A commonly-misunderstood aspect of computer security is that you are battling computers.

No. That is not right at all. Computers are barely involved.

You are battling humans who eat apathy and coordination problems.

I tell the story often but in the beginnings of my career in IT I was fascinated by stories of 0days by state actors. And I worried about them.

As our entire client base was XP SP2 with zero governance and many machines shared huge groups of local admins. Some of them made Authenticated Users a local admin.

And I sat there and I was worried about foreign military 0days. Perspective later is a hell of a thing.

The reason IT Security is so hard is someone has to do it. That's the answer.

That is not a technical challenge it is an interpersonal one.

Do you know how many smart people there are trying their very best? You think it would be deluged in security.

But it's not. This is a personal problem and that's what ruins everyone that tries it.

The funniest thing I find about my history and Helpdesk is the credibility. Yes I can talk your language and I know your priorities and I know what worries you about technical change. I know the results of an outage because I have had to support it. I took the calls and I took them for a decade.

I know exactly what it means to fail. Which is something you should understand when you make a change for IT Security.

They don't need to hear perfection. They need to hear empathy. They need to know you thought this out and that you know exactly what it will mean if it fails. Because you sat on that call. The thousands of them.

Failure is pain. And they need to hear that in your voice when you tell them the plan about changing everything.

I have been through changes by people that did not understand the gravity of what they were implementing. The people they talked to probably felt it. But allowed it in grace.

One was they broke things that were extremely nuanced in the networking of Windows.

You understand what they've done. In perfect innocent honesty. The goal they were aiming at. In naive abandon.

They did the right thing. But accomplished the wrong one. The victims will never trust us again.

Credibility is something I harp on so much in InfoSec.

Your performance relies on your credibility more than your technology. Nobody gives a shit about the fucking firewall vendor. They don't care about the nuances of injecting TLS inspection certificate chain in 3rd-party toolchains.

They care about your credibility. It is something that is impossible to describe or proscribe, but is the most important ingredient in your success.

With the people that matter. Who decide if your benevolent campaign gets implemented.

You have to establish a human relationship. And I'm gonna tell you something. A human relationship is the most difficult thing in the world for me. I can talk to thousands. But I cannot establish a human relationship. And that is why it is my job. I have to get fucking paid to do it.

The thing about computer security is you get confused by benevolence.

All you wanna do is save them. You want to save them from themselves and you want to save them from the past they live under.

It is so easy that you will be cavalier. Your job is saving them. What could ever be simpler than that?

And in this frame you're gonna do the wrong thing and you're gonna ruin your credibility. Which is saving them by breaking it. If it's broken it can't hurt them. You will be proud and they will scream.

The essential question is how are you gonna save them without breaking it?

First you need to understand it. And that. That, my friends. Is the bedevilment.

Because it has to be fucking broken because it is intolerable in its current state.

You have to fix it in a way they never understand you did anything. Your job is to do nothing but change everything.

@SwiftOnSecurity One of the irritating aspects of this is that infighting above you can completely torpedo your work at building that credibility.

But when you’re able to build it, you can do some impressive stuff. My team owns tons of infrastructure other teams depend on. Due to the effort we’ve put into building understanding and relationships, we’re able to do things like roll out updates with speed which seemed impossible two or three years ago.

@SwiftOnSecurity - There's a certain "tears in the rain" cadence to this part.

@clark

Let's hope it doesn't actually die.

@SwiftOnSecurity the kind of things you never hear from the unfeeling corporate assholes who push out policy, procedure and technical changes with messaging full of business-speak and strong vibes of being massively disconnected from the day to day reality :x
@SwiftOnSecurity I have only once in my life heard of a CTO who asked to spend six weeks anonymously taking the tier 1 front line helpdesk training and answering the phones before taking the job, arguing that he had to know the product and the customers if he wanted to do the job well. Long retired, but people who worked with him still talk about him like they’d met a saint.
@mhoye I am the only one in the company who sits on the different helpdesk and frontline support group chats. Because that is where I'm gonna hear about us getting breached first. And I need them to be comfortable talking to me. I join the calls occasionally and I tell them my story. And they come to me and you would be surprised what I hear.
@SwiftOnSecurity @mhoye Users are not the weakest link — they’re the best source of intel.

@wendynather @SwiftOnSecurity @mhoye

When I was looking after a large academic site, I would always cultivate the wannabe haxorz and give them extra privileges like larger space and semester to semester persistent storage.

Keep your friends close
Keep your enemies closer.

@SwiftOnSecurity Maybe. I put in a few years of tier-1 support too. Everyone at any service company, from facilities to the CEO, should be putting in two or three days a quarter on front line support. It’s the biggest missed opportunity at every company in the world.

You can learn so much. DevOps has been around 15 years and has less to say about how to run a customer service software shop than you’ll learn from 15 days on the phones.

@mhoye @SwiftOnSecurity my spouse used to work for a credit union in Ontario where they made everyone do a week as a Member Service Representative (teller), though only once.

@mhoye @SwiftOnSecurity

I worked long and hard to get to a position where they never want me to talk to a user again.

@SwiftOnSecurity @mhoye Yeah, similarly I run SecOps and get every single phishing report. I can see things like official HR communications being reported because of the third-party email sender or lack of good org change management, potential invoice fraud from a BEC at a supplier, etc.

