Cybersecurity's Insidious New Threat: Workforce Stress

This week's Black Hat event will highlight job-related stress and mental health issues in the cyber workforce. From a report: The thousands of cybersecurity professionals gathering at Black Hat, a massive conference held in the blistering heat of Las Vegas every summer, are encountering a different type of session this year. A new "community" track is offering talks on a range of workplace issues facing defenders battling to protect the world from a hacking onslaught. With titles like "Mental Health Hacks: Fighting Burnout, Depression and Suicide in the Hacker Community" and "Holding on for Tonight: Addiction in Infosec," several of the sessions will address pressures on security teams and the negative impact these can have on workers' wellbeing.

"A lot of people in this space feel strongly about wanting to protect their users," says Jamie Tomasello of Duo Security, who is one of the speakers. "Where this becomes challenging is when people are under sustained high stress. That increases the risk of depression and mental illness." The impact on cyber defenders' lives is deeply concerning, as are the broader implications for security. In spite of a push for greater automation, many tasks in cyber defense are still labor intensive. Workers experiencing mental health issues are more likely to make mistakes and to have performance issues that require colleagues to pick up the slack, increasing the likelihood they will make errors too.

What does the word "hack" even mean now?

[Zontar_Thing_From_Ve]

So in the main article it talks about "Mental Health Hacks". What does "hack" mean any more? It seems that it can mean almost anything. I've seen people talk about, for example, putting hot sauce on vanilla ice cream as a "hack". I wouldn't think that a topic as important as somebody's mental health would involve hacking, yet here we are. It reminds me of what a smart guy I worked with said once - when something is everybody's responsibility, it's nobody's responsibility. Similarly, I guess now that hack apparently can mean anything, it means nothing. Maybe writers need to stop being cute and try for understandability instead. What a concept.

Re:What does the word "hack" even mean now?

What does "hack" mean any more?

As far as I'm aware, it means the same things it did in the 80's ....

A hack is something clever and unexpected you do with something beyond its original purpose.

A hack is a quick code change, or a marathon coding session.

A hack is finding an exploit.

A hack is hanging a VW Beetle off a bridge or building in the middle of the night.

A hack can be an inelegant fix to something for expediency.

A hack is finding a time/work saver by using something in an usual way to do the task.

The word hack has always been a fairly broad term, which has many different applications depending on the context.

I find it hilarious to hear people whinging that the word has no meaning, because they clearly weren't around when the term came into existence, and now insist on the ret-con bullshit of trying to name is a 'crack'. The term as it originated has always included several different things.

So to all you kids who want to say "yarg, it's teh cracking not teh hacking" ... you weren't fucking there, and stop trying to redefine words some of us have used for 30+ years.

"community" track

what color hair do the xers leading these talks have

Re:"community" track

shaved bald, like a faggot (gender unspecified)

its always been a problem

[nimbius]

disclosure: I left infosec for the relatively calmer career path of system administration.
infosec is under enormous pressure to deliver a product that cant be hacked, and take the blame for when products are hacked. Developers routinely leapfrog infosec for exceptions to upgrades or coding standards and when theyre caught with their pants around their ankles theres no accountability, only blame. 'IS director' is a revolving door of burnouts that are exhausted from the constant assault and bettery from sales insisting every credit card is a good credit card, and managers insisting you need to stand down from every product meeting or just not attend at all because it somehow negatively affects 'agility.'

I became so jaded eventually that my job morphed from protecting users from malicious actors, to just keeping a running CYA log of poor leadership decisions and whom to attribute them to when the shit hit the fan. no hardened binaries? no standardized two factor? no problem. Just dont expect me to sit quietly in the meeting.

Re:its always been a problem

No revenge? Your story lacks Shakespearean arc, 3/10 stars.

