InfoSec needs a reputation overhaul

February 13, 2020  |  Bob Covello

An independent guest blogger wrote this blog.

I was in a medical office the other day, and when the doctor came into the room, he needed to unlock his phone to contact a pharmacy. I couldn’t help but notice that his home screen had a photo of an infant. It was an adorable infant, and I asked, “How old is your child?” The doctor reflexively answered, “10 months”, but then became a bit shocked and asked me, “How do you know I have a child?”

I confessed that I saw it on his home screen on his phone.  I told him that I worked in cybersecurity, to which he responded, “oh, you guys steal everything”.  Ouch!  Now, the shock was shifted to me.  A bit embarrassed, I apologized for being such a snoop, but it certainly made me think: are all of us InfoSec folks like this?

Reflect for a moment on your actions when you enter a room and see computer screens.  Do you instinctively try to see what is on the screen?  Does something as trivial as an operating system logo make you mentally churn through all the exploitable vulnerabilities? Do your eyes light up when you notice that your local pizza place is still using Windows XP for their ordering terminals?

We have a problem in our community. Our reputation is tarnished. We are not viewed as people who can help, like doctors, nurses, and other first responders. Instead, we are seen as digital thieves and snoops. We need a reputation overhaul.

Is this because our particular profession is so young that we feel officiously compelled to point out every vulnerable system, every exploitable action, and every weak security practice? Is this our way of increasing awareness about the perils of the digital world? It is not serving us well. I have pointed out in a previous post that we need to better engage with our clients, and that we lack inherited credibility. Yes, these are soft skills indeed, but look at what we have created by behaving as we currently do: “you guys steal everything”.

What is our remedy for this problem? I propose that we InfoSec folks start to think more like first responders. There is nothing wrong with reserving the ability to act when necessary, but perhaps we need not point out everything we see when we are not being asked to do so. How would you feel if you were cautioned by a nurse every time you ordered something “unhealthy” in a restaurant? Not the most pleasant dining experience. That nurse may be there to rescue you if you start choking, but will not make unsolicited comments about your food preferences prior to that.

My wife is a psychotherapist, and when we attend social events, people often say to her, “Oh, I suppose that you are analyzing me.” She has come up with a very funny, but true, response: “You ain’t paying me, I ain’t analyzing you.” Perhaps it is time for InfoSec professionals to take the same approach.