There’s gold in them thar hills…

@mhoye @SwiftOnSecurity For a long time, Microsoft had a "frontline" program where everybody promoted to a certain level spent a week on customer support. It for sure gives you empathy for what real people are dealing with, and it's rarely what you think.
@Lee_Holmes @mhoye @SwiftOnSecurity such a good idea, but I bet some people who thought their farts don't smell wanted it axed because it was "a waste of their time"
@TurnipCannon @mhoye @SwiftOnSecurity Microsoft has a very experiential culture, so that kind of attitude doesn't last long. Heck, it's how "dogfooding" software became a verb: https://en.wikipedia.org/wiki/Eating_your_own_dog_food

@Lee_Holmes @mhoye @SwiftOnSecurity at one point I worked at a small startup where literally everyone worked customer service for a couple hours a week, very useful experience
@vurpo @mhoye @SwiftOnSecurity Number 1 way to build empathy. We had a project folks were wanting to launch some time back that was intended to help with enterprise security, detecting malware on a server, etc. Many folks thinking through the scenario had never done security, so I arranged for a rotation throughout parts of the Microsoft SOC and the team spent 1 day a week there for 6 weeks. Network intrusion detection, malware analysis, forensics, etc. The product was never greenlit, but people quickly stopped talking as though there were magic wands that you could wave to save the world.
@Lee_Holmes @mhoye @SwiftOnSecurity this is how I ended up running Puppet’s community for so many years. I moved from professional services (where I engaged with people every day) to building the education team (sitting in an office) and I needed a way to stay connected with the things people were actually struggling with. Eventually that became my whole job.
@Lee_Holmes @mhoye @SwiftOnSecurity A few years back there was a major incident (I can't recall the details) where everyone in MS CXP including VPs were working through support tickets post recovery to close them out with customers, due to the volume. Was quite a learning experience for those that had never worked helpdesk.

@Landwomble @Lee_Holmes @SwiftOnSecurity

L1 helpdesk, content moderation and community management are where you meet the Pure Unfiltered Id of your Real Audience, and it's genuinely not a surprise so many organizations outsource dealing with the real problems their products have caused for real people, however much you learn from that.

If Facebook's devs and execs had to spend a week every quarter doing the work they foist off on underpaid moderators, Facebook wouldn't exist in a year.

@mhoye @Lee_Holmes @SwiftOnSecurity agree. I started on helpdesk about 30 years ago and attribute all my professional success in IT afterwards to the *soft skills* learnt there. How to listen, empathise and see things from a user perspective. No one does proper formal training in these things, unlike tech skills.
@SwiftOnSecurity The human communication aspect of what we do is undervalued sometimes.
I think you make an especially good point about the consequences of failure. Unfortunate timely example: Our local hospital trust had an IT upgrade for patient records rolled out very recently and apparently it wasn't sufficiently load tested and has been causing chaos for clinicians.
Having spent some years in software testing prior to infosec, I empathise with the QAs who likely weren't given sufficient time to test and/or had defects they raised "risk accepted" for fixing after release. But the decision makers aren't often the ones who feel the negative outcomes of their poor decision making.

@SwiftOnSecurity please don't. Your humanity, and your ability to convey the gravity of it, was one of the biggest things that inspired me to believe that I could be in this industry and _help people_. Years ago, when I was poorly imagining being where I am now, I learned how important it was to be where I was then. I've always held on to those experiences because of you. Thank you.

(Edit: Originally wrote this to reply to your follow up about how you might delete it)

@SwiftOnSecurity Literally this. Incredibly well said. The problem isn’t the computers, it’s the CFO who thinks MFA “ruins the culture” they’ve built. It’s the software developers who don’t want to bother supporting their own creation. It’s the Directors who refuse to move off an old, unsupported platform, or the business that refuses to adapt its processes or systems.

The computers did exactly what bad humans told them to, which was to remain vulnerable to harm.

Convincing the humans involved of that fact is 99% of IT.

@SwiftOnSecurity I've just been through ISO 27001 certification. It's _mostly_ boilerplate required documentation, but it did allow me to at least push some of the "IT Security" changes I'd been advocating for years, but which had previously always been deprioritised to "we'll get to that sometime after the heat death of the universe". It's nice to have IT Security (and ISO certification) show up as procurement requirements and suddenly become "the most important thing!!!" to keep the money pipe open.
@bigiain there's talk of going through that here -- one of the issues is BYOD vs "choose your own device" and management. Was that a big factor for you?

@nonspecialist I chose to go kinda minimal on the device management stuff. You can do that so long as you document those choices. We’ve only ended up with a device monitoring tool that checks for four things - the encryption, screen lock (with password unlock), existence of an installed password manager (we use 1Password) and, umm, something else I’m not gonna try to remember this on a Friday afternoon. ;-)

Do you need a “CISO with experience reaching ISO27001 certification”? I could be tempted away pretty easily. Even without a C(whatever) title…

@bigiain mmmmm .... maybe? LMK if you're serious, it's a role I don't want to do but in the absence of anyone else, am likely to end up in
@nonspecialist I am fairly serious? Leaning well towards very serious if the role and engagement feels like a good fit? (And by that I mean that I'm 59 in February, so any career change I make now is likely (I hope) to be the last one, so I'll be looking for something that looks like it could be a 5/6 year stretch rather than a 6-12 month contracting gig that'd require me to go job-hunting again next year. I can easily work out to retirement here if I just suck it up and deal with the mundanity, but something new, exciting, and potentially long-ish term could easily tempt me away.)

@SwiftOnSecurity ... and today if you go looking at what those foreign adversaries are doing, it's pretty much all unpatched, long-known CVEs, and those vulnerabilities are pretty much all elevated access via unsanitized input.

Just basic, wash-your-hands fundamentals.

https://www.fbi.gov/news/press-releases/joint-statement-from-fbi-and-cisa-on-the-peoples-republic-of-china-targeting-of-commercial-telecommunications-infrastructure