Tuesday, September 29, 2015

We're losing the battle for security

The security people are currently losing the battle to win the hearts and minds of the people. The war is far from over but it's not currently looking good for our team.

As with all problems, if there is a vacuum, something or someone ends up filling it. This is happening right now in security. There are a lot of really smart security people out there. We generally know what's wrong, and sometimes even know how to fix it, but the people we need to listen aren't. I don't blame them either; we're not telling them what they need to know.

On the other side though, we also think we understand the problems, but we don't really. Everything we know comes from an echo chamber inside a vacuum. We understand our problems, not their problems.

We have to move our conversations into the streets, the board rooms, and the CIO offices. Today all these people think we're just a bunch of nuts ranting about crazy things. The problem isn't that we're all crazy, it's that we're not talking to people correctly, which also means we're not listening either.

We have to stop talking about how nobody knows anything and start talking about how we're going to help people. Security isn't important to them; they have something they want to do, so we have to help them understand how what we do is important and will help them. We have to figure out how to talk about what we do in words they understand and that will motivate them.

How many times have you tried to explain to someone why they should use a firewall and even though it should have been completely obvious, they didn't use it?

How many times have you tried to get a security bug fixed but nobody cared?

How many times have you tried to get a security feature, like stack protector, enabled by developers but nobody wanted to listen?

There are literally thousands of examples we could cover. In virtually every example we failed because we weren't telling the right story. We might have thought we were talking about security, but we really were saying "I'm going to cost more money and make your life harder".

It's time we figure out how to tell these stories. I don't have all the answers, but I'm starting to notice some patterns now that I've escaped from the institution.

There are three important things we're going to discuss in the next few posts:

  1. What's filling the vacuum?
  2. How do we talk to the business world?
  3. How do we talk to normal people?

The vacuum is currently being filled by a lot of snake oil. I'm not interested in calling specific people out; you know who they are. We'll talk about what we can learn from this group. They know how to interact with people, and they're successfully getting people to buy their broken toys. This group will go away if we learn how to talk about what we do.

Then we'll talk about what motivates a business. They don't really care about security; they care about making their business successful. So how can we ensure security is part of the solution? We know what's going to happen if there's no security involved.

Lastly, we'll talk about the normal people: folks like your neighbors or parents, who don't have a clue what's going on and never will. This group is going to be the hardest of all to talk to. I sort of covered this group in a previous post: How can we describe a buffer overflow in common terms? These are people who have to be forced to wear seat belts; it's not going to be pleasant.

If you have any good stories or examples that would make these stories better, be sure to let me know.

Join the conversation, hit me up on Twitter, I'm @joshbressers