What was the worst job you ever had? I'll start: when I was 20, I spent six months working as a SharePoint developer for a major UK charity. Our team was small and terribly overwhelmed, and I often helped out with help desk calls, where I inevitably spent a lot of time explaining our strict password requirements to disgruntled non-technical employees.
It was not fun, but at least I could say that I was only following orders. I did not come up with the rules. Unfortunately, information security professionals themselves do not have that luxury.
Good cop, bad cop
A survey by Thycotic shows that many security professionals believe they have an image problem. About two-thirds believe their teams are seen as the company's naysayers, either doom-mongers or a "necessary evil."
(Side note: what happens when you upset Mike Tyson? He goes Thycotic. Sorry.)
The report highlights a counterproductive tone around security teams. 38 percent believe they are seen as "policemen". Another 13 percent said their teams are described as "negative" and as "working all the time".
The survey also shows that security teams are widely misunderstood. Ninety percent of respondents said other departments could better understand what they are trying to achieve, while 88 percent reported struggling to communicate their value and responsibilities to executive management and to the human resources and finance departments.
With the introduction of new security policies and measures, things seem to get worse. Seventy-four percent of security professionals encounter negativity or indifference when they introduce new security rules. According to the survey, 35 percent of employees believe that security rules affect their work, while 39 percent barely notice them.
This paints a lonely picture of the corporate infosec world, with security professionals regularly viewed with contempt by their peers. But does the broader industry have an image problem too?
"Insults, death threats and clueless people"
VideoLAN Client (VLC) is by far the most popular open-source video player, one of those apps familiar to almost anyone who has used a computer. When you reinstall your operating system, VLC is one of the first programs you install. It is simply that ubiquitous.
And last Sunday, its developers were in a heated feud with the infosec community over how their update mechanism works.
The drama started when the infosec blog The Hacker News publicly called out VLC for declining a ticket suggesting that software updates be delivered over HTTPS. That would mean the update binary is sent over an encrypted connection, which prevents an attacker from manipulating the file in transit.
We all love your media player, but that's really rude
VLC developers rejected #software "update-over-HTTP" as a threat.
Replied → "no threat model. no proof. no #security bug"
It would not hurt to just consider the proposal. https://t.co/GWhE1US5Ko pic.twitter.com/L77KDcNUMy
– The Hacker News (@TheHackersNews) January 19, 2019
The VLC developers explained that while HTTPS is on the project's update roadmap, it is not an urgent priority: they are busy and stretched incredibly thin. In any case, update files are verified against a hard-coded GPG key, so the probability of someone successfully tampering with them is almost zero.
It is a reasonable explanation. Of course, Twitter does not run on reasonable explanations; like kerosene on an open flame, it is a natural accelerant for debate. With hundreds of security experts weighing in with their own takes, what started as a technical discussion escalated into a frenzy.
"Infosec is incredible," tweeted an angry VideoLAN. When security researcher Scott Helme followed up and asked whether they thought everyone in infosec was bad, VideoLAN replied:
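The developers' argument above, that a signature check against a key baked into the client protects the update file regardless of the transport, is easy to see in code. The following is an added example written for this article, not code from VLC or VideoLAN; it uses ed25519 from Go's standard library as a stand-in for GPG, generates the key pair at start-up so that it runs offline, and feeds it constructed placeholder bytes instead of a real installer (all assumptions).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignRelease is the publisher side: it returns the detached signature shipped
// next to the update file. Signing the SHA-256 digest binds every byte of the
// payload to the signature. (ed25519 stands in for GPG here; assumption.)
func SignRelease(priv ed25519.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	return ed25519.Sign(priv, digest[:])
}

// VerifyUpdate is the client side. trusted plays the role of the GPG key
// hard-coded in the client: the file may travel over plain HTTP, but it is
// installed only if its signature verifies under that key, so a file altered
// in transit or signed by anyone else is rejected.
func VerifyUpdate(trusted ed25519.PublicKey, payload, sig []byte) bool {
	digest := sha256.Sum256(payload)
	return ed25519.Verify(trusted, digest[:], sig)
}

// CorruptInTransit models a download altered on the way (one byte flipped).
func CorruptInTransit(payload []byte) []byte {
	out := append([]byte(nil), payload...)
	out[len(out)/2] ^= 0x01
	return out
}

func main() {
	// Key pair generated at start-up only so the example runs offline; a real
	// client has the public key compiled in and never sees the private one.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	update := []byte("constructed placeholder bytes standing in for an update binary")
	sig := SignRelease(priv, update)
	fmt.Println("genuine verifies:", VerifyUpdate(pub, update, sig))                    // true
	fmt.Println("altered verifies:", VerifyUpdate(pub, CorruptInTransit(update), sig)) // false
}
```

Note what the check does and does not cover: it detects any modification of the bytes, but it says nothing about who can observe the download, which is the part HTTPS would add.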
Personal opinion: Yes, you are very bad overall. We only have negative feedback from interacting with this community. There are always insults, death threats and clueless people. And never people trying to talk and discuss.
Remember that VLC is not a small product. It is one of the most widely installed free consumer software products, with over three billion downloads so far. It is therefore extremely worrying that its developers hold such a negative opinion of the infosec community, given that the two are supposed to work hand in hand.
This incident underlines that infosec has a chronic image problem. You might be forgiven for believing that security experts are about as popular as botulism. And this holds not only in the workplace, as Thycotic's survey highlights, but also within the broader software community. So how do you solve such a problem?