Whenever there is a meeting to talk about, say, Windows servers, the technical discussion is left primarily to the subject matter experts. The same can be said of application development and so on. So why is it that when the discussion ultimately circles around to security, everyone in the room thinks they know more than the security wonk?

I have had the distinct displeasure at a former company to sit in a meeting where the CTO said that UDP was a more reliable transport than TCP. He followed by telling me that telnet was a secure method of communication. Thankfully my coworker had the foresight to chain me to my seat and to jab a syringe filled with some sedative into my leg.

This is an example of why I refuse to be intimidated by anyone simply because their business card has a lofty signature. I do find it an interesting social experiment, however. Why do people feel it necessary to tell me about the computer virus they had on their Windows 98 machine when I’m at a Christmas party? Not that I have a problem discussing it. But they feel it necessary to cross swords with me rather than discuss it. My first thought is “Well, hell. You asked me.”, but that gives way to a more diplomatic approach. I try to steer the conversation in such a manner that the initiator feels they have made their point.

Very curious.

[tags]Security SME, Security Education[/tags]

Comments

  1. Two words – Marketing

    Infosec professionals, and infosec organizations, have not correctly aligned their work to business goals. There is no credibility as a result. Any idiot can proclaim they’re just as effective as we are because we simply aren’t very effective right now.

    Viruses run rampant, we scream “We blocked X virii today”. Data leaks out, we scream “We’re doing egress filtering today”. E-Discovery runs rampant, we scream “We imaged X disks today”.

    Quite frankly, no one gives a rip and the problems aren’t being solved. Internal marketing efforts, as well as scope of work, MUST be focused on solving business problems – not technology problems.

    No perceived value = Any Joe Schmoe can do the job

    We can’t invent new ways of being valuable. We must plug into existing value propositions at the companies we work for – just like everyone else. What makes us think we can reinvent what business value means? Turning the table on the “we can do it better” beef, we aren’t risk managers and we aren’t technologists. The vast majority of infosec practitioners don’t have the chops to be cutting edge researchers. We must be business partners.
