Anytime you do anything, no matter how small or big, there will always be three groups of people involved. How we interact with these groups can affect the outcome of our decisions and projects. If you don’t know they exist it can be detrimental to what you’re working on. If you know who they are and how to deal with them, a great deal of pain can be avoided, and you will put yourself in a better position to succeed.

The first group are those who agree with whatever is it you’re doing. This group is easy to deal with as they are already in agreement. You don’t have to do anything special with this group. We’re not going to spend any time talking about them.

The second group is reasonable people who will listen to what you have to say. Some will come to agree with you, some won’t. The ones who don’t agree with you possibly won’t even tell you they disagree with you. If what you’re doing is a good idea you’ll get almost everyone in the second group to support you, if you don’t ignore them. This is the group you ignore the most, but it’s where you should put most of your energy.

The third group is filled with unreasonable people. These are people that you can prove your point beyond a reasonable doubt and they still won’t believe you. There is absolutely nothing you can say to this group that will make a difference. These are the people who deny evidence, you can’t understand why they deny the facts, and you will spend most of your time trying to bring them to your side. This group is not only disagreeable, its’ dangerous to your cause. You waste your time with the third group while you alienate the second group. This is where most people incorrectly invest almost all their time and energy.

The second group will view the conversations between the first group and the third group and decide they’re both insane. Members of the first and third group are generally there for some emotional reason. They’re not always using facts or reality to justify their position. You cannot convince someone if they believe they have the moral high ground. So don’t try.

Time spent trying to convince the third group is time not spend engaging the second group. Nobody wants to be ignored.

The Example

As always, these concepts are easier to understand with an example. Let’s use climate change because the third group is really loud, but not very large.

The first group are the climate scientists. Pretty much all of them. They agree that climate change is real.

The second group is most people. Some have heard about climate change, a lot will believe it’s real. Some could be a bit skeptical but with a little coddling they’ll come around.

The third group are the deniers. These people are claiming that CO2 is a vegetable. They will never change their minds. No really never. I bet you just thought about how you could convince them just now. See how easy this trap is?

The first group spends huge amounts of time trying to talk to the third group. How often do you hear of debates, or rebuttals, or “conversations” between the first and third group here. How often do you hear about the scientists trying to target the second group? Even if it is happening it’s not interesting so only first-third interactions get the attention.

The second group will start to think the scientists are just as looney as the third group. Most conversations between group one and three will end in shouting. A reasonable person won’t know who to believe. The only way around this is to ignore the third group completely. Any time you spend talking to the third group hurts your relationship with the second group.

What now?

Start to think about the places you see this in your own dealings. Password debates. Closed vs open source. Which language is best. The list could go on forever. How do you usually approach these? Do you focus on the people who disagree with you instead of the people who are in the middle?

The trick with security is we have no idea how to even talk to the second group. And we rather enjoy arguing with the third. While talking to the second group can be tricky, the biggest thing at this point is to just know when you’re burning time and good will by engaging with the third group. Walk away, you can’t win, failure is the only option if you keep arguing.

Join the conversation, hit me up on twitter, I’m @joshbressers

How many times have you tried to get buyin for a security idea at work, or with a client, only to have them say “no”. Even though you knew it was really important, they still made the wrong decision.

We’ve all seen this more times than we can count. We usually walk away grumbling about how sorry they’ll be someday. Some of them will be, some won’t. The reason is always the same though:

You’re bad at talking to the business world

You can easily make the argument that money is a big motivator for a business. For some it’s the only motivator. Businesses want save money, prevent problems, be competitive, and stay off the front page for bad news. The business folks don’t care about technical details as much as they worry about running their business. They don’t worry about which TLS library is the best. They want to know how something is going to make their lives easier (or harder).

If we can’t frame our arguments in this context, we have no argument we’re really just wasting time.

Making their lives easier

Anytime there’s some sort of vacuum, something will appear to fill the gap. In this context we’re going to look at what’s filling the vacuum in security. There are a lot of smart people, but we’re failing horribly at getting our message out.

