In 2017, I wrote a SecurityWeek article entitled “All Hail The Ambulance Chasers of Security”. In the article, I delved into some of the reasons why “Ambulance Chasing” does a disservice to the security community as a whole. Recent events have reminded us that, unfortunately, over the nearly seven years since I wrote that article, this is something that we as a community still struggle with.
In my 2017 article, I also discussed another bad habit of our community – mocking. Indeed, the security community has no shortage of those who seem to relish any opportunity to mock those who are going through difficult times. This too is detrimental to our community as a whole.
In this piece, I’d like to discuss five reasons why “Ambulance Chasing” and mocking harm the security profession and are never a good idea:
- It could happen to you: There is an old saying that goes: “People in glass houses shouldn’t throw stones.” Per the Cambridge Dictionary, this saying “means that you should not criticize other people for bad qualities in their character that you have yourself.” Indeed, how many of us in the security profession would bet even one paycheck that we would never encounter an embarrassing breach, software update gone wrong, or another such difficult event? Would you want to be mocked if it happened to you? Doubtful. Instead, you would likely want to remediate the issue, study what went wrong, seek constructive criticism and helpful feedback, compile lessons learned, and improve as a result. That is a much better way to handle a difficult situation.
- It isn’t helpful to those toiling: “Ambulance Chasing” and mocking don’t help those toiling to resolve a critical issue. In fact, they can be quite frustrating, annoying, and distracting to those in the trenches during a crisis. It shouldn’t come as a surprise that a team that chose to go with vendor X or that implemented process Y doesn’t want to be the butt of jokes when those choices lead to a critical situation. In fact, people and organizations that make jokes or target victims often do themselves a significant disservice.
- You don’t have all the answers: News flash, your solution isn’t going to solve all the problems that the security team is dealing with, no matter how critical the situation. Pounding the drum of “if you only had our product or solution” isn’t going to win you any favor. As with the previous point, it may in fact have exactly the opposite effect. Modern enterprises are sufficiently complex, as are the security risks and challenges that need to be mitigated and addressed. It is often the case that a mix of people, process, and technology is required to address different risks and challenges. Claiming that your solution is the answer is not helpful, particularly during a time of crisis.
- Constructive dialogue is needed: I’ve never heard anyone I respect say, “we need more immature rhetoric in the security profession.” Not surprisingly, the best security professionals I know regularly and repeatedly call for constructive dialogue. Critical situations, while trying and difficult, are unique opportunities to learn together as a community. They have the potential to foster serious dialogue that will allow us to move forward as a community on specific issues. That is, if we let them, of course. Otherwise, these unique opportunities quickly devolve into immature rhetoric that is more harmful than helpful.
- Security as a field needs to mature: As time has gone on, security as a profession has migrated from relative obscurity to being far more well-known. It is long past the time that we as a field mature. Security needs to be part of the business and taken seriously as a critical function within the business. This means building partnerships both within the enterprise and externally to accomplish our goals of allowing the business to function more securely and with lower risk. “Ambulance Chasing” and mocking cause those outside the security world to look at us as though we are still an obscure profession. A more mature dialogue and a more professional demeanor will serve us well by making the business more interested in partnering with the security team. Conversely, immature dialogue will have exactly the opposite effect, making it significantly harder for us to accomplish our goals.
I am often disheartened by certain behaviors I observe when there is a big incident or a crisis in the security field. While security practitioners are busy toiling away in the trenches, there are, unfortunately, some who seem bent on engaging in “Ambulance Chasing” and mocking. Engaging in these practices does a disservice to the security profession as a whole and sets us back in our efforts to better protect our enterprises.