Earlier this spring Robert Westervelt wrote a story about a panel he attended at the InfoSec World Conference and Expo. The session featured three security pundits who, according to Mr. Westervelt, chided the audience for focusing on compliance, buying appliances, and automating security processes. Instead, the trio recommended identifying core company assets, hiring and training talented people, and analyzing logs to identify intruders. While delivering their message, they apparently offended a decent number of attendees. I read several accounts of the event and these points seem core to what happened at the panel.
I understand the message the panel was trying to deliver, but what attracted my attention to the story was the emotional component. I don't care how "right" a security person thinks he is; if he offends the party to which he is speaking, his message doesn't matter.
I remember working an incident response at a tier one telecommunications company. The company was suffering a severe intrusion and my team was briefing our initial findings to the internal security team. One of the security engineers became so agitated that he stormed out of the briefing. My team was only briefing the facts, in a non-inflammatory manner, but the message was so damning that a member of the internal security group didn't want to hear any more of it.
Rather than staying in the room, confident that our message was "right" and the security team member "wrong," I realized I needed to repair the relationship. I waited a moment then left to find the security engineer at his desk. He was silent and furious, probably embarrassed that we had discovered intruders who had thoroughly compromised his company.
I noticed he had pictures of a farm at his desk, so I started talking to him about agriculture. (Having been raised in a suburb of Boston, I'm not sure how I managed that conversation!). In a few minutes the security engineer relaxed and told me he was probably "shooting the messenger" (my incident response team) rather than directing his anger at the adversary. The two of us walked back to the meeting and collaborated on a remediation effort.
I keep this, and related experiences, in mind when dealing with intrusion victims. It's too easy to blame an organization for an incident. Instead, we should always keep our fire aimed at targeted attackers, without whom none of our security programs would be necessary. It's also key to remember that security is a human affair, with motivation and determination playing leading roles. The bad guys win when we sow discord among ourselves, rather than working together to defeat their schemes.