The security people are currently losing the battle to win the hearts and minds of the people. The war is far from over but it’s not currently looking good for our team.
As with all problems, if there is a vacuum, something or someone ends up filling it. This is happening right now in security. There are a lot of really smart security people out there. We generally know what’s wrong, and sometimes even know how to fix it, but the people we need to listen aren’t. I don’t blame them either, we’re not telling them what they need to know.
On the other side though, we also think we understand the problems, but we don’t really. Everything we know comes from an echo chamber inside a vacuum. We understand our problems, not their problems.
We have to move our conversations into the streets, the board rooms, and the CIO offices. Today all these people think we’re just a bunch of nuts ranting about crazy things. The problem isn’t that we’re all crazy, it’s that we’re not talking to people correctly, which also means we’re not listening either.
We have to stop talking about how nobody knows anything and start talking about how we’re going to help people. Security isn’t important to them, they have something they want to do, so we have to help them understand how what we do is important and will help them. We have to figure out how to talk about what we do in words they understand and that will motivate them.
How many times have you tried to explain to someone why they should use a firewall and even though it should have been completely obvious, they didn’t use it?
How many times have you tried to get a security bug fixed but nobody cared?
How many times have you tried to get a security feature, like stack protector, enabled by developers but nobody wanted to listen?
There are literally thousands of examples we could cover. In virtually every example we failed because we weren’t telling the right story. We might have thought we were talking about security, but we really were saying “I’m going to cost more money and make your life harder”.
It’s time we figure out how to tell these stories. I don’t have all the answers, but I’m starting to notice some patterns now that I’ve escaped from the institution.
There are three important things we’re going to discuss in the next few posts:
- What’s filling the vacuum?
- How do we talk to the business world?
- How do we talk to normal people?