As I’ve been trying to write (or come up with a topic for) an earthshaking, groundbreaking doozie of a blog post, it occurred to me that I have been neglecting reading those of my colleagues in this space we call infosec…or cyber, whatever. Best, I thought, to try to catch up on what some of the folks I enjoy reading were up to. Worst case scenario, I might learn something, right?
That’s when I came across a recent post from Jack Daniel, “Improvement: incremental, or excremental?” (as well as his “Digital Natives, Digital Savages, and Immigration” and Krypt3ia’s “Digital Natives, Digital Immigrants, Exo-Nationals and The Digital Lord of The Flies”, between which I think some correlation can be drawn with the first post I linked…when I get around to it).
<distraction>oooh, look! Something shiny! See what I did up there, with all of those link-backs? My SEO-guru spousal unit will be so proud. But I digress…</distraction>
As “security professionals” part of our function is to instill change for the better, whether within our own organization, within our customers’, or in the process of trying to sell our services. There are the cases in which the powers that be determine that they need to implement a change, any change, to be able to tick off a check box on an audit sheet…where our job is to help guide them in the direction of making the correct change, to be not only more compliant, but more secure.
There are the cases where we know that there is a flawed system in place, a system that may have been in place long before we became involved, that all of their customers and back office folks are familiar with…where our job is to encourage them to change to a more modern, securely coded environment. And then, of course, there are the cases where we deal with in-house developers…where our job is to beat them over the head with a clue-by-four until they start building security into their code from the start. (…maaaaybe that one hit a little close to home for this guy)
All of these hurdles have combined to create a mindset within our community that Jack illustrates with the quote:
“We can make things a little better, with the goal of minimizing bad things and gradually improving overall. Or, if we are brutally honest, we may admit we’re more like sewage plant engineers, and that “stink less tomorrow” is a laudable goal.”
I admit, that the analogy made me chuckle. But as someone who’s made his living as a vendor of security services, this attitude is the one that I’ve come to find the biggest hindrance, trumping those mentioned above. Even when I was in-house security in both the public and private sectors, I’d run into the same thing with my colleagues and supervisors. It’s not apathy, exactly, but almost a sense of having given up. “Well, BC, that sounds like a great idea…but [CRB, the developers, the end users, CEO…] will never buy in, so why bother trying?”
Obviously, not everyone in infosec feels this way. I don’t think Jack does…if he did, he wouldn’t bother to work so hard to better our community and help the new guys and girls coming into it.
Maybe I’m a bit of an idealist, maybe I’m a little naive. I’d like to think not, though. I’d like to believe that if we go in to those meetings displaying the confidence and conviction that all of those letters after our names would suggest we should have…if we present our cases clearly and concisely…if we do our jobs and educate…if we preach the good word, get out there and evangelize…all of our lives will be much easier when it comes to implementing the kinds of changes that our organizations need.
As we’ve been meeting with folks in the financial sector, I’ve found that the men and women in the senior leadership roles are now not only open to hearing about what they can do to change their security posture for the better, but they’re often the ones who are reaching out to us. As they see their contemporaries in the news following a DDoS attack or fraud-by-phish, they’re realizing they need to move forward. This is our opportunity to step up and make the changes that we’ve been complaining about finally happen.