Big Words Seldom Accompany Good Deeds
So what actions are available to security specialists who are required to "consult" (in the truest sense of the word) with clients? Well, the first goal should be not only to explain actions and reactions, findings and mitigations, and methodologies clearly but also to concentrate on relevance. Any practicing security professional has encountered an assessment in which they have done something "cool" (indeed, that serves as a principal motivator for many in the industry, including the author), but just because you think it is a cool hack, don't expect the customer to agree.
End clients are interested in knowing only a few things: whether they are secure (and if not, why not) and, most importantly, how much it will cost them to be more secure (and how they can get away with not expending the cash).
The value that security professionals bring is the ability not only to engage in cool attacks but also to assist the client in understanding what those attacks are and then positioning them in relation to risk and potential expenditure. This can probably only be accomplished if you know your clients' goals and expectations (and indeed, any behind-the-scenes machinations and agendas) from the start. Is a potential client looking for a rubber stamp? If they are, can you in all good conscience provide it? If not, can you sway the prospective client away from such a short-sighted view of their security? Like many things, security doesn't happen in a vacuum, and defining the limitations and expectations of client approaches to computer security, and your own as a practitioner, can reap real long-term benefits and rewards.
When the security industry attempts to communicate with potential clients and consumers using non-expert language, it all too often appears to rely on stock phrases that mean little. Hence, in recent years, we've been exposed to companies delivering "trustworthy" computing and promising "confidence in a connected world." It is an arguable point, but the reaction of most security specialists to this marketing-orientated language is to hack up a metaphorical hairball.
Would it not perhaps be easier to provide assurance to prospective clients without having to fall back on such hackneyed terms? This clarity can potentially be accomplished by explaining clear methodologies, devoid of either marketer-led buzzwords or alienating technical jargon. Many security professionals will know about the potential impacts of insufficient database security and attack vectors that can be used, for example, but how many of their clients do? Explaining attacks, methodologies, and consequences clearly and in relevant terms (not just in terms of descriptions, but potential impacts) is a challenge, but surely not one that is beyond the reach of the industry (and of the many talented, lucid, and communicative individuals that are part of it).