INFOSEC is from the Internet and Executives Are From INITECH
According to some out there on the Twitters and the con circuit we in INFOSEC don’t communicate well to our corporate masters. I know what you’re thinking right now… here he goes again on this bullshit… but I really think that more could be said to elucidate at least how I feel about it all. So I thought I would attempt to put this down on the blog as it has been sticking in my craw for a while now. After having spent time talking to people like Josh Corman and others out there who decided to harangue me for being an INFOSEC heretic lately I still felt that perhaps some clarity was necessary and I thought what better way could there be than framing this argument in one of my favourite movies context! So I present to you “Infosec is from the Internets and Executives are from Initech”
INFOSEC is from the Internets
Infosec or Information Security to the lay, is the discipline, no not a science, of applying the practices of security principles to an environment. In many cases out there this means that we the professionals are trying to get the companies we work for, to comply with “Best Practices” with a goal of protecting their data, which really much of the time means the clients information. Now oftentimes I hear the haggard cry by my information security siblings that it feels like they are speaking a foreign language when they talk to the “norms” where they work. This failure in communication follows through to the world at large as well but in the microcosm of the “company” the strata is defined and one of the biggest problems that we all have is the elusive executive.
You see, the executive should be a primary concern of ours to communicate with but all too many times we find ourselves either filling out numerous useless TPS reports (with cover page *tm*) or worse, in the basement Milton style muttering to ourselves about burning down the building. Now some of you out there be saying “Now wait a minute! I have access to my executives!” and if you are and you do then please tell me which unicorn company you work for because I wanna work there as will 99% of the people in our business. Let’s face facts here, we are a different animal from the average exec out there and we may also consider ourselves outside the norm within the world at large too right? I mean we are always the smartest people in the room with the know how and the snark to carry it all off right?
Well maybe we are in fact the smartest in the room. Perhaps too we may be to the far end of the disorder spectrum collectively… at least we fancy we are because that makes us all VERY special fucking snowflakes right? I suspect the reality is much more complex but the feel of it for us all seems to be that we know what we are talking about, take it seriously, and try to tell the magical exec the truth and either are denied the access, not listened to, or just pretty much told to make due with not doing anything you recommend because the business can’t do it. So what is one in this business supposed to do when this happens? Are we to just suck it up and take it? Are we to complain and whine and moan? Are we to get even? Or, dare I say this in the naked cold light of recent derpy events and butthurt?
… Yes… I will…
Are we to internalize it all and get burned out and manifest all kinds of bad self destructive behaviour because of it?
C’mon! YOU are from the INTERNETS you INFOSEC God(dess) YOU are smarter than 20 of those sofaking executives you work for! So come on, stop obsessing about it and just do your job to the best of your abilities. Like I said in my last screedlet; Report the issues, let them sign off or not, then go home at the end of the day. This is all you can do. You are from the Internets and you can either accept this or just hack the system and then tell us all how you did it at some con in some cool PowerPoint right? Enough of the angst and gravitas ok? All this talk about “communicating” better may have some good points but in general I feel that there is much much more thought that needs to go into this and not just puke out some reductive 20 minute con presentation on it. I will continue with my process of reporting, sign off, and home while all you really smart autists geek it out in a better new hacky way.
Executives are from INITECH
The other side of this problem is understanding your executive beast. What you have to disabuse yourself of is the idea that executives are at all like us. Execs come from INITECH and by this I mean watch “Office Space” again and observe this documentary closely on the ways of the corporate executive and social interactions. This movie is not really satire kids and you should really be able to admit this to yourselves. Execs also believe they are the smartest people in the room as well and unfortunately they actually have the power to squash your nuts as well as just not listen to you. I guess let’s just say that the “them vs. us” thing isn’t working for us but one has to ask just how we “could” reach them and make them understand what we know to be true and important.
