chars per tweet, yes yes yes I know Beau) I could not get them to nail down exactly how they were “studying” it, or what the efficacy of doing so would be. What are the ends that justify the means of this study? Was there to be a self help book? Or are you just having a kumbaya “I’m in INFOSEC and no one listens to me!” bitch session at each conference?

At the end of the day people got hissy and I began to think more and more about just how entitled this community thinks it is, as well as how smart they “think” they are. So smart that they can’t get past a problem that, properly studied, would likely give you all some perspective and perhaps some solace, and this chaps my ass. While some of you out there are vocally becoming the new INFOSEC Dr. Phils, others just go about their day in the war and do their jobs without whining about it.

Not all of us have INFOSEC Jesus complexes.

The Problem Statement:

So here’s the general feeling I get from what I have seen (yes I went to an infosec burnout presentation) from the community on this whole burnout thing.

  • We can’t win the war and it’s hard to even win battles
  • The job is hard because the adversaries have no rules while we do
  • We are constrained by our managements
  • Our end users are morons
  • We’re the God damned smartest people in the room and no one listens to us!
  • We are just perceived as an obstacle to be bypassed or ignored

I am sure there are other complaints that weigh heavily upon the INFOSEC brow but these are the biggies, I trust. Perhaps a real study with a real psychological questionnaire is required to get some analytical data to use for a proper problem statement, but to date I have seen none. While I agree we work in a tough field from the perspective of “winning” the day, and yes, we are looked upon by the masses as an impediment and a cost centre, this is not the problem set we need to work on. I propose that this problem set is the most self centered and useless one making the rounds today and smacks of every bad pop psychologist’s wet dream of making it big.

In other words: you are all problem solvers. Solve the god damned problem by studying the root causes and then implement what fixes you can come up with. What you are dealing with is human nature, the mechanics of the human brain, and the psychology that goes along with all of this. Apply that laser-like focus you all claim you have out there to the problem set and you will in fact come to some conclusions, and perhaps even answers, that will make you see the problem in a pragmatic way. Once you do this you can then rationalize all of these problems at the end of the day and hopefully get past all this self centered bullshit.

Then again this is a community full of attention seekers and drama llamas, so your mileage may vary.

The Psychology of Security:

Once, a long time ago, I found Bruce Schneier relevant. Today I don’t so much think of his mumblings as at all useful; however, he did write an essay on Psychology and Security that was pretty damn prescient. I suggest you all click on that link, read his piece on this and then sit back and ponder your careers for a while. What Bruce rightly pointed out is that our brains were wired for “Fight or Flight” on a core level back when we lived on the great savannah, and that the amygdala (lizard brain) is often at odds with the neocortex (the logical brain with heuristics), which often helps us make shortcuts in decision making out of pattern recognition and jumping to conclusions, to save the brain cycles on the complex data that is always coming at it.

What Bruce and others out there have pointed out is that all of our experiences in security, good and bad, are predicated on the fact that primates at the keyboards are the problem set at the core of the issues. We create the hardware and software that is vulnerable. We are the ones finding and creating vulnerabilities that are exploited by bad people. We are the ones who, at a core level, cannot comprehend the security values and problems, because on average we are not wired to comprehend them due to the way the brain formed and works even today. There are certain problems psychologically and brain-wiring-wise on the one hand, and then there are the social and anthropological issues that also play a part in the problem statement. All of these things can and do hinder “security” from being something that is generally comprehended and acted upon properly as a society and a species, and they play into our day to day troubles as INFOSEC workers; we need to understand this.

So, when I hear people decrying that security is hard, that they are burned out because you can’t win, or that the client/bosses/those in charge do not listen to you, please step back and think about Schneier’s essay. The cognitive work of comprehending these things is not necessarily the easiest thing for the masses. Perhaps YOU are just the Aspergers sufferer who is wired differently enough to get it; had you ever considered that?

Security is a complex issue and you, INFOSEC worker, hacker, Aspergers sufferer, should look upon all of this as a tantalizing problem to solve. Not something to whine about and then turn on its ear by deciding you need to be softer and listen to your clients/bosses to hear their woes. We all have problems, kids. It’s just a matter of looking at the root of the issues and coming up with solution statements that work. In the case of the brain and cognition we have our work cut out for us. Perhaps someday someone will come up with a nice framework to help us all manipulate the brain to understand the issues and cognate it all efficiently… Perhaps not. Until then, just take a step back and think about the issues at hand.

