INFOPOCALYPSE: You Can Lead The World To The Security Trough... But You Can’t Make Them Think
Dark, profound it was, and cloudy, so that though I fixed my sight on the bottom I did not discern anything there” ~ (Dante Alighieri; The Inferno)
The current state of the Security “Industry”
It seems that once again people who I have acquaintance with in the security industry are wondering just how to interface with corporations and governments in order to build a base of comprehension about the need for information security.
The problems though are myriad with these questions and the task to reach people can be a daunting one, never mind when you have groups of them in hierarchies that comprise some of the worst group think in the world (AKA corporations).
Added issues for the “industry” also surround the fact that it is one at all. Once something moves from an avocation to a profession, you have the high chance of it becoming industrialized. By saying something has been made industrialized, implies to many, the cookie cutter Henry Ford model really.
In the security world, we have seen this from the perspective of magic boxes that promise to negate security vulnerabilities as well as teams of consultants who will “securitize” the company that is hiring them with magic tools and wizardry. The net effect here is that those paying for and buying into such products and services may as well be buying a handful of magic beans instead.
Now, not every company will be efficacious in their assessments nor live up to the promises they make for their hardware/software solutions. Many practitioners out there and companies really try to do the right thing and do so pretty well. However, just as in any other business, there are charlatans and a wide range of skilled and unskilled plying their arts as well.
Frankly, all that can be said on this issue is “Caveat Emptor”. It’s a crap shoot really when it comes to goods and services for security solutions. The key is though, to be able to secure yourselves as a company/entity from the standpoint of BASIC security tenets up.
Often its the simple things that allow for complete compromise... Not just some exotic 0day.
So we have a cacophony of companies out there vying for people’s dollars as well as a news cycle filled with FUD that, in some cases are directly lifted from the white papers or interviews with key players from those said same companies seeking dollars.
It is all this white noise that some now, are lamenting and wondering just how do we reign things in and get a stable base to work from in an ethical way to protect companies and individuals from information security meltdowns.
More so it seems lately, the question has been how do we reach these people in the first place? How do we actually get a meaningful dialogue with the corporate masters and have them come away with the fundamentals of security as being “important”
Unfortunately, I think that there are some major psychological and sociological hurdles to overcome to reach that point where we can evince the response we all would like to see out of those C level execs. I have written about them before, but I will touch on them again later in this piece.
Suffice to say, we all have a tough row to hoe where this is concerned, so, I expect there to be no easy answer… Nor really, any satisfactory conclusions either.
“It is a tale Told by an idiot, full of sound and fury, Signifying nothing” ~ (Shakespeare; MacBeth)
Security Joan of Arc’s and their Security Crusade:
Joan De Arc was a woman ahead of her time. She wore men’s clothing and lead the French in battle against the English and to victory, all as a teen girl. She later was burned at the steak for heresy and just recently made a saint many years later.
I give you this little history lesson (link included) to give you an idea of who you all are in the security industry lamenting over not being listened to. You too may be ahead of your time, but, just as she was, you too will not be listened to because your ideas (to the listeners) are “radical”
Now, radical is a term I am using to denote how the corporate types are seeing it. We, the security advocates, do not see these concepts as radical, but instead as common everyday things that should be practices (complex passwords, patching effectively, etc)
They (the client) see these things as impediments to their daily lives, their bottom lines, and their agenda’s both personal and corporate. There are many players here, and all of them have agenda’s of their own. This is a truism that you must accept and understand before you rail against the system that is not listening to your advice.
Here’s a bit of a secret for you... The more ardent you seem, the more likely you will be branded a “Joan” The perception will be that you are a heretic and should not be listened to. Instead you should be marginalized in favor of the status quo...
After all, they have gone about their business every day for years and they are just fine! The more you rail, or warn with dire tones, the more you will be placed at the back of the mind.
Think Richard Clarke (I heard that chuckle out there).
Though Joan inspired the French forces to battle on and win more than a few battles, she eventually was burned at the steak. Much of this was because of her unique nature and fervor. Much as yours may do the same to you... Without of course literally being burned at the steak and you all must learn this. I think you have to take a page from the hackers playbook really and use the axiom of being a “Ninja”
The subtle knife wins the battle.
