I think I just figured out why so many people burn out in defensive
cybersecurity after a decade or two.
It’s because Defense is a glacier that moves at its own speed, with
occasional bursts due to major incidents and/or regulation.
But nothing within the glacier is dictating its speed.
That’s our problem. We are the pebbles and sticks and moss that get
captured by the giant wall of ice as it creeps. And we scream at it from
within.
Go faster! Make progress! I’ve been telling you about this problem for
years, why are you not listening?
Us
Glaciers don’t listen. They do precisely what they are going to do.
Think about the innovations that moved security forward the most in the last
15 years. I’m not sure what they are but let me throw a couple candidates
out there.
- SSL/TLS
- Password Managers
- PCI
- FIDO2 “Passwordless” (Happening now)
- Incorporation of Security into Windows and macOS
A few things jump out at me about this list, which I know isn’t perfect.
First, everything here was inevitable. Second, everything here could only
happen when it happened, and not a moment before. When a new technology gets
invented, like SSL, that was the moment for it. And if that person/group
hadn’t done it, someone else would have.
❝
Change comes at its own pace, and we have to find a way not to be angry it’s
not faster.
It’s the same with a thousand other ideas. They don’t exist for all of human
history, and then all of a sudden multiple people have the idea at the same
time. A few examples:
- Calculus: Both Sir Isaac Newton and Gottfried Wilhelm Leibniz developed
  calculus independently around the same time in the 17th century.
- The Telephone: Alexander Graham Bell and Elisha Gray both filed patents
  for the telephone on the same day in 1876.
- The Theory of Evolution: Charles Darwin and Alfred Russel Wallace both
  independently developed and proposed the theory of evolution through
  natural selection in the mid-19th century.
- The Radio: Guglielmo Marconi and Nikola Tesla are both credited with the
  invention of the radio in the late 19th and early 20th centuries.
- The Television: Philo Farnsworth, Vladimir Zworykin, and John Logie
  Baird are all credited with significant contributions to the invention
  of television in the early 20th century.
- The Jet Engine: Frank Whittle in the UK and Hans von Ohain in Germany
  independently developed the jet engine in the late 1930s.
And then you have something like PCI, which, again, could only happen at a
certain level of industry and government maturity. Plus the prevalence of
attacks that make such a thing necessary.
So these things were basically going to happen.
Slow. Steady. Glacial. But inevitable.
Glacial problems
Then you have unyielding problems—like human gullibility.
How many security people have screamed at users because they clicked on
something they obviously shouldn’t have? Well, humans are set up a certain
way, and they really like free stuff, and relationships with royalty, and
they tend to get lonely.
❝
We create our own problems when we are mad at the universe for not being
different than it is.
That’s millions of years of evolution in the red corner. And in the blue
corner? Your security awareness campaign.
So what do we do? We bash our faces against a wall of gullible for multiple
decades.
FIDO2 and Passwordless
But then here comes “passwordless”, which is truly great and is likely to be
the first thing to make a serious dent in phishing in forever.
Why didn’t we just do FIDO2/WebAuthn sooner! Gee, how silly of us! Answer:
we couldn’t have. It is happening now because now is the time it
can happen.
Real progress bakes into the furniture
Then you have the real progress, which is integration into the operating
systems we use everyday.
- Windows
- Mac
- Android
- iOS
That’s where real progress is made.
So again I ask you—why didn’t we just incorporate all these security
features into these OSes back in 2005? Or 2010?
Same answer. Because we couldn’t. Turns out, it’s very hard to move giant
machines like Microsoft and Apple to add things. Millions of moving parts.
Things happen when they happen, just like electrification of the country.
The takeaway
What I realized is that cybersecurity is this planetary-sized box of a
trillion tiny gears. Or it’s a glacier. Or it’s an ocean. The metaphor
doesn’t matter. Use the one you like most.
What’s important is that it’s:
- slow
- random
- inevitable
And that’s the problem with a lot of the burnout in cyber. Specifically on
the defensive side.
❝
We’re told to expect the world to change when we make a suggestion, and this
sets us up for a bad place.
We’re sold that we can make the difference. We’ll just tell the boss about
this thing, and they’ll let the business know, and we’ll get it fixed.
But we do that, and nothing fucking changes.
We build elaborate plans, perfectly articulate them. Expertly socialize
them.
And nothing. Fucking. Happens.
This is why.
Progress in security is a massive machine. It’s moving very slowly. And even
when it occasionally bursts ahead with progress, that progress is random and
not generally tied to any one person or even any one company or industry.
So I just quit?
And that leaves us with what to do.
I don’t think this revelation is sad. If anything it’s empowering. It wasn’t
you. It’s just the machine. When we absorb this message we can reclaim our
sanity. We can reclaim our peace.
Progress will be made, but it won’t be on a clock set by us or anyone else.
It’ll happen in its own time. It actually reminds me of General Absurdism,
which is my way of dealing with the big questions in the universe.
On one hand, I behave as if I can change things. Me. Just me. With my very
own will. And I try hard in that mindset. But I also—and
simultaneously—know that I can’t. This does two things for me.
- It keeps me motivated and trying to improve, and makes me productive
- It keeps me grounded and sane because I understand the larger mechanism
More practically, if you are seeking a field in which your idea can more
instantly and directly translate into a change in the world, I recommend
business.
❝
There is still tons of innovation that can be done in defense. It’s just
little-i instead of big-I because the opposing forces are so powerful.
If you create something net-new that solves a problem people have, and
people actually use it, well now you’ve made a real difference, and you
might make some money in the process.
And to be clear, you can still get wins in defensive cybersecurity. You can
innovate new detections, new products, new techniques, etc. And they can
make some difference.
Just don’t fall into the trap that depresses so many people, where they zoom
out and look at the overall machine, and see that their impact didn’t really
change what was going to happen anyway.
Summary
- Defensive security is a slow-moving machine that makes incremental and
  inevitable progress
- The largest advances come from integration of new security features into
  operating systems and regulation
- We can make some progress as individuals, but ultimately, change happens
  at the speed it’s going to happen at—especially in security
- If you want to have a more direct impact on the world, consider
  something more dynamic like business where you can more easily create
  net-new things in the world
- If you stay with security, break your mind into two pieces: 1) the one
  who knows they can change the world by themselves, and works to do so,
  and 2) the one who knows change only happens when it’s supposed to, and
  who doesn’t get rattled when things don’t move fast enough
0 responses on "Defensive Security is a Glacier, and That's Ok"