Cybersecurity and the Ungrateful Masses

It’s probably no surprise to you that cybersecurity professionals are an unhappy bunch. There are a lot of issues between people in the community, between consultants and vendors, and between management in the security strategy tower and security professionals in the trenches. So, if you’re miserable and a cybersecurity professional, add ‘not being special’ to that now and go on be a little grumpier.

We have a lot to be frustrated about, really. Nobody understands us. But worse than that is the ungratefulness for what we do.

To Serve and Protect

Through history, people have put themselves in harm’s way to do the right thing. Sure, some do it for money and others for the sex appeal, but mostly people go into security to protect. I get it that 'harm’s way' isn’t the same for cybersecurity and a beat cop’s police patrols, but the part of helping and protecting is the same. But I’m on a roll so don’t start throwing facts at me now.

The point here is that people who do physical security and assorted heroics get all the accolades. And the people in cybersecurity get insomnia, stress-fat, and eventually fired. Maybe not in that order, but definitely some of that.

Why? Spoiled ungrateful masses. It’s just a theory but I personally think the public is thoroughly unimpressed by tech skills - or at least nonplussed by anything not physically driven.

So, if I track a criminal through the forest by looking at foot impressions and broken twigs, I’m amazing. But if I track a criminal across the globe through code variations and connection timings in a variety of logs, at best I’d get an indifferent shrug from the public. Why?

CyberSkills and Rose Gold iPhones

Twice in a year I used cyberskills and detective work worthy of Batman in cleverness in finding the owner of a lost iPhone. Not the old ones either, but new ones. Expensive ones. One was rose gold. I found the phones, one on a bench in a parking lot of a hiking trail and the other outside a tourist bathroom. Both times I ran around immediately looking for the owner, but found no claim. So, then I went to work.

Both phones were locked with a PIN, so both required some effort to find the owner. One, I had to deduce the owner from recent pictures where I identified and located her car to flag her down before she left the parking lot. The second one had the pictures roll locked, so I used Siri to call someone, just making up generic names until it asked me if I meant “Steve” and then called him. I had Steve get in touch with the phone owner for me.

So, all that done in under a minute each time. And while I may have overstated the whole ‘Batman’ bit, it’s at least Veronica Mars type action.

But that’s not the point. The point is both times the owner seemed annoyed and dismissive of me, bothered that I ruined their day because they had to come and pick up their phone from me. Neither wanted to hear how I found them using the locked phone. Neither saw it as anything great, or even just a really nice thing that I did.

I get it that it’s not the same as pulling someone’s child from the jaws of a raccoon or finding their runaway cat. And that’s my point too. It’s just not seen as a big deal at all, at least by the masses.

If it was any of you cybersecphiles then you’d think it was really cool. You’d ask questions. You’d make me feel happy for helping or even clever. But you’re not the masses, are you?

Why Cybersecurity is a Thankless Job

This is what happens every day, all the time, on some level to all cybersecurity professionals. It’s a thankless job. People feel safe when they see the security guards in the parking lot. Nobody tells you they feel safe with cybersecurity people on the network. And while I can enumerate many possible psychological reasons for it, emotionally it still sucks. It still feels like a thankless job.

I was going to suggest some changes we could make to improve the situation, or at least some things that make us feel less bad about it. But I couldn’t. Instead, I just started listing all the ways the message of cybersecurity is unclear to the masses and what they think they know about security.

So here it is:

  • Cybersecurity is not like physical security. The most obvious example is that you can’t build a bigger packet to break down a firewall. There’s no “bunker-busting” bombs to tear down walls. Packet floods don’t cause mud damage like real floods, or even cyber-mud damage if you need to hear that. So, don’t make comparisons as if it is. That just gives a false premise and conclusion.
  • Cybersecurity has no deterrent capability like physical security does. There is nothing you can build on your network that would make someone run away in fear and pick a different target.
  • Cybersecurity sucks at attribution. We can’t say definitively if a particular person did something and we can rarely say if it really originated at a particular computer. It’s because cybersecurity is really bad at identifying where things really came from or what’s good and what’s bad as a packet. So, where we say “cybersecurity is where you block bad things and allow good things,” it’s much, much harder than it sounds because in most cases we can’t easily or readily identify what’s bad or good or where it’s really coming from.
  • In cybersecurity, less services means less to attack, and less assets means less to steal. And oh, by the way, your security devices are also your assets. Oh, and so are people. And their identities which we need to protect from identity thieves despite how, at the same time, we keep giving them away for free on social networks.
  • Cybersecurity is designed to keep information safe while physical security is designed to keep information AND people safe. So maybe that’s why people don’t particularly feel safe to have cybersecurity around, because they never felt a threat to begin with.
  • Anything you own and use needs maintenance if you want it to last. This includes computers and online services. Maintaining good passwords, keeping your endpoints clean of malware, fixing vulnerable applications, and limiting what kind of traffic can come through your door are all maintenance tasks you need to do. But it’s not security. That comes first. Which is easy in the physical world because maintenance cleans up clutter, makes things look newer, and generally is the first thing people do before they apply security. On networks, maintenance just feels like a grind because there’s nothing to really show for it.
  • In the physical world you can feel exposed. That makes it easy to check the door handle to see if the door is actually locked. Online, the masses never get that feeling of being exposed, so they don’t worry about closing ports and services they don’t need, avoid using the main administrator or root account as your regular account, watching the traffic or logs for signs of attacks, and encrypting the messages they send. That lack of feeling exposed also means they don’t notice when it’s unexposed. If anything, the security bit of it feels controlling and burdening.

What do we do with this knowledge? Make better marketing? Write more articles? Try to be a little less depressed? I don’t know. I just know that the lack of appreciation will likely never go away as long as people don’t have an emotional connection with their online selves.

Until then, we'll just keep doing our jobs.