(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

INFOSEC is from the Internet and Executives Are From INITECH

According to some out there on the Twitters and the con circuit we in INFOSEC don’t communicate well to our corporate masters. I know what you’re thinking right now… here he goes again on this bullshit… but I really think that more could be said to elucidate at least how I feel about it all. So I thought I would attempt to put this down on the blog as it has been sticking in my craw for a while now. After having spent time talking to people like Josh Corman and others out there who decided to harangue me for being an INFOSEC heretic lately I still felt that perhaps some clarity was necessary and I thought what better way could there be than framing this argument in the context of one of my favourite movies! So I present to you “Infosec is from the Internets and Executives are from Initech”

INFOSEC is from the Internets

Infosec, or Information Security to the lay, is the discipline, no not a science, of applying the practices of security principles to an environment. In many cases out there this means that we the professionals are trying to get the companies we work for to comply with “Best Practices” with a goal of protecting their data, which really much of the time means the clients’ information. Now oftentimes I hear the haggard cry by my information security siblings that it feels like they are speaking a foreign language when they talk to the “norms” where they work. This failure in communication follows through to the world at large as well but in the microcosm of the “company” the strata are defined and one of the biggest problems that we all have is the elusive executive.

You see, the executive should be a primary concern of ours to communicate with but all too many times we find ourselves either filling out numerous useless TPS reports (with cover page *tm*) or worse, in the basement Milton style muttering to ourselves about burning down the building. Now some of you out there may be saying “Now wait a minute! I have access to my executives!” and if you are and you do then please tell me which unicorn company you work for because I wanna work there as will 99% of the people in our business. Let’s face facts here, we are a different animal from the average exec out there and we may also consider ourselves outside the norm within the world at large too right? I mean we are always the smartest people in the room with the know-how and the snark to carry it all off right?

Well maybe we are in fact the smartest in the room. Perhaps too we may be to the far end of the disorder spectrum collectively… at least we fancy we are because that makes us all VERY special fucking snowflakes right? I suspect the reality is much more complex but the feel of it for us all seems to be that we know what we are talking about, take it seriously, and try to tell the magical exec the truth and either are denied the access, not listened to, or just pretty much told to make do with not doing anything you recommend because the business can’t do it. So what is one in this business supposed to do when this happens? Are we to just suck it up and take it? Are we to complain and whine and moan? Are we to get even? Or, dare I say this in the naked cold light of recent derpy events and butthurt?

… Yes… I will…

Are we to internalize it all and get burned out and manifest all kinds of bad self-destructive behaviour because of it?

C’mon! YOU are from the INTERNETS you INFOSEC God(dess) YOU are smarter than 20 of those sofaking executives you work for! So come on, stop obsessing about it and just do your job to the best of your abilities. Like I said in my last screedlet; Report the issues, let them sign off or not, then go home at the end of the day. This is all you can do. You are from the Internets and you can either accept this or just hack the system and then tell us all how you did it at some con in some cool PowerPoint right? Enough of the angst and gravitas ok? All this talk about “communicating” better may have some good points but in general I feel that there is much much more thought that needs to go into this and not just puke out some reductive 20 minute con presentation on it. I will continue with my process of reporting, sign off, and home while all you really smart autists geek it out in a better new hacky way.

Executives are from INITECH

The other side of this problem is understanding your executive beast. What you have to disabuse yourself of is the idea that executives are at all like us. Execs come from INITECH and by this I mean watch “Office Space” again and observe this documentary closely on the ways of the corporate executive and social interactions. This movie is not really satire kids and you should really be able to admit this to yourselves. Execs also believe they are the smartest people in the room as well and unfortunately they actually have the power to squash your nuts as well as just not listen to you. I guess let’s just say that the “them vs. us” thing isn’t working for us but one has to ask just how we “could” reach them and make them understand what we know to be true and important.

Execs are often pampered, old, and out of touch with reality because of their job titles. This is a general malaise from my experience and in some cases it just feels like execs have lobotomies when they get their titles and offices anyway. Don’t even get me started on execs who have the titles with “security” in them as well. I have met many who did not have the experience in security in the first place to even speak knowledgeably on basic security issues never mind the intricacies of say an IE 0day. Lately the joke has been that we need popup books to enlighten them on certain concepts and while that is funny, it also is an admission of the futility we all seem to be facing to some degree in our work lives in security.

The base conceit though is that execs are most concerned with the bottom line. Their personal bottom line in their bank accounts and professional reputation bank seem to take precedence over perhaps listening to you INFOSEC Cassandra warning of the latest malware that might cause them to lose data. So do you really need to figure out a way to get that to them? Do you really have to expend all the time and energy trying to persuade them or to learn executive thinkspeak to reach them when plain and simple language or hand puppets won’t? Once again… Report the dangers, get them to sign off if they don’t want to make changes, and then go home. You know that the exec will be going home that night to their large home and their pool with 2.5 kids named Biff and Muffy and not have one scintilla of a thought about your warnings right?

Rinse and repeat.

Do We Need To Be Peter, Michael Bolton, or Milton?

So to follow through on the metaphor a bit more it becomes clear that we all must choose a means to deal with all of this claptrap we deal with daily. Do we want to be one of the archetypes from “Office Space” and sublimate that way? Which would you rather be I wonder?

