I led my team to victory in 8 hackathons in the United States and won the last 5 of them consecutively (before that, losing the first 3 of them miserably). But hackathons are projects you create in 3-4 days, depending on the duration of the event.
I have worked as a WordPress Developer, Web Developer, and Site Reliability Engineer/Infrastructure Engineer, and have also consulted as a security engineer, and the truth of why teams fail is not a 1 or a 0.
Engineering teams try to solve problems the right way, when they should be trying to solve the right problem. Guiding and leading a team takes leadership, maturity and radical thinking, which most managers I see do not possess. The manager should have a high-level overview of every new technology and be able to decide quickly to tackle incoming threats.
Teams are designed to follow the manager’s orders, and they are paid to do so. They do put forward their proposals, but most of the time those are brushed off. (I have been in that position). If the manager of the team has no idea what to do during a live DDoS attack, there is no way the team is going to survive (any type of attack).
Doing security is not hard, but it is not a piece of cake either:
- Patch quickly and frequently.
- Use reasonable security controls—intrusion prevention, application control, and anti-malware—and monitor them.
- Use two-factor authentication, together with a reasonable password policy.
- Classify information as it is created.
- Have a good backup system and test it regularly.
I handle many sites, and one of them has 1,00,000+ users monthly. I have set up a CDN and a WAF and continuously monitor for active threats from countries like Russia, Turkey, and China. (Don’t ask me why). I can handle that traffic because I created the project from the ground up and know the product inside and out. When an engineer is hired to do something like this, he has no clue what to do and what not to do. He does not spend time scoping and learning about the infrastructure. He digs deep into the code and 99% of the time, he ends up breaking stuff. My only advice to any engineer is: spend the first 3-4 months of your new job learning about the infrastructure and talking to the people who built it, and why it was built the way it was built. (Sharpen your axe for 4 days out of 5 to cut down the tree.)
Radical decision making is vital in the field of security. Security is a never-ending cat and mouse game. There is only losing on the good side. The hackers either win or nothing happens. The companies either lose or nothing happens. People do not enter cybersecurity because of its complicated nature and stressful work culture. Some people like me love it, but it is not for everyone. Two of my friends moved on to computer science for their master’s degree after coming in for cybersecurity.
If the manager/VP/Director of a security team pushes for something to be followed, the team has to obey. But there is no point in having tightened security if the product doesn’t work!
- “Any engineer can solve a problem given enough time, a good engineer solves a problem in the least amount of time”.
- “Engineers try to solve a problem in a right way where they should be trying to solve the right problem.”
- “It is okay to not know all the answers. ASK.”
- “Understand the problem you are trying to solve before solving it.”
- “Any engineer can write code. A good engineer knows when to write the code or if it is necessary to write the code.”
These points are valuable in any type of computer engineering job role.
The common view of security’s role is to stop hackers. Looking around the security community, there’s plenty of material to support that. Most conferences and publications focus on the latest threat or malware variant. Movies always show the hackers taking down the firewall; rarely do we watch someone poring over log files.
A far more realistic and productive definition of the role is to ensure that your systems work as intended—and only as intended. This may seem like splitting hairs, but the definition of the role is critical.
Stopping hackers is an activity that is viewed as a job with limited scope and a definite perimeter. Ensuring that systems work as intended and only as intended requires multiple teams working together. An isolated team cannot accomplish this goal.
The teams break down into five areas:
- Digital forensics and incident response (DFIR)
- Governance, risk, and compliance (GRC)
Every team that the security team needs to communicate with adds overhead—and it needs to work with everyone. Each new link needs to be maintained, and eventually the number of connections becomes overwhelming. This severely impacts the team’s ability to communicate effectively within the organization.
Lack of context
Take for example a massive spike in inbound network packets. If the security team sees an unexpected increase in network traffic from a variety of IP addresses, its (understandable) assumption is that the traffic represents a DDoS attack.
The team is missing additional details that would suggest alternative causes. What if this traffic is the result of a wildly successful marketing campaign and the business has had a day the sales team previously only dreamt of?
Without information from key business systems (such as the total number of completed transactions) and application metrics, the security team doesn’t have enough information to make the correct determination. This is the direct result of the isolation of a centralized team structure.
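As an added illustration of the point above (this is example code written for this page, not something the author or any product runs), the check below refuses to call a traffic spike a DDoS until it has the business-side signal the paragraph names: the number of completed transactions. The metric names, thresholds and sample numbers are all constructed assumptions; the idea is that a marketing-driven surge carries roughly the same conversion rate as the baseline, while hostile traffic inflates requests without inflating transactions.

```python
"""Correlate an inbound traffic spike with business metrics before labelling it a DDoS.

Example code for this page; every metric, threshold and sample value is a
constructed assumption, not data from any real system.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class WindowMetrics:
    """Counters for one observation window (e.g. five minutes)."""
    requests: int                                 # inbound HTTP requests seen at the edge
    unique_sources: int                           # distinct client IPs in the window
    completed_transactions: Optional[int] = None  # from the business system; None if not wired up


def classify_spike(baseline: WindowMetrics, current: WindowMetrics,
                   spike_factor: float = 5.0,
                   conversion_tolerance: float = 0.5) -> Tuple[str, str]:
    """Return (verdict, reason) for the current window relative to a quiet baseline.

    Verdicts: "normal", "insufficient-context", "legitimate-surge", "suspected-ddos".
    The network view alone never yields "suspected-ddos"; that needs the business signal.
    """
    if baseline.requests == 0:
        return "insufficient-context", "baseline window has no traffic to compare against"

    traffic_ratio = current.requests / baseline.requests
    if traffic_ratio < spike_factor:
        return "normal", f"traffic is {traffic_ratio:.1f}x baseline, below the {spike_factor}x alert threshold"

    # A spike exists. Without transaction counts, the correct determination cannot be made,
    # so surface that gap instead of guessing from packet counts alone.
    if (baseline.completed_transactions is None or current.completed_transactions is None
            or baseline.completed_transactions == 0):
        return "insufficient-context", (f"traffic is {traffic_ratio:.1f}x baseline but "
                                        "completed-transaction data is unavailable")

    baseline_conv = baseline.completed_transactions / baseline.requests
    current_conv = current.completed_transactions / current.requests
    per_source = current.requests / max(current.unique_sources, 1)

    # Legitimate surge: purchases scale with traffic, so conversion stays in its usual band.
    if current_conv >= baseline_conv * conversion_tolerance:
        return "legitimate-surge", (f"conversion {current_conv:.4f} vs baseline {baseline_conv:.4f}; "
                                    f"{current.completed_transactions} transactions completed")

    # Traffic ballooned but almost none of it converts: treat as hostile and escalate.
    return "suspected-ddos", (f"conversion collapsed to {current_conv:.4f} from {baseline_conv:.4f}; "
                              f"{per_source:.1f} requests per source IP")


# Constructed sample windows (not measurements from any real site).
BASELINE = WindowMetrics(requests=10_000, unique_sources=2_000, completed_transactions=300)
QUIET_DAY = WindowMetrics(requests=12_000, unique_sources=2_300, completed_transactions=350)
MARKETING_DAY = WindowMetrics(requests=80_000, unique_sources=15_000, completed_transactions=2_600)
FLOOD = WindowMetrics(requests=120_000, unique_sources=30_000, completed_transactions=310)
NO_BUSINESS_DATA = WindowMetrics(requests=120_000, unique_sources=30_000)  # transactions not wired in


def run_samples() -> dict:
    """Classify each constructed window; returns {name: verdict} for inspection or testing."""
    samples = {"quiet": QUIET_DAY, "marketing": MARKETING_DAY,
               "flood": FLOOD, "no_business_data": NO_BUSINESS_DATA}
    return {name: classify_spike(BASELINE, window)[0] for name, window in samples.items()}


if __name__ == "__main__":
    for name, window in [("quiet", QUIET_DAY), ("marketing", MARKETING_DAY),
                         ("flood", FLOOD), ("no_business_data", NO_BUSINESS_DATA)]:
        verdict, reason = classify_spike(BASELINE, window)
        print(f"{name:>17}: {verdict:<20} {reason}")
```

The design choice worth noting is the third verdict: when the transaction feed is missing, the function reports "insufficient-context" rather than defaulting to "DDoS". That is exactly the gap an isolated security team falls into, and making it an explicit output is what forces the conversation with the application and business-systems owners who can close it.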
Centralization also shapes the perception of both the team members and the rest of the organization. Security is known as the team of “no,” and the security team generally has a negative view of the organization’s users.
The good news is that understanding the forces at work allows the team to fight against them. A modern security team embraces the need to act as educators within the organization. Its members seek out an understanding of how the business works and build bridges with teams throughout the organization.
I always say to managers: If your employee is leaving the company, he is not leaving the company, he is leaving you.
At most of the places I have worked, I have seen that employees leave because of:
1] The manager has no technical background
2] No leadership skills
3] No direct communication or 1 on 1 with team members
4] All teams working differently (SOLO)
5] The employee has no idea how his work matters to the company as a whole
In such situations, the security team is destined to fail miserably.
Although the need for security has only risen, things are going to get much worse in the coming years before they get better.
Companies and big conglomerates should be on their toes about security incident response. They have to know that they are the biggest target for hackers, since they sit on ample amounts of money. Saying that our security is strong and nobody can hack us is pure negligence.
Again, the person leading the security team need not be a pro hacker, but needs to know what needs to be done when a breach occurs. The security teams should also understand that they are not making the company any money. They are protecting its assets. It is their job to protect the company’s assets. Although no system will ever be perfectly impenetrable, eventually defenders will catch up to the point that hacking is less cost-effective than other methods of pursuing the same goals.
Computer hacking fundamentally depends on human mistakes. A programmer must make an error that exposes a vulnerability. An administrator must set a weak password or fail to change a default one. Additional layers of “defense in depth” must also fail. We have existing technologies that can knock out entire classes of vulnerabilities (e.g. garbage collection prevents most memory corruption vulnerabilities), but they aren’t fully deployed.
The mitigation of security threats won’t happen tomorrow or after a year, but it will happen eventually. One Day.
I wrote an answer some time back on Quora similar to the above: Hackers: Is it possible to hack into a school system and change your grades? : http://qr.ae/TUN8T9