Re:its always been a problem

[ArhcAngel]

And this CYA mentality leads to all kinds of overzealous directives. The company I work for does not allow mapping to network shares when on VPN. I have no tools to help someone who is unable to connect to VPN so I'm left walking them through steps over the phone. We cannot initiate or receive video conference calls through the firewall. And the list goes on. The only way to be "secure" is to never connect to a network. If the security you implement adversely affects the business' ability to get work done you are not just a cost center but a cost sink. It's a tricky position to be in for sure. I certainly have no desire to be in cyber security.

Re:its always been a problem

[ole_timer]

...Methinks thou dost protest too much...

Re:its always been a problem

If the security you implement adversely affects the business' ability to get work done

If the way the business' work must be done requires non-secure implementations, then the business is doomed. It will eventually get uber-hacked and should start selling everything.
The CYA mentality the GP described wasn't a "let's be safe at all costs" but a "I told you that you can't run connect to a server with rsh from 0.0.0.0 without allowing everyone else on the Internet" or "I told you that you can't leave IIS unpatched on the production system for two years straight after the vulnerability was discovered."

Re:its always been a problem

[eth1]

I became so jaded eventually that my job morphed from protecting users from malicious actors, to just keeping a running CYA log of poor leadership decisions and whom to attribute them to when the shit hit the fan. no hardened binaries? no standardized two factor? no problem. Just dont expect me to sit quietly in the meeting.

Clueless developers and always getting, "it's too expensive" are what we have to deal with around here. All you can do is the best you can with the resources you have, and make sure keep a record of every stupid order you get from above. Every once in a blue moon, explicitly demanding something in writing (in writing) is enough to make management think twice, because most of them can smell a buck pass from miles away.

Unfortunately, actually getting compromised is about the only way to get the money you need to do anything. My coworkers and I have jokingly said we could best secure the company by hacking it ourselves just to scare management before someone else does... They won't pay for MDM? Start bringing in phones infected with the "Email the CEO's browsing history to everyone" worm. "Well, we brought this risk to your attention last year, but you said there was no money..."

Re:its always been a problem

[fyonn]

> keeping a running CYA log of poor leadership decisions and whom to attribute them to when the shit hit the fan.

abso-bloody-lutely!

I just wanted to thank you for that rant which resonated pretty strongly...

It means the same thing it always did

[rsilvergun]

ever since it was used to describe the rats nest of wires under an MIT model train setup: it's a complex and clever solution to a problem.

Re:It means the same thing it always did

[ole_timer]

I agree - a hack is an elegant solution to an old problem - since securing IT is an old problem a hack gets around controls - fits perfectly

Re:It means the same thing it always did

[NicknameUnavailable]

I agree - a hack is an elegant solution to an old problem - since securing IT is an old problem a hack gets around controls - fits perfectly

That's the exact opposite of what a hack is. A hack is an inelegant shit solution to a problem. Hacks are defined by the absolute lack of skill on the part of their creator, be it in sloppy code to get something hacked together quickly and barely functional with no potential for future adaptation or someone so pathetic they take the easy route of breaking stuff instead of creating things. Hacks are by definition inelegant abominations.

Re:It means the same thing it always did

[ole_timer]

maybe from where you are - but not me - a hack is elegant - an inelegant solution is definitely not a hack - although many people claim it is - as you do

Re:It means the same thing it always did

[ole_timer]

you're thinking of a kludge - see "The Soul of a New Machine" by Tracy Kidder...

Re:It means the same thing it always did

[Misagon]

The word "hack" applied to computers and electronics is an analogy to using a hacksaw to a table leg, hence the name.
Therefore, it is indeed about a quick and simple solution to a problem.

If it should be considered elegant or not to cut the table's other leg shorter to make it less wobbly ... that's anyone's opinion.

Re:It means the same thing it always did

[ole_timer]

...to get my sinclair zedx80 computer to display on my tv was a hack and it was elegant too ;) ...to write code on the wang word processor so the upper drive displayed a banner was a hack and it was elegant too...

