I've been thinking a lot about this topic lately, so Rich's article is timely. Rich says that we are finally at the table, security is a legit "thing" now, and we should stop whining about FUD, products, sales people, and a host of other things.
First, we're not complaining, well some of us may be, but most of us are trying to keep this business away from FUD and stop people from using half-baked products. This is important to business, any business, not just security, and it’s important for all of us to understand business as it related to security. I hear ya Rich, not all of us do, and we could benefit from a "Business 101 for Security Professionals Course." I have a degree in business, and it was nothing more than experience that taught me what I know, albeit I am still learning. The business landscape is constantly changing, and we have to roll with the punches as technology, and the security of the technology, constantly changes. Okay, enough rambling, let me address Rich's points, some of which are really spot on.
1) Hate the endless compliance cycle? For most of you it's the only reason executives listen to you at all. - Really? If the only reason stakeholders listen to me is because of PCI, I am doing it WRONG. Compliance is one phase of the game, don't forget about raw security and that thing called risk management. If you can't work with your management on all three fronts, you are playing a losing game (hopefully its not global thermonuclear war).
2) Hate the "industry"? Name me one other area of society involving big money that doesn't become dominated by some sort of industry. - I think we're dominated by business, and if you don't understand the business, you shouldn't be complaining. That’s not to say we all can't work to make this industry have integrity.
3) Despondent over lack of innovation? Then stop buying the same crap you buy every year and invest in the products struggling to innovate - I could not agree more! We have crappy products because people buy them.
4) Tired of users who just don't get it? How about you stop pretending human behavior can change and that just because you see something a certain way you're any better than everyone else. BINGO! Don't give up on user education, but continue to use innovative technologies that protect the user and let them do their jobs.
5) Pissed at careless developers? Go write a secure piece of software on time, budget, and specifications, and come talk to me again. - Yes, writing secure software is hard. However, this is another area where you can use education, coupled with technology, to make resilient software. There are many efforts in this area, Rugged, Dan Kaminskies project.
6) Shocked that the bad guys are targeting you personally? Why the f* wouldn't they try to remove or distract the guards? Do you want to be friends? - So true, I used to hear "No one would want to hack us." Get over it, people want to hack you. They are many. They have all different motives. They come in all shapes, flavors, and sizes. Defense is hard, be creative.
7) Angry at vendors that lie about capabilities? Then stop forcing them to have dozens of widgets and performance capabilities you won't ever use or send back for a refund. - Whoa, how is it my fault that vendors lie about capabilities? It’s true, technology gets complicated because everyone wants something custom for their needs.
Dear vendors, provide your customers a nice API, tell them to hire some talented people, and stop requesting one off features. There's a start. Example, why do I need 8,000 features in my web browser or document publishing product? It’s a tough market, and features rule, but my bet is that you could sell module and trimmed down versions of software. The problem is human nature tells us that we want the "advanced" version of everything, not the basic, because heaven forbid we don't have a feature, like Mr. Clippy.
Finally, we think this is fun. Sure, we discussed a story where one individual said he was ready to quit on the last show, and that is sad. But we should also all understand that we are at a point where IT is learning the limitations of their security services and products. Many of us in the security industry have known this for quite some time. But it is nice that other members of management, and IT are starting to see it as well.
The point is this is a dynamic and fun field. Also, many of us know what and where security's limitations exist. This is a good thing. Now, we just need to do something about them.
In short, we agree with Rich. We need to stop complaining and start spending more time fixing problems.
Originally discussed during episode 234
John Strand will be teaching SANS 660 Advanced Network Penetration Testing and Metasploit for Penetration testers This April in Reston, VA April 15 - 23.