CHAPTER III: "ERROR THEORY APPLIED TO THE MODELS"
3.5 Errors in the Backpropagation ANN model
Most teams have some level of politics that is inherent and builds over time as individuals work with each other. This is also true for information security teams; nonetheless, most of the participants identified these team politics as responsible, in many instances, for inaccuracies in the security reports. A participant who had close to three years of experience at the time cited an occurrence in which a security analyst was holding a grudge against a manager and would bypass the QA process, instead sending the security report directly to the client. The intent was to get the manager in trouble for any mistakes in the report. The same analyst stated that they would do anything they could to distort the quality of the work because they did not care about the work and wanted the manager to look bad. As the participant explained,
They didn’t care about the work. [The situation] was more personal.
I think they took [it] more personally. They didn’t care…if they did not agree with the upper management or the lead; they would do whatever distorted it.
The same participant recalled that upon assuming a new role, she was met by a man who had been with the organization for over a decade. She initially thought that he was attempting to help her and was interested in how she found and validated security vulnerabilities. She immediately realized that he was uninterested in learning from her but rather was attempting to sabotage her.
This individual would ask her throughout the day about the matters she was working on. He would subsequently report to her supervisor that, in his view, she was not doing what she was supposed to be doing. When her manager spoke with her, he advised her that this individual had applied for the role she held but had been denied. As a result, he was constantly trying to communicate with her each day and made the work environment hostile, causing her to dislike going to the office and negatively affecting her security reporting.
An experienced participant described an experience with an application developer. When the participant started with a new organization, she made a mistake in scanning an application, which resulted in the scan going much deeper than expected. As a result, the application development team began to question everything that she had done and even suggested that she be terminated for the mistake. As she gained further experience and became more proficient, the dislike persisted, and the application development team would deny any finding she uncovered when scanning their application, thereby making her job more difficult. The participant described one encounter in which the application development team refused to accept her finding report and scheduled a meeting to demand that she explain herself. She described this encounter as follows:
He had his team involved in the call, and his leads, my leads, and I were all involved. I had to be on the call and he wanted me to speak up on the call instead of anybody else because…I guess it was just somebody who…already made a mistake, and this again was the same person. [However,] I did show him that [it] was a cross-site script.
After she proved her finding in front of the supervisors of both teams, the issue between her and the individual from the development team did not improve, as the application development team did not want to look bad and its members felt embarrassed that she had been able to find an exploitable flaw and prove it in front of everyone. This same participant described how office politics would impede her from obtaining the information she needed to complete the security reports. When she asked for particular training or documentation that she required to conduct a security review, she would be blocked by the individual responsible for approving it because of her relationship with someone that individual had clashed with inside the office. As a result, she could not perform her job properly, and the security report would suffer.
Several participants mentioned security analysts who would intentionally neglect their responsibilities so that others on the team would be forced to step in and perform the task they had avoided. An inexperienced participant recounted an issue at his first company where the team would designate one individual each day to work the “hot seat,” that is, the ticketing queue. At the time, the individual was responsible for reviewing and remediating the security issues that were sent to the team while everyone else on the team would work on their individual assignments or special projects. As the participant explained,
People are assigned the hot seat daily; on certain days, you can see the tickets go down and on other days, the tickets really aren’t getting picked up.
This situation caused the rest of the team to pick up the extra work for those analysts who were not working the “hot seat” as required, resulting in less time for the security analysts to work on their security reports.
Another participant cited a similar experience early in his career, in which the organization had service level agreements requiring high-priority tickets to be resolved within 15 minutes of being opened. Because some security issues were more difficult to resolve than others, several security analysts would only open the lower-priority tickets that were easier to resolve within the 15-minute requirement. As a result, the high-priority security issues would sometimes sit in the queue for six to eight hours before someone began working on them. From a security perspective, this delay had the potential to allow an attacker to remain in the network for that many hours before the issue was even reviewed.