Once again Wendy kills it with “How to Help,” saying things many of us probably think. Daily. It can get frustrating when all you hear is one person after another bitching about what’s wrong with security. And as she correctly points out, there are tools aplenty to tell you exactly how much work you have to do. But that doesn’t really help.

None of this is actually fixing anything. It’s simply pointing out to someone else, who bears the brunt of the responsibility, “Hey, there’s something bad there, you really should do something about it. Good luck. Oh yeah, here, I got you a shovel.”

Her message is: complain less, do more. And I agree. Wendy then runs through a list of things you could do. All of them require work, and most of us don’t have a lot of time for side projects. Of course, she has an answer for that as well.

And if you’re just about to say, “But that takes time and effort, and it’s not my problem,” then at least stop pretending that you really want to help. Because actually fixing security is hard, tedious, thankless work, and it doesn’t get you a speaker slot at a conference, because you probably won’t be allowed to talk about it. Yes, I know you don’t have time to help those organizations secure themselves. Neither do they. Naming, shaming and blaming are the easy parts of security – and they’re more about self-indulgence than altruism. Go do something that really fixes something.

Amen. Really great post. One of those I wished I’d written myself.

Photo credit: “The Fix Is In” originally uploaded by JD Hancock