Breach Vultures

To All the Breach Vultures: Better Get Your OWN House In Order!

[WARNING: Contains bad language.]

The 3 things I hate most about my chosen field of cybersecurity are, in no particular order:

  1. The proliferation of ‘silver bullet‘ / end-point protection technologies – when security is primarily concerned with people and process;
    o
  2. Security organisations using either F.U.D or regulatory compliance to make money without providing real benefit – with GDPR for example; and
    o
  3. Security ‘professionals’ who bad-mouth other security professionals at the lowest point in their careers – against Susan Mauldin for example.

In 4.5 years and close to 300 blogs I have never used the following words. But for those guilty of 3.;

Fuck you!

Seriously, how dare you!? Especially those who actually had the nerve to say Susan wasn’t qualified because she had a music degree and no other security related qualifications on her LinkedIn profile. Like certifications or even a degree are accurate representations of either a person’s skill-set, or their competence. I have no security relevant degrees, and my certifications were collected by reading a book and passing a pathetic multiple-choice test, but I will happily match my ABILITIES against anyone who does what I do.

More to the point, unless you actually work(ed) for the company that was just breached, you have no idea of what caused the breach in the first place. Yes, you can point to unpatched devices, and a host of other vulnerabilities POST-forensics, but you have NO idea of the business pressures the IS/IT teams were under. And if you think that should not matter, you’re not a true security professional.

I am in no way defending organisations that egregiously ignore security good practices just to increase profit. Nor am I defending the truly incompetent. But unless you have irrefutable evidence that either was the case, keep your opinions and reproaches to yourself. There is no such thing as 100% security, and there is no such thing as unlimited resources. The best you can ever hope for is that you have enough.

In security, a bad guy only has to be right once, security professionals have to be right ALL the time. Eventually we ALL make mistakes. Most of us are lucky, and our mistakes lead to nothing more than a minor event, but for some, the mistakes are career ending. Too often this is not because the people involved actually WERE incompetent, but because of the pressure to resign from the jerks who somehow think they are better. That the breach would not have happened under their watch.

Have you noticed though, that the people who are most critical and vitriolic tend to be mid-level no-bodies who will likely never make to the CISO level?

Do these people actually think that by taking cheap shots at the less fortunate that decent people won’t hate them for it. That Equifax and the other breach victims will suddenly reach out to them for help? That someone who has nothing better to do than kick someone while they’re down is just the kind of person they want on their team?

Let me ask you this: When was the last time you saw someone getting berated by his/her team for missing a penalty / field goal / you name it? You probably can’t remember, and why? BECAUSE THEY ARE ON THE SAME FUCKING TEAM!!

There are only 2 sides to cybersecurity; the good guys and the bad guys. Choose which side you’re on and stop being part of the problem.

[If you liked this article, please share! Want more like it, subscribe!]