Optimistic Thinking in Security...

Wishful thinking while ignoring an open door, don't work quite well in 

keeping maliciousness out.

        

Introduction

Without hope, humanity will perish. And to hope, one needs a certain level of blind belief, that doesn't ask for proof. A feeling that there is something better, more secured, more safe. While in my interaction with the security domain I have seen a lot of optimism among security professionals. Superbly confident in their threat assessments, their security designs/architecture, their trainings, their deployments, their follow through, etc... But in some cases, there was something extremely alarming in that confidence and optimism.

Negative thinking has 2 aspects. One that paralyses you into fear and uncertainty. The other that pushes you to find a way to mitigate the worst. The 2nd kind is what can keep you safe from maliciousness.

Its called Optimistic Negative Thinking...

The Real Face of Optimism ?

The moment the audit identifies and highlights a vulnerability that has a very low possibility of being exploited but when done, will deliver a massive impact....the spotlight falls on the real face of this tremendous confidence and optimism - The Face of DENIAL. The fact that one understands the theory of a High Impact - Low Possibility Vulnerability, but is super sure of the same not being exploited and that too with no factual evidence to support such a claim is nothing less than a ticking time bomb. And then when pushed harder the reasons that come out are not even worthy of mention. The reasons completely destroy the reputation of the individuals intent and capability to be able to mitigate such threats.

If DENIAL was a social networking site, it's membership would surely 

surpass LinkedIn and Facebook combined.    
        

Why Do We Subscribe To Denial ?

Many factors. I'll mention the ones I think we can address together. And these factor are not limited to the domain of security alone.

• Lack of Knowledge & Skill: This has been a common reason I have come across. The concept of - I don't need, what I don't have, don't apply to a domain like ours. In security, we do what ever it takes to acquire what can help us to secure and defend Man, Material & Space, under our guard/protection. We all have done it as kids, it's a wrong question when you don't know the answer. But guess where such an attitude landed us ?
• Balancing Between Cost & Service: It is more than evident in our industry that we don't get paid enough for the kind of work we do. It's a fact. We hire an untrained, incapable security guard (watchman in reality) pay him 8K to 10K a month and expect him to put himself at risk to mitigate a threat that is upon you. In most cases we are well aware that he would probably be the one running first, at the slightest hint of a serious threat. That being said, as security professionals, it is our duty to put on paper all forms of threat that exist to a certain client and offer our earnest solutions. If they can't afford your solution, you at least will be at peace that you PREDICTED a threat, PREPARED a mitigation plan and offered the client PROTECTION, that he rejected...what ever may be the reasons.

I'd rather PREDICT the worst, PREPARE for the worst and then hope that my preparation for the worst, will PROTECT me during the worst. That's my kind of optimism.

Best Practices ?

Transparency with clients in this domain is critical. It does happen sometimes that your point of contact at the client's side is a weak and timid person. And I can totally imagine discussing a threat assessment report with such a kind. However, being completely transparent in our interaction is vital to winning a lasting partnership with a client. Also, if the client expresses a budget constrain, you could always give him the option of paying a nominal fee to keep a contingency plan ready. Give them some pre-incident indicators they should be looking out for. This could help you delegate a small part of your job to them and also give them the ownership of having all situations under their control.

However, the client must have the interest to learn about how they can help you secure them, better. Else, it won't go very well. And such an interest can be developed by identifying a good point of contact on the client side. This is just a suggestion. I implemented it in a couple places and it worked great for me. And I must admit, it didn't work out in few places too. But it's worth trying.

I hope I have made some sense. And if you feel I have, or I haven't....do share your thoughts in the comments. So don't just like....comment as well.

Till next time....Stay Safe - Stay Alert

Regards