Tuesday, October 27, 2015

The Third Group

Anytime you do anything, no matter how small or big, there will always be three groups of people involved. How we interact with these groups can affect the outcome of our decisions and projects. If you don't know they exist it can be detrimental to what you're working on. If you know who they are and how to deal with them, a great deal of pain can be avoided, and you will put yourself in a better position to succeed.

The first group are those who agree with whatever it is you're doing. This group is easy to deal with as they are already in agreement. You don't have to do anything special with this group. We're not going to spend any time talking about them.

The second group is reasonable people who will listen to what you have to say. Some will come to agree with you, some won't. The ones who don't agree with you possibly won't even tell you they disagree with you. If what you're doing is a good idea you'll get almost everyone in the second group to support you, if you don't ignore them. This is the group you ignore the most, but it's where you should put most of your energy.

The third group is filled with unreasonable people. These are people to whom you can prove your point beyond a reasonable doubt and they still won't believe you. There is absolutely nothing you can say to this group that will make a difference. These are the people who deny evidence; you can't understand why they deny the facts, and you will spend most of your time trying to bring them to your side. This group is not only disagreeable, it's dangerous to your cause. You waste your time with the third group while you alienate the second group. This is where most people incorrectly invest almost all their time and energy.

The second group will view the conversations between the first group and the third group and decide they're both insane. Members of the first and third group are generally there for some emotional reason. They're not always using facts or reality to justify their position. You cannot convince someone if they believe they have the moral high ground. So don't try.

Time spent trying to convince the third group is time not spent engaging the second group. Nobody wants to be ignored.

The Example

As always, these concepts are easier to understand with an example. Let's use climate change because the third group is really loud, but not very large.

The first group are the climate scientists. Pretty much all of them. They agree that climate change is real.

The second group is most people. Some have heard about climate change, a lot will believe it's real. Some could be a bit skeptical but with a little coddling they'll come around.

The third group are the deniers. These people are claiming that CO2 is a vegetable. They will never change their minds. No, really, never. I bet you just thought about how you could convince them just now. See how easy this trap is?

The first group spends huge amounts of time trying to talk to the third group. How often do you hear of debates, or rebuttals, or "conversations" between the first and third group here? How often do you hear about the scientists trying to target the second group? Even if it is happening, it's not interesting, so only first-third interactions get the attention.

The second group will start to think the scientists are just as loony as the third group. Most conversations between group one and three will end in shouting. A reasonable person won't know who to believe. The only way around this is to ignore the third group completely. Any time you spend talking to the third group hurts your relationship with the second group.

What now?

Start to think about the places you see this in your own dealings. Password debates. Closed vs open source. Which language is best. The list could go on forever. How do you usually approach these? Do you focus on the people who disagree with you instead of the people who are in the middle?

The trick with security is we have no idea how to even talk to the second group. And we rather enjoy arguing with the third. While talking to the second group can be tricky, the biggest thing at this point is to just know when you're burning time and good will by engaging with the third group. Walk away; you can't win, and failure is the only option if you keep arguing.

Join the conversation, hit me up on twitter, I'm @joshbressers

Tuesday, October 20, 2015

How do we talk to normal people?

How do we talk to the regular people? What's going to motivate them? What matters to them?

You can easily make the case that business is driven by financial rewards, but what can we say or do to get normal people to understand us, to care? Money? Privacy? Donuts?

I'm not saying we're going to turn people into experts, I'm not even suggesting they will reach a point of being slightly competent. Most people can't fix their car, or wire their house, or fix their pipes. Some can, but most can't. People don't need to really know anything about security, they don't want to, so there's no point in us even trying. When we do try, they get confused and scared. So really this comes down to:

Don't talk to normal people

Talking to them really only makes things worse. What we really need is them to trust the security people. Trust that we'll do our jobs (which we're not currently). Trust that the products they buy will be reasonably secure (which they're not currently). Trust that the industry has their best interest in mind (which they don't currently). So in summary, we are failing in every way.