The answer to this isn’t simple. You have to look at what’s getting attention that doesn’t deserve to get attention. Just because we know a product, service, or idea is hogwash doesn’t mean non security people know this. They have to attempt to find someone to trust, then listen to what they have to say. Unfortunately when you’re talking about extremely complex and technical problems, they listen to whoever they can understand as there’s no way they can determine who is technically more correct. They’re going to follow whoever sounds the smartest.

If you’ve never seen the musical “The Music Man” you should. This is what we’re dealing with.

Rather than dwell on it and try to call out the snake oil, we should put our effort into the messaging. We’ll never have a better message than this group, but we really only need to be good enough, not perfect. We always strive for our messages to be perfect, but that’s an impossible goal. The goal here is to sound smarter than the con men. This is harder than it sounds unfortunately.

We can use the crypto backdoor conversation as a good example. There are many groups claiming we should have backdoors in our crypto to keep ourselves safer. Security people know this is a bad idea, but here’s what the conversation sounds like.

Them

We need crypto backdoors to stop the bad guys, trust us, we’re the good guys

Us

, backdoors don’t work

We don’t do a good job of telling people why backdoors dont’ work. Why should they trust us, why don’t backdoors work, who will keep us safe? Our first instinct would be to frame the discussion like this:

1. Backdoors never work
2. Look at the TSA key fiasco
3. Encryption is hard, there’s no way to get this right

This argument wont’ work. The facts aren’t what are important. You have to think about how you make people feel. We just confused them, so now they don’t like us. Technical details are fine if you’re talking to technical people, but any decent technical person probably doesn’t need this explained.

We have to think about how can we make people feel bad about encryption backdoors? That’s the argument we need. What can we say that gives them the feels?

I don’t know if these work, they’re just some ideas I have. I’ve yet to engage anyone on this topic.

What are things people worry about? They do value their privacy. The old “if you have nothing to fear you have nothing to hide” argument only works when it’s not your neighbor who has access to your secrets.

Here’s what I would ask

Are you OK with your neighbor/wife/parent having access to your secrets?

Then see where to conversation goes. You can’t get technical, we have to focus on emotions, which is super hard for most security people. If you try this out, let me know how it goes.

Join the conversation, hit me up on twitter, I’m @joshbressers

The security people are currently losing the battle to win the hearts and minds of the people. The war is far from over but it’s not currently looking good for our team.

As with all problems, if there is a vacuum, something or someone end up filling it. This is happening right now in security. There are a lot of really smart security people out there. We generally know what’s wrong, and sometimes even know how to fix it, but the people we need to listen aren’t. I don’t blame them either, we’re not telling them what they need to know.

On the other side though, we also think we understand the problems, but we don’t really. Everything we know comes from an echo chamber inside a vacuum. We understand our problems, not their problems.

We have to move our conversations into the streets, the board rooms, and the CIO offices. Today all these people think we’re just a bunch of nuts ranting about crazy things. The problem isn’t that we’re all crazy, it’s that we’re not talking to people correctly, which also means we’re not listening either.

We have to stop talking about how nobody knows anything and start talking about how we’re going to help people. Security isn’t important to them, they have something they want to do, so we have to help them understand how what we do is important and will help them. We have to figure out how to talk about what we do in words they understand and will motivate them.

How many times have you tried to explain to someone why they should use a firewall and even though it should have been completely obvious, they didn’t use it?

How many times have you tried to get a security bug fixed but nobody cared?

How many times have you tried to get a security feature, like stack protector, enabled by developers but nobody wanted to listen?

There are literally thousands of examples we could cover. In virtually every example we failed because we weren’t telling the right story. We might have thought we were talking about security, but we really were saying “I’m going to cost more money and make your life harder”.

It’s time we figure out how to tell these stories. I don’t have all the answers, but I’m starting to notice some patterns now that I’ve escaped from the institution.

There are three important things we’re going to discuss in the next few posts:

1. What’s filling the vacuum?
2. How do we talk to the business world?
3. How do we talk to normal people?

One the hardest things we have to do is to build trust.

It’s not hard for everyone, just us specifically. It’s not in our nature.

