To All the Breach Vultures: Better Get Your OWN House In Order!

[WARNING: Contains bad language.]

The 3 things I hate most about my chosen field of cybersecurity are, in no particular order:

  1. The proliferation of ‘silver bullet’ / end-point protection technologies – when security is primarily concerned with people and process;
  2. Security organisations using either F.U.D or regulatory compliance to make money without providing real benefit – with GDPR for example; and
  3. Security ‘professionals’ who bad-mouth other security professionals at the lowest point in their careers – against Susan Mauldin for example.

In 4.5 years and close to 300 blogs I have never used the following words. But for those guilty of 3.:

Fuck you!

Seriously, how dare you!? Especially those who actually had the nerve to say Susan wasn’t qualified because she had a music degree and no other security-related qualifications on her LinkedIn profile. As if certifications or even a degree were accurate representations of either a person’s skill-set or their competence. I have no security-relevant degrees, and my certifications were collected by reading a book and passing a pathetic multiple-choice test, but I will happily match my ABILITIES against anyone who does what I do.

More to the point, unless you actually work(ed) for the company that was just breached, you have no idea of what caused the breach in the first place. Yes, you can point to unpatched devices, and a host of other vulnerabilities POST-forensics, but you have NO idea of the business pressures the IS/IT teams were under. And if you think that should not matter, you’re not a true security professional.

I am in no way defending organisations that egregiously ignore security good practices just to increase profit. Nor am I defending the truly incompetent. But unless you have irrefutable evidence that either was the case, keep your opinions and reproaches to yourself. There is no such thing as 100% security, and there is no such thing as unlimited resources. The best you can ever hope for is that you have enough.

In security, a bad guy only has to be right once; security professionals have to be right ALL the time. Eventually we ALL make mistakes. Most of us are lucky, and our mistakes lead to nothing more than a minor event, but for some, the mistakes are career ending. Too often this is not because the people involved actually WERE incompetent, but because of the pressure to resign from the jerks who somehow think they are better. That the breach would not have happened under their watch.

Have you noticed, though, that the people who are most critical and vitriolic tend to be mid-level nobodies who will likely never make it to the CISO level?

Do these people actually think that by taking cheap shots at the less fortunate, decent people won’t hate them for it? That Equifax and the other breach victims will suddenly reach out to them for help? That someone who has nothing better to do than kick someone while they’re down is just the kind of person they want on their team?

Let me ask you this: When was the last time you saw someone getting berated by his/her team for missing a penalty / field goal / you name it? You probably can’t remember, and why? BECAUSE THEY ARE ON THE SAME FUCKING TEAM!!

There are only 2 sides to cybersecurity: the good guys and the bad guys. Choose which side you’re on and stop being part of the problem.

10 thoughts on “To All the Breach Vultures: Better Get Your OWN House In Order!”

  1. What a great article, well said.
    I head up the Internal IT for an SME. Our small team have no formal qualifications in Security, we follow widely agreed best practices re our environment and that environment is certified to basic good practice levels. We do the best we can with what’s available and it’s an ongoing battle to get security technology funding, and actually a bigger part of the battle is to ensure staff don’t do anything stupid with the numerous social engineering attempts. It never ceases to amaze me that with any of these high-profile hacks or compromises the need to find a scapegoat (the CIO or CISO) seems to be front and centre. I wonder if banks sack the Head of Security every time a branch is held up or a clerk inadvertently hands the branch door keys to someone.

  2. Exactly right!!!

    I also vote with my pocket-book. Wife’s company just offered some neat products through a local credit union. I would rather pass than give any business to a sector that has gone out of their way to publicly bash one party in the US PCI industry instead of working to actually reduce the risk.

  3. Like it, like it. Hard not to really. Thanks for this David.
    I don’t berate analysts and engineers who’ve been employed at a haxored organisation because the sector in general is sick. Their fate was handed down to them from above.
    I have to confess though to being especially scathing of one class of pro – one that I will regularly single out as being a cancer on the sector. They are sort of at “a low in their careers” as you said, because they’ve been flat-line since day one. These are the Upton Sinclair Quotables, as I call them. These are the folk with no technical background who regularly tell C-levels that security is not even remotely about IT. Now it’s one thing if they genuinely believe what they say; then we can forgive them for being ignorant. But come on… seriously. Nobody believes security is not at all about IT.
    If my experience is anything to go by, this is a pandemic. Most of the advice given to boards comes from these folk because they also fit the mould of being aesthetically pleasing and the associated dishonesty allows for short-cutting the stairway to heaven.
    So whereas I am usually able to find the Dalai Lama ability-to-forgive qualities with infosec peeps, I completely fail with these chumps.
    “It is difficult to get a man to understand something, when his salary depends on his not understanding it.”

  4. Very well said David! Cyber/Information/IT security is not all FUD. The business context is so important to understanding what went wrong which led to a breach. Organisations need to be held to account for any lapses which caused a breach but picking on individuals and attacking them without knowing the full operational context they had to deal with is short sighted.
