Throwing Stones in Glass Houses: Views on the Security Industry

Sunday, August 26, 2012

Rafal Los


Disclaimer: This blog post is strictly my personal point-of-view.

The old saying goes "People in glass houses shouldn't throw stones", which translates to don't attack others when you may have the same problems...

The Information Security industry is rife with this sort of negativity.

Watching the blogs and security news is equally uninspiring.  All you have to do to witness this nastiness is wait for news of some company being hacked and watch their competitors come out in full force to rave against them.  

We saw this when RSA got whacked as everyone selling authentication solutions that competed with RSA went after them. There are many, many examples of this all over the place.

The lesson here is that it's really easy to look at someone else going through what I (and hopefully a large part of the industry) believe is an inevitability of doing business - getting hacked or compromised - and comment on the failings and shortcomings, and laugh at how you'd do it better.

That is, of course, until it happens to you.  It may not happen immediately and heck it may not happen for years... or worse it's already happened and you simply don't know it. The threats are real, and there is no such thing as 'secure'... so why are we so quick to pile on to others' pain?

We, as an industry, do it to companies as well as individuals.  I'm confident that this sort of thing happens outside the security industry - but it's more visible here because of the gravity of some of these cases.  It's easy to Monday morning quarterback and talk about what you would have done differently or why someone is stupid for doing something that put them in a compromising position... but the reality is we're all living in glass houses.

Believe me, I'm as well aware of this as anyone.  Being in a public position in an organization that has its good and bad days, I see the ebb and flow of support out there. When you're the King of the Mountain, everyone wants a piece of you and can't wait to dethrone you... point out your flaws, tear you down, and rejoice in your failures.  But then eventually you get to be King of the Mountain, and become the one with the target painted on you... then it's not so fun.

The question I've been trying to answer for myself is - are people in the security community just more cynical in nature, is it psychological?  Are we just wired this way? Maybe this is the route some people and companies feel they need to go to get attention?  Healthy ribbing of the competition, I get.  The rest baffles me.  As an industry our goal is to create more resilient, more 'secure', and more defensible postures for everyone.

With that in mind, here are some 'rules to live by' I've made for myself over the years, drawn from a conglomeration of corporate directives, personal philosophy, and outside influences... I hope you find them helpful:

  1. Rule #1: Never rejoice in someone else's failure
  2. Rule #2: Never point out someone else's specific failures unless you're 101% sure you haven't made the same mistakes
  3. Rule #3: Never mistake foolish pride for actual knowledge
  4. Rule #4: Remember the golden rule? - treat others as you would want to be treated
  5. Rule #5: Remember the higher up you've climbed, the more shoulders you're standing on
  6. Rule #6: It's a small world, and we're all connected, don't forget that.

Anyway... I just thought I'd write this as we all begin piling onto the next company that gets hacked or sacked... as Queen's "Another one bites the dust" plays in the background.

Cross-posted from Following the White Rabbit

Comment from Lisa Simpson:

While I agree with you on the whole, public ridicule has been used since the dawn of human society to enforce standards of behavior. HBGary and Sony PlayStation Network spring immediately to mind. Given the way that both companies created the situation in which they got hacked, the rather lame attempt at a massive cover-up of the breaches, etc., it becomes increasingly difficult to muster up a lot of sympathy.