I consider it a privilege to be the dumbest guy in the room on most days. The individual and collective brain-power focused on computer and information security issues that I deal with on a regular basis is staggering in its depth and breadth.
Yet the fact remains that the vast majority of people in security are not doing things that will have a major impact. They’re working on discrete problems, largely independent from everyone else working on other discrete problems. There is no coherent, systemic approach to the whole, and if history is any indication, there isn’t likely to be.
I don’t know anyone working on anything stupid, or on anything that isn’t necessary. I just don’t know anyone who is working on something that addresses the center mass of vulnerable systems and risky practices, or the center mass of the population that runs them. There is no shortage of work being done on “advanced” solutions for “enterprise” customers, which is code for iterative upgrades for corporations with multi-million-dollar cyber security budgets.
The approaches to cyber security that are going to have the biggest impact are the ones that address the widest range of problems for the largest swath of people. That’s not big business, that’s the SMB space. That’s very unsophisticated customers who don’t understand the threat or the risks they face. It’s a massive and extremely diverse set of organizations that make extensive use of technology, just not the same way you’re used to (and that technology is almost certainly dated). Your next-gen, advanced, whatever isn’t going to work for SMBs. Your Fortune 500 mindset doesn’t translate. These are the people you disdain. They’re the punch lines of your stupid-user jokes and clueless-leadership stories. When it comes down to it, you don’t bother with SMBs because helping them is too hard, and the financial reward is not commensurate with the level of effort.
Are we really making a difference in security if we’re only solving problems that smart, rich customers can afford? Well, let’s be honest: only solving the problems that smart, rich customers are forced to spend money on because of regulation or ‘best practices’?
Before you get too lathered up, let me acknowledge that to properly address a sufficiently complicated problem there likely isn’t a cheap way to go about it. Researchers cost money. Developers don’t work for free. Growth requires capital. I get it. But the number of organizations getting compromised by APT actors versus the number getting phished by kids in Ukraine or Brazil is wildly disproportionate in favor of the kids. The Fortune 500 is pretty well defended; their vendors and subcontractors, not so much. You’d be a fool to go after, say, Lockheed-Martin or Target stores directly, but one of their contractors…
I’m not saying “stop doing what you’re doing,” I’m saying “ask how what you are doing can work for everyone, not just everyone who understands it and can afford it.” Does it protect the $10M machine shop that runs XP just as well as it protects the billion-dollar conglomerate? Maybe a better question is: can you think of something that will help all the machine shops running XP (a bigger market than you might think)? Are you willing to take on that Herculean labor, or are you just here for the paycheck?