What’s the worst job you’ve ever had? I’ll start. When I was 20, I spent six long months working as a Sharepoint developer for a massive UK-wide charity. Our team was small and horrendously overstretched, and I often helped out with helpdesk calls, where I’d inevitably spend much of my time explaining our stringent password requirements to disgruntled non-technical staff.
That wasn’t fun, but at least I could say I was merely following orders. I didn’t come up with the rules. Unfortunately, top-level information security professionals don’t get the luxury of passing the buck as I did.
Good cop, bad cop
A survey from Thycotic shows that many security professionals believe they’ve got an image problem, with roughly two-thirds believing their teams are regarded as the company naysayers — either “doom mongers” or a “necessary evil.”
(Side note: what happens when you upset Mike Tyson? He goes Thycotic. Sorry.)
The report highlights an adversarial tone surrounding security bods, with 38 percent believing that they’re regarded as “policemen.” Depressingly, a further 13 percent said they experience negativity towards their team and work “all the time.”
The survey also shows that security teams are massively misunderstood. 90 percent of the sample said that other departments could have a better understanding of what they’re trying to achieve, while 88 percent highlighted struggles in communicating their value and mission to executive management in HR and finance.
Things seemingly come to a head when new security policies and measures are introduced, with 74 percent of security professionals experiencing negativity or indifference when they introduce new security rules. According to the survey, 35 percent of employees believe security rules interfere with their work, while 39 percent barely notice them.
This paints a lonely picture of the corporate infosec world, with security professionals regularly looked upon with disdain by their colleagues. But does the broader industry have an image problem?
“Insults, death threats, and clueless people”
VideoLAN Client (VLC) is easily the most popular open-source video player. It’s one of those apps that most people who’ve used a computer are familiar with. If you ever reinstall your operating system, VLC is among the first programs you install. It’s just that ubiquitous.
And last Sunday, its developers found themselves in a heated feud with the infosec community over the inner workings of its update mechanism.
The drama started when the infosec blog The Hacker News publicly called out VLC after it dismissed a ticket suggesting software updates ought to be sent via HTTPS. This would mean the update binary is sent via an encrypted connection, thus preventing an adversary from tampering with the file while in transit.
We all love your media player, but that’s really rude #VLC 🙄
VLC developers refused to consider #software "update-over-HTTP" as a threat.
Responded→ “no threat model. no proof. no #security bug"
— The Hacker News (@TheHackersNews) January 19, 2019
VLC’s developers explained that HTTPS is in the company’s update roadmap, but is not a pressing priority. They’re busy and stretched unbelievably thin. Anyway, update files are checked against a hard-coded GPG key, making the odds of anyone successfully tampering with them almost nil.
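To make the developers' point concrete, here is an added example (not VLC's code) of the principle the paragraph describes: an updater that verifies a downloaded file against a publisher key pinned inside the client, so a file modified in transit is rejected whether it was fetched over HTTP or HTTPS. Ed25519 from the Go standard library stands in for GPG so the example runs offline, and VerifyUpdate, SignUpdate and RunScenario are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrBadSignature is returned when an update fails verification against the pinned key.
var ErrBadSignature = errors.New("update rejected: signature does not verify against pinned key")

// VerifyUpdate is the client side. pinnedKey stands in for the publisher key that ships
// inside the installed program, so the check holds however the bytes arrived: an on-path
// tamperer cannot produce a valid signature without the publisher's private key.
func VerifyUpdate(pinnedKey ed25519.PublicKey, update, sig []byte) error {
	digest := sha256.Sum256(update) // sign a digest so large binaries need not be held by the signer
	if !ed25519.Verify(pinnedKey, digest[:], sig) {
		return ErrBadSignature
	}
	return nil
}

// SignUpdate is the publisher side, included only so the example is self-contained.
func SignUpdate(priv ed25519.PrivateKey, update []byte) []byte {
	digest := sha256.Sum256(update)
	return ed25519.Sign(priv, digest[:])
}

// RunScenario builds a constructed "update binary", signs it, then checks both the
// genuine file and a copy with one byte flipped in transit. It returns the two
// verification results (nil for accepted, ErrBadSignature for rejected).
func RunScenario() (genuine, tampered error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err
	}
	update := []byte("constructed update payload, not a real artifact")
	sig := SignUpdate(priv, update)
	modified := append([]byte(nil), update...)
	modified[len(modified)-1] ^= 0x01 // simulate on-path modification of the download
	return VerifyUpdate(pub, update, sig), VerifyUpdate(pub, modified, sig)
}

func main() {
	g, t := RunScenario()
	fmt.Println("genuine update:", g, "| tampered update:", t)
}
```

Pinned-key verification protects integrity only; it does not stop an observer seeing which update a client fetches, nor by itself prevent an old but validly signed version being served in place of the new one, which is part of why HTTPS still belongs on the roadmap.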
It’s a reasonable explanation. Obviously, Twitter doesn’t work on the basis of reasonable explanations. Like kerosene on a naked flame, it’s a natural accelerant to debate. With hundreds of security professionals throwing in their own takes, what started as a technical discussion escalated until it reached a fever pitch.
Personal opinion: yes, you are overall very bad. We have only negative feedback from interacting with this community.
It is always insults, death threats and clueless people.
And never people who try to talk and discuss.
Remember, VLC isn’t a small product. It’s one of the most frequently installed consumer-facing pieces of free software, with over three billion downloads to date. It’s therefore extremely concerning that the developers have such a negative opinion of the infosec community, given you’d assume they’d be working hand-in-glove.
This incident underlined the fact that infosec has a chronic image problem. You could be forgiven for thinking that security professionals are about as popular as botulism. And this isn’t just in the workplace, as underlined by Thycotic, but also within the broader software community. So how do you fix a problem like that?