Security Ripcord


Is Your Security Training a Liability?

Okay, this just blew me away today and I cannot let this behavior ride. I cannot say anything in person, so I'll have to rant here.  

First a little background.  Whenever I introduce myself as a security professional I usually have people ask me questions or express concerns.  As this is a part of the security profession I go out of my way to answer these questions and facilitate conversation.  So, today I took a little time to set up a monthly security meeting for my organization.  One hour a month to talk about information technology and computer security for home and work.  I plan on starting the meeting with a few slides on a particular topic that people have expressed interest in talking about.  I will set up the room so that everybody is seated in a circle so that they can all interact and relate their experiences.  Basically, I am making an effort to really start a proactive security environment.  Once I had the room reserved and the equipment assigned I sent out an email to the administrators group to give them a heads up that this was coming down the pipe and that the floor is open to suggested topics.  I asked them to pass the information on to their coworkers and peers.

I got my first response within about twenty minutes.  It was from a colleague who is also responsible for security within his area of the organization.  His response (and I am paraphrasing) was that he was not aware people were concerned about security.  He then advised me that he did not think that we should be speaking to people about how they can protect themselves outside of our organization because of liability concerns.    

So let's break down the real issue here.  How can a person with security responsibilities think that providing security training is a bad thing?  There are several common reasons that people think and act in this manner.  Let's cover the ones that pop into my head with examples.  There may be more; add them in the comments if you have any you would like to share.

  1. Culture – here in south Texas things do happen a little slower than most places.  It is a frickin' fact of life you just have to get used to when dealing with people here.  This slow environment cripples change or, at least, rapid change.  It is the proverbial "If it ain't broke, don't fix it" environment.  Of course there are exceptions to the rule.  There are plenty of large-scale, fast-moving businesses here (usually based in other cities), but alas that is not where I work.  Much different than north Texas or the East Coast.  I am using south Texas here as an example.  There are plenty of other regions of the US and the world that will have their own cultural reasons for doing certain things.  Look around and try to determine the ones in your area.  Another example, you ask?  Hmmm… surf time in Hawaii (we should all be so lucky to skip security training for surfing).
  2. Cover Your Ass (CYA) – I think everybody knows this one.  But when it comes to security it is just a little more important.  There are several ways to do CYA and they are all effective for a short time or when management doesn't really care to change the situation.  One way is to ignore problems and pretend they don't exist.  If we don't see it we don't know about it and we cannot fix it.  Another way is to keep everybody in the dark.  The less others know the more they are unable to directly confront the people responsible.  An even better way to CYA is to be confrontational: accuse, ask aberrant questions, point fingers, bully, etc.  Confrontation often works because many people will immediately back down to "avoid" a situation.  I am reminded of the joke rules that all men should consider when dealing with women, "Admit nothing, deny everything, counter-accuse."
  3. Pride – some people like being the go-to person.  They like handling issues and solving problems.  The more others know, the more likely they are going to be able to care for themselves, and the less likely they are going to need assistance.
  4. Lack of security training – let's face it, there are a lot of system and network administrators out there who have been assigned the duties of security.  They may or may not want these duties.  The kicker is that if management has not bought into the concept of training their administrators, then they either continue down the same path, troubleshooting security as they go, or they educate themselves and only pick up bits and pieces.  Don't get me wrong, I believe that self-training and OJT go a very long way, but there is nothing like sitting down with a seasoned security professional who is a good and proactive teacher to start a system and network administrator down the path of securing their environment.  Many of these self-trained security professionals do not realize the need to proactively educate EVERYBODY within their organization on security-related issues.

Now that I have identified the problem, what is the solution?  Well, in this case it is very obvious.  I just have to drive on with training the administrators and end-users within the organization.  The issue is not about addressing a few people who might have had a question about security.  It is not about monitoring every word that comes out of your mouth so you do not get sued.  The ultimate issue is about working and training together.  It is about becoming stronger together and protecting ourselves and the people around us as a community.  And it is the responsibility of the security professional to initiate this type of behavior, not only to make our jobs easier but to protect the community as a whole.  Another example, you say?  Okay, my sister works as a genetic microbiologist.  We have both recently decided to delve into the wondrous realm of parenthood.  Because of her background we called and talked to her about having our sons receive the standard inoculations.  She informed us that inoculations are not designed to protect the individual child from the specific diseases (although they do).  Rather, the inoculations that our children receive are designed to protect the community.  The more people who get their inoculations, the stronger the community.  The stronger the community, the less serious the occasional outbreak.  Sure, there are issues.  There may be serious outbreaks or some individuals may be adversely affected.  But because the community has worked together, these issues become manageable from the overall standpoint.  I trust that you can make the appropriate correlations.

I would also like to point out that it is hard not to take this type of response personally.  Of course, my initial reaction was exactly what this person wanted: I got pissed.  But, as I have learned from previous experience, I did not fire off an immediate reply.  I got up and left the keyboard.  "You cannot respond to that ****ing email for two hours," I told myself.  I went outside and said a few curse words under my breath (I am a Marine after all).  I reminded myself that it was just an email and any rash statements would just come across as me being confrontational.  A few minutes later I realized that my best course of action was to ignore it and just keep on driving on.

Of course, while I was writing this I did remember one thing: a book I think I will have to pick up this weekend.

Go forth and do good things,

Cutaway 


7 Responses to “Is Your Security Training a Liability?”

  1. Cutaway, you’re not alone, believe me. I’m just north of you, and I think my troublesome colleagues probably came from south Texas too. ;-)

    You just have to ignore the “whudda we need security for?” people and keep pushing for awareness. We offer classes on securing home computers, setting up wireless, and preventing identity theft, and our users are VERY grateful. Liability isn’t a concern for us, mainly because we make it clear that we’re just passing on material published elsewhere (we point them to .gov sites, for example).

    My response to my own troublemakers (not directly to them, but to someone who reported it) was, “They don’t have to like it or believe in it. They just have to do it.” At the end of the day, when security is your responsibility, you don’t have to try to get consensus.

    Keep fighting the good fight!

  2. [...] Go read this over at Security Ripcord.  You won’t be sorry (thanks to Martin for pointing it out to me).  [...]

  3. [...] Fellow Trusted Catalyst, Cutway, recently posted about an experience he had at work. I was chatting with him online when it happened, and got the chance to read his writeup the other day. I think you should read it, and you can find it here: Is Your Security Training a Liability? [...]

  4. Can security education be a liability?

  5. Hi Cutaway.

    Whilst you seem deeply concerned about your organization and its woes, you might like to look at more/other creative ways to raise security awareness. I’d recommend a book by Rebecca Herold without hesitation: “Managing an information security and privacy awareness and training program” is stuffed full of good ideas. I can’t guarantee they will all work on Southern Texans but I know some of them do.

    Kind regards,
    Gary

  6. [...] really sure how I managed to find this blog post this evening given that it’s from January, anyway it’s a rant on security training [...]

  7. [...] different areas of “risk management” can collide. The Security Ripcord blog has a post describing how the author tried to set up a series of monthly security meetings for staff at the [...]
