Security Is Like an Onion, That’s Why It Makes You Cry


Tonight I’ll be trying something new. I recently submitted my first CFP to a security conference and was accepted for a Firetalk at Shmoocon. As many of you know, I have a love/hate relationship with the security industry. But the intention of this presentation is to transcend my complaining-mind and offer some positive strategies for change in our profession. It’s an attempt at a paradigm shift out of the reactivity so common in this field. The following is an excerpt from my abstract:

Why is the security industry so full of fail? We spend millions of dollars on firewalls, IPS, IDS, DLP, professional penetration tests and assessments, vulnerability and compliance tools, and at the end of the day the weakest link is the user and his or her inability to make the right choices. It’s enough to make a security engineer cry. The one thing you can depend upon in an enterprise is that many of our users, even with training, will still make the wrong choices. They still click on links they shouldn’t, respond to phishing scams, open documents without thinking, post too much information on Twitter and Facebook, use their pet’s name as a password, etc. But what if this isn’t because users hate us or are too stupid? What if all our complaints about not being heard, and our instructions regarding best security practices, have more to do with our failure to understand modern neuroscience and the human mind’s resistance to change?

Basically, I’m trying to say that many of the failures in security start with us, not the users. We fail to see that this is a human problem, not a technical one. The talk will be streamed live here between 8 and 10 PM on 1/27/12, but I’ll probably follow up by posting a recorded version with the slides after the conference. As always, I value any feedback from the Packetpushers community, which has been so supportive over the last year, both personally and professionally.

UPDATE: The recorded talk can be found online here. Or watch below.

About Mrs. Y

Mrs. Y is a recovering Unix engineer working in network security. Also the host of Healthy Paranoia and official nerd hunter. She likes long walks in hubsites, traveling to security conferences and spending time in the Bat Cave. Sincerely believes that every problem can be solved with a "for" loop. When not blogging or podcasting, can be found using up her 15 minutes in the Twittersphere or Google+ as @MrsYisWhy.

  • Fernando Montenegro

    Looking forward to the recording (can’t catch the livestream).

    I think one element often ignored in these discussions is that a practitioner’s ‘acceptable level of risk’ is likely different than an executive’s: in other words, an unpatched server does not necessarily a crisis make…

    I know it may not be a popular opinion, but in the grander scheme of things, being pwned and having to clean up later *may be* an acceptable compromise to the “business” and it is our job as professionals to advise/execute to the best of our abilities but that’s it, no taking matters into our hands (cue in Terry Childs).

    Hoping that your talk (or subsequent discussions) explores this scenario.

  • Phil Ashman

    Understanding the people factor has always been a challenge for many IT professionals. I often discuss the fact that the challenge is often not the technical implementation, but the politics, culture and communicating realistic and not overly dramatic consequences to spread awareness.

    Great to actually see Mrs Y in person..;)