Showing posts with label Security Conceptualization. Show all posts
Showing posts with label Security Conceptualization. Show all posts

Wednesday, August 15, 2018

OPINION: I Need to Vent About The State of Security



You may have noticed I haven't blogged in like forever. Yeah, I know. Look, I've been busy with life and stuff. Welp, I'm back. Wait. I've said that before? This time, I promise to be much more regular and consistent with my posting. I digress - I have a grievance about the state of our industry to air and dang it, you're going to read all about it.

So, you may have noticed a minor thing called a "national election" occurred while I've been away. You may have noticed the same thing I have since the election ended. EVERYONE HAS LOST THEIR MINDS!!! Seriously. It's been a strange time for every one of us. What's crazier than the public going bonkers over politics? Security professionals drunk on hype, the erosion of our professionalism, and fraudulent credibility have corrupted our analysis, jeopardized our assets, and enabled ineffective and inefficient security risk mitigation.

I'M NOT IMPRESSED

Obama: President strike's McKayla's famous pose as U.S ...

We're a failing industry, in short. Sure, we do our jobs and pretend as though none of this has an effect, while the public and the industry embrace perceptions based not on sound and trustworthy data but fear, uncertainty, and doubt (FUD). The public is encouraged to view threats based soley on identity rather than capability, opportunity, and motivation. Add in FUD and you have a consumer base who desire more and more radical solutions to solve what we, as security professionals over-complicate, due mostly to our intentional ignorance and discipleship to partisan rancor, confirmation bias, and ego.

New attacks can't simply be the products of luck or one-offs. No, these attacks, according to our "experts", are "advanced", "sophisticated", or "impressive". I could include other superlatives but you get my drift. These professionals are constantly being impressed by attacks whose effects are often unclear.

After the drone assassination attempt on Maduro, security professionals on social media were aghast and seemed almost terrified at the prospect of a massive global pandemic of wayward killer drones.

Okay. Okay. I'm a terrible human......

I admit it - I called the Maduro assassination attempt a "game changer". It wasn't because I assumed the worst. The drone attack was interesting and certainly, a bit surprising. I'm a guy whose job it is to address and mitigate such threats. While I was intrigued, I didn't lose much sleep. Why? Because there was a lot that could have gone right but didn't in that attack. In fact, the attackers chose a methodology which required far more resources and placed unnecessary risks on its operatives. This is especially true when you realize there were far simpler and effective means of killing Maduro. In fact, the drone attack placed innocent people in danger and had any one of them been killed, perhaps the attackers would have lost a great deal of support.

DO YOU EVEN CRITICAL THINK, BRO?!

Huh!!!!!!? - Jacky meme on Memegen

These same "experts" are often impressed by al Qaeda and other groups for doing simple attacks. There are many counter-terrorism and physical security folks who often declare after every attack, we should embrace more and more drastic security measures in response. They never consider the drag on existing resources, the ability to stay in this threat reaction posture for long-term, and whether they're only inviting more problems by creating additional threats. These folks will suggest everything to include putting soldiers in classrooms after shootings, increasing security at hardened facilities, and demanding tools which have shown they're barely appropriate for their current use.

Have no fear! Your consummate security professional is up at night defending our honor and challenging these professionals to consider better solutions. I find a lot of folks in security who happen to do social media can be very reactionary and haphazard about how they communicate threats and mitigation. Is it appropriate or wise to denigrate how others mitigate threats, when your situational knowledge might be minimal, at best? Some people would argue that it is. I'm no badge defender and I certainly challenge bad practice. I also get how often we try to get mitigation in place, only to be told stakeholders would rather allocate resources or funding elsewhere. It happens all over practical security organizations. In fact, having to adjust your mitigation programming is one of the toughest parts of this gig.

