Monday, December 7, 2015

Security lacks patience

I had a meeting with some non security people to discuss some of the challenges around security. It's a rather popular topic these days but nobody knows what that means (remember 5 years ago when everyone talked about cloud but nobody knew what that meant?). The details are irrelevant, the most important thing that came out of this meeting was when someone pointed out as a group we are impatient.

I sort of knew this, but I wouldn't have listed this in the top 10 of "what's wrong with us".

What does it mean to be impatient? We don't listen as well as we should. We get tired of having to explain the same thing over and over again. We don't like to talk to someone who knows less than us (which is everyone). There are plenty of other examples, I'm not going to dwell on them though. It's likely many of us have no idea we're impatient.

I think the most important aspect of this though is how we deal with new idea. In almost every instance of someone proposing a new idea, we rarely talk to them about it, we spend time telling them why they're wrong. There is nothing security people like to do more than tell someone why they're wrong. Being technically correct is the best kind of correct!

I was at a working group recently where a number of people suggested new ideas. In almost every case the majority of time was spent explaining to them why their ideas were stupid and would never work. This isn't a good use of time. It's the help or shut up concept. We're not patient, we don't want to engage, we just want to prove why we're right and get back to doing nothing. Don't be this person, if you don't have constructive feedback listen instead of talking. Bad ideas generally self destruct during discussion, and discussion makes good ideas great.

Has bluntly telling someone their idea is stupid ever actually worked? I bet in almost every instance they double down and never will listen to you again. This is how bad ideas become bad projects.

How do I be more patient?

Being more patient isn't all that hard in theory, but it's really hard if you're used to proving everyone wrong all the time. You just have to learn to listen. It sounds simple but for most security people it's going to be really hard, one of the hardest things you'll ever do. Let's cover some examples.

A new way to classify security flaws is proposed, you think it's dumb. Do you
  1. Tell them why they're wrong
  2. Argue over why your way is better (even though you don't really have a way)
  3. Sit there and listen, even though it feels like your insides want to jump out and start yelling
The correct answer is #3. It's really hard to listen to someone else speak if you think they're wrong. There are few feeling of satisfaction like completely destroying someone's idea because it wasn't thought all the way through. This is why nobody likes you.

You find a remote execution flaw in some code a coworker wrote. Do you
  1. Make sure everyone knows they did this and push to revoke their git access
  2. Tell them how stupid they are and demand they fix the problem without any help
  3. Teach them how to fix the problem, listening to what they say while they're trying to learn
#1 and #2 are pretty much the way things work today. It's sort of sad when you really think about it.

If you just sit and listen, people will talk. Most people don't like silence. If you say nothing, they will say something. In the above example, the person you listen to will start to talk about why they did what they did. That will give you what you need to teach them what they need to know. This is how you gain wisdom. We are smart, we are not wise.

Listening is powerful. Patience is listening. Next time you're talking to someone, no matter what the topic is, just sit and listen. Make a point not to speak. You'll learn things you never dreamt of, and you'll build trust. Listening is more powerful than talking, every time.

Join the conversation, hit me up on twitter, I'm @joshbressers