I Wish

That all security professionals spent time having to explain what they want to do to lay people. And that doesn’t mean Information Technology professionals, who will understand many of the things you are describing.

No, you really need to learn how to communicate what you intend to accomplish, how you will accomplish it, and what it will involve to people who have absolutely no practitioner knowledge of InfoSec. Talking to people who don’t automatically know what packets are, a man in the middle, firewalls, malware and all the other things we take for granted would open everyone’s eyes.

You would have to find ways to explain what a SIEM is, why you need an MSSP, how someone’s credentials are compromised, and why that puts them at risk for financial fraud and identity theft. When you talk about whaling, spear phishing and social engineering, their eyes will glaze over until you explain it in ways they can understand.

How many of you ever have to do that? Very few. I wish you all had the opportunity to talk to “normal” people and explain what you do. It would make a huge difference for all involved.


About Eric Cowperthwaite

Nearly 30 year security professional, 11 years in the US Army, and another 18 in the civilian world. Worked for EDS for 9 years, then for Providence Health & Services as their CSO for 7 years. Now I work for CORE Security as their VP, Advanced Security & Strategy. This blog is not just about security, either physical or information. You can expect to read about cigars, my life, things I think are funny and much more. And I will rail about the FUD that so many security practitioners toss around on a regular basis. Plus, once in a great while, I might actually share a thought or two about security. Did I mention that I will probably blog about cigars? Just to be clear, nothing that I write here represents the position or opinion of my employer. Nothing I write here is proprietary or confidential to my employer. Everything I write here is my personal opinion.
This entry was posted in InfoSec, Security. Bookmark the permalink.

2 Responses to I Wish

  1. Ken Swick says:

    Well said. Amazing that more IS professionals do not do this. How else can you convince business to do what is required to help them do their jobs securely? Otherwise all they see is money being thrown at mysterious acronyms with little to no idea of its effectiveness.

  2. Most IS professionals live and work in echo chambers. They generally only have to explain what they are doing to other Infosec guys or, perhaps, some IT leadership. Maybe the ISO has to talk to people outside the IT organization, but other than that, not so much. And the Prof Services and consulting folks very often have little to no idea of what the life of that ISO is like.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s