The Security industry sucks at getting people to trust us

Email update, 9 October 2017

As a follow-up to the previous email, this article from Threatpost is well worth reading:

Security Industry Failing to Establish Trust

As 2017 has so far demonstrated, there are more real-world, bottom-line consequences to major attacks than ever before. WannaCry forced hospitals across the U.K. to re-route patients. NotPetya put global shipping line Maersk out of commission for some time, as well as giant pharmaceutical Merck. Maersk alone reported $300 million in losses from the June wiper attack. And the solution enterprises and midmarket companies are given is an endless parade of appliances and products sold on the basis of fear, uncertainty and doubt without ever touching the problem.

“We need to change what we are doing. We need to change our approach based on FUD,” Honan said. “The key thing in our industry is to scare the crap out of someone and then come in with a shiny box and say ‘Here you go, this will save you.’ And when that doesn’t work, what do you do? You scare them again, and another shiny box comes in.”

The article nails a lot of the problems with the infosec industry as it currently operates, not least of which being the patronising victim-blaming stance so many of us take every time someone gets hacked (I’m as guilty as anyone here).

Unfortunately, it turns out that you can’t shame people into fixing their stuff, at least not as quickly as we’d like. Our industry is still very immature (in both senses of the word), and can look completely opaque from the perspective of people who aren’t already working in security. To them, everything “cyber” is one homogeneous field: a mysterious black box they’re scared to get involved in.

I’ve noticed this last problem firsthand when looking for jobs: a lot of companies who don’t already have a mature security program tend to put out job advertisements for what I like to call a “silver bullet position”, or less charitably, “the scapegoat”.

These are the advertisements which look something like the following:

We need a cybersecurity ninja who knows how to cyber the cybers, because cyber. Cyber.

You will have 10 years of experience in security across the following areas:

  • Penetration testing
  • Exploit development
  • Defensive security operations (Firewalls, IDS, IPS, SIEM)
  • Incident response
  • Forensics
  • Malware reverse engineering
  • Security policy and governance

In addition, you’ll be expected to lead the development of our in-house security tools, and communicate to executives at the board level regarding our policy and governance compliance initiatives.

Tongue firmly in cheek, but you get the idea. The point is that an ad like this just shows that the company has no idea what they want, but they do know that they suck at “the cyber” and are desperately hoping to hire their way out of a decade-plus worth of technical security debt.

Each of the areas listed above is its own specialised field of security, and if through some miracle you managed to find someone actually claiming to have all of those skills, then either A: they’re lying through their teeth (most likely), or B: there’s no way you can afford them.

In short, in order to fix this problem, we need people to understand the basics of security, at least to the level that they can know what they need (or at least who to ask). This can only be done by (slowly) educating people, not by posting snarky tweets every time they f**k up.

And yes, I’m aware that I just made this point by snarking at an imaginary company job advertisement.