Over the weekend I glanced at Twitter and saw a bit of hand-wringing inspired by something going on at (I think) the Baythreat in California. This is something that’s been popping up quite a bit on Twitter and in blog posts for a while now. The core of the comments centered on the problem of educating the unwashed security masses, combined with the problems induced by a compliance mentality, and the general “they don’t understand” and “security is failing” memes.
(Keep in mind I’m referring to a bunch of comments over a period of time, and not pointing fingers because I’m over-generalizing).
My response? You can probably figure it out from the title of this post.
I long ago stopped worrying about the big picture. I accepted that some people understand security, some don’t, and we all suffer from deformation professionnelle (a cognitive bias: losing the broader perspective due to our occupation).
In any risk management profession it’s hard to temper our daily exposure to the worst of the worst with the attitudes and actions of those with other priorities. I went through a lot of similar hand-wringing first in my physical security days, and then with my rescue work. Ask any cop or firefighter and you’ll see the same tendencies.
We need to keep in mind that others won’t always share our priorities, no matter how much we explain them, and no matter how well we “speak in the language of business”. The reality is that unless someone suffers noticeable pain or massive fear, human nature will limit how they prioritize risk. And even when they do get hit, the changes in thought from the experience fade over time.
Our job is to keep slogging through; doing our best to educate as we optimize the resources at our disposal and stay prepared to sweep in when something bad happens and clean up the mess. Which we will then probably be blamed for.
Thankless? Only if you want to look at it that way. Does it mean we should give up? No, but also don’t expect human nature to change.
If you can’t accept this, all you will do is burn yourself out until you end up as an alcoholic passed out behind a dumpster, naked, with your keys up your a**.
Fight the good fight. But only if you can still sleep well at night.
Reader interactions
4 Replies to “Get over It”
Only my dad calls it *The* BayThreat, Rich. :p
Gal Shpantzer had a great talk at DojoCon also this weekend about the “Security Outliers” and using analogies from other health and safety industries to tackle the subjects of infosec education and adoption. Seems like there is hope out there, and when the security industry is as old as sterilization practices in hospitals we’ll be seeing more trickle down adoption.
“We need to keep in mind that others won’t always share our priorities, no matter how much we explain them, and no matter how well we “speak in the language of business”
I am Just starting down the road to becoming a serious security professional and this statement above fits me to a T. It seems like there is so much to do and so much to learn and so many recommendations you NEED to make that its very overwhelming.
“every security professional needs to have with his/her peers”
Maybe this should be an article by itself, a burnt out security professional is no good.
Keep fighting the good fight, I whole heartedly agree.
As an absolutely tangential afterthought, I wonder if there is a relationship that those who accept compliance (or embrace it) also tend to maintain enthusiasm in the face of such negativity? That’d be a good question for another round of pints.
1. Thanks for that term: deformation professionnelle. I just informally call it closeness bias, but now to see a more proper term for it… 🙂
2. I think this is a talk every security professional needs to have with his/her peers (the earlier in the career the better!). In fact, we need to have this talk regulary. Hell, I’ll even go so far as to say this is one of those things that brings us closer together as a community and as friends. Pretty much a support group for each other where we drink, complain together, and build each other back up from the doldrums that “everyone else” doles on top of us because we never get exactly what we want. We find our motivation with each other, very often, and I see many sec professionals go through these annual highs and lows. We, collectively, need to learn to channel that and stay positive and motivated to everyone else, even if in our pub groups and cons we tease the negativity out and share our war stories.
That’s security. There is no win or perfection. It’s security + economics + humans. We simply need to accept that as a Law of our profession as surely as we accept that there is no silver bullet. Doing so will lead to a better chance at happiness (if your personality is compatible with that; not everyone can work without ever achieving end goals).
3. And you’re absolutely right about continuing to fight the good fight. Just because business doesn’t listen to every word and suggestion we make, doesn’t make us worthless/pointless. But rather keep striving and doing whatever we can for improvement.