“The industry we fought to draw respect for is now on every front page of every newspaper pretty much every week. Whilst times have changed, the community and the industry have not really changed with them. The truth is, we don't fight the man anymore, in some ways we are the man, but we haven’t really changed our attitudes towards what sort of responsibility that puts on us.”
These were the words of Alex Stamos, chief security officer at Facebook and opening keynote speaker at Black Hat 2017 in Las Vegas today.
In a session titled ‘Stepping Up Our Game: Re-Focusing the Security Community on Defense and Making Security Work for Everyone’ Stamos argued that the information security community is not yet living up to its full potential.
“We have perfected the art of finding problems over and over again without addressing the root issues,” he added. “We need to think a little more carefully about what we do down stream after that moment of discovery.”
Therefore, Stamos pointed to three cultural aspects that the infosec community and industry needs to improve to make the lives of internet users safer.
Firstly, Stamos pointed to a tendency to focus on the complexity of flaws as opposed to the human element. “We are still really focused on the really sexy, difficult problems”, but in reality the adversaries will do the simplest thing to affect the cause they want, which can often go unrecognized.
Secondly, is that the infosec community has a real problem with empathy, and a tendency to punish people who implement imperfect solutions in an imperfect world.
“I don’t just mean empathy to each other,” Stamos explained, “we have a real inability to put ourselves in the shoes of the people we are trying to protect.
“It’s a common thought that everything would be better if users were perfect, but it’s a really dangerous one, because it makes it easy to shift responsibility for building trustworthy, dependable systems off ourselves onto other people.”
Third, Stamos argued that the industry has not been very effective in engaging the world.
“We are no smarter than the people whose systems we break. Security people are not brilliant, we’re not that much smarter than anyone else. We bring a very important way of looking at the world and an important set of skills and tools, but that does not mean we should denigrate others when we point out their mistakes.”
To conclude on a more positive tone, Stamos said that he is optimistic about the industry’s ability to improve, and doing so will come down to addressing two key factors: defense and diversity.
“I believe that good, educated defense is the child of offensive research, but I do believe the balance is a little bit off."
When it comes to diversity, Stamos said that building more diverse teams , with a diversity of backgrounds and ways of thinking, is vital for good security, as “you never know what kind of problem you are going to get into, so it’s much better to have a tool box with lots of different types of tools rather only having the best screwdrivers in the world.”