Re:It means the same thing it always did

[NicknameUnavailable]

The table analogy is probably a bit oversimplified, a non-hack solution would be to take the leg off, measure it against another, and cut it straight instead of some hand-made angle with a hacksaw, or to lengthen the other 3 legs. Realworld object analogies don't really work that well for software. (Cue the horde of plebs talking about building houses.)

Re:It means the same thing it always did

Oh, really?:

snip:

6 a : a usually creatively improvised solution to a computer hardware or programming problem or limitation

6 c: a clever tip or technique for doing or improving something

So, when you said "Hacks are by definition inelegant abominations," you apparently didn't bother to look up the definition.

What have we learned today? That language is sloppy and the same word can be used differently by different groups of people.

Re:It means the same thing it always did

[TheCastro1689]

Hacking is breaking something up, like hacking up a tree. Hacking is breaking the code so I can get access.

Re:It means the same thing it always did

[TheCastro1689]

Hacking away at a tree. It's to break something up. Or break through something.

Re:It means the same thing it always did

[ole_timer]

"hack" has many meanings - I choose elegant even though the dictionary does not - from the oxford dictionary: 1[with object] Cut with rough or heavy blows. ‘I watched them hack the branches’ [no object] ‘men hack at the coalface’ More example sentences Synonyms 1.1 Kick wildly or roughly. ‘he had to race from his line to hack the ball into the stand’ More example sentences 2[no object] Gain unauthorized access to data in a system or computer. ‘they hacked into the bank's computer’ [with object] ‘someone hacked his computer from another location’ More example sentences 2.1 Program quickly and roughly. Example sentences 3[no object] Cough persistently. ‘I was waking up in the middle of the night and coughing and hacking for hours’ More example sentences 4(hack it) informal [usually with negative] Manage; cope. ‘lots of people leave because they can't hack it’ More example sentences Synonyms noun 1A rough cut, blow, or stroke. ‘he was sure one of us was going to take a hack at him’ More example sentences 1.1 (in sport) a kick or a stroke with a stick inflicted on another player. Example sentences 1.2 A notch cut in the ice, or a peg inserted, to steady the foot when delivering a stone in curling. Example sentences 1.3 A tool for rough striking or cutting, e.g. a mattock or a miner's pick. 1.4archaic A gash or wound. 2informal An act of computer hacking. ‘the challenge of the hack itself’ More example sentences 2.1 A piece of computer code providing a quick or inelegant solution to a particular problem. ‘this hack doesn't work on machines that have a firewall’ More example sentences 2.2 A strategy or technique for managing one's time or activities more efficiently. ‘another hack that will save time is to cover your side mirrors with a plastic bag when freezing rain is forecast’ Phrasal Verbs hack around Pass one's time idly or with no definite purpose. ‘she hacked around with neighbourhood buddies’ More example sentences hack someone off Annoy or infuriate someone. ‘it really hacks me off when they whine about what a poor job we're doing’ More example sentences Synonyms Origin Old English haccian ‘cut in pieces’, of West Germanic origin; related to Dutch hakken and German hacken. Pronunciation hack/hak/ Main definitions of hack in English: hack1hack2hack3 hack2 Noun 1A writer or journalist producing dull, unoriginal work. ‘Sunday newspaper hacks earn their livings on such gullibilities’ More example sentences Synonyms 1.1 A person who does dull routine work. Example sentences Synonyms 2A horse for ordinary riding. Example sentences Synonyms 2.1 A good-quality lightweight riding horse, especially one used in the show ring. Example sentences 2.2 A ride on a horse. Example sentences 2.3 A horse let out for hire. 2.4 An inferior or worn-out horse. Example sentences Synonyms 3North American A taxi. Example sentences Synonyms verb [no object] (usually as noun hacking) Ride a horse for pleasure or exercise. ‘some gentle hacking in a scenic setting’ More example sentences Origin Middle English (in hack (sense 2 of the noun)): abbreviation of hackney. hack (sense 1 of the noun) dates from the late 17th century. Pronunciation hack/hak/ Main definitions of hack in English: hack1hack2hack3 hack3 Noun 1Falconry A board on which a hawk's meat is laid. Example sentences 2A wooden frame for drying bricks, cheeses, etc. 2.1 A pile of bricks stacked up to dry before firing. Phrases at hack (of a young hawk) given partial liberty but not yet allowed to hunt for itself. Example sentences Origin Late Middle English (denoting the lower half of a divided door): variant of hatch. Pronunciation hack/hak/

