Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Don’t ask me, ask that guy over there.

It occurred to me the other day that while it’s always fun to talk security with analysts (hell, who doesn’t like being asked for their opinion?), they probably shouldn’t be talking to me.  Or at least, they shouldn’t be talking exclusively to me.

The security community is a pretty self-selecting group.  If you only interview people on Twitter, people who blog about security (or comment on those blogs), or people who go to security conferences, you’re not getting an accurate picture of the security landscape.  You’re ignoring the vast majority of people who are responsible in some way for the security of their networks, but (a) don’t know it, (b) don’t care, and/or (c) don’t have the knowledge or management backing to do anything about it.

How many organizations out there consider data breach notification laws to be completely irrelevant to them?  Not because they aren’t applicable, but because the organization’s security state is so abysmal that they wouldn’t know a data breach if it sent them a strippergram with their own money?  How many are falling through the cracks of compliance because they’re too small, in the wrong industry, or simply trapped in the security ghetto?  How many are not in Verizon’s breach database because it would never occur to them to call?

On the one hand, the answers will probably make you depressed.  On the other hand, those of you who are lusting after accurate data will probably regard anything that expands our state of knowledge as something to be pursued.  We need more outreach—not for the sake of selling more security widgets or services, but simply to bridge the security divide.

Posted by shrdlu on Sunday, December 27, 2009

Comments

cm United States on 01/03 at 03:20 AM:

What an ignorant, smug and self-valorizing post.  Do you really believe that ‘Tweeting’, blogging & attending security conferences somehow magically transforms the participants into guardians of the common good while relegating all others to membership in the Evil Empires of sloth and insecurity?

Perhaps some who do not tweet, blog or schlep to every overpriced conference are busy doing their jobs and keeping up to date with technology. Is that at all possible?

Perhaps some who obsess over tweeting, blogging and patting backs at conferences are more dedicated to self-promotion and marketing their personal ‘brand’ than actually doing their job and protecting systems. Is that possible or was that an unfair comment?

shrdlu United States on 01/03 at 09:35 AM:

My, that’s an amazing straw man you’ve got there, buddy.  Nicely done.

I did say “majority,” not “all.”  However, if you have some accurate numbers to share, let’s have ‘em.  Personally, I have yet to meet someone who does NOT at least read security blogs who can manage security at the level of those who do.  (That would include yourself, by the way—or how is it that you managed to find your way here?)  If you’re not at least dipping a toe in teh Internets, how are you supposed to secure against it?

My point was that analysts SHOULD be talking to the people who are NOT self-selecting by posting/tweeting/whatever.  Why do you have a problem with that?

Oh.  It might require you to undergo a massive, potentially dangerous chipectomy from that shoulder.  Sorry about that.

c United States on 01/03 at 11:23 PM:

Thank you for the compliment. I have no problem with communication (especially the nasty kind) yet I acknowledge civility is often more constructive.  I agree with your chipectomy diagnosis and prescription yet I confess that ‘she’ keeps me warm at night. We like to cuddle and her name is Edwina. Take care.