“If the Apocalypse comes, beep me...” ~ (Joss Whedon;Buffy the Vampire Slayer)
What’s the worst that could happen really?
The quote above really made me chuckle in thinking about this article and the problems surrounding the premise. This I think, is the epitome of some people’s attitudes on security. Most folks just go along their days oblivious to the basic security measures that we would like them to practice as security evangelists.
The simple fact is that like other apocalypse scenarios, people just have not lived through them and been affected by them to change their behaviors accordingly. What solidified this for me recently was the snow storm last October here in New England that caught so many people flat footed.
They simply had not ever really had to rely on their wits and whatever they had on hand before like this. When the government and the corporations (CL&P) failed to provide their services to the populace, the populace began to freak out.
It's the same thing for information security.
Whether it is the government or the corporations that supply us all, both are comprised of people who all pretty much lack this perspective of being without, or having really bad things happen to them. 9/11 comes the closest, but, that only affected NYC and DC directly (i.e. explosions and nightmarish scenarios with high casualties).
In the case of corporations, you have lawyers and layers of people to blame, so really, what are the risk evaluations here when it is easy to deflect blame or responsibility? For that matter, it was inconceivable to many in the government (lookin at you Condi) that terrorists would use planes as missiles... Even though a month before a report was handed out with that very scenario on the cover.
The core of the idea is this. Human nature on average, and a certain kind of psychology (normative) that says “This can’t happen to us” We all have it, just some of us are forward thinking and see the potentials. Those forward thinkers are likely security conscious and willing to go out of their way to carry out actions to insure their security.
Things like storing extra food and water as well as other things that they might need in case of emergency. These can be life of death deal breakers.. Not so much for information security at your local Acme Widget Corp.
In the corporate model, they have the luxury of “It’s somebody else’s problem” So, these things are usually not too important to them unless that person making the decision is cognizant of the issues AND responsible for them. Unfortunately, as we have learned these last 10 years or so, responsibility is not their strong suit.
So, on they go... About their business after you, the security curmudgeon has told them that they need to store food for the winter..
But the grasshoppers, they don’t listen... Until they are at your door in the snow begging for food.
“More has been screwed up on the battlefield and misunderstood in the Pentagon because of a lack of understanding of the English language than any other single factor.“ ~ (John W. Vessey, Jr.)
How do we communicate and manipulate our elephants?
Back to the issue of how to communicate the things we feel important. This has been a huge issue for the security community for a couple of reasons.
- The whole Joan of Arc thing above
- The languages we speak are... well... like Tamarian and theirs are corporate speak.
We, the security practitioners, often speak in metaphor and exotic language to the average corporate manager. You have all seen it before, when their eyes glaze over and they are elsewhere. We can go on and on about technical issues but we never really seem to get them to that trough in the title. Sometimes you can get them to the trough easily enough by hacking them (pentesting) but then they think:
“Well this guy is a hacker… No one else could do this! What are the chances this is going to really happen? Naaahhh forget it, it’s not likely...”
So there is a bias already against doing the things that we recommend. Then comes the money, the time, and the pain points of having to practice due diligence. This is where they turn off completely and the rubric of it is that unless they are FORCED to carry out due diligence by law or mandate, they won’t.
We all have seen it... Admit it... It’s human nature to be lazy about things and it is also human nature to not conceive that the bad things could happen to them, so it would be best to prepare and fight against them.
So, how do we communicate with these people and get them on the same page?
I have no answers save this:
“Some get it, some don’t...”
That’s the crux.. You have to accept that you as the security practitioner will NEVER reach everyone. Some will just say thank you and good day… And you have to accept that and walk away.
As long as you have performed the due diligence and told them of their problems... You have done all you can. You can try and persuade or cajole them… But, in the end, only those who get it or have been burned before will actually listen and act on the recommendations you make.
“The greater our knowledge increases the more our ignorance unfolds” ~ (John F. Kennedy)
The Eternal Struggle
There you have it. This will always be the case and it will always be the one thing that others seeking to compromise corporations and governments will rely on. The foolishness of those who do not plan ahead will be their undoing..
All you can do sage security wonk, is calmly and professionally explain to them the issues and leave it to them to drink.
Cross-posted from Krypt3ia