Since writing the New School, I’ve been thinking a lot about why it seems so hard to get there. There are two elements which Andrew and I didn’t explicitly write about which I think are tremendously important. Both of them have to do with the psychology of information security.
The first is that security experts are often excited by what we do. Many people have said to me “I can’t believe they pay me to do this!” That’s great — the enthusiasm, dedication and engagement that many security professionals bring to work helps us get through tasks which can feel depressing and futile. This enthusiasm can also lead to a great deal of attachment to projects. It can lead to frustration when our own risk assessments — as good as we can make them without outcome data — aren’t good enough to get things to go the way we know they ought to go so the business is protected.
There’s a constellation of ideas I talk about. There’s a crisis in information security, a need to change the way we work and the need to learn from other fields. And the passion that experts feel for our work makes those ideas threatening. It can seem as if I’m critiquing the way we do things out of malice, and that’s simply not the intent. I’ve been there. I’ve pounded the table and screamed at people. And I, and I think Andrew, wrote the New School so we can be more effective.
The second reason that I think we’re having trouble is that the personalization and attachment to our work makes mistakes feel like personal failures. They’re usually not. We get told that we need to write policies and force people to use 13 character passwords with 4 non-alphanumerics and changed every 3 weeks because that would lower our ALE if only we could calculate it. That it’s a best practice to claim that users are un-educatable and the problem. That if we fail our businesses will fail. That what that stupid engineer did was wrong. That’s the cultural orientation, the markers that we learn to use to identify each other. And when we fail after doing all of what we’ve been told, we feel it’s our fault. Our colleagues, our idols and our mentors can’t have been wrong, so it must be that we didn’t do what they said well enough. But no one wants to take blame, and so we double down on the same, failed, old school ideas and we hide our mistakes.
These are real and human reactions. I’m not critiquing anyone for reacting in these ways. We’re simply offering a way forward which has worked most everywhere it’s been tried.