How many times have you tried to get buyin for a security idea at work, or with a client, only to have them say “no”. Even though you knew it was really important, they still made the wrong decision. We’ve all seen this more times than we can count. We usually walk away grumbling about how sorry they’ll be someday. Some of them will be, some won’t. The reason is always the same though: ...

Anytime there’s some sort of vacuum, something will appear to fill the gap. In this context we’re going to look at what’s filling the vacuum in security. There are a lot of smart people, but we’re failing horribly at getting our message out. The answer to this isn’t simple. You have to look at what’s getting attention that doesn’t deserve to get attention. Just because we know a product, service, or idea is hogwash doesn’t mean non security people know this. They have to attempt to find someone to trust, then listen to what they have to say. Unfortunately when you’re talking about extremely complex and technical problems, they listen to whoever they can understand as there’s no way they can determine who is technically more correct. They’re going to follow whoever sounds the smartest. ...

The security people are currently losing the battle to win the hearts and minds of the people. The war is far from over but it’s not currently looking good for our team. As with all problems, if there is a vacuum, something or someone end up filling it. This is happening right now in security. There are a lot of really smart security people out there. We generally know what’s wrong, and sometimes even know how to fix it, but the people we need to listen aren’t. I don’t blame them either, we’re not telling them what they need to know. ...

One the hardest things we have to do is to build trust. It’s not hard for everyone, just us specifically. It’s not in our nature. Security people tend not to trust anyone. Everything we do is based on not trusting anyone, it’s literally our job. Trust is a two way street. If you expect someone to trust you, you have to trust them to a certain degree. This is our first problem. We don’t trust anybody, for good reason often, but it’s a problem. We have to learn how to trust others so we can get them to trust us. This is of course easier said than done. Would you trust someone with your password? I wouldn’t, but a lot of people do. This is a place where they won’t understand why we don’t trust them. Of course sharing a password isn’t a great idea, but that’s not the point. ...

We can’t. You think you can, but you can’t. This reminds of the Feynman video where he’s asked how magnets work and he doesn’t explain it, he explains why he can’t explain it. Our problem is we’re generally too clever to know when to stop. There are limits to our cleverness unfortunately. I’m picking on buffer overflows in this case because they’re something that’s pretty universal throughout the security universe. Most everyone knows what they are, how they work, and we all think we could explain it to our grandma. ...

Sometimes it’s really hard to be nice to someone. This is especially true if you think they’re not very smart. Respect is a two way street though. If you think someone’s an idiot, they probably think you’re an idiot. You’re both going to end up right once it’s all over though. As an industry we overestimate how much people know about security, which I think is the root of our problem. ...

How many times have you been afraid to say something about security because you knew if you’re wrong, you’re going to be destroyed in public about it by your peers? How many times did you try really hard to completely discredit someone who said something wrong about security? How many times have you been wrong but still argued because you didn’t want to admit it? How many good ideas never saw the light of day because of this? ...

You’re probably bad at talking to people. I don’t mean your friends you play D&D or Halo or whatever hip game people play now, I mean humans, like the guy who serves you coffee in the morning. We’ve all had more than once instance where we said something and ended up with a room full of people staring at us because it wasn’t terribly nice or thoughtful. At the time you had no idea anything was wrong, you still might not. ...