“Insanity is doing the same thing over and over again and expecting different results”.
A quote often attributed to Albert Einstein, but there’s some doubt about that. Nevertheless, it’s absolutely correct and applies to our beloved information security community.
If you spend even a small amount of time on ‘infosec social media’, be it Twitter, LinkedIn, Mastodon or whatever, you’ll notice that certain patterns emerge. Mostly they’re around debates being endlessly recycled year in, year out.
Here are just a handful of examples:
- What is the right thing to do about user account management?
- How do we manage the lifecycle of technology (read patching, getting rid of technical debt and stuff like that)?
- What’s happening with the supply chain?
- Social media app use, is it appropriate or safe for public servants?
Basically, all of that and every other circular argument that consumes professionals’ time and energy to debate.
Add to the list things like end-to-end encryption (E2EE) and data incident management and frankly the list becomes pretty lengthy.
I won’t unpack every example mentioned above, because this will cease to be a blog post and become an academic paper or a collection of more words than the good folks at Infosecurity Magazine can be bothered to proof, let alone you read.
Questions We Know the Answers To
I will however make some general points. Here goes.
How long is it since we all agreed that password management for most online services people consume is inadequate? How long is it since we all agreed that multi-factor authentication (MFA) is a must, as a component of helping keep your online accounts free from compromise?
How long is it since we all agreed that using a password manager was a good idea, in order to create strong and unique secrets that unlock our digital personas?
How long is it since we last saw a social media pile on when a well-known corporate entity had its data encrypted and also looted by a bad actor?
The answer to all bar the latter question is ‘years ago’.
The reason for that is increasingly because we’re learning one massively important thing. Compromise is a when and not an if. That’s helpful, as it aids in quelling the bizarre glee that historically ensued when a big-ticket firm had a particularly bad day and ‘infosec social media’ danced around that fire.
Many now understand that and worry about the thought of “is it me and my company next?” It’s great for the constitution, but more importantly great for risk reduction, both personally and in the enterprise, as it focuses effort on the materially important things to deal with.
The Cyber Bubble
My point takes us back to the circular arguments and the phenomenon that is the ‘cyber bubble’.
“Bubble, you say?” Yeah, bubble. We spend a lot of time in this industry arguing and throwing conjecture around, but also, we often agree. There are many Twitter polls out there that suggest so.
The problem is this: When we do agree, we just circle back round and round to the same debate and then either agree again or disagree for reasons such as a ‘luminary’ with 100K+ social followers has an opposing view, and their ‘workers’ join the rebellion.
The challenge is that when we do agree and are able to quash the rebellions in favour of an overwhelming consensus, we often don’t enact or promote it to the extent that it makes its mark on the people we need it to – the architects, the designers, the builders and of course the users.
Everything in life that is repeatable should be automated, but that excludes mistakes.
Follow The Beer Farmers on Social Media:
Twitter: @Thebeerfarmers
LinkedIn: The Beer Farmers