For me, the asset is never "soft" or "hard" - it's about what attracts the bad guys to the target. I surmise most kinetic attacks occur on crowded spaces not because of a lack of visible security but because there is a crowd. I could go on and on about crowds but there's a real and transferable reason why wolves hunt sheep. The reason is easily deduced if you've ever seen wolves hunt sheep. Sheep can't stop being a part of a crowd. Wolves either hunt stragglers or those caught in the herd. Why? Because they're slow and they have limited egress points.

GAME RECOGNIZES GAME

Boondocks Funniest Quotes. QuotesGram

I've blogged here before about the ways in which fraudulent "experts" taint our profession, so I won't beleaguer the point here. Here's what I will say:
  1. There is an ever-growing field of "experts" who lack credibility or credentials who often imagine threats and mitigation, based on how it impacts their "bottom line". Don't get me wrong - I like to network and certainly, respect your hustle but I might be more inclined to buy your product or promote your ideas, if you weren't always trying to sell them to me like an over-eager crack dealer. Slow your roll. Again, I digressed.

    None of the aforementioned points I made aren't why I question someone's credibility or their credentials. They do cause me and others to take someone less seriously and see further marketing less as attempts to grow the industry with your knowledge and insight and more about how you line your pockets. I blame our collective anger and angst on 9/12 to be the root of the problem.

    The inconvenient but honest truth is after 9/11 the American people wanted two things: more security and revenge. Our industry, seeing the potential for unlimited growth, went bonkers trying to meet this demand. The government created the TSA. The Internet became a weaponized instrument against our foes both at home and abroad. We believed we were unprepared and needed to adhere to everything "unconventional" pertaining to security. We sold buzzwords like "hybrid warfare", "dynamic", and even my own favorite, "kinetic", without even a semblance of critical thought on whether if any of what we were seeing was "new" to everyone or just "new" to us. 

  2. Rather than fixing a problem which required some TLC, we demanded everyone become Jack Bauer and lined our budgets and pockets with cash which promised not only job security but the most coveted of all security prizes - relevance. Naturally, the fakes and phonies came like vultures and they've been picking the meat off the bodies ever since.

    To be quite fair and honest, I've been called an "expert" by media and I know firsthand, they often mislabel you based on what sells their narrative or topic area to be discussed. When it happened to me in ways I couldn't articulate, I challenged those attributions. I've blogged about it here and explained how it occurred to friends and people I know in that community. As I saw the problem getting worse and seeing audiences and studios seemed less and less interested in what I said versus how I said it, I felt my work as a professional was more important than how awesome I did on an appearance. While I'm grateful for the opportunities that were given to me, my focus will always be on professional development, promoting sound mitigation ideas and best practices, and perfecting my craft. Just cast Cuba Gooding, Jr. in my biopic when I sign the movie deal.

  3. What's worse than creating a side industry filled with the fake and greedy? Giving them a seat at the table of influence and policy. I'm not just talking media. No. I'm talking about Cabinet positions. I'm talking about boards. I'm talking about senior staff positions in major departments. The greatest danger we face from these people is not their inevitably, bad advice. It's their untested and untenable security "solutions" backed by flawed analysis and threat perceptions which we declare as "factual" and "balanced" because they suit infectious and malignant ideas which tarnish our industry and ruin public trust.
What can we do about our fellow practitioners and the public who are engorged with hubris, ego, and
grift? Can we save our industry before we transform into a conflagration of our parents' Facebook pages and the worst of Twitter, LinkedIn, and major news media?
  1. Address their knowledge of the topic and the process from which they've derived their conclusions. 
  2. Challenge how they receive data. 
  3. Challenge who they vetted it with. 
  4. Ask them if what they're seeing is repeatable. 
  5. How do they establish credibility with their sources? You'd be surprised how many professionals subscribe to ineffective ideas on mitigation from sources who have no connection to security or our best practices. 
YUP. WE'RE SCREWED.

We're All Going To Die!! | Daily Vlog - YouTube

Whew! That's the bright spot. Wait until I cover all the stuff I hadn't covered in two years.

About Us