Security people tend not to trust anyone. Everything we do is based on not trusting anyone, it’s literally our job. Trust is a two way street. If you expect someone to trust you, you have to trust them to a certain degree. This is our first problem. We don’t trust anybody, for good reason often, but it’s a problem. We have to learn how to trust others so we can get them to trust us. This is of course easier said than done. Would you trust someone with your password? I wouldn’t, but a lot of people do. This is a place where they won’t understand why we don’t trust them. Of course sharing a password isn’t a great idea, but that’s not the point.

I have a recent example that sort of explains the problem. It’s not related to security, but the idea is there. A friend does graphic design work and was tasked to create a logo. This is easy enough, he made a few rather nice logos for the client to choose from, but then things went crazy. None were good enough, so they just kept bikeshedding the logos. The designer was of course very upset as this isn’t productive and honestly, the end result always ends up looking almost exactly like one of the first few logos. Furthermore, the people commenting aren’t graphics people, so many of the suggestions were just silly. Because they didn’t trust the designer, now the designer doesn’t trust them.

So how could this scenario have gone down? Ideally you look at what the designer gives you, you can give some feedback along what you think, things like “It has too many colors” or “It’s not bright enough”, not “The second letter A should be 3 piexels to the left”. You have to trust your designer will give you something that does what you need it to do. It won’t be perfect, it just has to be good enough. And in time as trust is built between you and the designer, the results will just keep getting better.

How many times have you sent back a presentation or whitepaper because it wasn’t perfect? Or decided to just do something yourself because the writer wasn’t doing a good enough job? Those people no longer like you. They think you’re a rude inconsiderate jerk. They’re probably right.

You can’t just show up and demand trust, that never works. You can’t demand perfection. Everyone is good at their own things, you have to trust that if you’re working with a writer, or designer, or developer, they’re going to do a job that’s good enough, possibly better than you could ever do, if you let them.

Join the conversation, hit me up on twitter, I’m @joshbressers

We can’t.

You think you can, but you can’t. This reminds of the Feynman video where he’s asked how magnets work and he doesn’t explain it, he explains why he can’t explain it.

Our problem is we’re generally too clever to know when to stop. There are limits to our cleverness unfortunately.

I’m picking on buffer overflows in this case because they’re something that’s pretty universal throughout the security universe. Most everyone knows what they are, how they work, and we all think we could explain it to our grandma.

There are two problems here.

1) You can’t explain away some of the fundamental principals behind computing.

Even if we want to take away as much technical detail as possible, there are some basic ideas that regular people don’t know. Computers are magic to most people. When I say most people I mean probably 90% or more of the people. When I say magic, I mean actual magic, not the joking sort of “I really know this isn’t magic but I’m being funny”. All they know is they push this button and they can pay their bills. They have zero idea what’s going on. If someone doesn’t understand the difference between a CPU, RAM, and a potato, how on earth will you explain the instruction register to them?

2) They don’t care.

Most people just don’t genuinely care. Some will pretend to be nice, but a lot won’t even do that. Even if we found a nice way to explain this stuff (which we can’t), We can’t make people care what we’re saying. If we’re dealing with the likes of a CIO or CEO, they don’t care what a buffer overflow is, they don’t care how Heartbleed works. They have their goals and while security is important, it’s not why they wake up each morning. Some people think they care, but then when we start to talk, they figure out they really don’t. Most are nice enough they will let us talk while they’re thinking about eating cookies.

So what do we do about it?

The answer is to drive the discussion around the problems. Rather than trying to explain technical details to someone, we have to build trust with them. They need to be able to trust us on some level. If there’s a buffer overflow in something, we need to be able to say “here is the patch” or “here is how we can fix this” for example. Then if we’ve built up trust, we don’t have to try to explain exactly what’s going on, just that it’s something we should care about.

We’ll cover how to build trust in the next post.

Join the conversation, hit me up on twitter, I’m @joshbressers

Sometimes it’s really hard to be nice to someone. This is especially true if you think they’re not very smart. Respect is a two way street though. If you think someone’s an idiot, they probably think you’re an idiot. You’re both going to end up right once it’s all over though.

As an industry we overestimate how much people know about security, which I think is the root of our problem.

I was talking to a peer of mine one day and was complaining about someone not understanding what I thought was an obvious security concept (I don’t recall the details anymore, but it’s irrelevant). She then said to me words I will never forget “I think you overestimate how much everyone else knows about security”.

