A commonly-misunderstood aspect of computer security is that you are battling computers.
No. That is not right at all. Computers are barely involved.
You are battling humans who eat apathy and coordination problems.
I tell the story often but in the beginnings of my career in IT I was fascinated by stories of 0days by state actors. And I worried about them.
Our entire client base was XP SP2 with zero governance, and many machines shared huge groups of local admins. Some of them made Authenticated Users a local admin.
And I sat there and I was worried about foreign military 0days. Perspective, later, is a hell of a thing.
The reason IT Security is so hard is someone has to do it. That's the answer.
That is not a technical challenge it is an interpersonal one.
Do you know how many smart people there are trying their very best? You'd think it would be deluged in security.
But it's not. This is a personal problem and that's what ruins everyone that tries it.
The funniest thing I find about my history on the Helpdesk is the credibility. Yes, I can talk your language, and I know your priorities, and I know what worries you about technical change. I know the results of an outage because I have had to support it. I took the calls, and I took them for a decade.
I know exactly what it means to fail. Which is something you should understand when you make a change for IT Security.
They don't need to hear perfection. They need to hear empathy. They need to know you thought this out and that you know exactly what it will mean if it fails. Because you sat on that call. The thousands of them.
Failure is pain. And they need to hear that in your voice when you tell them the plan about changing everything.
I have been through changes by people that did not understand the gravity of what they were implementing. The people they talked to probably felt it. But allowed it in grace.
One was where they broke things that were extremely nuanced in the networking of Windows.
You understand what they've done. In perfect innocent honesty. The goal they were aiming at. In naive abandon.
They did the right thing. But accomplished the wrong one. The victims will never trust us again.
Credibility is something I harp on so much in InfoSec.
Your performance relies on your credibility more than your technology. Nobody gives a shit about the fucking firewall vendor. They don't care about the nuances of injecting a TLS inspection certificate chain into 3rd-party toolchains.
They care about your credibility. It is something that is impossible to describe or prescribe, but it is the most important ingredient in your success.
With the people that matter. Who decide if your benevolent campaign gets implemented.
The thing about computer security is you get confused by benevolence.
All you wanna do is save them. You want to save them from themselves and you want to save them from the past they live under.
It is so easy that you will be cavalier. Your job is saving them. What could ever be simpler than that?
And in this frame you're gonna do the wrong thing and you're gonna ruin your credibility. Which is saving them by breaking it. If it's broken it can't hurt them. You will be proud and they will scream.
The essential question is how are you gonna save them without breaking it?
First you need to understand it. And that. That, my friends. Is the bedevilment.
Because it has to be fucking broken because it is intolerable in its current state.
You have to fix it in a way they never understand you did anything. Your job is to do nothing but change everything.