Peter: Hypnotized into just not giving a shit about anything

Michael Bolton: Tightly wound and talking about pound me in the ass prison?

Milton: The long suffering borderline psychotic mumbling about burning down the business and being a basement dweller?

Honestly I personally have been a Michael Bolton and a Milton in the past but I have resigned myself to be more of a Peter lately. The others may have some catharsis somewhere down the line but in the end we all know they will pop at some point and burn a place down, have a coronary, or go on an office shooting spree. Nope, the not giving a shit is the way to go as long as you do your job and don’t go all INFOSEC JESUS on it. Face the cold hard realities kids, you can tell the truth, you can do it in the most wonderful ways but if the company or exec is not interested in making changes due to money, politics, or just not caring, then you won’t get anywhere. What’s worse is that if you start obsessing on it you will only make yourselves miserable and by proxy, your workmates, your loved ones and anyone who comes in contact with you.

If your job makes you miserable because you cannot get through to your chain of command then it’s time to move along or just accept it and get a paycheck. Sure, maybe you have spare cycles and want to create the new mousetrap so go right ahead and come up with your very own Rosetta Stone for exec speak. Just let me know when that is all done and for sale and I will pick that shit right up. However, don’t tell me that I need to learn how to talk to my exec better at some con and expect me to just bow to your great wisdom. Do it first then lead the way! If you can do it and put that shit into a plan that works universally well god dammit I want that book! It’s once again DATA or it never happened.

…Just be a Peter and live better.

Planet Lumbergh

I recently had a conversation with a friend of mine about all of this post my recent heretical post. We agreed that there is so much that needs to be looked at to effectively attempt to even get close to the problem and that to date, the business and community has done nothing. Perhaps the ossification is due to the problem being so hard. It is also possible that the problem has been ignored because the money is too good now to really make a change and tighten things up. I mean that would really put a dent in many a business if everyone was actually doing security right huh? My personal take though is that there are just too many Lumberghs out there in charge and there is nothing we can do about it.

I could once again go into the whole cognitive issues around security but I am just sick to death with trying to explain it all. Face the fact that we humans are very flawed and have a real penchant for repeating history so this worm will just turn and turn and turn again. Nope, it’s better to just do the best you can, inform the management and work on the problems you are allowed to. Of course all the while all those things you aren’t allowed to fix have to be signed off on by management and YOU should have a copy of that form squirrelled away for that inevitable day when they try and shit on you.

Harsh you say? Well I am a realist so suck it. You should be too.

Don’t let the Lumberghs get you down man….



Written by Krypt3ia

2014/05/02 at 19:08

Posted in Infosec

  1. Having had some insight into internal auditing, information security and technical IT security I totally agree. Focus on identifying risks, classifying risks, make a recommendation and let management decide how to proceed. Don’t care about the result (as long as you presented the correct facts) … management is responsible if something happens and you got their written / signed decision. Takes some time to get used to it, but it works pretty well for my peace of mind.

    Bernd Lauert

    2014/05/02 at 19:29

  2. Excellent post as always and adding to that may I point out that management only thinks in terms of “best practice” and “compliance” without looking at the bigger picture as they should be. I was at a banking hall the other day with protection by 3 inch bullet proof glass and a flimsy access door with a broken lock. Management is done for the lulz.


    2014/05/03 at 05:02

  3. “Face the cold hard realities kids, you can tell the truth, you can do it in the most wonderful ways but if the company or exec is not interested in making changes due to money, politics, or just not caring, then you won’t get anywhere. What’s worse is that if you start obsessing on it you will only make yourselves miserable and by proxy, your workmates, your loved ones and anyone who comes in contact with you.”

    I Like your blog!!

    Well stop being a bull charging into a china shop. It’s frustrating, but you do have the answers. Start asking the right questions; talk management’s language: board of directors, shareholder meetings. The only thing they understand is Time & Money.

    Start crafting your questions that you know the answers to. Simplify, talk in a language the big Brass can understand. Don’t disagree or argue; you don’t get anywhere (but more frustration). It’s one thing to tell, it’s another thing to start digging. Find out about the person you’re dealing with; stop being a dickhead screaming at the top of your lungs “I’m right, you’re wrong”.

    Techies are not sales people; they get frustrated very easily when they’re not listened to, and I understand, but now is the time to take it to the next level start s

    I’m wrong 80 % of the time and I know it. The one thing I have learned: you attract more people by listening and asking them the right questions. Start by building relationships with the people you’re trying to influence.
    Would you take advice from a complete stranger or from someone you hardly know? Or are you more likely to listen to someone you know fairly well and you respect? If it doesn’t work out take a look at yourself, not them. You’re not going to get everyone to listen but you will come across others who will listen and will be proactive taking action to correct.


    Techies feel that we know everything; well, if we did we would be gods. Wake up and smell the roses, we’re human, we are prone to making mistakes and hopefully we’ll learn from our mistake, but very few of us will learn from or want to learn from our mistakes. (something to do with pride or vanity) There is and always will be someone out there who is smarter and brighter than we are.

    I’ve been around for a while. I embrace technology but our technology is leaving us behind and we are surrendering to a technology that is/has overtaken us and is getting to the point where it is able to think on its own.

    I’m in my late sixties and sooner or later you may reach it or you may not.


    2014/05/05 at 16:17

