Change we can believe in?

Post-RSA, I’ve seen a lot of commentary about how people were disappointed that the conference didn’t reveal more “change” on the part of the security industry. The reasons for this vary – too many Guido-esque sales douches, booth babes with pink hair (!?), the NSA using booth babes (spelled: desperate), overuse of the words “cloud” and “GRC” and “cyber” and….well, the list goes on. All of these are valid observations. And hearing all this noise has brought me back around to a thought I’ve had in the last few months about the nature of the “security community” in general.

I think some people in this industry have forgotten that first and foremost, it’s a JOB. That’s right, as in profession, earning a paycheck, whatever you want to call it. For whatever reason, a good number of people seem to have elevated information security beyond this (in their minds) to a CALLING. Let me be the one to call bullshit. Please. There is absolutely nothing wrong with having passion about what you do for a living. I fall into this camp – I genuinely love security, for the technical challenges, the people challenges, the unwashed (literally, too often) masses at the conferences, and the social camaraderie in many cases, too. But too many are constantly expressing outrage at how we’re not changing. Changing what, exactly?

Should there be more of a focus on application security vs network security? Probably. A good post to get you thinking about this (loosely, granted) can be found on Gunnar Peterson’s blog. Within our industry, that’s something we can rail about. And we do. But this serves as a perfect example of two fundamental truths that seem to be absent in most of the “we need change” conversations. Here they are, with my thoughts:

  1. Security (especially at RSA) is a business. We have been talking for the last few years about “integrating with the business” in our organizations. I don’t care what business you’re in, the first rule of business is making money. And that’s exactly what the vendors are trying to do – make money. So they don’t really give a shit about what the echo chamber thinks – they use “cloud” and “GRC” and all the other buzzwords because they work. People buy stuff. Are they buying the *wrong* stuff? As a corollary, are we trying to solve the *wrong* problems (i.e. network vs app security, etc)? Maybe. But the vendors will go where the money is, and they’ll market their way to profits. If it upsets you, then you’re not really in line with “business” at all. Sorry.
  2. We, as an industry, have absolutely zero control of what our adversaries do. That means that our innovation cycles will always be behind the threats and attacks, and it’s something we need to adjust to. I know, I know, we all pay lip service to this, but the reality is this – the criminals are BANKING right now. So their motivation is really a lot higher than ours in many ways – they want to make huge money, and they don’t want to get caught. We, on the other hand, are trying to prevent data loss/theft and “protect” ourselves and our organizations. It’s a noble effort, true, but will never have the same urgency as someone trying to illegally make millions of dollars quickly.

So what kind of “change” will get us ahead of the threats? That’s really the point of #2 – how do we “change” to get there? I’m not a pessimist by nature, but right now I think this is the wrong thing to be focusing on. I think the RIGHT changes to make are absolutely mental in nature, as Mike Rothman so aptly tweeted to me. Two things we can do:

  1. Focus on doing the best JOB we can. Get off the “holy crusade” tip and go out and secure something. I’ve railed about this for a long time, but we’re all too fascinated by “breakers” vs “builders”, or at least “defenders”. If 99% of the security “community” spent their time fanatically focused on hardening their OS and apps, tuning IDS and other systems (behavioral and otherwise), implementing whitelisting alongside AV or instead of AV alone, etc. INSTEAD of worshipping the pen testers and exploit finders, we’d be better off. Let those folks do their thing. But the most good most people can do is by focusing on being the best defenders they can be. This is the mental change we need – do most lawyers, doctors, accountants, engineers, etc. treat their jobs as a self-righteous soapbox all the time? No. And many of them are GREAT at their jobs. Less soapbox, more lockdown.
  2. At B-Sides SFO, a few of us were having a conversation about how we could really make a difference to the realm of security. And Josh Corman suggested going outside our own “community” to talk to developers and others. This is probably the best idea out there – they call it the “echo chamber” for a reason…we all talk to EACH OTHER about the problems. We need to go to the developer conferences and local group meetings, the VMware meetings, the SysAdmin meetings, etc. What about teaching everyone at a retirement community about using Facebook “safely”? Teaching elementary school kids about online safety? You get the point – we need to expand our reach. Go evangelize! Just do it to a group that isn’t security people.

This is likely not the only type of “change” we need. I’m certainly no prophet, and I rant in the echo chamber, too. And I do pen tests, etc., as well. But it seems like all this disgust at a lack of “change” could be easily remedied by some outbound efforts into other areas, not directed at security vendors and each other.

</rant>