Like every year, RSA was a whirlwind best described as “a firehose of information.” Countless booths, activities, and talks brought the cybersecurity community together for 4 days of discussion. It’s impossible to pick one highlight, but what was top of mind for us were the entries at our Confess Your Stress wall.
On the heels of our State of Pentesting 2023 report, where we found security teams were overstretched, under-resourced, and burnt out, we asked, is cybersecurity stressful? Then we invited RSA attendees to share what was on their minds as anonymous stickers on a blank wall. We had one prompt: confess your stress. All stickers contributed to a $1,500 donation to the charity Project Healthy Minds in honor of Mental Health Awareness Month.
What did people share? Confessions came together under 3 topics:
- Too much work, too little time
- Teams not knowing what’s in their blind spots
- AI and its influence on people and cybersecurity
Let’s look into each of these in more detail:
Too Much Work, Too Little Time
Between overflowing inboxes, meetings that could have been emails, risk assessments, development roadmaps, tests, monitoring, keeping up with shifting regulations, and many more tasks, security pros are struggling to do it all. Teams are lean and understaffed, while the work doesn’t scale down proportionally. The truth is, if this is your stressor, you are not alone. In our latest State of Pentesting report, 95% shared the scope of their role had increased, 60% were experiencing burnout, and as much as half wanted to quit.
How can you move forward if you’re held back by stress and overwork? 72% plan to outsource more tasks compared to 2022, for example addressing vulnerabilities, conducting vendor security reviews, and pursuing voluntary compliance frameworks (e.g. SOC 2). Some work will have to go on the back burner altogether, with implementing DevSecOps practices, hiring, and adopting new technology at the top of the chopping block.
When under this kind of pressure, every investment has to deliver as much ROI as it can. To help extract maximum value out of your next pentest, we pulled together this preparation checklist to make sure everyone is aligned on scope, objectives, and specific requirements.
Teams Not Knowing What’s in Their Blind Spots
One of the most persistent challenges for security teams is simply not knowing what they don’t know. This can take shape in different ways, from shadow IT piling up, to undetected vulnerabilities that might lead to a breach or data leak.
RSA attendees reported a curious paradox, where they have “too much information & dashboards” — or, as one person eloquently put it, “I cannot close my eyes without seeing visions of spreadsheets and ledgers and numbers floating around everywhere” — but still feel blind to critical issues. Information overload can blindside entire departments, or data could be spread across multiple locations, as is usually the case with pentests when enterprises collect reports from different vendors over several quarters or years. What can make a difference is a centralized view of the most important insights that guide where teams should focus their limited resources.
Here are the most likely issues lurking in web applications, based on what we’ve seen from over 16,000 findings across 3,100 pentests in 2022 (for a view of other asset types, download our latest report):
- Stored Cross-Site Scripting
- Use of Outdated Software Versions
- Insecure Direct Object References
- Lack of Security Headers
- Insecure Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Protocols
Why do these known issues continue to slip past teams’ defenses? We explore this topic in more detail in our upcoming webinar “Doing More With Less — How to Secure Your Assets With Fewer Resources.”
AI’s Influence on People and Cybersecurity
Automation tools have been around for a while, but the mainstream adoption of chatbot AI tools, à la ChatGPT, has been putting some new strains on security professionals. Some confessions highlighted anxiety around how quickly AI is developing, when teams are already stretched thin and struggling to keep up. Others raised concerns that AI could end trust in people’s expertise altogether.
On the one hand, AI tools can strengthen defenses, particularly when it comes to processing large amounts of data and identifying patterns. Many tools are already based on algorithms designed to detect anomalies in network traffic and identify threats in real time. Another example is their use in vulnerability scanners, although, as one confession put it, the tradeoff is dealing with “way too many false positives.”
The stressful part starts when teams realize the same resources are available to the people they’re trying to keep out. AI tools can scan target systems and guide attackers to more sophisticated exploits, or automate much of their work and make attacks faster and more frequent. In addition, AI has played a large role in deepfakes and phishing, deceiving individuals through social engineering attacks. The more refined this technology becomes, the harder it is for security teams to withstand it. In parallel, the more robust AI becomes, the more security teams can leverage it to defend their organizations — the cycle of attack and defend goes on.
Where does the human stand in all of this? Ultimately, the burden falls on security professionals to stay on top of industry changes, adapt their strategy to maintain good security standards, and stay sane and healthy in the process. It’s a big ask, and not something one should tackle alone.
Stress will come and go, but your work will protect more than just company assets and data — it will keep people safe. Stay focused on what drives your passion in InfoSec, and we can help with the rest. Keep an eye on our resource center for more materials that can guide your strategy, or tune in to Caroline Wong’s Humans of InfoSec podcast to hear how leaders in the field are carving a path forward for their teams. As for your pentesting needs, we have you covered — whether you need a comprehensive review of your systems, or a more targeted check for a specific vulnerability.