Thotcon (Chicago’s Hacking Conference) thoughts…
I saw several good cybersecurity presentations, and one of the keynote speakers, Josh Corman, discussed burnout in the infosec/opsec community. This is a problem for our industry, as I have discussed in past posts. It comes down to the following three topics:
1. Workload: most infosec people work 50-60 hours minimum in a regular week, and more during emergencies. Josh mentioned 80 hours as a regular work week for many; this high workload leads to exhaustion.
2. What happens when there is no relief and working 80 hours a week becomes a permanent way of life? We get to negativity or cynicism. The constant pressure creates a kind of defensive psychology in which cynicism becomes the relief.
3. Reduced efficacy, or effectiveness, due to the constant pressure.
What was really on Josh's mind was the increasing number of suicides among his friends.
So Josh would like to do something about this phenomenon. He gave the example of a psychologist who said that the other profession with similar characteristics is nursing (high workload, with cynicism leading to lower efficacy).
He also said not to follow the herd and not to put down your fellows and colleagues.
Above is a picture from the beginning of the second day, where the Thotcon organizer was having some fun in a Wookiee costume.
The main problem is getting more help, so that infosec people do not burn out completely and do things that we will all regret. Another problem is that infosec people are hard to find (or at least competent ones are).
So the true issue is getting resources and eyeballs, the attention of the C-suite, and generally a different level of attention.
Believe it or not, for companies this is taken care of in GRC: Governance, Risk, and Compliance.
Governance is different from an IT department simply run by the CFO or the CEO. The point of governance is that the goals of the organization are kept in mind (not just the mind of one person). It is the codification of the goals: WRITTEN goals, so that the group of people in charge of GRC can work toward them, using risk and compliance as the way to manage things. So the staffing of the IT department (which includes opsec or infosec) is a risk to be measured. You should not have a single person running the IT department, nor should you have 80 hours of work for one person. For 80 hours of work, there should be two people.
Setting up GRC in an organization might take a while, but once set up it can help an organization manage compliance and regulatory risks by providing proper governance, controlled by the people who are supposed to run the company, with proper human resource goals as well.