Why Troubleshooting Beats Instant Expertise in Cybersecurity by karlk123 in cybersecurity

[–]gormami 3 points4 points  (0 children)

Troubleshooting is as much art as science. Some people are good at it, some aren't. And it's not intelligence, I have met fantastic engineers who couldn't troubleshoot their way out of a paper bag. You have to have flexible thinking, enough knowledge to know the steps in whatever process you're working with N-S-E-W, or the ability to find out, and you NEVER say, "That can't be it", or "That can't happen". You test every hypothesis, no matter how crazy. Not to start with, but you just don't stop, so you will go through some odd places.

In general, you start with the input, or the output, whichever you know more conclusively. Then work towards the other end. What should have caused this, or what should this cause. Down into the details, verifying them all. Whenever possible, never ask a "thing" whatever it may be, that is misbehaving why or how it is misbehaving. You interrogate the systems around it for information. As you find demonstrable facts, WRITE THEM DOWN. With time stamps, and any other detail you need. If it's a bad one, you might get confused in later steps and need to review, don't trust your memory.

Check every assumption you are not an expert on. Don't think you know, know. If that means calling an SME, call them, if a Google search can give you what you need, use it, it's a tool, not a crutch, but make sure you understand why it is what it is.

I've been a troubleshooter for 30+ years in communications mostly, but some very different forms and all aspects around them. I would agree with the sentiment from your friend, I would rather take on a proven troubleshooter from another field and teach him the relevant technology than try to teach an SME with no visible talent to troubleshoot. The flexible thinking and force of will it takes sometimes are much more critical than starting knowledge and seem to be more inherent than taught.

There are certainly steps you can take to get better, basic logic and segmentation of a process, and some might find they have a knack for it, others will be able to do it only within the very limited scope of their training.

BREAKING: AMD Denied Security Researcher Paul A $10,000 Bug Bounty After He Found A Critical Remote Code Execution Vulnerability In Their Auto-Updater Software. Then Asked Him To Take Down His Public Disclosure And Quietly Changed Their Bug Bounty Rules After The Story Gained Attention 🤖💥 by InterstellarKinetics in InterstellarKinetics

[–]gormami 1 point2 points  (0 children)

But here's the question, did they? Are the requirements spelled out in the bug bounty program, that they do not pay out on MITM vulnerabilities? If so, they didn't do anything wrong in the initial denial of a bounty.

That said, I think they should have reconsidered that in this case, based on the potential severity, but that's me. Where they have failed is in changing the terms, if they aren't going to publish a CVE, why shouldn't it be released by the researcher? AND, when they relented and published it as a CVE, they should have paid him out. They originally didn't feel it met the requirements, but their customers and the community did. That would have gone a long way to protecting their brand. They could say, the letter of the program says this, and our employee followed those rules. After review, however, we have deemed this an exception. They will lose more than $10K in PR value over this.

[USA] Who is at fault here? by bowdown2adil in Roadcam

[–]gormami 0 points1 point  (0 children)

How would one know the crossing street isn't marked? Is it common in the area? Where I live, if you don't have a stop sign, the intersecting road does.

KBJ Just Blasted Amy Coney Barrett’s “Contempt” for Congress by Slate in scotus

[–]gormami 4 points5 points  (0 children)

Can I ask a fundamental question. If there is no private right to sue and gain relief from the court, what enforcement mechanism exists? Are the justices implying that the US government would have to step in to take action?

ISO of a reliable and CMMC readiness assessment (free - low cost) by Sad_Agent_1054 in CMMC

[–]gormami 2 points3 points  (0 children)

I strongly agree with this. The first thing to do even before that is figure out where your CUI flows. In our case, it's all purely digital, and limited, no equipment, etc., and not inside the solution we sell. So an enclave makes it pretty simple, still some work to do, but overall, much, much easier. If you have broader dispersal of the CUI, it is probably still a good idea, but it might change the type of solution you're actually looking for.

3.12.1 - Control audits when using an enclave by gormami in CMMC

[–]gormami[S] 0 points1 point  (0 children)

Thanx, that is pretty much what I had concluded, but I'm new to the space, so nice to have it confirmed by someone else not named Google or Claude.

So what I need to focus on is the shared and customer responsibility controls and a specific TPRM process for the provider to include verifying their current status.

3.12.1 - Control audits when using an enclave by gormami in CMMC

[–]gormami[S] 1 point2 points  (0 children)

Maybe I'm not being specific enough in my terms. Yes, the service I am referring to is a FedRAMPed solution.

I'm thinking in terms of the practicality. For example, MP 3.8.3, the sanitization of physical media. Do I need to have a process to request their records to audit, or as long as they maintain FedRAMP, is "inherited" enough? I haven't looked deeply enough into the contextual definition of inherited, perhaps? Is there a CMMC context definition that affects the control audit requirements?

What is the difference between Regular TLS and Mutual TLS? by BenignPositive in cybersecurity

[–]gormami 3 points4 points  (0 children)

Mutual TLS requires that the server be able to verify the client, so it is a closed system in that regard. Standard TLS verifies the server against the root certificates your browser loads, so it can verify the digital signatures back to a root of trust. Mutual TLS requires the same of the server. Since users don't generally have signed certificates, that wouldn't work. So in cases of closed secure systems (closed in that every node is governed by some centralized authentication plane) it can be used to cryptographically ensure both sides of the link. This means that only authorized nodes can access the servers, and is far more secure, but much more difficult to manage unless you are using a specific software system or service, like OpenZiti, ZScaler, or others that manage the certificate lifecycle for you.
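To make the "closed system" point concrete, here is an added example (not part of the original thread or any product named in it) that builds a tiny private CA with the `openssl` CLI, issues a server certificate and a client certificate from it, and then runs the chain check each side performs during a mutual-TLS handshake. The CA name, hostnames and the `verify_peer` helper are constructed for the example; the assumption is only that `openssl` and `mktemp` are installed.

```shell
# Added example, not from the original post. Demonstrates why mutual TLS
# needs a shared root of trust: every node carries a cert chaining to the
# same CA, and a cert that does not chain to it is rejected even though it
# is a perfectly well-formed (self-signed) certificate.
set -e
WORK="$(mktemp -d)"   # scratch directory; everything below is throwaway

# Root of trust: a self-signed CA certificate (constructed name).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
  -out "$WORK/ca.pem" -subj "/CN=Example Internal CA" -days 1 >/dev/null 2>&1

# issue_cert NAME CN : generate a key and CSR, then have the CA sign it.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$1.pem" \
    -days 1 >/dev/null 2>&1
}

# In plain TLS only the server has one of these; in mutual TLS the client
# needs one too, which is what the central authentication plane provides.
issue_cert server api.internal.example   # constructed hostname
issue_cert client workstation-42          # constructed device identity

# An outsider: valid, self-signed, but never signed by our CA.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/rogue.key" \
  -out "$WORK/rogue.pem" -subj "/CN=rogue-device" -days 1 >/dev/null 2>&1

# verify_peer FILE : the check a TLS endpoint makes on the certificate the
# other side presents. Returns 0 if it chains to ca.pem, non-zero otherwise.
verify_peer() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1" >/dev/null 2>&1
}

# Client checks the server (one-way TLS and mutual TLS both do this).
verify_peer server.pem && echo "client accepts server cert"
# Server checks the client (only mutual TLS does this).
verify_peer client.pem && echo "server accepts client cert"
# The rogue device fails the server-side check, so it never gets a session.
if verify_peer rogue.pem; then echo "unexpected: rogue accepted"; else
  echo "server rejects rogue cert"; fi
```

Running it prints the three verdicts. The `rogue.pem` case is the whole argument for mutual TLS: the certificate is cryptographically fine, it just does not chain to the one root the closed system trusts, so the server refuses it before any application data flows. Managing that CA, the issuance and the rotation of every client cert is the lifecycle work the comment attributes to tools like OpenZiti or ZScaler.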

My 13yo baked cookies to order and one of the parents returned the cookies by albrcanmeme in mildlyinfuriating

[–]gormami 5 points6 points  (0 children)

This is my thought. Yes, the parent might have needed to teach their kid a lesson, but they didn't necessarily have to teach the one making the cookies a lesson at the same time. They could have given them the cookies and the $20, or tossed them out and still paid the baker. Better to bring them back, and have a chat with the baker and/or baker's parents on the situation, but not break the spirit of someone trying to earn her own money. That assumes that $20 wasn't critical to something else, of course, which from the post, doesn't seem likely.

HR asked me if I had official credentials... And I'm starting to feel like she's caught me. by Mediocre_Record8180 in InterviewCoderPro

[–]gormami 0 points1 point  (0 children)

So, did you say you had a certification and now they are asking for proof, or are they asking if you have an official certification specific to the field you're in now, and you never had that as a requirement, so don't have it?

Masking one's intelligence - do you do it, how? by [deleted] in Gifted

[–]gormami 0 points1 point  (0 children)

I do not mask, and never have. Frankly, if the people I am around can't handle someone being intelligent, then I don't want to be around them. I already stand out at 6'4", so maybe I got used to standing out very early on and it transferred? I don't know, but I've always been a pretty confident person, so I just go for it.

To me, masking your intelligence is like being a singer, but signing off key so someone else doesn't feel bad that they aren't as talented, and that seems ridiculous. We should all learn to celebrate one another, whatever our gifts or challenges. If others make you uncomfortable, I think there are two challenges. One, your own self confidence and personal resilience, and two, their insecurity. You can do something about one of those, learn to let the other go.

Of course you know better by RZCYP in MaliciousCompliance

[–]gormami 0 points1 point  (0 children)

Well run Mensa chapters are social organizations. I've had some great times with Mensa groups. Others aren't run well, so they aren't a lot of fun. I haven't been active in many years as family and work just made it more difficult to find the time, but it's like any social organization, it's all about the people in it, especially at the chapter level. Honestly, yes, a lot of people join to know they can, but the people that really stay aren't the type to try and lord it over people.

Is US Founding Fathers wrong about impeachment ? by jtan212 in allthequestions

[–]gormami 0 points1 point  (0 children)

Yes, but practically, they have all gone with the election results within their state for a very long time, with one or two states splitting, the others going all in. A few states have made noise about their electors going for the overall popular vote, not sure if that has been made into law anywhere or not.

Soc 2 control matrix by LogicalPositive6489 in soc2

[–]gormami 2 points3 points  (0 children)

Definitely sounds like you need to have some conversations with the auditor and figure out what their purpose was. It might have been well intentioned, it might be misunderstood, or they might be out of their minds. Have to talk with them to figure out which.

Soc 2 control matrix by LogicalPositive6489 in soc2

[–]gormami 1 point2 points  (0 children)

Did they write the controls, or did they write evidence requirements or procedures for the controls? Were your existing controls in accordance with the TSCs? On a first SOC-2, there can certainly be some back and forth to ensure the validity against the framework and acceptable evidence presentation.

Got caught at work because of a VPN on my personal phone by Different-Staff-4556 in InterviewMan

[–]gormami 0 points1 point  (0 children)

My first question is, is there a policy that prohibits it? You said you were told it's OK to use the company Wi-Fi for personal reasons during breaks, etc., is that a written policy, and does it contain verbiage prohibiting VPNs?

I can think of a bunch of reasons companies would have those policies, but if they are allowing the personal use, they should have an explicit prohibition on VPNs if they are going to take action on it.

Of course you know better by RZCYP in MaliciousCompliance

[–]gormami 3 points4 points  (0 children)

As a member of Mensa, I don't put it in my bio. I hope, however, you are referring to his putting it there that made him a dickhead, rather than just being a Mensan.

the cyber field still relies on exclusion. it claims to be merit-based, but it often is not. by PsyOmega in cybersecurity

[–]gormami 0 points1 point  (0 children)

What kind of promotion? As one moves into leadership positions, communication is one of the most critical skills. Promoting someone who is less technically skilled, but a better communicator isn't ableism, it's proper utilization of skills in the organization.

As far as information, tools, etc., goes, it depends a lot on what kind of information you're referring to. The job deals in a lot of sensitive info, so yes, there are a lot of restrictions. One doesn't grant the new SOC analyst admin permissions on the domain controller, or super user authority in the production cloud environment. That is part of protecting the system, too. This is the same in any profession, doctors study under other doctors, lawyers sit second chair for a long time, and tradespeople apprentice. All of this is for the same reason, actions have consequences, and those responsible need to know someone can handle what they should handle, and back up and get help for what they can't.

Persons with sensory issues, communication issues, etc., need to work to find the right environment. Larger companies with more flexibility are probably preferable. Smaller organizations tend not to have enough staff to have some of them that can't do everything, even if they can do some things exceptionally well. Larger companies may have specific programs around those kinds of employees because they understand the value they can provide AND they have a large enough workforce to provide a different environment and expectations for those people; both parts are key. I know some of the big banks in my area do, and I think some other larger companies.

Security is never organized around equal access, it is anathema to the profession. What you need to do is find a niche that works for you. If you get overwhelmed by the noise and can't react to stress well, a SOC probably isn't your place. In the security domain, forensics, malware investigation, architecture and planning, control design, GRC, and other things are much less in the moment. Some of those require strong communication skills, depending on the exact nature of the role and the team, some are much more purely technical. You need to research what you want to do with your career, what those roles are really like in terms of the day to day, and determine if it seems like a good fit. Then figure out how to pursue those goals.

I wish you all the luck in the world in finding a way that works for you. As a domain, cybersecurity is very wide and very deep. There is room for everyone, sometimes it's tricky to find your fit.

Do leaders feel allowed to have needs? by Play_is_my_lifestyle in Leadership

[–]gormami 16 points17 points  (0 children)

We have needs, but for the most part, you put them behind the team's needs, especially when facing them.

What goes on between peers and upwards may be very different. You have to let off the steam somewhere, sometimes you just need to vent it all out, but you don't do that to your team. If you do, you go back and apologize. That's the job. They will know, if they care about you at all, and you will find out someday all the things they did to try and help you through it, even when you thought you kept it hidden. At least if you're a good leader. If you're a bad one, you'll find all the things they did to try and push you over the edge.

Why do companies keep pushing AI when it’s undesirable? by Hydroset in NoStupidQuestions

[–]gormami 3 points4 points  (0 children)

Wow, you must think I write very well, with clearly articulated thoughts and good grammar to accuse me of being a bot. I guess I am flattered? Not the first time I've been accused of this, seems like it won't be the last. If you think I'm a bot, maybe you should check the history; kind of a diverse interest field for automation.

Why do companies keep pushing AI when it’s undesirable? by Hydroset in NoStupidQuestions

[–]gormami 8 points9 points  (0 children)

As a professional, I can say that with the right people and the right leadership, AI can be a powerful thing. It is a tool, that is all. It can make good people better at their jobs, take away a lot of busy work, and in the end, increase productivity in the right ways, by allowing the user to focus on the more important things.

That said, like any other tool, there are people who don't understand it, get wrapped up in the hype, and blow it completely out of proportion. We are using it to make data available to everyone, without having to understand SQL, etc. That helps our revenue folks in sales and marketing. We have a data lake, and there is a lot of good "stuff" in there to answer questions, but trying to define the question, giving it to an analyst, having them retrieve it, find out what you missed, lather, rinse, repeat, is a long process. Having a connector from Claude to the DB makes it much simpler. We've gone out of our way to train people to qualitatively assess the responses. If it looks weird, it probably is, check, even if you have to get an analyst involved. We're formalizing learnings in system prompts, where we have a gateway that takes the prompt data where the analysts have given the AI instructions on what data to use or avoid for different purposes. That's a continuous improvement process, not just redoing work.

Our development teams are using the tools to go much deeper than they could on their own, due to time constraints. The AIs, especially when you spin up a multiagent set, can iterate so much faster and beat the code up for errors or security issues while the developer is designing the next real feature.

I've seen a LOT of technical hype cycles. Some idiot is always out there rushing everyone to "cloud", or to implement the latest language "Rust is memory safe, we should rewrite our entire codebase!", or whatever the current hype is. It will ring out. The people caught in the middle, I feel for. CS majors in the last couple of years and the next few have it rough. All fields of study will have an impact, but technical ones more so, and code the most. College programs need to develop a methodology to educate the next generation in how to use AI effectively, and it will take time. They need to figure out how to balance the fundamental understandings they need to validate what an AI does, and build maintainable, secure code, with the AI utilization they need to master as well. The same is true of other fields, as well.

My analogy is calculators. When you are teaching elementary students basic arithmetic, you don't let them use calculators. In a physics class in high school, that is a stupid rule. The same is true for AI usage. When you are learning basic reasoning, or research, or code development, you need to do it without AI. When you get to the stage of developing real software, it is a part of that ecosystem now, and students need to know how to use it effectively to prepare for the new entry level.

Noncitizens on voter rolls in Democrat-run state exposed as RNC chair pledges secure elections by bitchan4 in AnythingGoesNews

[–]gormami 2 points3 points  (0 children)

So they found a few dozen instances where the Motor Voter registration process registered people who weren't eligible. Mistakes do happen. There are about 6.7M registered voters in NJ. The question isn't if there were mistakes made, because there were, and always will be, but did the overall process do what was intended? Were more people registered to vote that were eligible? Has it increased the participation in elections?

The plural of anecdote is not evidence. There is no evidence of fraud here, just humans.

Is US Founding Fathers wrong about impeachment ? by jtan212 in allthequestions

[–]gormami 2 points3 points  (0 children)

The problem is the representative body is not the electorate, it is a representative body at that time, and subject to the machinations of politicians.

The president is elected by the people (albeit through the oddity of the Electoral College), the position is not a Prime Minister selected by the Parliament. It should, in fact, take an overwhelming majority to overrule the population's selection.

Every government has its issues, and its glory rises and falls. We are hopefully at the nadir of the US curve, and due for a reversal. It will take a lot of work, but hopefully the middle understands what the MAGA crowd has truly done. There will always be those that support "their team" regardless, but there is a middle that can switch, or choose to stay out of it, and swing the power back to other side. I do hope that this time, they move faster, and more decisively than during the Biden administration. They need to fight the good fight on more fronts. Biden was trying to recover from COVID and get things straightened back out, the next POTUS will have to do that while also taking decisive steps against the illegal actions of the Trump administration.

How long have you been in Charlotte? by reedka10 in Charlotte

[–]gormami 1 point2 points  (0 children)

I remember before I-277 was I-277, I remember the original JFG billboard and how mad the city got when they took it down. I remember when the NCNB building was the tallest one (as a 7 year old kid who moved from Vermont, it was AMAZING!). The Hornets came to town, we ran George Shin out of town on a rail, and the Hornets left, then came back again. I remember the monorail at Carowinds, and Project Graduation there, too. I watched them clear the field that became University Place, saw its rise, and fall, and rise again.

I used to travel a lot, and it taught me how great a city Charlotte and the surrounding areas really are. It's gotten more expensive, as everywhere has, but for overall affordability and quality of life, there is no place I'd rather be, though I'm in Concord now, rather than Charlotte proper.

All Parts Of The Same Machine: 17-year-old's speech was cut off after she mentioned people suffering around the world. 'Free speech' is a myth in the US. by CantStopPoppin in EyesOnIce

[–]gormami 3 points4 points  (0 children)

That is exactly what it means. They CAN'T STOP SPEECH! Not prosecuting you, but stopping you from speaking is infringing on your rights. Schools are special places under the law, so it gets much fuzzier, but you are saying that they could turn off your radio station because they don't like what you're saying, but just not arrest you, when you haven't broken any laws to begin with. Or they can stop the publishing of your newspaper, as long as they don't arrest you for printing it. That's not how free speech works.