This article can also be found in the Premium Editorial Download "Information Security magazine: Negative exposure: Web scanners reveal unknown holes."
We may not all call it by this name, but security practitioners in every country love to "whinge," because it's so much easier to whinge about a problem than to try to fix it.
Nobody understands how important security is. We never get the budget and respect we deserve. The CIO won't listen to us... Any of this sound familiar?
Over the last few years, the volume of infosec whinging has been deafening, thanks in part to the legions of newbies whose expectations don't square with reality. Even after the high-tech meltdown, the vendor space is filled with goofy products developed by technologists who don't know the difference between need and demand.
One unintended consequence of this trend is that thousands of bored employees have become convinced that infosec is a really happening place, characterized by astronomical salaries and constant entertainment. Inspired by the hype, an increasing number of new entrants to the field are bringing unrealistic and unfulfillable expectations with them.
Unprepared to deal with strategic issues, the chronic infosec whinger is blind to the reality of business: No significant gain is possible without accepting significant risk. All aspects of commerce are perilous, and savvy executives responsible for choosing which risks to accept realized long ago that doomsday predictions from security weenies can be safely ignored. We're worse than naïve in our expectations about what it takes to gain attention for our priorities, and hence we're constantly frustrated.
These issues are not unique to infosec. Three fables provide insight: The Boy Who Cried Wolf manipulated the agricultural emergency broadcasting system to selfishly provide himself with amusement at the expense of his community. Chicken Little was responsible for a different form of false alarm, establishing herself as a crackpot whose prophecies about the integrity of the sky were totally unfounded. Both were chronic whingers, attempting to increase their prestige and influence through the manipulation of fear.
The message in both stories is that such fun is short-lived, and it causes irreparable loss of stature and influence. In contrast, upon becoming aware of an actual risk to his community, the Little Dutch Boy immediately did what was necessary, not complaining, but patiently and painfully waiting through the long cold night until help arrived. Society values those who contribute, not those who squawk.
Security is an inherently political field, and a whinger would rather ignore the political realities than learn how to create compromise and work within the system. The ability to determine organizational priorities is a privilege that must be earned...and fought for.
A lot of infosec wannabes lack the ambition and skills necessary to gain the influence they desire. For those who sincerely wish to advance the profession, an understanding of general business principles, not to mention their employer's own business model, is mandatory. To avoid being marginalized, we must paint a realistic and credible picture of infosec risk for the corporate decision-makers. And we must stop complaining when those responsible for the big picture don't automatically react after we point out some obscure new bug.
No, we'll never get everything we think we need. But this is a good thing. It's important for the decision-makers to have multiple sources of information to make good choices about expenditures for the entire organization. If we can't respond to this, we must start thinking outside our comfort zone. That's the way to earn the respect of those who control the purse strings.
But instead of doing something to earn it, the whingers would rather keep complaining that they don't get enough respect. This creates a reputation that all infosec practitioners are the Rodney Dangerfields of the corporate world. It's time that we stopped putting up with this--it's putting us all at risk.
About the author:
Jay Heiser, CISSP, works for a large European bank in London. His most recent book is Computer Forensics: Incident Response Essentials (Addison-Wesley, 2001).
This was first published in January 2003.