Last night’s episode of “Last Week Tonight with John Oliver” made a great point about security, how we talk about it, and how we message it to the broader audience in a way that they’ll remember and care about. In the segment John interviews Edward Snowden and points out that many Americans have totally forgotten who Snowden is and what he did, with many of them confusing him with Chelsea Manning/Julian Assange.
What do you think? How can the security industry and security professionals discuss these topics in a way that is understandable and relatable by the public?
(NSFW language in video) This is the clip when Oliver and Snowden discuss the lack of understanding in the general public, with John making the comedic point that if we discussed the Government logging your “dick pics”, people would be much more outraged.
I think security could be discussed in the same way that John took it. Yes, that’s a crude way to discuss anything but it breaks it down for the average person to understand. What we should try to do is find something that gets the same response from people, but is not NSFW. Insecure webcams is one of the easier topics for the public to understand. I wish all topics were that simple.
Copying John’s tactic exactly wouldn’t work in every setting, but by being deliberately crude and controversial he solved the fundamental problem of the security person: How do I get someone to care about a risk, when the alternative is to carry on as normal because “maybe nothing will happen”…
The logical analogy to this in bug hunting is to make sure that your POCs carry an understandable message of risk (not just the raw data about the finding), and be creative in how you achieve that.
(…but please no dick pics in Bugcrowd POCs)
I could rant about this a lot but I’ll keep myself in check. Key points for me are:
- Instead of talking about security to security people, try talking about it to non-security people. Get out of the echo chamber.
- Encourage cross-pollination of industry subsectors.
- Stop assuming that non-security people don’t care or are grossly incompetent when it comes to security. They’re generally just uneducated, and super keen to learn.
- The word “risk” is used as an incentive for security-related action and change, but that doesn’t work in many circles. Try talking to devs about risk, and they will come back at you with the risks they face if they don’t focus on features and hit the arbitrary deadline set by the PM. Use different words. Talk about other incentives. Developers are proud people, and take their code seriously. Focus on that and watch the devs warm to you.
Yes, there’s a bit of a common thread in these points, but for good reason. Since leaving dev work full time and coming into the security world, this has been a bit of an elephant in the room. It’s worth investing time in bridging the gap between sec and non-sec. Until we do, I can’t help but agree with Metlstorm’s “10 years of Pentesting: Mission Accomplished” position. It’s spot on.