Luckily for us most people don't seem to be noticing yet.

It's also important to clarify that some people will never trust us. Look at climate change denial. Ignore these people. Every denier you talk to who is convinced Google sneaks into their house at night and steals one sock is wasted time and effort. Focus on people who will listen. As humans we like to get caught up with this "third" group, thinking we can convince them. We can't, don't try. (The first group is us, the second is reasonable people, we will talk about this some other day)

So back to expectations of normal people.

I'm not sure how to even describe this. I try to think of analogies, or to compare it to existing industries. Nothing fits. Any analogy we use, every existing industry, generally has relatively understood models surrounding them. Safes have a physical proximity requirement, the safety of cars doesn't account for malicious actors, doors really only keep out honest people. None of these work.

We know what some of the problems are, but we don't really have a way to tell people about them. We can't use terms that are even moderately complex. Every time I work through this I keep coming back to trust. We need people to trust us. I hate saying that, blind trust is never a good thing. We have to earn it.

Trust me, I'm an expert!

So let's assume our only solution for the masses at this point is "trust". How will anyone know who to trust? Should I trust the guy in the suit? What about the guy who looks homeless? That person over there uses really big words!

Let's think about some groups that demand a certain amount of trust. You trust your bank enough to hold your money. You have to trust doctors and nurses. You probably trust engineers who build your buildings and roads. You trust your teachers.

The commonality there seems to be education and certification. You're not going to visit a doctor who has no education, nor an engineer who failed his certification exam. Would that work for us? We have some certifications, but the situation is bleak at best, and the brightest folks have zero formal qualifications.

Additionally, who is honestly going to make certifications a big deal? Everything we need to know changes every 6 months.

As I write this post I find myself getting more and more confused. I wonder if there's any way to fix anything. Let's just start simple. What's important? Building trust, so here's how we're going to do it.

  1. Do not talk, only answer questions (and don't be a pedantic jerk when you do)
  2. Understand your message, know it like the back of your hand
  3. Be able to describe the issue without using any lingo (NONE)
  4. Once you think you understand their challenges, needs, and asks; GOTO 1

I'm not saying this will work, I'm hopeful though that if we start practicing some level of professionalism we can build trust. Nobody ever built real trust by talking, you build trust by listening. Maybe we've spent so much time being right we never noticed we were wrong.

Join the conversation, hit me up on twitter, I'm @joshbressers

Tuesday, October 13, 2015

How do we talk to business?

How many times have you tried to get buy-in for a security idea at work, or with a client, only to have them say "no"? Even though you knew it was really important, they still made the wrong decision.

We've all seen this more times than we can count. We usually walk away grumbling about how sorry they'll be someday. Some of them will be, some won't. The reason is always the same though:

You're bad at talking to the business world

You can easily make the argument that money is a big motivator for a business. For some it's the only motivator. Businesses want to save money, prevent problems, be competitive, and stay off the front page for bad news. The business folks don't care about technical details as much as they worry about running their business. They don't worry about which TLS library is the best. They want to know how something is going to make their lives easier (or harder).

If we can't frame our arguments in this context, we have no argument; we're really just wasting time.

Making their lives easier

We need to answer the question, how can security make lives easier? Don't answer too quickly, it's complicated.

Everything has tradeoffs. If we add a security product or process, what's going to be neglected? If we purchase a security solution, what aren't we purchasing with those funds? Some businesses would compare these choices to buying food or tires. If you're hungry, you can't eat tires.

We actually have two problems to solve.

  1. Is this problem actually important?
  2. How can I show the value?

Whether something is important is always tricky. When you're a security person, lots of things seem important but aren't really. Let's say inside your corporate network someone wants to disable their firewall. Is that important? It could be. Is missing payroll because of the firewall more important? Yes.

First you have to decide how important the thing you have in mind is. I generally ponder if I'd be willing to get fired over this. If the answer is "no", it's probably not very important. We'll talk about how to determine what's important in the future (it's really hard to do).

