I care about security, hence I don't care.
TL;DR: I’d love to see information security actually improve in a meaningful way. Not caring about anything but the bare security facts is a way of achieving that. Probably the only way.
In a couple of months I will have completed my first decade working in information security professionally. There are plenty of things that I could talk about, be it my own journey, or what I think has changed since I have started out. But somehow, what feels most important to me is talking about the fact that I don’t care anymore, and why that is.
This probably sounds quite sad (and admittedly a bit clickbait-y, I am sorry for that; I struggled to come up with a better title for this post), but it’s not, it’s the other way around. In fact, it’s probably the best thing that has happened to me personally, it enables me to do my job better.
When I started out in this field, I was understandably enthusiastic. I was young, idealistic, emotionally invested and also pretty clueless, but as much as I am happy about this having changed at least a bit over the past couple of years, this isn’t really relevant here.
In my early years I regularly got angry because of information security. I got angry when reading all the stories about how companies neglected their security, which resulted in customer data being stolen, and furious, when I read the statements said companies themselves put out. Because they were bullshit, every single time.
It was challenging to not lose my shit and yell at people when responding to an incident, and instead of being as helpful and forthcoming as possible, victimized organisations stonewalled and very much cared more about legal safeguards and public impressions, rather than properly responding to the incident, let alone taking steps to ensure that a similar incident wouldn’t happen again.
No matter how hard I and many others worked, things did not change. Sure, the vulnerabilities exploited changed, and the threats evolved. But the fundamental circus of “being interested in everything surrounding an incident that wasn’t the incident itself, rather than the other way around” never seemed to evolve, or even change at all.
It didn’t matter how many root causes we analyzed, how many recommendations were written, how many plans were made that included all kinds of meaningful steps for improvements. There really were none. And I could never really understand why that was the case.
At the beginning, this was frustrating, draining and disheartening. I led me to, at times, questioning myself why I should even bother with all of this. I’m quite sure that everyone working in our field for a prolonged amount of time eventually reaches that point, with that or similar questions popping up in their head.
What eventually ended up helping me understand was a coffee chat I had with an acquaintance of mine a couple of years back. They are working in an intensive care unit, as a trauma nurse, which means that in her job, people die. The worst possible consequence for mistakes they make, or the worst possible outcome of things in general for them, is people losing their lifes.
People losing their lifes is a regular thing in that profession. In most of the cases it’s because their injuries were too bad, or because they suffer from an illness that wasn’t properly diagnosed and all they can do is make sure that people don’t die in pain.
But sometimes, people die because of a mistake. Because something, somewhere in their area of control went wrong. And when that happens, they look into it, hard. They investigate the shit out of it, extremely thoroughly.
While that investigation in itself made absolute sense for me, I was a bit surprised at the reason behind it. It’s not for either the relatives or the employees, to help them find closure. It’s not for any legal reasons, to safeguard the hospital from legal claims by family of the deceased.
The single, sole reason (and yes, there are obviously nuances, such as cases of grave negligence) why they pour already tight resources into an in-depth investigation is to ensure that there is not ever going to be a need for another one. Because the price they already paid for being in a situation that needed an investigation was the most expensive thing on earth - a human life.
Having had this conversation felt like someone had just enlightened me. Yes, getting hacked hurts. It doesn’t matter if you are a large corporation or a single person falling prey to criminals, it hurts. It makes your life complicated, it might even make it quite horrible for some time. It’s going to cost you energy, time, money to get things back in order again. But in the end, to quote a famous songwriter, every little thing is going to be alright.
There simply isn’t any motivation for people to care about information security in a way that’s going to get them to change behaviour. Companies don’t learn from their incompetence, even if they are facing legal proceedings for their negligence, or punishing fines.
People aren’t going to learn from having to deal with the customer support of their mailprovider in order to get access to their account again, because they fell for a blatantly obvious phishing. They aren’t even going to learn when they lose all the pictures they have of their loved ones because they fell victim to ransomware without a backup. As much as companies and individual people claim they will learn, a statement whose intent I absolutely believe in that very moment, they won’t.
Negligence, inconvenience, pain, incompetence. All of those are things that people won’t learn from, because the cost isn’t there in a meaningful way. So there really isn’t a point in me getting emotionally invested in these factors. Quite the contrary, the less I care the better.
Because all I can do is my part to avoid ending up in a situation where we’ve reached a point of people dying in significant numbers because we failed to improve our security posture left, right, and center. That’s not a world I’d want to live in.