That statement changed my life. It’s why I’m writing this blog now.

I’ve been paying attention to security for longer than I can remember. It’s been at least 20 years, probably more. I was a teenager back when I started this journey. It’s easy sometimes to think someone should just know something, it’s all so obvious! When they don’t, we of course decide they’re dumb and we stop respecting them. I remember in my younger days being just brutal to people who didn’t know something I did. It was all quite silly really.

The next time there’s a clear misunderstanding, here’s what you need to do. Stop talking and listen first. See what they’re saying. Do they sort of get it? Do they not get it at all? Are they making up nonsense? Listening is easy and you can always start to think about donuts if you get bored. I won’t lie, some people are just giant bags of gas, most aren’t though.

Now, once you start to understand the other person, try to speak their language. Use words they understand. Terms like buffer overflow, XSS, remote code execution, DoS, APT, these don’t matter to most people. They’re all “security bugs”. We’ll talk about language in the future, but for now, just be patient. Your patience will be worth more than anything else you do. Remember that everyone knows something you don’t, so while they need your help for security, you need their help for something else, even if you don’t know what that is yet.

Some people won’t deserve your respect, I’m not suggesting we become whipping posts, but the majority of people you should probably pay attention to. Just slow down long enough to talk to them properly. You’ll be amazed what you’ll learn.

Join the conversation, hit me up on twitter, I’m @joshbressers

How many times have you been afraid to say something about security because you knew if you’re wrong, you’re going to be destroyed in public about it by your peers?

How many times did you try really hard to completely discredit someone who said something wrong about security?

How many times have you been wrong but still argued because you didn’t want to admit it?

How many good ideas never saw the light of day because of this?

I think one of the bigger problems the security industry tends to have is a trait for being overly pedantic. This is true of technical people in general, but in security we turn it up to 11. Now don’t get me wrong, sometimes you need this, there’s no such thing as crypto that’s half right. When we work with normal people though, we can’t be so pedantic.

This of course isn’t a hard and fast rule. Sometimes we need the details to be correct, sometimes we don’t. You have to use your best judgement, but if you’re not sure I suggest you lean toward being understanding (rather than overly critical).

Let’s go through some examples, just for fun.

Question“Hey guys, I’m trying to understand if this patch is correct for a buffer overflow, could someone give it a review?”
Answer“Actually that bug was a buffer overflow caused by an integer overflow.”

We just ensured this person will never ask us for help again. This is a detail they probably don’t really care about. Is the patch right? If not, help them understand what’s going on. Use small words. If they ask questions, be patient. The right way to answer this would have been to look at the patch and ack it if it works, or offer advice on how to fix it if it’s still not done.

Question“Hi everybody, I’m working on adding SSL support to my application. The documentation isn’t great though, are there any examples I could look at?”
Answer“SSL is dead, use TLS!”

While that answer is technically correct (which is the best kind of correct), it’s still not helpful. When you give someone an answer, we have to try and be helpful. If you’re dealing with another security person you can probably be borderline unhelpful as they should know better, but remember, normal people think we’re all crazy, don’t support this theory.

Most people call TLS SSL because they don’t know the difference, honestly to most people there is no difference. The differences between TLS and SSL are huge of course, but if someone is looking for help to enable TLS in their application and they decide to call it SSL, it’s an opportunity to educate them. They don’t need to be experts, but if you’re using a crypto library, you need to sort of know what’s gong on.

And finally.

Question“Hey, I need help with a new XOR encryption algorithm I’m building.”
Answer“You’re an idiot”

This one is probably OK 😉

If you have any examples to share, I’d love to collect them to use in the future.

By being patient and understanding is how we build trust. You don’t build trust by being harsh. We’ll never make a difference with most people without trust, so this is important. Now when you’re dealing with some technical people, this is the exact opposite, it’s the old show me the code argument, it doesn’t matter how nice you are, if your code is trash you’re not trusted or respected. This doesn’t work with regular people though. They don’t get warm fuzzies form reading code, they like to talk to people in a civilized manner using words they understand.

It’s not easy, but we should all be smart enough to figure it out. Good luck.

Join the conversation, hit me up on twitter, I’m @joshbressers