What Does Security Mean to the “Unwashed Masses”?

There is a great deal of wisdom contained in the well-known idea that we can each learn something from everyone we meet. As you may have already guessed, I’d like to take a look at this concept from a security perspective. To understand what I mean by this, and how we can learn security lessons from everyone, let’s dig a bit deeper into the idea.

We all know many people who have little to no involvement with the information security community. For example, most of us interact with our friends, neighbors, family members, and other non-security people on a regular basis. But how many of us have looked to these people to learn security lessons? At first, you might think it sounds a bit crazy to look to these people as a source of security lessons. As I explain my reasoning, my hope is that the value of doing so will become clear.

To learn security lessons from the “unwashed masses”, we must first understand what security means to them. The information I have is based on my own informal polling, along with discussions with other security professionals on the topic. While certainly not a scientific assessment, when I ask non-security people what security means to them, I generally get one of four responses:

1) Don’t you fix laptops? / It’s all computers, right? / Can you help me fix my laptop?

2) I’ve gotten a new credit card four times in the last two years.

3) Someone hacked my email account. How did that happen?

4) Why do hackers keep stealing so much information from government and business? Why does this keep happening and why are we letting them get away with it?

If you think these four responses sound elementary, childish, or uneducated, then I would ask you to reconsider that viewpoint. These responses give us stark insight into the way that most people outside of our profession think about security. They focus on how it affects them and want to understand why it affects them. Because of that, we need to take a lesson from these responses. But what lesson should we take?

Let’s face it. Most people in the world in which we live are not very security literate. They struggle to make sense of the barrage of information that is constantly coming at them, including all of the hype and FUD that is out there. Of course, to those of us who try to communicate different ideas around the topic of security to the “unwashed masses”, this makes our job much more difficult.

If we are to have any chance of reaching the non-security masses with our security message, we have to do it in terms they are comfortable with. That means relaying, communicating, and socializing complex security topics, concepts, practices, and explanations in everyday terms. It means embracing people’s thirst for knowledge, rather than condescending, casting them aside, or looking upon them unfavorably because they aren’t in the know. Educate. Try to help. Don’t lecture. Don’t mock. Don’t condescend. Don’t think you’re better.

Like it or not, security comes at a cost to both organizations and individuals. Sometimes, the cost is monetary, while other times, the cost involves convenience or time. Of course, the costs of ignoring security can be far greater in the long run, and it is our job to help non-security people understand that. That requires the ability to relay the value of security efforts in everyday terms that can help gain support and budget for those efforts. That budget can then ultimately be used to improve security in accordance with our vision. But we won’t get there by mocking people and throwing 140-character tantrums on Twitter.

How can we accomplish this goal? It starts by being constructive.

Sometimes I think that the security community has forgotten the concept of being constructive. It seems that criticism and snarkiness lurk nearly everywhere I turn, but sadly, constructive dialogue is often rare. Further, the demeanor of our discourse is often unpleasant at best. You might ask: If that is the personality of many in the security community, what is the issue with this?

The issue with this would seem to be that we are not getting our message across to a world that desperately needs to internalize it. The end result of our demeanor is that many people and organizations that are in need of a dialogue with the security community simply tune us out. Who wants the headache of dealing with a bunch of cynical, negative curmudgeons?

Although there is no silver bullet that will cause the world to pay attention to the security community, I believe that a move to a more constructive approach would help. I see a lot of activity around criticizing ideas, and sometimes, unfortunately, attacking or ridiculing people and organizations. Might I humbly suggest that the world has little patience for this and that this actually hurts our cause?

I am not advocating that we cease thinking critically about the many important issues confronting the security community. Rather, I am advocating quite the contrary. In my experience, constructive approaches to address the issues we are passionate about are far more effective. After all, most people are happy to be educated about a variety of issues. But if we have only a stream of negativity and no constructive alternative to offer them, what can they really take away from the exchange of ideas that they can implement or otherwise take action on?

Over the years I have seen that, in practice, the best response to an idea, a policy, a practice, an approach, or anything else that doesn’t sit right with us is a constructive alternative. There is no need to tear down that which we take issue with, particularly if we don’t have all of the facts. If our alternative is good, and if we are able to adequately communicate its value, it will stand on its own.

The next time you want to take the road less traveled, it may be helpful to think about this point. Which style do you think will be more effective for you and produce the results you are after: To attack that which you disagree with, or to eloquently communicate a constructive alternative?

As an added bonus, this principle works well in life in general. It is a principle that can be applied broadly, well beyond the borders of information security. It’s not naive to be positive and an optimist. It’s really the only way forward, particularly in a world that is thirsty for constructive security ideas they can understand, relate to, and internalize. I’m positive.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