Re:It means the same thing it always did

[NicknameUnavailable]

What have we learned today?

That English majors don't know dick about computer jargon (or much else.)

It's just over work

[rsilvergun]

and it's happening everywhere. Companies are cutting staff and forcing the ones left to work longer hours. 80% of Americans are living paycheck-to-paycheck (google it). _Everybody's_ stressed out. It's just that when your cyber security guys get that way and start making the mistakes folks under high pressure 24/7 tend to do then your network gets hacked and you've got a PR disaster on your hands.

Re:It's just over work

Wow! Life's a bitch. Who'd have thought otherwise!

Re:It's just over work

Stop buying $1000 iphones and $70,000 tesla's. Stop spending $200 a month on cable tv and internet. Stop buying expensive clothes. Stop eating out and learn to cook.

Re:It's just over work

Stop buying $1000 iphones and $70,000 tesla's. Stop spending $200 a month on cable tv and internet. Stop buying expensive clothes. Stop eating out and learn to cook.

Good idea. People will be deprived of whatever happiness (not to mention genuine utility) they may derive from having “luxury” like access to TV/internet at home, and on top of that the consumer economy will crater and drive wages even lower.

InfoSec is not stress unless you're doing it wrong

[ole_timer]

...if mgt is placing unrealistic pressure it's time to switch jobs...

Security isn't Stressful

Security isn't stressful. It's the lack of security that is stressful. If your infosec people are stressed, it is because they are failing at security.

Re:Security isn't Stressful

No, it just means that the CxO's haven't directed the DevOPS tag-team to incorporate best practices into their code /before/ they push it to production.

Re:Security isn't Stressful

Our InfoSec people aren't stressed because they're the authority-without-responsibility type. They read half an article in CIO Monthly, issue some word salad dictates based on whatever they think they read, and everybody else, often with no authority to implement these new responsibilities, has to scramble to figure out what will appease those idiots until the next round.

captcha: idiotic

Jack Daniel has a great keynote on this

[pierceelevated]

Check out his analysis and stories of incredible alcohol consumption at security conferences: http://www.irongeek.com/i.php?...

Re:Jack Daniel has a great keynote on this

[cavis]

A lecture about drinking presented by Jack Daniel? :-|

The response for stress in IT Security isn't any different than those in other high-stress careers like Fire. EMS, or Law Enforcement, but the local peer support group is much smaller in the IT field. If a firefighter has bad EMS or fire call, I have 30 guys in my own station that are going through or have went through the same thing. How many people in your organization can emphasize with your IT security stress?

Source: Firefighter/EMT with 28 years of experience.

Re:Jack Daniel has a great keynote on this

Security isn't any different than those in other high-stress careers like Fire. EMS, or Law Enforcement

As a tech worker, I'll tell you straight up nobody in IT has the same kind of stress as those jobs, because the people in IT will not be dealing with literal life and death situations or dragging bodies out of wreckage.

I don't even consider the two in the same league. PTSD from having your server hacked can't possibly compare to some of the shit those guys see.

Source: Firefighter/EMT with 28 years of experience.

Well, then thank you, the cowards among us appreciate what you do. =)

Re:Jack Daniel has a great keynote on this

[wyHunter]

I'm a volunteer EMS and Fire Guy. Do you know what an EMT makes? $10 OR LESS for the most part. No thanks, I'll keep cranking code.