Execs are often pampered, old, and out of touch with reality because of their job titles. This is a general malaise from my experience and in some cases it just feels like execs have lobotomies when they get their titles and offices anyway. Don’t even get me started on execs who have the titles with “security” in them as well. I have met many who did not have the experience in security in the first place to even speak knowledgeably on basic security issues never mind the intricacies of say an IE 0day. Lately the joke has been that we need popup books to enlighten them on certain concepts and while that is funny, it also is an admission of the futility we all seem to be facing to some degree in our work lives in security.
The base conceit though is that execs are most concerned with the bottom line. Their personal bottom line in their bank accounts and professional reputation bank seem to take precedence over perhaps listening to you INFOSEC Cassandra warning of the latest malware that might cause them to lose data. So do you really need to figure out a way to get that to them? Do you really have to expend all the time and energy trying to persuade them or to learn executive thinkspeak to reach them when plain and simple language or hand puppets won’t? Once again… Report the dangers, get them to sign off if they don’t want to make changes, and then go home. You know that the exec will be going home that night to their large home and their pool with 2.5 kids named Biff and Muffy and not have one scintilla of a thought about your warnings right?
Rinse and repeat.
Do We Need To Be Peter, Michael Bolton, or Milton?
So to follow through on the metaphor a bit more it becomes clear that we all must choose a means to deal with all of this claptrap we deal with daily. Do we want to be one of the archetypes from “Office Space” and sublimate that way? Which would you rather be I wonder?
Peter: Hypnotized into just not giving a shit about anything
Michael Bolton: Tightly wound and talking about pound me in the ass prison?
Milton: The long suffering borderline psychotic mumbling about burning down the business and being a basement dweller?
Honestly I personally have been a Michael Bolton and a Milton in the past but I have resigned myself to be more of a Peter lately. The others may have some catharsis somewhere down the line but in the end we all know they will pop at some point and burn a place down, have a coronary, or go on an office shooting spree. Nope, the not giving a shit is the way to go as long as you do your job and don’t go all INFOSEC JESUS on it. Face the cold hard realities kids, you can tell the truth, you can do it in the most wonderful ways but if the company or exec is not interested in making changes due to money, politics, or just not caring, then you won’t get anywhere. What’s worse is that if you start obsessing on it you will only make yourselves miserable and by proxy, your workmates, your loved one’s and anyone who comes in contact with you.
If your job makes you miserable because you cannot get through to your chain of command then it’s time to move along or just accept it and get a paycheck. Sure, maybe you have spare cycles and want to create the new mousetrap so go right ahead and come up with your very own Rosetta Stone for exec speak. Just let me know when that is all done and for sale and I will pick that shit right up. However, don’t tell me that I need to learn how to talk to my exec better at some con and expect me to just bow to your great wisdom. Do it first then lead the way! If you can do it and put that shit into a plan that works universally well god dammit I want that book! It’s once again DATA or it never happened.
…Just be a Peter and live better.
I recently had a conversation with a friend of mine about all of this post my recent heretical post. We agreed that there is so much that needs to be looked at to effectively attempt to even get close to the problem and that to date, the business and community has done nothing. Perhaps the ossification is due to the problem being so hard. It is also possible that the problem has been ignored because the money is too good now to really make a change and tighten things up. I mean that would really put a dent in many a business if everyone was actually doing security right huh? My personal take though is that there are just too many Lumbergh’s out there in charge and there is nothing we can do about it.
I could once again go into the whole cognitive issues around security but I am just sick to death with trying to explain it all. Face the fact that we humans are very flawed and have a real penchant for repeating history so this worm will just turn and turn and turn again. Nope, it’s better to just do the best you can, inform the management and work on the problems you are allowed to. Of course all the while all those things you aren’t allowed to fix have to be signed off on by management and YOU should have a copy of that form squirrelled away for that inevitable day when they try and shit on you.
Harsh you say? Well I am a realist so suck it. You should be too.
Don’t let the Lumbergh’s get you down man….