Reflecting on my career and desire to be an #infosec #leader. It’s a wild industry. I have incredibly talented engineers who just don’t care to put themselves out there, not-so-experienced engineers who are afraid to ask for help, analysts with solid foundations who think they aren’t qualified for the next step, and analysts who keep trying to do advanced things without the foundations. As someone typically overconfident, managing them fairly and equitably is hard. #cybersecurity #management
I’ve led a cybersecurity club. I thought it was easy. I micromanaged and alienated a lot of people. Caused #imposter_syndrome. Drove skilled people to tears with criticism. I stepped away and got an #MBA. It’s so much harder doing it right. I’m not even a manager at this point. I’m not even officially a team leader, despite that being my role. Deciding when to intervene, when it’s fine, when you need management, or when you need someone who is neither management nor you to intervene is hard.
It’s even hard explaining what you’re trying to do without sounding like an ass (or, by my namesake, a Dick). An analyst rotated off our team for a year and just got back. Fine analyst, inexperienced incident handler. Took a #polyfill incident (duplicate) and told nobody. Not a one-person job. Controls in place, easy near miss. But they are running total #lonewolf. I already pinged this analyst twice in the past week for minor things. Ping again? Ask management to ping? Ask a peer to ping? No right answers.
When a mistake can cause thousands of hours of work and millions of dollars in losses, how do you correct the minor shit that doesn’t matter today but may matter in the future? I can see a hundred ways this incident could have been very different that they didn’t even mention investigating. Do you remind them not to shortcut? Schedule a tabletop on what could have happened? They did nothing wrong, but also didn’t do it in what I would call the right way.
Our analysts are empowered to safelist any field and value they deem not worthy of investigation. It’s a great tool to manage #alert_fatigue, but also very easy to fuck up. We have audit scripts for the worst cases, but so many discussions brought to the team revolve around noise rather than the impact of the detection. Wrong viewpoint in the big picture, but very relevant in this case.
A novel #detection technique for #phishing does what no other signature or rule does. Like everything else, it has false positives. I already reduced the volume of alerts 10x and convinced my peers to leave it in production. It’s having issues again. Fight to fix the false positives and leave it in prod, to the annoyance of my entire team? Let it go and hope other methods work? #Risk vs. #Reward has no answer when dealing with every threat actor in the world.
#drunk #rambling from a guy who always had the answers until he realized half of them are wrong.