So, many of us are scrambling here right before the major holiday season gets fully underway, trying to get ready for family gatherings, time away from work, etc. I am right there with you, folks, trust me.
This will be a short post that was spawned while reading Christopher Hadnagy’s (excellent) new book “Social Engineering: The Art of Human Hacking”. I will have a lot more to say on this topic in 2011, but for now what set me off was actually not the content of the book per se, it was a quote at the beginning of one of the chapters. The quote is as follows:
If you would persuade, you must appeal to interest rather than intellect. –Benjamin Franklin
This sparked a couple of thoughts that I think, as infosec people, we’d do well to at least mull over. First, we wallow in our own beliefs a little TOO firmly in infosec. We tend to be a stubborn lot, and I’m no exception. The problem with this is twofold – it’s hard to change our minds, and sometimes we’re wrong. On Twitter, at the twenty million security conferences currently in existence, in whitepapers, on webcasts, during training – we essentially say the same things over and over and over, just in different ways. How many new paradigms have really shown up in infosec lately? Ahem. The point of this mini-rant? We tell each other all the time (thus reinforcing the idea) that FUD is bad. *No way* would we ever use FUD! Never! Boooo! Which leads me to my second thought.
We are not SELLING to US. We’re very cliquish. Click on an attachment? Dumbass. Open the door for a stranger? Moron. Willing to defend the Windows OS as a better platform? Heh, don’t even go there. But the reality is…maybe we’re out of touch. We’re not doing a bang-up job at getting people to change their behavior, and let’s face it folks…that IS what we’re trying to do. We are trying to manipulate people, for good reasons, granted, but we’re manipulating nonetheless. And failing at it miserably.
There are success stories. Some organizations embrace a “culture of security”, sure. Others have such draconian policies and regulatory oversight that people fear for their very souls while feverishly typing away in Cube 43 on the seventh floor every day. But most of us are making the mistake that Ben Franklin so adroitly points out. We’re trying to convince people that being savvy about security is a common sense thing. It’s not. We need a new tactic. And so…
You, my friends, may need an infosec marketing plan. No, no, don’t CALL IT THAT, for goodness’ sake. We’re much too snarky a group to respect you if you do THAT. But you need one. The biggest problem we have is still people’s innate desire to hack, slash, and click their way to compromise, and it’s our job, nay, our DUTY, to help them. We get so caught up talking about mentoring other people in infosec, having wholesome and enlightening conferences and conversations (personally, I think we need more debauchery at our cons, a la DEFCON 3), and these are all fine and well. But turning our focus inward only goes so far. It’s time to evangelize, folks. All of you. Not just the echo chamber (we love to hear ourselves, of course). All of the programmers, intrusion analysts, forensic folks, pen testers, risk/compliance peeps, all of you. We need to SELL this stuff. And it may take a little FUD to get there. “You’ll be blown up by evil hackers if you click an attachment” or “Your kidneys WILL be harvested if you give out a password over the phone” could be just the ticket. Am I exaggerating? Sure I am. But if a little more of this mindset changes people’s behavior, I just might call it a success.