Take lessons from folks that have been there...

What they are talking about is basically PTSD. PTSD does not have to be caused by a physical event (e.g. explosion/shell shock) - but can be from an extreme emotional event as well. In the case of security folks - working day & night to ensure that their customers are safe from the bad actors in the world. Emotionally, they are akin to protective parents. A security breach can be as emotionally traumatic as having something awful happen to their child.

I hope the the presenters are taking lessons from folks that have dealt with life and death decisions:
ER Staff (Dr's, nurses, etc.)
Emergency medical staff (paramedics / EMTs)
Parents that have have lost a child / suffered sexual abuse / kidnapped / etc.

Personally I think the sessions are a good thing - it's show's a maturing of the industry.

Fred in IT

Re:Take lessons from folks that have been there...

While I note and agree that breaches to an security personnel that's totally emotionally involved in the IT security may be a traumatic experience to him, part of me also ponder if the said personnel is a good fit for this industry. I mean (loosely quoting from your idea) if he may emotionally suffer as much as "his daughter getting sexually assaulted", for perhaps over 10 times throughout his career, through no fault of his own, then to stay in this field may be akin to inviting himself in a world of hurt and unnecessary mental torture.

(Posting AC only due to previous mod).

It's also their content & behavior!

It's not just the "protection" issue, it's the stress that can be caused by incident investigation and response. Like investigating porn and child porn, theft and hatred/abuse, etc.. These haunting things (or dismaying immersion into them) can lead to serious stress and anxiety. Adults behave like adults behave: they don't necessarily do the right thing (any of them involved, sometimes!) and somehow its up to InfoSec or SysAdmins to find and figure out (and present) on it because there was a computer or network involved.

Remember Unions?

Workplace stress, >40 hr work weeks, poor healthcare, and living pay check to paycheck could be solved with unionized bargaining, could it not? IMHO, tech jobs are the new middle class, and it's time to shake off old stigmas and look into unionization as an industry on the whole.

Re:Remember Unions?

Which is why in January 2019 I'm leaving IT after 21 years and going into the trades, specifically HVAC. Money is great, training is short (3 months) and it cannot be outsourced. I'm tired of IT being outsourced, insourced, moved to the cloud. Everything is now PaaS, SaaS, and now DaaS. IT is basically glorified monkey work now unless you are a senior developer or project manager.

Blistering heat?

[smooth+wombat]

110 with ~10% humidity is much preferable than 90 with 65% humidity.

Perhaps not wearing black in the sun might help.

Re:Blistering heat?

Being in the northeast and not in the west, I would argue that being hot and wet is better than being hot and on fire. Just sayin'...

I got out of IT security

I used to be a pen tester/security analyst/firewall engineer and I got out of that element of IT due to stress. I tried private companies and government contractor (far worse) and the IT security domain is very high stress, especially on the government side where you have to adhere to things like Letters of Operation (permission), NIST, FISMA, etc. I was a pen tester in this arena for 3 years and it's a nightmare, despite the high paycheck. My last job in that area was $106k and the stress and anxiety was not worth it.
I started out in Web hosting, which is docile in comparison, and actually prefer it to about anything else at this point. I've been in IT now for 20 years and am leaving at the beginning of 2019 to start a new career for my own sanity. IT has been hollowed out due to outsourcing, insourcing, moving everything to the cloud (you become a point/click monkey), and general democratization of IT from the user on down. I miss the data center where I didn't have to engage with end users. Being a sysadmin now for many years, I want out and am going to the trades where I can have my sanity and a higher paycheck.

Re: I got out of IT security

$106k is not well paid, anywhere in the US.

Re: I got out of IT security

Huh? That's patently untrue. $106k in California or NYC may not be well paid, but in Mississippi, Alabama, Texas, Florida, Georgia, that is fantastic money. Not everyone lives on the East or West coasts.

