Tonight I’ll be trying something new. I recently submitted my first CFP to a security conference and was accepted for a Firetalk at Shmoocon. As many of you know, I have a love/hate relationship with the security industry. But the intention of this presentation is to transcend my complaining-mind and offer some positive strategies for change in our profession. It’s an attempt at a paradigm shift out of the reactivity so common in this field. The following is an excerpt from my abstract:
Why is the security industry so full of fail? We spend millions of dollars on firewalls, IPS, IDS, DLP, professional penetration tests and assessments, vulnerability and compliance tools and at the end of the day, the weakest link is the user and his or her inability to make the right choices. It’s enough to make a security engineer cry. The one thing you can depend upon in an enterprise is that many of our users, even with training, will still make the wrong choices. They still click on links they shouldn’t, respond to phishing scams, open documents without thinking, post too much information on Twitter and Facebook, use their pet’s name as passwords, etc. But what if this isn’t because users hate us or are too stupid? What if all our complaints about not being heard and our instructions regarding the best security practices have more to do with our failure to understand modern neuroscience and the human mind’s resistance to change?
Basically, I’m trying to say that many of the failures in security start with us, not the users. We fail to see that this is a human problem, not a technical one. The talk will be streamed live here between 8 and 10 PM on 1/27/12, but I’ll probably follow up by posting a recorded version with the slides after the conference. As always, I value any feedback from the Packetpushers community, which has been so supportive over the last year, both personally and professionally.
UPDATE: The recorded talk can be found online here. Or watch below.