Monday, August 31, 2015

What is Sober Security?

As an industry, security professionals are really bad at speaking to people. I don't just mean speaking to normal humans, I even mean each other even. We're a group of pedantic grumpy people. We don't understand how someone can't understand what we do. We're impatient, we don't like to have to explain ourselves, and we hate being wrong (any many of us are right quite a lot).

I work at Red Hat, I used to be part of the group that did all the security updates, but now I've moved on to be a security strategist. That means I mostly speak with non security people both inside and outside the company. I've already apologized to a bunch of them, I now see how bad we can treat others. By "defeating" normal people we don't win, they decide we're crazy horrible people and they don't talk to us anymore, we end up losing but we don't even know it. The only reason anyone is paying attention at all right now is because security just can't be ignored anymore, they don't want to talk to us, they just don't have anywhere else to go ... yet. If the security professionals don't step up and start working with everyone else, we're going to end up with a lot of weasels pretending to be security people. If you have a fast talking fraud up against a grouchy security dude, I'll let you guess who everyone is going to listen to.

I've not tried very hard in the past to explain things to anyone really, but that's changed. I now have to explain extremely technical concepts to people who don't know what a buffer overflow is. I can't use acronyms or jargon, it doesn't mean anything to my audience. I'm probably learning more than they are, for our lot talking to people is hard, really hard, the hardest thing many of us will ever do, but it's something that has to be done. The whole industry needs to think about this. Part of why everything is so broken is because nobody has any idea what's going on and that's our fault, not theirs.

How do we fix it?

I won't lie, I don't have any answers. I do however have some great people to work with, a solid background in the industry, and top notch security peers. I'm going to use this blog to talk about what I learn about talking to people. Hopefully there will be some others out there who can benefit from what I learn, and if you have something to share, by all means let me know.

The pioneers get the arrows as they say. Let's hope I don't get too many. Stay tuned for what I expect to be a most interesting adventure.

Join the conversation, hit me up on twitter, I'm @joshbressers