Mary Ann Davidson’s post chastising Oracle customers for checking the company’s code for vulnerabilities created nothing less than a surge in security industry chatter this week. I’m not necessarily writing to analyze that chatter or further dissect Davidson’s comments; however, her post hit one of my exposed nerves.
My friend Branden Williams touched on it:
Davidson really wants to be considered a security person. She reminds me of Jerry Jones wanting to be known as a Football Man. She ran for and sits on the ISSA International Board of Directors. She has keynoted several conferences as a security expert. Yet, based on her actions, she may be one of the only security people I have ever interacted with that DOESN’T want to make her products more secure.
It’s a fair statement, and it brings up a question that always makes me a bit uncomfortable: what exactly is a security person? CSOs are generally given a baseline level of security credibility due to their roles, even though the role has varying degrees of technical capability and, depending on the organization, may be entirely business and policy focused. Davidson has benefited from this, as evidenced by her ISSA position and previous acceptance as a speaker at security conferences.
By default, she is a security person.
But, to Williams’ point, the commentary in her now-deleted post is indicative of someone who doesn’t understand security much at all. And that’s where my exposed nerve comes in: the de facto credibility of security people because of a role. Flip that on its head, and there’s a lot of “you are not a security person because you don’t” conversation as well.
Allow me to explain.
I’ve been a marketer in the security industry for the better part of 15 years. Aside from how much this dates me, it’s a stat that makes me proud – except when others question whether I’m a security person at all. Take, for instance, last week’s Black Hat USA conference. I was having a perfectly pleasant conversation with an acquaintance, and mentioned that I was considering staying for DEF CON. The immediate, and well-intended question was, “Why would you do that? You’re a marketer, not a security person.”
I did my best “blink twice confused face” and then shrugged it off. It’s not the first time I’ve heard this, but it stings each time. Sure, I don’t have security in my title, and I’m only technical enough to be slightly dangerous, but it still thrust me into an episode of auto-critique, “well, I can’t code or do crypto, and I’m not a technology purist, so perhaps that’s a fair assessment…”
I guess I’m not a security person.
I’ve been at this a while and I’ve heard the same statement countless times, so I don’t take this too personally, even if it sometimes makes me wobbly. Heck, I can’t take it too personally, because this isn’t just a technologist vs. marketer thing. Even within the more nitty gritty security community, there’s the existence of what I call an “arbitrary hierarchy of technical proficiency.” “I can write better exploits than you do” is a common underpinning of much of the otherwise friendly banter I see on social networks.
The biggest challenge I see in my exchange with my acquaintance, and with the arbitrary hierarchy of technical proficiency, is the pronounced need of members of our industry to feel “special by exclusion.” Create little groups with special rules to separate yourself from the masses, and then dictate terms of how the industry should work, and who should play a role and how important they are. Regardless of Davidson’s intent, that’s exactly what she did in her post.
But, well, OK, she’s a security person.
And hey, I get it. Special by exclusion has its perks. People smile when they look in the mirror, they get handshakes at conferences, and no one gets hurt.
Except for when they do.
Except for when special by exclusion gets in the way of better securing people and organizations.
Except for when special by exclusion interferes with an industry that is trying to move toward more sharing for better outcomes.
Except for when special by exclusion alienates people who otherwise believe in the cause and want to do their part to move the industry forward.
So, take away the de facto credibility and ego battles and let’s ask, fundamentally, what is a security person? In my mind, regardless of skill set or role, these four things are fundamental attributes of a security person:
- You care about the ultimate cause of making life harder for the adversary
- You fiercely protect sharing, reverse engineering, and research
- You eradicate all FUD while educating (or marketing, for that matter)
- You never blame end users for trying to achieve better security
There’s more that can be added to this bare bones list; these are just fundamentals in my mind. I would like others in the industry to think about what they mean when they say security person, or people, or even practitioner. To me, again, to be a security person you don’t have to write exploits. You don’t have to be famous. You don’t have to have a fat paycheck or a fancy title.
However, you do need to care about the end result of securing people and businesses and not take your position as security person for granted. And, if you are a corporate business leader, you do need to foster inclusivity and not berate your customers for doing what they need to do to ensure their own protection, or the protection of their own customers.
It’s funny: we are nearly 20 years since Elias Levy published “Smashing the stack for fun and profit”, and we still have organizations producing poor quality, insecure software, policy makers hiding from the reality of criminal intent and ability, and Davidson, the CSO of a major global company, pretending that vulnerabilities do not exist and, if they do, that others do not have the right to find them.
But, hey, she’s a security person.