Judging vs. Good Judgment in Security
« Back to Blog

Judging vs. Good Judgment in Security

By Pete Herzog

I’m judging you for reading this article. Oh, don’t stop now because it’s too late. I’ve already judged you. So you might as well read through and figure out how I can live with myself.

In security we tend to judge people. A lot. We judge them when we don’t know a damn thing about what really happened. We judge the violators, the attackers, and their victims. We judge them for action and inaction. Don’t believe me? Go tweet right now: Equifax is a victim too! #equifaxbreach

Why didn’t you? You scaaaaared? Of being judged? Oh, you WILL be. Because that’s what we do.

It doesn’t have to be Equifax. It can be any breached entity. I’m sure by the time this is published there’s a few more you can choose from.

We all pride ourselves on our opinions. Far too many of us need to share them though on everything and anything. Social media is designed to make us think we should reply something because our opinion matters. Hell, some of my best moments, in my head, are when I threw down a snappy response. It’s when we think our opinion matters do we truly feel alive. Or so it seems. It happens. Even in security. Especially in security.

The thing is that our opinions do matter. 

We cybersecurity people are paid for what we think and say. Unlike Earl who has to clean up on aisle four, people actually want us for our minds and not just our skills. Or, better said, our thoughts and words are part of the skill set they want from us. Look at any security hiring wish list and probably double underlined is communication skills. And for those of us who grew up mumbling at our screens and including our modem in the number of people who called us recently to reach a digit above zero, that’s friggin awesome!

So what happened?

Cybersecurity seems to have a warrior thing. Knights, ninjas, samurai, soldiers, phalanx, jedis, and so on proliferate on the security landscape. There’s a lot of power in that. Makes sense because protecting has always been provided by warriors. This image has been tweaked for an online world made up of information and communication. So what was once the force of stone slinging is now word slinging. Brute strength and speed has become smarts and wit. Not wisdom. The wise always knew that war is pointless much like they find online, sparsely-informed judgments today.

Oh, and it doesn’t stop there. Oh no.

We judge the security products we use and we judge the companies that provide them. We judge them based on how they install, how they run, which is fine. We judge them on how they brand and position themselves, which is less good but still negligible. We also judge them based on other people’s opinions like magic quadrants, testing bodies, and online reviews despite not really having any idea on how/what cash installments influenced the review. Which is less than okay. But, whatever.

But the worst is when we judge them for not being like another product or service we’re familiar with. That seems a bit thick. Because then we complain that there’s no innovation or good enough security solutions.

One thing that many people tend to not realize is that we are creating the lack of innovation in security. We are making a vicious cycle. Our inability to accept something that’s different and judge them publicly with our respected, paid-for opinions is why vendors lie to us about what the product is or what it can really do. And other vendors, their competitors, will do the same thing because if they don’t say the same lies then we think they can do less. And judge them for it. On the vapor of nothingness. Where realistically we should only be judging the liar and the lie. Seems messed up, doesn’t it?

It’s why too many vendors continue pushing a solution that their own further research shows no longer works. So even if they’re aware it’s garbage, it still has value until the consumer knows it’s garbage. And since people tend to justify something they paid for especially if their opinion matters we end up with more of the same and more of it being utter crap.

The problem with that line of thinking is 1) It's wrong. It's so horribly wrong. And 2) It’s a self-fulfilling prophecy of sucky, same security solutions that gets us nowhere. Don’t believe me? Then tell me why you use automatic patching on your systems.

The real question is, are automatically patched systems breached less than unpatched systems? Yes, let your opinionated gut feeling spill forth. Yes, I’ll judge you for it. Now, show me the objective research on this? And no, some other opinionated pundit giving their opinion is not research no matter who they work for. But do you promote patching systems as a security safeguard? Why? Because everyone else is and you don’t want to be judged for questioning it?

Some insist that automatic, immediate patching is necessary for security while others are correct. The red flag is that it’s clearly not even an issue up for public debate.

Wait, are you judging me? For the patching thing? Well I’m judging you for perpetuating the crappy product line and choices of security solutions because you won’t question best practices.

I’m not perfect either. I bought into the whole ‘firewall’ thing at first too. But I didn’t buy into the ‘8 character minimum password changed every 30 days’ thing though.

Now, just to be clear, I may judge you for doing this but I don’t BLAME you.

I think money is at least partially to blame. And maybe some ego. But the truth is if you’re the first or loudest to make a viral idea or meme then you have power. You will be first to be interviewed and first to be modeled after by all the others. You will have a gazillion followers. You will get all the best conferences asking you to be the keynote. And so with that power comes money. Sweet, sweet money. So the system encourages louder, meaner, snappier, full contrast opinions from you. It also encourages them from the vendors. Because nobody reads sensible, thoughtful responses which are too long and not funny enough. And nobody wants to follow the one who says, hey, wait a minute, maybe the system is broken. Because that’s really not interesting.

So when I judge you for your opinion I’m really just asking myself if you’re truly on a campaign of showing fact, feigning having some kind of better info than the rest, or just saving face. Are you doing it to be funny and get attention for yourself or are you just trying to humiliate someone? Oh I reserve my harshest judgments for those who are making fun of someone on their efforts. That’s how I roll.

I don’t do it to dislike you. I do it to learn from you even if it’s to know that I can’t learn from you. That’s why I can live with myself for judging you. And feel free to do the same to me. That’s the only way we can get real research and innovation happening in security.

About Pete Herzog

Pete knows how to solve very complex security problems. He's co-founder of the Institute for Security and Open Methodologies (ISECOM). He created the OSSTMM, the international standard on security testing and analysis, Hacker Highschool, cybersecurity for teens, and the Cybersecurity Playbook, practical cyberdefense for everyone else. More about him here.

The opinions expressed in guest author articles are solely those of the contributor, and do not necessarily reflect those of Cylance.

Tags: