All work and no play makes Jack a dull boy.

I assure you, good reader, that I am not writing from the Overlook, or from its much closer inspiration, the Stanley Hotel; nor am I going off the mental deep end. Rather, I am considering the plight of organizations and information security personnel around the globe. National Cyber Security Awareness Month (NCSAM 2018), as in past years, is framed around a theme and a set of key messages:

Overarching theme

  • Cybersecurity is our shared responsibility and we all must work together to improve our Nation's cybersecurity

Key messages

  • Strengthen the nation's cybersecurity ecosystem
  • Cybersecurity is a cross-cutting, cross-sector challenge, so we must tackle it together
  • Increase and strengthen the cybersecurity workforce across all sectors
  • Secure critical infrastructure from cyber threats

There is an unstated commonality running through the NCSAM 2018 messages, and it is clearly visible in day-to-day operations. It comes across in our interactions with the majority of information security professionals we meet, and if you look at your own organization it is likely present there as well: a distinct lack of resources available to, and allocated for, security.

These conversations tend to follow one of four common threads:

  1. We don’t have resources
  2. We have some resources, but they are spread too thin (most common)
  3. We have resources, but they aren’t managed properly
  4. We have ideal resources (least common)

In this instance, "resources" can mean people, hardware and software, a base of knowledge, or the all-powerful money. In many cases it means all of the above.

People represent a huge factor. In April, the US Bureau of Labor Statistics reported that IT unemployment had fallen to 1.9%, and many recent industry sources cite effectively 0% unemployment and massive job growth within the information security subcategory. These numbers could be used as an excuse to stretch current staff too thin: "We can't find any qualified people." An alternate view is that the statistics show just how valuable information security personnel are, and that, to that end, everyone can and should be cross-trained and made responsible for aspects of security. By sharing this knowledge and responsibility, we reduce the overload on 'Jack the Security Guy' trying to research, build, and secure everything himself. Security can and should be built into all systems and processes from the ground up. If cybersecurity is our shared responsibility and is built into everything we do, all systems inherently become more secure.

Now that Jack isn't alone, his madness isn't necessarily gone. There's still that Adler typewriter... The hardware and software provided for security research, testing and monitoring have to be up to snuff as well. Budgets certainly need to be considered to keep an organization in the black, but it isn't 1990s pricing anymore.

Providing a reasonable, stable architecture is foundational to securing an organization and to determining how to keep it safe in the future. It may seem like a black hole into which funds disappear with 'no return', but consider the potential cost of an extended DDoS (~$40K/hour), a breach of PII/PHI (~$380/record), a fraudulent wire transfer from Business Email Compromise (BEC), or theft of internal secrets.

The Overlook might still be standing if its owners had invested in clearing the snow from the highway instead of pushing one man past the breaking point. Take the time to review the resources allocated to security across every segment of your organization, and make sure they are setting you up for success rather than a blown-up boiler.