I work in the computer security industry.

When I got my job, I was not delusional about it. Like any field, I knew that there were good things, and bad things, about compsec. Perhaps it’s because I’ve been doing it for going on 6 years now, that I am cynical about everything related to the field.

I’m sure there are haters out that there that will call me a blasphemer for saying this but 99.999% of computer security comes down to these two things

  • Don’t read email in HTML
  • Don’t visit websites that you shouldn’t

There. Done.

Computer Security is not a technology problem. At all. It is 100% a people problem. People don’t like to be told the obvious though. In much the same way that people want to be “told good things about their bad habits” (a la Atkins, Paleo, Diet Pills, etc) people want to be believe that they can just buy the new whizbang security appliance from Giant Vendor Who Doesn’t Care, and it will solve all their problems.

The security industry is built on this premise. But the industry operates in the same way that the majority of the drug industry operates; it treats the symptom, not the problem.

That approach is immoral and wrong. It is wrong because it is wrong; there is no arguing.

I have crossed Go, I have collected the $200 dollars. I’ve lived this whole charade for last 6 years. Most of the products in the industry are snake oil. Full packet capture tools, extrusion prevention systems, IDS, IPS, Antivirus, Anti malware, SIM and SEIM, malware analysis engines, web proxies and filters, actually, just make that anything that has to do with blocking.

It boils down to the one and only question that you ever need to ask yourself before implementing security anything at an organization. The foundation of your security program. The one decision that will make your life a living hell or tolerable. The one question that you must ask yourself before you ask any other question. And that question is.

Default allow? Or default deny?

All of your future decision making will be affected by that one decision.

How much money your organization will need to spend, or save, will be influenced by that decision.

How much stress you will have to live with. Catastrophes you will need to deal with. Sleepless nights that you spend in front of a terminal or sitting in meetings listening to people bitch and moan about your incompetence….will all be influenced by that decision.

Do you have the courage to stand up to your peers and demand default deny? Or will you be like every other security professional out there who chooses default allow, and continues to run the rat race to “secure” their organization’s environment.

Be different. Be fucking great. Be awesome. Stop settling for this shitty situation that you’re always dumped into where you have to work your ass off all day long and accomplish nothing in the process…for your entire career. Think about that. Your entire career summed up in one word; meaningless.

Security is not rocket science. I’ve told you above what the solution is. On the surface it’s easy. But it’s a people problem. And that, by it’s very definition, makes it hard. You can’t fix people. You can’t fix stupid. Computer Security, as it sells itself today, is a fool’s errand.