What Does Security Mean to the “Unwashed Masses”?

There is a great deal of wisdom contained in the well-known idea that we can each learn something from everyone we meet. As you may have already guessed, I’d like to take a look at this concept from a security perspective. To understand what I mean by this, and how we can learn security lessons from everyone, let’s dig a bit deeper into the idea.

We all know many people who have little to no involvement with the information security community. For example, most of us interact with our friends, neighbors, family members, and other non-security people on a regular basis. But how many of us have looked to these people to learn security lessons? At first, you might think it sounds a bit crazy to look to these people as a source of security lessons. As I explain my reasoning, my hope is that the value of doing so will become clear.

To learn security lessons from the “unwashed masses”, we must first understand what security means to them. The information I have is based on my own informal polling, along with discussions with other security professionals on the topic. While certainly not a scientific assessment, when I ask non-security people what security means to them, I generally get one of four responses:

1) Don’t you fix laptops? / It’s all computers, right? / Can you help me fix my laptop?

2) I’ve gotten a new credit card four times in the last two years.

3) Someone hacked my email account. How did that happen?

4) Why do hackers keep stealing so much information from government and business? Why does this keep happening and why are we letting them get away with it?

If you think these four responses sound elementary, childish, or uneducated, then I would ask you to reconsider that viewpoint. These responses give us stark insight into the way that most people outside of our profession think about security. They focus on how it affects them and want to understand why it affects them. Because of that, we need to take a lesson from these responses. But what lesson should we take?

Let’s face it. Most people in the world in which we live are not very security literate. They struggle to make sense of the barrage of information that is constantly coming at them, including all of the hype and FUD that is out there. Of course, to those of us who try to communicate different ideas around the topic of security to the “unwashed masses”, this makes our job much more difficult.

If we are to have any chance of reaching the non-security masses with our security message, we have to do it in terms they are comfortable with. That means relaying, communicating, and socializing complex security topics, concepts, practices, and explanations in everyday terms. It means embracing people’s thirst for knowledge, rather than condescending, casting them aside, or looking upon them unfavorably because they aren’t in the know. Educate. Try to help. Don’t lecture. Don’t mock. Don’t condescend. Don’t think you’re better.

Like it or not, security comes at a cost to both organizations and individuals. Sometimes, the cost is monetary, while other times, the cost involves convenience or time. Of course, the costs of ignoring security can be far greater in the long run, and it is our job to help non-security people understand that. That requires the ability to relay the value of security efforts in everyday terms that can help gain support and budget for those efforts. That budget can then ultimately be used to improve security in accordance with our vision. But we won’t get there by mocking people and throwing 140 character tantrums on Twitter.

How can we accomplish this goal? It starts by being constructive.

Sometimes I think that the security community has forgotten the concept of being constructive. It seems that criticism and snarkiness lurk nearly everywhere I turn, but sadly, constructive dialogue is often rare. Further, the demeanor of our discourse is often unpleasant at best. You might ask: If that is the personality of many in the security community, what is the issue with this?

The issue with this would seem to be that we are not getting our message across to a world that desperately needs to internalize it. The end result of our demeanor is that many people and organizations that are in need of a dialogue with the security community simply tune us out. Who wants the headache of dealing with a bunch of cynical, negative curmudgeons?

Although there is no silver bullet that will cause the world to pay attention to the security community, I believe that a move to a more constructive approach would help. I see a lot of activity around criticizing ideas, and sometimes, unfortunately, attacking or ridiculing people and organizations. Might I humbly suggest that the world has little patience for this and that this actually hurts our cause?

I am not advocating that we cease thinking critically about the many important issues confronting the security community. Rather, I am advocating quite the contrary. In my experience, constructive approaches to address the issues we are passionate about are far more effective. After all, most people are happy to be educated about a variety of issues. But if we have only a stream of negativity and no constructive alternative to offer them, what can they really take away from the exchange of ideas that they can implement or otherwise take action on?

Over the years I have seen that, in practice, the best response to an idea, a policy, a practice, an approach, or anything else that doesn’t sit right with us is a constructive alternative. There is no need to tear down that which we take issue with, particularly if we don’t have all of the facts. If our alternative is good, and if we are able to adequately communicate its value, it will stand on its own.

The next time you want to take the road less traveled, it may be helpful to think about this point. Which style do you think will be more effective for you and produce the results you are after: To attack that which you disagree with, or to eloquently communicate a constructive alternative?

As an added bonus, this principle works well in life in general. It is a principle that can be applied broadly, well beyond the borders of information security. It’s not naive to be positive and an optimist. It’s really the only way forward, particularly in a world that is thirsty for constructive security ideas they can understand, relate to, and internalize. I’m positive.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.