SwiftOnSecurityA commonly-misunderstood aspect of computer security is that you are battling computers.
No. That is not right at all. Computers are barely involved.
You are battling humans who eat apathy and coordination problems.
I tell the story often but in the beginnings of my career in IT I was fascinated by stories of 0days by state actors. And I worried about them.
As our entire client base was XP SP2 with zero governance and many machines shared huge groups of local admins. Some of them made Authenticated User a local admin.
And I sat there and I was worried about foreign military 0days. Perspective later is hell of a thing.
The reason IT Security is so hard is someone has to do it. That's the answer.
That is not a technical challenge it is an interpersonal one.
Do you know how many smart people there are trying their very best? You think it would be deluged in security.
But it's not. This is a personal problem and that's what ruins everyone that tries it.
The funniest thing I find about my history and Helpdesk is the credibility. Yes I can talk your language and I know your priorities and I know what worries you about technical change. I know the results of an outage because I have had to support it. I took the calls and I took them for a decade.
I know exactly what it means to fail. Which is something you should understand when you make a change for IT Security.
They don't need to hear perfection. They need to hear empathy. They need to know you thought this out and that you know exactly what will mean if it fails. Because you sat on that call. The thousands of them.
Failure is pain. And they need to hear that in your voice when you tell them the plan about changing everything.
mhoye@SwiftOnSecurity I have only once in my life heard of a CTO who asked to spend six weeks anonymously taking the tier 1 front line helpdesk training and answering the phones before taking the job, arguing that he had to know the product and the customers if he wanted to do the job well. Long retired, but people who worked with him still talk about him like they’d met a saint.
@mhoye I am the only one in the company who sits on the different helpdesk and frontline support group chats. Because that is where I'm gonna hear about us getting breached first. And I need them to be comfortable talking to me. I join the calls occasionally and I tell them my story. And they come to me and you would be surprised what I hear.
@SwiftOnSecurity Maybe, I put in a few years of tier-1 support too. Everyone at any service company, from the facilities to CEO, should be putting in two or three days a quarter on front line support, It’s the biggest missed opportunity at every company in the world.
You can learn so much. Devops has been around 15 years and has less to say about how to run a customer service software shop than you’ll learn from 15 days on the phones.
w7comI worked long and hard to get to a position where they never want me to talk to a user again.