Cutaway, over at Security Ripcord provides us with an alternate take on the fact that security needs to understand the business constraints and goals of the organization. He (She?) quite rightly points out that security is a part of the “Service and Support” Group. He has two essential points:
I have been hearing a lot of talk from security professionals that seems very elitist. End users are the enemy. End users are generally too stupid to operate technology correctly, let alone securely. Well, I am here to tell you, if you are thinking this way then you have it all ass backwards. If you have come to the point where you cannot stand the people that you are supporting then perhaps you should move on.
Telling somebody “NO” is just going to make them want to do it that much more, and that is when they start violating policy. Instead, sit down with them and find out what they are trying to do. Have a conversation with them. If you have to tell them no, then soften it with several reasons. Don’t just say “That’s against policy” or “That will blow holes in our security posture.” Instead, tell them the repercussions of their actions. Use real-world examples of how it could affect them, their coworkers, their boss, and their jobs. People are smarter than you think, but they tend to be smart about particular things. By sitting down with end users you find out how to relate to them and how to make them understand. Once you have done this, your next conversation with that end user will be shorter. The reason for this will be twofold: 1) You know how to talk to them so that they understand, and 2) They respect you and your decisions. Amazing.
More importantly, he challenges security people to do something rather than bitching and moaning:
Stop whining about end users and start educating them. For every second that you bitch to your friends (or the public) about them, spend an additional two or three sitting down with an end user and find out what is hindering their progress toward understanding the technology and security.
It’s this challenge that I find most compelling, not only for security but also for privacy. We as security and privacy professionals have a responsibility, especially in light of the way the US is becoming a surveillance society, to not just speak out at conferences and in blogs, but to educate our friends and families directly on what is going on and how they can protect themselves. So in a similar spirit, I challenge you to teach your friends and families, and to donate to causes such as the EFF, EPIC and the ACLU. Contact your senators and your representatives and let them know how you feel. And last but not least, vote.