A few days ago, I was sitting on my couch, mindlessly scrolling through Twitter, when something caught my eye. Someone had tweeted out an article from venerable business broadcaster, CNBC, about a "hack-proof" smartphone. Hack-proof. Their words.
Look, reader, I've been in this business for a while. I've been patching holes and doing incident response since before you were in diapers (unless you're older than 20).
One thing I can say with absolute certainty is that there's no such thing as a "hack-proof" anything. Give enough monkeys enough typewriters (or, indeed, enough researchers enough Club Mate), and they'll eventually stumble upon a hole big enough to give an attacker ingress.
But that’s just it, isn’t it? The concept of something being ultra-secure or ultra-insecure is just a fundamental misconception in how we look at security. Despite a manufacturer’s claims, 99.999 percent of the time, the reality is usually slap-bang in the middle.
Nobody knows nothing anymore
Channeling my inner Billy Bragg, isn't it fair to say that nobody knows nothing anymore? I'm not just talking about the press -- although sloppy security reporting is far too common, and unfailingly gets my goat. What about people in the inside of the industry?
A pen-tester, for example, may be incredibly talented at breaking into vulnerable systems. But how well does she know the other parts of the industry? You know, risk management, for example? Generally, not so much.
Similarly, a top-notch CISO probably knows all there is to know about managing a team and prioritizing security resources, but if presented with a hard-disk and asked to forensically image it, would they know how to? Perhaps not.
A huge misconception about InfoSec is the belief that, fundamentally, it's a technological discipline. Technology is a huge part of things, sure, but that doesn’t present the whole picture, either.
When I tell my distant aunts and cousins what I do, they inevitably conjure up visions of me sporting a black leather trench coat and a pair of aviators, frantically tapping at a keyboard while binary numbers snake down the screen vertically.
While that's a cool image, it's not an accurate reflection of what I -- and many people in InfoSec -- actually do. The reality is that my job involves a lot of writing and a lot of meetings. And it's still very much within the broader field of information security.
I'd even argue (although some would vehemently disagree) that marketing and communications should also be considered to be part of InfoSec. If your goal is to increase compliance in an organization, you've ultimately got to shape the behavior of non-technical workers. How would you do that?
Oh yeah, that would be through marketing and communications.
The public ain't too sure, either
So, people on the inside don't necessarily understand the true depth of our field. But what about the layperson, the ordinary bloke and blokette on the street? Surely, given that the UK's information security industry is worth billions of pounds and employs thousands, people would have a clue as to what we do?
Well…no. Depressingly, most non-technical people I've spoken with haven't got a clue about what we do, or indeed, why they should take an interest in the fundamentals of computer security. Here are just a few snippets from some conversations I've had during the first few months of 2018:
- Taxi driver: "Aren't you all teenage hackers that got caught, or something?" (Not quite, my good man. In fact, that's pretty rare; having a cyber-crime conviction would count against you when trying to go legit with a big firm. Most of the people I work with either entered the field through self-study or through a relevant degree program).
- Small business owner: "I don't buy it. Why should I be worried? My company's tiny. Nobody is going to target me. Hackers are only concerned with banks and big businesses." (Um, ever hear the expression “low hanging fruit?” And the acronym GDPR?).
- Different taxi driver: "I bet you lot are unhackable." (the answer is no – in fact, several of my colleagues across the wider industry have had their PayPal accounts hacked to buy iPhones for scammers in West Africa).
I sincerely wish I was making these up for comic effect; unfortunately, I'm not.
To know, or to grow?
That is the question. We can't really do much about the inaccurate reporting about security issues in the press, other than (politely) calling it out when we see it. Similarly, there's not much we can do about the people outside our industry who almost never end up thinking about information security.
But what about us, the industry insiders? As I mentioned, InfoSec is a big field, containing several overlapping disciplines, most of which aren't technical in nature. Should we all try to become more well-rounded, or continue to live within our particular discipline echo chambers, focusing only on getting really good at a particular skillset?
That, dear reader, is a question I'll leave for you. Feel free to tweet me your thoughts @J4vv4D.