
Memberships

The Surgery

Private • 132 • Free

Real Security Heretics

Public • 80 • Free

Well Fed Renegades

Public • 194 • Free

2 contributions to Real Security Heretics
When your employer demands shit security
@Lupe Peterman mentioned something interesting that is worth a thread on its own. She said that this... "It gave me confidence my concerns were valid but it also depressed me in the sense that I felt my concerns could not be voiced. Especially because I work at a company that supports some of the ideology that the book goes against." I hear that a lot. Organisations just want to get on with what they understand, or what they think everyone else is doing (even if it is demonstrably shit). The question is this...what can we do (if anything) about it? What skills do you think you'd need to 'turn the ship'?
New comment Jul '23
2 likes • Jun '23
I'll go with the obvious. If you don't believe in what you say, nobody else will. Do the work, prepare, read opposing arguments to your theories, change your opinions if needed, build knowledge... Do whatever you have to, but start by believing in what you say. Start backing up with actions, even small ones. Walk the talk, do it consistently. Be curious. You also need context about the company, the people, the processes, the assets, the competition, the legal environment, the finances... That's where business skills can be useful. Then, the most important thing is to make it actionable. Have solutions, not just complaints. It requires being able to design a strategy, which means at a minimum performing a diagnostic, defining guiding policies and taking coherent actions. If you just have ideas, people can dismiss them or say yes to everything to get rid of you; when you have a plan, that's when things get real, because they commit to something (in writing ;) ). Then, when you have this action plan, you should communicate it. That requires human interaction, which means whatever your picks are in a long list of specialties (psychiatry, psychology, criminology, communication, sociology...). Of course, you also have to follow up, keep things organized, track results. So I guess project management skills. The last thing is that you should manage your expectations. I'd be surprised if you manage to do everything on the first try.
Some questions
Over on the hellhole that is LinkedIn, the following (rhetorical) questions were posted on a thread of mine from someone who read the book and is familiar with my work. Here is what they said... "I've read the problem of security and know your opinions on Certification Bodies as a whole. But for entry level folk just starting their career, they're going to rely on what they are taught. They trust (rightly or wrongly) that what they paid for and were tested on was correct. At what point does it become the individuals fault that they're working off incorrect/outdated principles and not the certification bodies or educators? When is it no longer acceptable to claim ignorance? Or is it never OK and you should understand these problems before stepping into the field or you're doomed to fail?" I have some ideas...but what do you think?
New comment Jun '23
3 likes • Jun '23
Most people going into Security have either a higher education diploma or real work experience. That means they don't start on a blank page; we can't (or at least we shouldn't have to) treat them as toddlers. They should be able to apply basic reasoning skills. In particular, one of the standard principles is that security is always evolving and that your job is to stay one step ahead of the attacker. If that is really true, how can you say that the domain evolves, but that the practices associated with it should not change? If you have this mindset you should always strive to find things to improve. I've never seen anybody in IT apply a tutorial, see that it obviously failed, and assume that because he applied the tutorial properly he did everything he could. In that situation people immediately go into diagnostic mode and try to fix things, adapt the tutorial, check the versions, check access rights, read logs... I believe that for security we should do the same. It's more difficult because the feedback is not as clear and immediate, but I still think it's possible. (Which should immediately bring the question to everybody's head: if we need feedback to learn quickly, how can we improve the way we get feedback on our actions in security to make easy and fast learning a reality?) So to answer your question, it stops being acceptable to claim ignorance when you know something doesn't work (or that you made a mistake) and you don't even TRY to fix it. At that point it's called laziness or resignation/surrender. I am not saying you can always fix it, but you should at least think about it to determine whether or not it is fixable and what it would take to fix it. That reminds me of a very common saying: trick/fool me once...
Jérémy Dondaine
@jeremy-dondaine-8889
Problem-solver specialized in security

Active 24d ago
Joined Jun 16, 2023