Sticks and stones: Picking on users AND security pros

Name-calling is harmful to the cause of security

Bill Brenner (CSO (US))
26 August, 2010 02:08
Comments

I took my share of name-calling as a kid. I did my share of name-calling, too. We're taught that nothing good comes of such behavior. I've been thinking a lot about that since writing an article two weeks ago called " Security blunders 'dumber than dog snot'" during the 2010 USENIX Security Symposium.

The story is based on a talk of the same title given by Roger G. Johnston, a member of the Vulnerability Assessment Team at Argonne National Laboratory. In the presentation, he gave examples of surprising (or not) examples of what he has seen as a vulnerability assessor: security devices, systems and programs with little or no security -- or security thought -- built in. There are the well-designed security products foolishly configured by those who buy them, thus causing more vulnerability than before the devices were installed.

Then there are the badly-thought-out security rules and security programs laden in security theater, lacking muscle and teeth. In fact, some policies only make some employees disgruntled because they are treated like fools. In turn, the company risks turning them into malicious insiders.

Also see "Ouch! Security pros' worst mistakes

Johnston described three common problems: People forgetting to lock the door, people too stupid to be helped and -- worst of all -- intelligent people who don't exploit their abilities for the betterment of security. Enter what he calls the dog snot model of security-- where intelligence and common sense exist but are not used.

He came up with the term by watching his dogs, who often crash themselves against the picture window facing the yard when they want to go chase a squirrel. Hence, the windows are covered in dog snot. Executives and lower-level users are often like the dogs in that they bang their heads against the firewall (or their fingers against the keyboard) in an effort to get at a shiny object online. The security pros themselves can get caught up in this too, usually banging up against the glass by trying to prevent bad things from happening by repeating the same failed practices.

Moments after the story went live and appeared on Twitter, I got a message from Adam Shotack, co-author of "The New School of Information Security" and a security specialist at Microsoft.

"Is that attitude helpful? Does anyone respond better when you call them 'dumber than dog snot?'" he asked.

Shostack has never hesitated to tell me when he thinks my position is off target. When I wrote a column about getting grilled by the U.S. Secret Service for taking pictures at the White House, he suggested that I was too soft on the officers for their treatment of just another tourist with a BlackBerry camera.

I always welcome his feedback. He is, after all, one of the rock stars of the security industry. He didn't get there by tossing around hollow critiques and empty applause lines. When he talks, I listen. He's also one of the friendliest guys you'll ever meet.

So when he took me to task for comparing professionals' security mistakes to dog snot, I thought hard about it.

I've written before about how language is misused in the security industry and how it often does more harm than good. The last thing I want to do is contribute to the problem.

So let's look at the dog snot article and see where it fits in.

When Shostack suggests name-calling is harmful to the cause of security, I wholeheartedly agree. It's basic psychology. Put a person down often enough and their work will suffer. It's also against common decency to put down people who are working hard to do their jobs well.

But the folks at the heart of Johnston's talk weren't the same people. These were CEOs and other executives who have done foolish things online, putting their company network at risk, even though they should know better. These are the folks who create a workplace environment where people are always feeling embattled, raising the chances that some of them will use their hurt feelings to do some damage.

There were examples where blunders were the result of faulty installation of security devices, and that can be blamed on the security professionals who put them there. But Johnston didn't call them names. He didn't call the executives names, either. He focused more on the mistakes themselves and what other security professionals can learn from it.

As for the dog snot, he was talking about the actions of good people who often bang their heads against the wall by making the same mistakes over and over again. By flagging those blunders and calling them dog snot, he was trying to raise the awareness level, which is step one in this battle.

It's also important to note that he never once mentioned the mistake-makers by name or their companies. So hurt feelings shouldn't apply here.

I see individuals called out on Twitter by folks who don't agree with a point they made. Most of the time it's respectful disagreement that leads to a useful dialogue we can all learn from.

Sometimes, one security tweeter will use harsher language against someone they don't agree with. It's a lot rarer, but I've seen it happen.

Those instances are a lot like the behavior where users trash their bosses or co-workers online, usually via Twitter or Facebook.

