Security professionals devote many years to mastering security analysis, and in the process lay the groundwork for a career in alienating the public. You see, “security analysis” means as much to your average Joe on the street as “plucky raccoon poncho,” so of course they really don’t get what we do or why we do it.
For starters, cybersecurity professionals say things that regular folk don’t understand. And when we say the things we do want them to understand, we dumb it down so much as to make it garbage security advice. It’s as if being around others who are not learned in the ways of cybersecurity makes us suddenly less factual and more terrible at communicating concepts.
So, when we’re talking to members of the security community, we sound like this:
“The correct path to security is maintaining a broad defense across all your endpoints and controlling for threats by using a security solution tailored to your environment.”
Meanwhile, when we’re talking to the public about security, we sound like this:
“You need to use a strong password with symbols and numbers, patch automatically, and use a brand-name antivirus program at all times.”
The first statement, made to fellow security professionals, is okay advice, whereas the second, meant for the public, is actually terrible advice: it reduces security to a password rule and a product to buy. So why do we do that?
Ask a hundred cybersecurity professionals why they talk to the public the way that they do, and ninety-nine will tell you that the public isn’t technically sophisticated enough to understand how to eat maple syrup without getting sticky from it, let alone configure a firewall on their home PC. The one left over will just write an article about it and publish it on their personal blog (readership: three).
The problem here is that the public isn’t just this sticky mass of technophobes who are lucky to get their headphones plugged into their smartphones. The public is actually a diverse mix of people with various levels of technical capability, some of whom eventually become cybersecurity professionals themselves.
Therein lies the problem: that dumbed-down oversimplification becomes the core of security for far too many. It’s why hardening has gone from reducing the attack surface (shutting down services nobody uses and configuring least privilege) to installing ever more security products.
The difference, in case you’ve already been tainted by the oversimplification virus, is going from reducing an attack surface to defend against everything to increasing the attack surface to make it easier to defend against common things. Every product you install is more code, more privileges and more update channels on the box, which is to say more attack surface. Hardening - like a good suit of armor or a good entourage around you at a club - should reduce, not add to, the bits of you exposed for attack.
Most security professionals in practice land somewhere in the middle, though that middle sits well toward the side that reduces the attack surface first, as far as possible, and only then layers products on what remains. The idea is an easier (more automated) defense against the barrage of common things that hit us all the time, while worrying less about the stuff we don’t use or need getting attacked by uncommon things in a way we wouldn’t notice.
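What “reduce the attack surface first” looks like in practice, as an added example that is not part of the original post: audit which services are actually listening on the network and compare them against the short list the host is supposed to expose. Everything exposed that isn’t on that list gets turned off (or at minimum bound to loopback or firewalled) before anyone shops for a product. The `ss -ltnp` snapshot below is constructed for the example, and the allowlist (`sshd` and `nginx`) is an assumption about a hypothetical web host, not a recommendation for yours.

```python
"""Attack-surface audit: flag listening network services not on an allowlist.

Added example, not code from the original post. The input is a constructed
snapshot in the format of `ss -ltnp` (Linux); on a real host you would feed
it the live output instead, e.g. subprocess.run(["ss", "-ltnp"], ...).stdout.
"""
import re

# Constructed sample of `ss -ltnp` output; not captured from a real machine.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=905,fd=7))
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*          users:(("smbd",pid=1301,fd=38))
LISTEN  0       511     *:80                 *:*                users:(("nginx",pid=1510,fd=6))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       4096    0.0.0.0:111          0.0.0.0:*          users:(("rpcbind",pid=601,fd=4))
"""

# Assumption for this hypothetical host: it is a web server reachable over SSH,
# so only these two processes are allowed to listen on a non-loopback address.
ALLOWED_EXPOSED = {"sshd", "nginx"}

# Listeners bound only to loopback are reachable from the host itself, not the
# network, so they are not counted as exposed attack surface.
LOOPBACK_ADDRS = {"127.0.0.1", "::1", "[::1]"}

# Matches one LISTEN row: local address, port and (if present) process name.
LISTEN_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*"
    r'(?:users:\(\("(?P<proc>[^"]+)")?'
)


def parse_listeners(ss_output):
    """Return a list of {"addr", "port", "proc"} dicts, one per LISTEN row."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # header line or a non-LISTEN socket state
        listeners.append(
            {"addr": m.group("addr"), "port": int(m.group("port")),
             "proc": m.group("proc") or "<unknown>"}
        )
    return listeners


def is_exposed(addr):
    """True when the socket is bound to anything other than a loopback address."""
    return addr not in LOOPBACK_ADDRS


def audit(ss_output, allowed=ALLOWED_EXPOSED):
    """Classify listeners into keep / disable / loopback_only.

    Returns sorted lists of (process, port) pairs, de-duplicated so that a
    service listening on both IPv4 and IPv6 shows up once.
    """
    keep, disable, loopback_only = set(), set(), set()
    for l in parse_listeners(ss_output):
        entry = (l["proc"], l["port"])
        if not is_exposed(l["addr"]):
            loopback_only.add(entry)
        elif l["proc"] in allowed:
            keep.add(entry)
        else:
            disable.add(entry)
    return {
        "keep": sorted(keep),
        "disable": sorted(disable),
        "loopback_only": sorted(loopback_only),
    }


def report(ss_output, allowed=ALLOWED_EXPOSED):
    """Human-readable summary: what to leave alone and what to shut down first."""
    result = audit(ss_output, allowed)
    lines = ["Exposed and expected (keep):"]
    lines += [f"  {proc} on tcp/{port}" for proc, port in result["keep"]]
    lines.append("Exposed and NOT on the allowlist (disable, bind to loopback, or firewall):")
    lines += [f"  {proc} on tcp/{port}" for proc, port in result["disable"]]
    lines.append("Loopback only (not network-exposed):")
    lines += [f"  {proc} on tcp/{port}" for proc, port in result["loopback_only"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SS_OUTPUT))
```

On the constructed snapshot the audit keeps `sshd` and `nginx`, leaves the loopback-only `cupsd` alone, and flags `smbd` (tcp/445) and `rpcbind` (tcp/111) as services to shut down. That list, not a shopping list, is the first output of hardening; whatever product comes afterwards only has to defend what is left.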
Which isn’t at all hard for the sticky masses to understand if we say it like that. Even the stickiest of them can understand that you put on protective equipment first and then go fight the invading horde, not the other way around. So why do ninety-nine percent of cybersecurity professionals still insist on spitting out the same product rhetoric all the time?
I think they do it because they have spouted the same nonsense so often that they have come to believe it themselves - even if they know it’s functionally not true - so it’s so ingrained in their psyche that they can’t not say it.
Or, that their cybersecurity knowledge comes from a book, not through experience. At least I’d like to think so, because no security professional in the trenches would ever say that simply installing a single antivirus product has kept their company cybersafe. However, those who never had to actually defend a company might think it’s possible.
So, what you have now is those who know cybersecurity but can’t properly communicate with the public, and those who don’t know cybersecurity very well but do have the resources and time to communicate their notions. This serves not only to alienate the public (as previously mentioned), but also to alienate their fellow cybersecurity workers in the trenches. And that’s a mess of plucky raccoon poncho proportions!
It makes you think that average cybersecurity folk should not, in fact, be advising the public, leaving them free for important cybersecurity analysis work like guessing CVSS scores to prioritize how soon they want to be breached, and being generally grumpy.
So, this need to talk to the public like they are not smart enough to understand the truth has only exacerbated the public’s problems. This is the cybersecurity version of the self-fulfilling prophecy. I for one reject it - or should I say, I will be one of the few to reject it, because I don’t think this will ever change.
It’s just like the way people still talk to children as if they’re idiots who wouldn’t know their ache is in their stomach and not their “tummy,” or the way the pharmaceutical industry talks to us as if we’re idiots, with its diagrams of the human body as an outline over a simplistic network of tubes that change color with pain.
So, what should we do? Well, it’s time to repeat “plucky raccoon poncho” until the public gets it. We start using the appropriate terminology and proper explanations with them, and furthermore, we tell them that anything you buy also needs to be hardened or sandboxed (turn off the features and services you don’t use, and don’t leave it reachable from the open internet by default), because all the amazing connectivity features they’ve been sold aren’t secure in the real world, where anyone on the planet can wake up and decide it’s your breach time.
And you know what? Maybe we’ll actually, finally see some progress in cybersecurity.