“I turn on the tube and what do I see
They point their crooked little fingers at everybody else
Spend all their time feelin’ sorry for themselves
Victim of this, victim of that
Your momma’s too thin; your daddy’s too fat
I was having an interesting conversation on Twitter with Mr. Jeff Man this morning about the state of the infosec world. Mostly about our lack of true understanding of risk, and how we have become one of our own biggest problems.
It all started with a tweet from Jeff: “A vulnerability is one part of the risk equation, but not the only variable. Do we spend as much time on the other variables? #”. Throughout the discussion we talked about understanding the variables in risk management, which in the end is what security really is.
We all know nothing will ever be 100% secure. We have learned about formulas for figuring risk. We realize that we have to use intuition on this formula at times. Do we really understand that upper management looks at the monetary figures more? For a different angle, look at the credit card companies here in the U.S. They have lagged behind in moving to chipped cards, and still don’t require PINs for those chips, even though they are more secure. The risk equation, to them, shows that they save money by paying out for breaches instead of requiring the higher-priced, safer technology. Don’t take the initial hit until you have to. I remember this same principle being described as a Japanese manufacturing principle: figure out what percent of items will not meet specifications (returned due to defect), build part of that cost into the price, and only if the overall cost of returns becomes too high worry about a recall and redesign. Don’t fix it unless absolutely needed.
Once we grasp this idea, and I mean truly grasp and understand it, we can work with it in our favor. It might take longer-term projections, or showing how the brand could be impacted by bad PR (according to some in marketing, no PR is bad PR). The issue with us grasping this, though, is more cultural.
The vast majority of us are techies. We are the geeks, the nerds, and we love being that type of person. We hyperfocus on the hard problems and ignore, or shove to the side, the stuff we don’t want to deal with. This, though, affects not only risk assessment but the future of the infosec community.
Our community is still young in some ways, but has been getting a lot more rigid lately. Look at what we deem good certs vs. bad certs. How we accept different ideas in, and how we learn. Each year I see more of a divide in certain areas. Training, top-notch training, is affordable through your work if you are lucky, but to do it on your own, $5,000 is a lot of money to shell out, especially for the new people in our line of work, or those looking to break into it. Yes, there are things like Cybrary and ITProTV with lower-cost online training (both on demand and virtual classroom). But that $5,000 is in-person, hands-on, focused training. It is the GIAC, which is a great cert. It is how to get people up to speed and on the same page. It can be a barrier: to entry at worst, to advancement at the minimum. We as a community have to help ourselves out better with training.
See how thick the forest starts getting? See how we keep looking at just a few trees? We are getting to a point that our lack of vision is creating the problems we are trying to solve. Where we are the problem. The question is, where do we go from here?
Community can be an awesome thing. It can also lead to a mentality of privilege, lying, shaming, head turning, and alienation.
I feel one of the best things about being involved in information security is the open community. Through the community I have learned, made friends, and gained self-confidence. Yet there is an ugly side of the community that has been coming to light, and the reveal has been a long time coming: the treatment of women, and the subsequent use of our talents to berate them, and those that support them, into silence. I am not talking about general disagreements, but about sexual misconduct. Sexual misconduct includes continuous unwanted advances, drugging of women to allow for sexual advances that would otherwise be rejected, and rape.
We are the nerds, the geeks, the originals before being a nerd was the cool thing to be, before there were sub-categories of nerds and geeks. We were the ones who looked at the jocks and wanted to be like them, who were picked on, beaten up, and otherwise treated like we were less than everyone else in school (especially high school). We didn’t get to go to the cool kids parties, were (and might still be) socially awkward, and of course, had trouble getting dates. We looked at those who treated women poorly as bad people, something we would never do. How the times have changed.
We have become those jocks, those frat boys, those that will do whatever we want, to whomever we want, and feel we can get away with it. You can look at the recent headline about the Tor Project’s Jacob Appelbaum, and the allegations against him. You can look at the whole backlash about Defcon and people I know and trust who have had their drinks drugged. There is a sense of entitlement, and the second someone goes and puts the truth out there, they get slammed, shamed, and people go on a social engineering tirade against them and anyone who supports them. All this because they are the opposite sex and we still haven’t learned the best way to deal with them is as human beings? To talk to them, to get to know them, to respect them for who they are and what they know?
Yes, we (we includes myself) are all guilty of sexist remarks, sexist jokes, staring at the opposite sex. That will never completely go away, and there are women who don’t mind the passing joke among friends, who sometimes find it an ego boost that someone is checking them out. I know I’ve made women in and out of the infosec community uneasy at times, especially when they haven’t gotten to know me yet. I try not to, but I am socially awkward to a degree. I will not push anything sexually on anyone though. I hear someone say they were drugged or raped, and I will stand behind them unless proven to be a falsehood. The law of the land might say Innocent until Proven Guilty, but that is for breaking the law, not public opinion, and definitely not the way the human mind tends to work.
I really wonder how many great ideas, and leaps forward we have missed in IT overall and infosec specifically, because women are afraid of us? They hear, and now with social media, see the fallout if you make an allegation and do not want to deal with it. They are not made to feel welcome. All of this because a relatively small portion have done bad things, and the rest of us either turn a blind eye or shame and attack the victims and their supporters until they disappear.
We are security people. Let us start by making our community a secure place for everyone.