The blunders Johnston talked about were caused by both the users/executives AND the security professionals. The former engaged in reckless activity and the security blunder resulted when the latter responded inadequately.

In the final analysis, it's wrong to call individuals names. It sinks morale and never leads to an improved performance. And to engage in name-calling online is something only a jerk would do.

But it should be OK to poke fun at the mistakes themselves. The people aren't dumber than dog snot, but sometimes the mistakes that lead to a blunder are dumb. Sometimes, it's OK to say that. We can even laugh about it, as long as we take the lesson to heart.

Language is difficult to master in any industry. In security, it's particularly difficult.

Read more about executive communication in CSOonline's Executive Communication section.

Bookmark this page
Share this article
- facebook
- slashdot
- digg
- Reddit
- stumbleupon
- linkedin
- twitter
Got more on this story? Email CIO
Follow CIO on twitter

References show all

Comments

Post new comment

Share
Share this article
- google+
- facebook facebook
- slashdot slashdot
- digg digg
- Reddit Reddit
- stumbleupon stumbleupon
- linkedin linkedin
- twitter twitter
print
email
Bookmark

Related Coverage

Related Whitepapers

Latest Stories

Community Comments

"Very first time commenter on Face Time - Interview with John Brennan ..."

Face Time - Interview with John Brennan and Robert DiStefano
"When someone writes an piece of writing he/she keeps the idea of ..."

Monday Grok: Will Siri crack the walls of GOOG?
"Truly no matter if someone doesn't be aware of after that its ..."

Face Time - Interview with John Brennan and Robert DiStefano
"I read this post completely about the resemblance of latest and previous ..."

Face Time - Interview with John Brennan and Robert DiStefano
"A survey has found that eight out of 10 Australians would be ..."

Phones are distractions during catch-ups

Tags: Argonne National Laboratory, cybersecurity, insider threats, penetration testing, security, security blunders, security language, Security Leadership, vulnerability management, vulnerability research

Latest Blog Posts

Whitepapers

Top 5 Myths of Safe Web Browsing
There are a lot of misconceptions out there about safe web browsing. You might think you're being safe. But without the facts it’s next to impossible to stay protected against today’s changing threats. In this paper we describe the top five myths of safe web browsing, what the facts really are, and what you can do to stay secure.

Learn more »
Optimizing Storage and Protecting Data with Oracle Database 11g
This paper focuses on key Oracle Database 11g capabilities that help IT departments better optimise their storage infrastructure, enabling administrators to deliver a cost-effective, scalable data management platform that is easy to manage, reduces costs, and protects data while continuing to deliver the performance and availability that today’s businesses require.

Learn more »
Teleworking made simple—and secure—with desktop virtualisation technology
Businesses of all sizes are increasingly focused on creating flexible work environments and offering telework options for employees. By administering policies and providing the technical capability for employees to work remotely, these companies can improve job satisfaction and worker attraction and retention. This paper explores the implementation of teleworking based on a foundation of desktop and server virtualisation.

Learn more »

All whitepapers

Most Read
Most Commented

Get exclusive access to Invitation only events CIO, reports & analysis.

Latest Jobs

Zones

Featured Whitepapers

No Bull - What Customers Should Expect from Cloud Services

This paper describes how a cloud Services User achieves the true benefits of cloud services and sends warning messages to the providers, hosting companies and telecommunications firms. It also provides ...

Sticks and stones: Picking on users AND security pros

Comments

Post new comment

Building trusted relationships

Planning your IT career

Taking the risk out of diversity

5 open source help desk apps to watch

How to create a clear project plan

5 open source billing systems to watch

10 Tips for Dealing with a Bully Boss

CIO challenge with BYOD: Don't fall down the rabbit hole

Face Time - Interview with John Brennan and Robert DiStefano

All Systems Down

IT service management going social

Survey: Over 97 per cent of enterprise tablet users got an iPad in Q1

Judge throws out mass John Doe porn copyright lawsuits

HP Business Efficiency - Money Payback Guarantee Resource Centre

The Australian Cloud

No Bull - What Customers Should Expect from Cloud Services

The Pathways ICT Leadership Development Program Brochure and Curriculum 2012