Sunday, March 20, 2016

Everything is fine, nothing to see here!

As anyone who reads this blog knows, I've been talking about soft skills in security for quite some time now. I'm willing to say it's one of our biggest issues at the moment, a point which I get a lot of disagreement on. I have sympathy for anyone who thinks this stuff doesn't matter, I used to be there. Until I had to start talking to people. As soon as you talk to most anyone outside the security echo chamber, you see what's actually going on, and it's not great.

I won't say the security industry is one fire, but nobody is going to disagree many of the things we're looking after aren't in great shape.Outside of a few very large successful companies, most organizations have serious and significant security problems that could result in a massive breach, it's just that nobody has tried, yet. I see a few reasons for many of our trouble, I always seem to come back to soft skills.

There is a skills shortage
But there's training, look at all the training, there's so much training everything is fine!

There is training. Some is good, some is bad (like anything). It's not that training in itself is bad, I would encourage anyone to go get training. It's not great though either. Most training today focuses on the symptoms of our problems. Things like pen testing, secure coding (which doesn't exist), network defense. Things that while important, aren't the real problems. I'll talk more about this in a future post, but chew on this. There are about 96,000 CISSP holders, and about 5 million security jobs. That's messed up.

Today everyone who is REALLY, I mean REALLY REALLY good at security got there through blood sweat and tears. Nobody taught them what they know, they learned it on their own. Many of us didn't have training when we were learning these things. Regardless of this though, if training is fantastic, why does it seem there is a constant march toward things getting worse instead of better? That tells me we're not teaching the right skills to the right people. The skills of yesterday don't help you today, and especially don't help tomorrow. By its very definition, training can only cover the topics of yesterday.

How do we skill up for the needs of today and tomorrow? The first thing we have to do is listen to the people running, building, and using the technology of today. They know things we don't just as we know things they don't. Security is still almost always an afterthought, even with everyone claiming it's the most important thing ever. This is our failing, not theirs.

We build our skills by being an industry that doesn't complain and belittle everyone who tries anything. We are notorious for being brutal to the new guys. Everyone starts somewhere, don't be a jerk. I know a lot of people who are afraid to do almost anything in the security space because they know if they're not 100% correct, they will have to deal with a torrent of negative comments. It's not worth talking to us in many instances.

As an industry we are failing our customers
Things aren't that bad, sure there are some breaches but in general everything is going pretty good!

If you read any news stories, you know things aren't OK. There are loads of breaches and high profile security issues. Totally broken devices, phones that can't be updated, light bulbs that can join a botnet. As an industry we like to stick to our echo chamber circles where we spin news and events into something that isn't our fault. We laugh at the stupid people doing stupid things. We find a person or event that can explain away the incident as a singular event, not a systematic problem. The problems are growing exponentially, our resources are growing linearly, this means that our resources are actually decreasing every year.

Most organizations don't have proper security and won't even have a proper conversation until they end up on the wrong side of a major compromise. It's our fault nobody is talking about this stuff, even if the breach isn't technically our fault.

What advice are we giving people they can actually use? In almost every organization the security group is feared and hated. We're not peers, we're enemies, and they are ours. This isn't helpful to anyone. How many of you actually sit down and have honest real discussions with those you are supposed to help. Do you actually understand their problems (not our problems with them, their actual problems, the ones they have to route around security to solve). Security shouldn't be something bolted on later, we're lucky if it's even that in most cases.

Security is seen as a business prohibitor, not a business enabler
I know what needs to be done, nobody wants to listen!

We've all been here before. We suggest something to the group, they ignore us. We are the problem here, not the people we are supposed to help. We blame them for not listening when the real issue is we're not talking to them properly. We throw information at people, complex hard to understand information, then rather than hold their hand when they don't understand, we declare them stupid and go find someone who agrees with us, then we complain about how dumb everyone else is and how smart we are.

They aren't stupid.

Neither are we.

The disconnect is one of talking. We have to talk to people, we have to engage with them. We have to build a relationship. You can't expect to show up and be listened to if you're not respected. People trust those they respect. If you're in that circle of respect, you won't be taken seriously. On a regular basis I hear security tell me "they'll know I was right when we get hacked!" That doesn't even make sense. It's your failure for not creating a level of understanding for the issue, it's not their fault for ignoring you.

Soft skills are hard
You don't even know what you're talking about, my skills are fine!

Maybe. I won't say I'm an expert. I am constantly thinking about the state of things and how interactions go. What I do know though is the things I discuss here are based on my real world lessons. Every day is a new journey into being a new and better security person. I know how the technology works, what I don't know is how people work. It's a journey to figure this out. I'm pretty sure I'm on to something because people I respect are encouraging, yet there are some who are trying very hard to discourage this conversation. As the old saying goes, if nobody is complaining about what you're doing, you're not doing anything interesting.

Here's what I do honestly believe. You can disagree with me or anyone you want. The industry isn't solving the problems it needs to solve. Those problems will be solved eventually, there are many industry groups forming to start talking about some of these problems, the groups mostly talk though, that's not a skill we're good at. Even then I see a lot of criticism toward those groups. Problems won't be solved quickly by doing the same thing we do today. I'm confident a big part of our future is humanizing security. Security today isn't for humans, security tomorrow needs to be. We get there by cooperating, not by arguing and insulting.

Think I'm an idiot, let me know: @joshbressers