Shostack + Friends Blog Archive


Participatory Security

Cutaway, over at Security Ripcord, offers another angle on the argument that security needs to understand the business constraints and goals of the organization. He (She?) quite rightly points out that security is part of the “Service and Support” group. He makes two essential points:

I have been hearing a lot of talk from security professionals that seems very elitist. End users are the enemy. End users are generally too stupid to operate technology correctly, let alone securely. Well, I am here to tell you, if you are thinking this way then you have it all ass backwards. If you have come to the point where you cannot stand the people that you are supporting then perhaps you should move on.


Telling somebody “NO” is just going to make them want to do it that much more, and that is when they start violating policy. Instead, sit down with them and find out what they are trying to do. Have a conversation with them. If you have to tell them no, then soften it with several reasons. Don’t just say “That’s against policy” or “That will blow holes in our security posture.” Instead, tell them the repercussions of their actions. Use real-world examples of how it could affect them, their coworkers, their boss, and their jobs. People are smarter than you think, but they tend to be smart about particular things. By sitting down with end users you find out how to relate to them and how to make them understand. Once you have done this, your next conversation with that end user will be shorter. The reason for this will be twofold: 1) you know how to talk to them so that they understand, and 2) they respect you and your decisions. Amazing.

More importantly, he challenges security people to do something rather than bitching and moaning:

Stop whining about end users and start educating them. For every second that you bitch to your friends (or the public) about them, spend an additional two or three sitting down with an end user and finding out what is hindering their progress toward understanding the technology and security.

It’s this challenge that I find most compelling, and not only for security but also for privacy. We as security and privacy professionals have a responsibility, especially in light of the way that the US is becoming a surveillance society, not just to speak out at conferences and in blogs, but to educate our friends and families directly about what is going on and how they can protect themselves. So in a similar spirit, I challenge you to teach your friends and families, and to donate to causes such as the EFF, EPIC and the ACLU. Contact your senators and your representatives and let them know how you feel. And last but not least, vote.

4 comments on "Participatory Security"

  • Brad Lhotsky says:

    I wrote about this a while ago on my blog:
    Another problem is the people making the security policy tend to grant themselves exceptions to those policies. Here at my organization, all IT has the same security restrictions on their workstations as the rest of the crowd. It’s incredibly useful to get in the trenches with the users and actually learn how the computer can help them do their job.
    Also, as working from home becomes more common, security professionals are going to need to learn to teach security principles to their users in interesting ways. Users generally don’t want to be insecure, but there’s a perception of security as inconvenience.
    I’d appreciate some feedback on the articles I’ve written on these topics if someone’s got a few minutes.

  • David Brodbeck says:

    I’ve often remarked that, as an IT worker, the other employees of the company are my “customers.” I have to remind myself frequently to treat them that way.

  • Cutaway says:

    Thank you for commenting on my post. I like how you have applied my words into other important, related aspects. I too am concerned about privacy (funny how many security professionals are these days) and I am also glad to see you are asking people to make a political stand. I hope that people take this to heart. Might I suggest that people also try to make a change by participating in their party’s local primaries. This will help get people who care about these issues on the ballots.
    Go forth and do good things,

  • Iang says:

    LOL, talk about hubris … there is also 3) that maybe the users are right, and the security people don’t know what they are talking about. This happens more commonly than we care to believe.