Like every other field

Stop the presses! Breaking News! Too much stress adversely affects humans, plants, and animals!

IF YOU CAN'T STAND THE CRACKS

Get out of the ASSES!

Re:Place the blame where it should be...

Your statement directly contradicts itself. The reason one would be interested in a worker that can do 3-5 times the work, is because it allows them to eliminate 3-5 positions, and hence safe costs.

It *all* comes down to costs.

The reason foreign workers are willing to work such long hours is twofold:

1) Where they live, things are even worse, and American money goes further, so desperation drives them to push themselves too hard. They get suicidal from this eventually, just like American workers do. But they are more easily replaced once they go.

2) Many of them don't have the education, nor even skill, that American technicians do. This is a side-effect of reason number 1 given above. Desperation drives people into the field who are absolutely NOT cut out for it. But they have terrible options every where they turn, so they lose nothing by faking it as long as they can.

The *only* reason that all American-owned software isn't *already* completely coded in foreign countries is the talent deficit. Regulation didn't stop the huge outsourcing push of the late 90s...the steady stream of missed deadlines and non-functional code from the foreign labor supply did.

*All* the complaints that employers have about American talent boil down to this single reason: there aren't enough of them. All the complaints about how lazy or demanding they are would be completely resolved if the labor supply exceeded the demand. The competition for the positions would drive salaries down and work-ethic up. But the situation is exactly the opposite of that, forcing employers to pay much more than they think they should have to pay in order to get software written.

Lastly, the reason the American labor supply of technicians is too low is twofold: 1) It's hard, you have to be of above-average intelligence to be good at it, so not many people can do it. 2) It sucks, because it is super-stressful and employers like to abuse their employees and take advantage of them at every turn.

Re:InfoSec is not stress unless you're doing it wr

[gweihir]

It can also be pretty stressful if you are an outside consultant being brought in after others have done it wrong for some time. I do agree that management is the main root-cause of the problems in almost all cases though.

Re:Place the blame where it should be...

Place the blame where it should be, laziness and the feeling of entitlement.

As true of employers as employees.

Re:Place the blame where it should be...

[HiThere]

In my experience, the "feeling of entitlement" is much more true of managers than of those they manage, and this differential is maintained at every level of the hierarchy.

The old way of describing this is "the servant problem".

Re:Place the blame where it should be...

[desdinova+216]

I was under the impression that the talent situation was one where there's not enough people willing to do the job at the price that companies are wanting to pay.

Re:Place the blame where it should be...

Completely true. I remember starting my IT career in the 90s, and even in college, the professors and instructors pushed and pushed for everyone to get as many certs as they could on top of your degree. I eventually did get a few specialized certs, but after being in the industry a couple of years, I noticed the people that had the certs were largely "paper tigers" and didn't have the experience to back up the certs.

Fortunately, I went into the UNIX world, working largely with Sun Solaris, the BSDs, Perl, and loads of Bash. I OJT'd under some truly stellar people, my favorite of whom has a HS education and knew more about UNIX and scripting than he had a right to know. He several like him were replaced by the aforementioned paper tigers in a layoff purge and the guys that came in were largely Indians and couldn't find their way around a terminal window to save their lives. These guys relied on GUIs alone and we were an enterprise-level Web hosting company that required tons of terminal, scripting, loads of Perl/CGI knowledge, as well as ability to build/configure/maintain UNIX servers. I miss those days. Now, everyone in IT save developers, project managers, and the odd IT security guy is a point and click monkey because everything has either been outsourced, insourced, is PaaS, SaaS, or now DaaS. I'm getting out of IT after more than 20 years. I love the essence of it, but I've had enough.

waiting to fail is always stressful

[ka9dgx]

The fact is that thanks to Ambient Authority, nothing is safe, and can't be made safe. Anyone who works in infosec and thinks otherwise is nuts. The shitstorm is going to come, just hope it doesn't happen on your watch, or that you can deflect the blame enough to survive.