I just posted this on Twitter after being frustrated again by how a lot of my fellow security folk are talking about technology.

They make fun of it. They ridicule it. They bash it. They tell people not to use it. They claim it’ll never get better. And by extension they are also pointing that scorn at anyone who would take an alternative opinion.

To be clear, I absolutely agree with them that we’re in for a shitshow. All I’m saying is that it’s inevitable. It’s coming. And we should be helping people get through safely instead of telling people categorically not to participate.

If I were looking for help with new technology, I wouldn’t want to take advice from someone on the Internet of Things, or Machine Learning, when I know they secretly hate it and wish it didn’t exist. And that’s where so many people in infosec are right now.

Too many people in infosec are basically teaching safe sex through abstinence, and it’s irresponsible.

Anyone who finds sex to be dirty and immoral is not qualified to teach sex education. And anyone who finds new technology to be demonic and scary is not qualified to prepare us for it.

The standard for InfoSec professionals on this account should be two-fold:

  1. You should be a genuine technologist who understands, appreciates, and enjoys technology in its various forms.
  2. You should be intimately aware of how technology can cause harm, and able to help others navigate its strengths and weaknesses.

We’re protectors and advisors, and our role is to help extract the good that technology can bring the world while helping people avoid the potential negatives.

If you see security people telling new technologies to get off their lawn, do us all a favor and call them out on it. Remind them that they should be technologists first, and that if they don’t like technology anymore then it’s time for them to move along and make way for those who do.

Disdain and fear are not going to make us more prepared for what’s coming. For that we need honesty, courage, and optimism.

Be that person, and ask others in the industry to be that person as well.

Notes

  1. I also don’t mean to disrespect researchers or other infosec professionals who believe they are doing a good thing by showing people all the problems with various IoT systems. They are doing good work, and it’s valuable. I just think we need to put it into the context of inevitability and work from there towards long-term solutions vs. pretending that we can actually stop it.