I don’t get it. I mean I really don’t get it. I can’t possibly imagine why it isn’t so obvious to everyone else!! Don’t you see what’s happening!!! Soylent Green is QSAs!!!

One of the more frustrating aspects of our profession is the apparent lack of security prioritization by the rest of the world. We feel like we see things they don’t, and in that context many of their decisions make absolutely no sense. Are we just that much smarter than everyone else? Are they blissfully ignorant? Alan sums up our problem in his post on security gimmicks:

Agree or disagree with the gimmicks. You have to ask yourself why. With all that we read and see about data breaches, with all of these compliance regulations and rules around, why can’t people take security seriously enough? Here is one man’s opinion. Security is a bad news generator of an industry. We focus on what happens when things go wrong. We focus on adding to the process. We don’t focus on the positive and the profitable. There is enough bad news in the world for people to focus on right now. They don’t want the bad news that security makes them confront. If we can figure out how to make security a way of bringing a message of good news, we wouldn’t need to resort to gimmicks.

My position is a little more zen.

Back in physical security/paramedic/firefighter/mountain rescue days I learned we all go through a process of dissociation with mainstream society. When all you see is nasty sh*t and dying people all day, every day, it’s hard to give a rat’s ass about someone getting the cold shoulder at the water cooler. The military, police, nurses, and many other professions suffer the same problem. In that world, there are two ways to handle it- shut up and deal, or isolate yourself into your chosen community. It’s no accident that so many cops are married to nurses.

It’s pretty much the same deal for IT security, except we don’t have to wash blood off our shoes quite as often.

We see the fragility and danger of our online economy and society. Stolen elections, rampant fraud, and pwned grandmothers. No website is safe, all PCs have trojans, and those damn Macs will all be compromised next week.

We need to collectively chill out. Before we blow an aneurysm.

As Marcus Ranum said (totally pissing me off because I didn’t say it first):

Will the future be more secure? It’ll be just as insecure as it possibly can, while still continuing to function. Just like it is today.

We need to do our best to communicate risks to the business and cost effectively keep those risks within tolerance. Then we clean up the mess if the business, after being well informed, decides to accept that risk.

If we don’t take risks, we can’t possibly grow. No matter what someone tells us, we sometimes need to touch the hot stove and learn for ourselves. It’s human nature; don’t expect it to change. Security is only good news when it’s no news.

Don’t worry. When things get bad enough, we’ll get the call. If you’ve kept your documentation and communication up, you won’t get shafted with the proverbial short end.

Don’t end up like I did in college- working as a full time medic on top of being a student wasn’t exactly conducive to my dating life. That uniform didn’t work nearly as well as I expected. (However, a black belt a few years later was very… effective).