Let's assume we have something that is important.

Now how do we bring this to the people in charge?

Historically I would write extremely long emails or talk to people at length about how smart I am and how great my idea is. This never works.

You should write up a business proposal. Lay out the costs, benefits, requirements, features, all of it. This is the sort of thing business people like to see. It's possible you may even figure out what you're proposing is a terrible idea before you even get it in front of someone who can write a check. Think for a minute what happens when you develop a reputation for only showing up with good well documented ideas? Right.

Here's how this usually works. Someone has an idea, then it gets debated for days or weeks. It's not uncommon to spend more time actually discussing an idea than it is to implement the thing. By writing down what's going on, there is no ambiguity, there's no misunderstanding, there's no pointless discussion about ketchup.

I actually did this a while back. There was discussion about a feature, it had lasted for weeks, nobody had a good answer and the general idea kept going back and forth. I wrote up a proper business proposal and it actually changed my mind, it was a HORRIBLE idea (I was in favor of it before that). I spent literally less than a single work day and cast in stone our decision. In about 6 hours I managed to negate hundreds of hours of debate. It was awesome.

The language of the business is one of requirements, costs, and benefits. It's not about outsmarting anyone or seeing who knows the biggest word. There's still plenty of nuance here, but for now if you're looking to make the most splash, you need to learn how to write a business plan. I'll leave how you do this as an exercise to the reader, there are plenty of examples.

Join the conversation, hit me up on twitter, I'm @joshbressers

Tuesday, October 6, 2015

What's filling the vacuum?

Anytime there's some sort of vacuum, something will appear to fill the gap. In this context we're going to look at what's filling the vacuum in security. There are a lot of smart people, but we're failing horribly at getting our message out.

The answer to this isn't simple. You have to look at what's getting attention that doesn't deserve to get attention. Just because we know a product, service, or idea is hogwash doesn't mean non security people know this. They have to attempt to find someone to trust, then listen to what they have to say. Unfortunately when you're talking about extremely complex and technical problems, they listen to whoever they can understand as there's no way they can determine who is technically more correct. They're going to follow whoever sounds the smartest.

If you've never seen the musical "The Music Man" you should. This is what we're dealing with.

Rather than dwell on it and try to call out the snake oil, we should put our effort into the messaging. We'll never have a better message than this group, but we really only need to be good enough, not perfect. We always strive for our messages to be perfect, but that's an impossible goal. The goal here is to sound smarter than the con men. This is harder than it sounds unfortunately.

We can use the crypto backdoor conversation as a good example. There are many groups claiming we should have backdoors in our crypto to keep ourselves safer. Security people know this is a bad idea, but here's what the conversation sounds like.

We need crypto backdoors to stop the bad guys, trust us, we're the good guys

<random nonsense>, backdoors don't work

We don't do a good job of telling people why backdoors don't work. Why should they trust us, why don't backdoors work, who will keep us safe? Our first instinct would be to frame the discussion like this:

  1. Backdoors never work
  2. Look at the TSA key fiasco
  3. Encryption is hard, there's no way to get this right

This argument won't work. The facts aren't what are important. You have to think about how you make people feel. We just confused them, so now they don't like us. Technical details are fine if you're talking to technical people, but any decent technical person probably doesn't need this explained.

We have to think about how we can make people feel bad about encryption backdoors. That's the argument we need. What can we say that gives them the feels?

I don't know if these work, they're just some ideas I have. I've yet to engage anyone on this topic.

What are things people worry about? They do value their privacy. The old "if you have nothing to fear you have nothing to hide" argument only works when it's not your neighbor who has access to your secrets.

Here's what I would ask:

Are you OK with your neighbor/wife/parent having access to your secrets?

Then see where the conversation goes. You can't get technical; we have to focus on emotions, which is super hard for most security people. If you try this out, let me know how it goes.

Join the conversation, hit me up on twitter, I'm @joshbressers