The problem causing the dip in my often prolific blog posting is my arrival at a particular point on the security (or anything) knowledge and confidence curve. Rather than deep navel gazing (emphasis there on the gazing not the navel) I’ll illustrate via the pictures and words of funny and smart folk:
In other words I’m sandwiched somewhere between Dunning-Kruger and Bertrand Russell.
While being super busy doing security lately, I’ve been casting a critical eye over what I produce and the conversations I have.
The compact and bijou public profile I’ve acquired is a novel thing and phrases like ‘great thinker’ have been bandied about…it’s a dangerous place to be.
Am I Too Stupid To Spot That I am Being Stupid?
The answer (I am pretty confident) is no. I checked carefully and asked lots of folk much smarter than me. So on to the secondary question: is the doubt I feel about the stuff I write valid? A tougher one. Is it mainly an interpretation of common sense…yup. Does it feel bleeding obvious to me most of the time and so potentially simplistic and echo-chambery to others…perhaps. Can I possibly have a handle on all the information pertinent to the point I’m making…nae chance.
Allowing for all of that I’ve decided, on balance, I’m on another fun learning curve rather than vociferously and blissfully clueless.
On the other hand, the people paying so little attention to people risk… and people who’ve given up on educating users…
You get where I was going with that.
Hopeless & Clueless or Hard Done By?
So, in a fundamental review of where I am, where I can go to add most value (and ways not to go loopy), it looks like a people risk, training, and awareness focus is in my nearish future. Starting, rather excitingly, with access to some movers and shakers in BIG corporates who are supporting effort to create a security awareness maturity model. Nothing publishable may come of it. It’s just for a group to mutually benchmark, validate and build upon what they do now, but aren’t we dying for that in our industry?
Yes, all the piecemeal, narrowly focused, generic stuff imposed on users isn’t working. But please let’s keep our nihilistic powder dry until some good stuff (informed by hard lessons learned in other related disciplines) has been given space, time and financial support to roll for a while.
Then, by all means, ride back in on your “negate user stupidity with tools” tank…
…or perhaps turn to the person next to you and stop judging their luser ignorance long enough to give them tips and solutions in a personally meaningful context. Maybe also take a long hard look at why they gleefully swerve controls and ignore advice (are your tools and processes really fit for daily business and home computing reality?).
The Pro-Am Security Challenge – A Gauntlet Chucked At The InfoSec Crew
Education isn’t the preserve of the young. Heck, I’ve been getting schooled a bunch lately. Not least at Shmoocon, and by friends indulging my desire to hack and code a bit. And let’s face it, security is both incredibly cool and spectacularly hot right now. You are guaranteed to have a subset of non-specialists who’d snatch your arm off for a non-judgemental leg up to do better. Or, in other words, some Pro-Am security mentoring.
How about that for a start for all of us: pick a user and teach them skillz. Ideally someone from the middle management ranks who briefs the big guys and influences down and out from where they sit in your world. How often have you wished they had even half a clue how much effort goes into the security day job? Yeah, me too. So let’s get off our backsides and do something about it.
Implement a shadowing scheme. Relate what you do to their concerns about their own and their children’s safety. Show them how that local effort grows exponentially in a business context. Bring them to the next con, a con we could petition to put on a Pro-Am Capture The Flag, social engineering challenge or other such fixture. Make it a point of pride if you have the best non-specialist body under your wing. Win a Pro-Am challenge. Stick it on your CV and trumpet it as both an expertise and communications skills win. Get them to feed back on what they think could help mature security. Plug their fresh and different perspective into our frequently jaded, often siloed and sometimes arrogant world.
Pyramids were built one block at a time, and many slaves were killed in the process. Shoving boulders about on logs is roughly analogous to what we’re doing to ourselves and staff right now. Sure, you don’t get spectacular results without sacrifice, time and heavy lifting. But why not chuck some monster machines at this (in terms of expertise, time and sponsorship) and throw up a monolith that proves the doubters wrong?