A Pragmatic Approach To Your Woes:

So with the problem statement made above, what does one have to do to deal with the cognitive problems we face, as well as our own feelings of inadequacy in the face of them? The pragmatist would give you the following advice:

  • It is your job to inform your client/bosses of the vulnerabilities and the risks
  • It is your job ONLY to inform them of these things and to recommend solutions
  • Once you have done this it is up to them to make the decisions on what to do or not do and to sign off on the risks
  • Your job is done (except if you are actually making changes to the environment to fix issues)

That’s really all it’s about, kids. YOU are a professional who has been hired to be the canary in the coal mine. You can tweet and twitter all you like that the invisible gas is headed your way to kill you all, but if the miner doesn’t listen… well, you die. If you want to change this problem statement then you need to understand the problems cognitively, socially, and societally (corporately as well) in order to manipulate them in your favour, at the most. At the least you need to understand them to deal with them and not feel that burnout that everyone seems to be weeping about lately.

Look at it this way: the security issues aren’t going to go away. The fact of the matter is they will only increase as we connect every god damned thing to the “internet of things”, so our troubles around protecting ourselves from the digital savannah and that “cyber tiger” (copyright and trademark to me… derp) are not going to diminish. Until such time as the brain re-wires or we as a society come to grips with the complex issues of the technologies we wield today, we as security workers will need to just deal with it. Either we learn to manipulate our elephants or we need to get out of the business of INFOSEC and just go hack shit.

Catharsis:

Finally, one comes to a cathartic state when one realizes that only YOU can fix your problems coping with your work. Sure, people can feel better if they sit around and bitch about their problems, but that won’t stop their problems from being problems, will it? Look at the issues as a problem statement, Mr. or Miss/Mrs. security practitioner, as a problem to hack. Stop being a whiny bunch of bitches and work it out.

HACK THE GOD DAMNED SYSTEM!

Failing that, come to accept the problems and put yourself in the place where you are just the Oracle at Delphi. You impart your wisdom and say “Your mileage may vary” and be done with it. Until such time as you manipulate the means by which you get this across to the company’s management and they make a logical decision based on real risk, you just have to accept it. If your place of work has no real risk acceptance process then I suggest you get one put in place or perhaps find a new job. You are not Digital Jesus. You can’t fix everything and you cannot fix those who are broken like Jesus did in healing the blind and making a hell of a lot of fish sandwiches from one tuna can.

Either understand and come up with a way to fix the problem or accept it for what it is and move on.

Stop the whining.

K.

Written by Krypt3ia

2014/04/13 at 12:22

7 Responses

  1. Agree with what you have said in this post. Our jobs are to warn and let the management stiffs make the decision on risk. I have used the canary in a coal mine analogy but have recently settled on Chinese water torture instead. I just keep dripping on them and they get to decide if I should be listened to or not.

    Beej

    2014/04/14 at 18:26

  2. I wholeheartedly agree with your sentiment expressed here. It is really why I stopped going to security conferences. There is a lot of rock star attitude that disregards working together or why technology is cool. This attitude is more than likely expressed at work as well – which would turn everyone off.

    I think a lot of the burnout is due to an overactive ego, in the way ego is described here:

    http://deoxy.org/egofalse.htm

    Why does a person need to have their thoughts and ideas validated? Does the world owe this to you? It feels like security rock stars think the world owes them in a big way – and I used to be like this.

    The world owes nobody.

    I now think of myself as a mercenary for hire. I do the job you pay me to do. I will do anything as long as it doesn’t get me into legal trouble. I don’t care if the task is stupid. I don’t care if the tools are inadequate. It isn’t my job to tell you how I think you are stupid, but it is my job to tell you you probably aren’t going to get what you want with task list X or tool set Y.

    I only care that you pay me for my services at the end of the day.

    Dan

    2014/04/14 at 21:34

  3. I’d add CYA to this. Keep records of who you informed, what you told them, so if your advice is ignored and things blow up as you predicted, you can prove you aren’t to blame.

    A.Lizard (@alizardx)

    2014/04/15 at 12:52

  4. Agreed. That ran through my head as I was writing but I was on a screed and didn’t stop and breathe.

    Krypt3ia

    2014/04/15 at 12:57

  5. Strong language carrying a great message. I’d add to that: understand your business and translate threats into business risks. CVE 7.8 doesn’t get attention, possible loss of $150.000 does.

    Our industry loves the ‘secret language’ sometimes too much and then wonders why no-one outside of ‘the circle’ understands a GD word you are saying! We are mostly supporter and enabler, rarely product developer. Get used to it or get out.

  6. Presumably “become one of the decision makers” is also an option? I was surprised not to see it listed here, but maybe not being able to stop and breathe covers that 😉

    Nick

    2014/04/28 at 23:10

  7. If one wants to move from doing to approving sure.

    Krypt3ia

    2014/04/28 at 23:34
