“APT is your biggest risk.”
“Public cloud cannot be secure, just look at CapitalOne.”
“Insiders are your biggest threat.”
“You must have a SIEM if you are going to pass your SOX audits!”
Bah, humbug. Fear, Uncertainty, and Doubt (or FUD as we sometimes refer to it).
Most who revert to this pattern I find have particular characteristics.
They Haven’t Done It
Some people have never done security, now or in their past. However they do read the newspaper, or watch TV (okay, who watches TV anymore…YouTube!), or they are handed a sales script. Someone feeds them a story and they take it at face value. They repeat it. They preach it everywhere because they’ve been convinced through some disassociated argument. Or their livelihood depends upon it. You don’t earn money if your products don’t sell. Think of them loosely as the carpetbaggers. That may be a bit harsh, but security is not in their blood, under their fingernails, and they certainly don’t have any scars to show for it.
Those that have this characteristic sit outside of experience. They haven’t seen or experienced the realities, nor do they have the insights. Note, I am willing to move those that do research out of this group because they at least can present some knowledge based on data, but those are few and far between, and they generally don’t use FUD. The rest are hard to convince, and are usually best just dismissed. If you find yourself 15 minutes into an argument with one of them over whether you really need a SIEM to pass SOX, and they won’t budge, you have wasted 14 minutes and 59 seconds of your time. Well, maybe that estimate is a second short. Although kudos to those who spend the time to educate, and to the 2% of Those Who Don’t Do who actually listen and understand.
They Don’t Do It
This characteristic has more to do with links by association. You find that your dinner conversation about being “in IT” means you must be able to fix someone’s home computer problems. Just as anyone in information security is expected to be a TV pundit about the latest ransomware attack, or the motivations of hackers. The one difference in this category is that while the people who claim this ground have security in their blood, it may not be the right blood type, and the scars may be from completely different battles.
Those with this characteristic tend to build on an existing platform of knowledge, yet extend it through precarious cantilevers into subjects they haven’t really examined. That person who managed your mainframe security is probably not the best person to judge the security of public cloud, or at least not at first. Just like you wouldn’t (necessarily) ask your plumber to give you an opinion on how to replace your roof. But that does not mean that they cannot be educated. They just need to take the time to learn.
I find here the opportunity to teach, mentor, and share most rewarding. But it also can be the most challenging. Some people take to new information and views, but some cling to their old models like a survivor to a raft, even when the rescue ship is right next to them.
They Do It Wrong
Doing it wrong is usually a mix of taking what you’re told to do at face value, and not having the skills or experience yet to do it properly. The really egregious examples cling to their ways like that survival raft. The causes can be youth and inexperience, which are best overcome with good mentorship and the opportunity to learn, or stubbornly clinging to bad patterns despite every opportunity to learn otherwise.
Don’t Have Data to Back It Up
This is my favorite characteristic, and the one I like to “troll” the most. Some anecdote, recency bias, or availability bias creates “facts”. Everyone loves to use APT, or now ransomware as the way to drive attention to their solution, because it is an availability bias. The attempt to convince me that “Insider Threat is greater than External Attackers” will fall flat. You better be prepared to be challenged with data. I will take you to task.
Those that exhibit this characteristic either cling to their belief, even in the face of clear data, or eventually, and sheepishly, admit that their story has holes. It’s often amusing to see how they will tread a fine line between saying, “Yeah, the data is right”, and “Still buy our product”.
Don’t Ever Do It In My House
For anyone who wants to do business with me, do me a big favor. Do not come with FUD. Do not come with anecdotes unless it is only to demonstrate how to accomplish building something, or to demonstrate an example. Do not come to educate me on something you haven’t done. Come to me with data that supports your point. Come to me with experience. Be willing to accept contrary views, and challenges to your solutions. Be willing to engage in discourse (note, I do not say debate or argument!). Let’s have a sensible conversation using data, attempting to find common ground, and points of reference. I will respect an informed view and one that is willing to be challenged any day. Anyone not willing to be challenged, and not having (accurate and relevant) data to back up their assertions will be summarily fed to the bears. They live under my desk…
If you want a really good read on the subject, Bruce Schneier has written a great article on it, as well as his book Beyond Fear: Thinking Sensibly About Security.