Security is a part of the “Service and Support” Group
I have been thinking a lot about work this week, and Alan Shimel's recent blog post titled "Security for the everyman" has really driven it home. Security professionals, security researchers, network and system administrators, and developers all have to realize that they are really part of the "Service and Support" group. They are not the front line personnel getting business done. It is actually the end user who is bringing in the bucks. It is end users who keep the jobs available and cash flowing throughout the technology industry. Without them we would all be hanging out looking for something to do or going back to school to learn a new skill.
I don't really think about this that much because of my background. As a Force Reconnaissance Marine I, and the majority of my buddies, knew that everything we did was to support the Marine on the front lines. Sure, we were highly trained. We could jump from planes, scuba through pitch black waters, fast rope onto a bobbing ship, sit in a bush for days on end, and shoot smiley faces in a target from 25 yards. But in the end the only thing that mattered was that we obtained the intelligence our mission required of us. This intelligence would in turn protect the front line Marines by providing them with information they might not have received otherwise. Everything from troop movements to river or surf depths: we got the information and passed it back to the people responsible for analyzing it and passing it on to our fellow Marines. In other words, we did our jobs. Additionally, because we had special training and we knew that our fellow Marines looked up to us, we showed them the utmost respect. We answered every one of their questions. We provided them with as much training as time permitted. We hung out with them at bars and were patient with them as they told us their stories and experiences.
I have been hearing a lot of talk from security professionals that seems very elitist. End users are the enemy. End users are generally too stupid to operate technology correctly, let alone securely. Well, I am here to tell you, if you are thinking this way then you have it all ass backwards. If you have come to the point where you cannot stand the people that you are supporting, then perhaps you should move on. Yes, there are a lot of stupid ideas out there. Yes, there is more than one way to skin a cat. Yes, some of the things we are currently doing either don't make sense now or will not make sense as technology evolves. But what will always remain the same is the fact that we all have to be professionals about our duties.
So, I challenge you. Stop whining about end users and start educating them. For every second that you bitch to your friends (or the public) about them, spend an additional two or three sitting down with an end user and find out what is hindering their progress toward understanding the technology and security. Stop whining about how your friends and family keep asking you how to do things at home because, after all, they are your friends and family and you have a skill they do not. Sure, if you don't have time, tell them, but get back with them, because to them the topic is important or they would not have brought it up. Stop whining about how a particular technology either does not work or should go the way of the Dodo. All technology changes and either evolves or becomes obsolete. Fine, if you think a particular piece of technology does not provide any value within your organization, then by all means you are obligated to either pass it up the chain of command or make the decision yourself to remove it from the environment. But whining about perception is just time consuming. Make a decision, one way or the other, and move on. And, by god, stop telling end users flat out that they cannot do things. Telling somebody "NO" is just going to make them want to do it that much more, and that is when they start violating policy. Instead, sit down with them and find out what they are trying to do. Have a conversation with them. If you have to tell them no, then soften it with several reasons. Don't just say "That's against policy" or "That will blow holes in our security posture." Instead, tell them the repercussions of their actions. Use real world examples of how it could affect them, their coworkers, their boss, and their jobs. People are smarter than you think, but they tend to be smart about particular things. By sitting down with end users you find out how to relate to them and how to make them understand.
Once you have done this, your next conversation with that end user will be shorter. The reason for this will be twofold: 1) You know how to talk to them so that they understand, and 2) They respect you and your decisions. Amazing. Security 2.0 in action.
With all that said, I want to remind you to watch for the Trusted Catalyst Community coming online soon. We have been working hard trying to find the best way to provide a service that will facilitate conversation and education. If this interests you, then monitor The Security Catalyst website for updates and timelines. Once we get a few more things straightened out, you will see that we have consolidated some very knowledgeable and inspirational security and technology professionals. And yes, the last post, "Selling your soul for $1," on the Security Catalyst site called end users stupid. (Dang it Ron, you're killing me.) But, as you can read, he did offer a solution and steps to correct the problem. (Good save, Ron.)
Go forth and do good things,
Cutaway
Tags: Security, administrators, StillSecure, Security Ripcord, Security Catalyst, Security 2.0
Help support my training and travel to security conferences. Get your SANS Training and GIAC Certifications through the Security Ripcord.
November 5th, 2006 at 2:13 pm
Ross Brown is not an elitist
You know, sometimes you find out more about a person in an adversarial situation than at any other time. In the case of Ross Brown, the "Security for the everyman" post set off a lengthy list of emails back and forth.
November 6th, 2006 at 5:46 pm
[...] Happy Monday, gentle readers! The above come from posts you’ll find on "Dark Reading (Top) – Kicking Some Brass" and "Security Ripcord (bottom quote) – Security is a part of the “Service and Support” Group." "stop tell(ing) end users flat out that they cannot do things." [...]
November 9th, 2006 at 10:00 pm
You are halfway there; you forgot 3) the users are right and the security professionals are standing in the way of the business. Users are generally pretty good at risk analysis, and unfortunately the security world has a lot to catch up with. Talking to them and understanding why they ignore security may give a glimpse into the way that risk analysis is done on the street as opposed to in the classroom.