I've been (w)racking my brain for quite a long while as to why this whole infosec thing just doesn't seem to get through to people. Why are we still having the same conversations over and over and over and over again? Einstein is famously quoted for defining this practice as insanity ("Insanity: doing the same thing over and over again and expecting different results."). Namely, we're banging our heads against the brick wall that is "business" and coming up with the same stupid answers with the same stupid results.
At first (15 years ago) I thought it might be a problem with the technology. If only vendors wouldn't produce insecure products, then maybe life would be better. If only Microsoft didn't have to have Patch Tuesday every month, then maybe we wouldn't have so many compromised users. If only software could be written more perfectly, then maybe we wouldn't be having these conversations. Alas, perfection is not reasonable nor attainable, and humans are themselves fallible.
About 10 years ago I then began thinking that it was a problem with the strategic vision of companies. If infosec was not included in the strategic planning of the business, then of course there wouldn't be any meaningful change. If infosec was driven in a strictly bottom-up fashion, then it would never achieve success as an organization-wide initiative. If infosec was not positioned as a business-enabler, then the ill-begotten reputation of security as jack-booted thugs would persistent. Alas, as it turns out, infosec strategy still eludes senior management, not in the least because technology should not drive decisions, but rather ride in as a solution to business problems. We failed to properly frame the problem, it seems.
About 5 years ago, I then began thinking about security as a matter of cognitive dissonance. Unlike real life, where threats are physically registered, in the online world threats do not generally have a physical incarnation. If there's no physical threat, then there's no physical reaction. Sure, trolls can sometimes raise our ire and set us off, but this is more the exception than the rule, and it certainly doesn't apply to threats like worms or ID theft. If someone waves a knife or gun in your face, then you'll have a physical and physiological reaction. If someone launches an automated attack against your computer, then you're unlikely to have much response at all (assuming you even notice).
About 2 years ago, I then began thinking about security as a problem of integrating information risk management into standard business risk management practices. Similar to the earlier theme on business enablement, this approach looked at how risk was surveyed/assessed and then managed by the business. Was the business getting an accurate picture of information risk? Does information risk management have the same markings as business risk management? Where's the commonality? Even now there is a need for improvement in this area, but it still doesn't explain the persistent disconnect. Even when we have well-defined information risk management that works well with business risk management, we still seem to encounter problems in getting the message across. People still make very bad decisions.
Today, then, I've concluded that the real problem here is that infosec is, in fact, a counterculture. By its very definition, a counterculture swims against the current. As a group of people in the industry, we represent a unique perspective that diverges from the mainstream. We speak our own language, have our own conferences, and are general separate from the world as we walk through it.
This counterculture of ours is markedly different from previous countercultures. Sure, we have our own literature and trends and poets and leaders, but thus far we've not classified our behavior as cultural in nature. This, I think, is a key to our failure. If we stop and accept that our movement represents a counterculture, then it frees us to do things differently. All of my previous notions about "what's wrong" are correct and can be harmonized, but the fundamental challenge is that we are not mainstream, no matter how hard we try to prove otherwise. To which I wonder "why fight it when we can embrace it?"
It's time to articulate ourselves as an alien race representing a counterculture from which the mainstream must learn and benefit. Our goal should not be to become the mainstream so much as to help the mainstream evolve. It's time we establish our zeitgeist, fly our flags proudly, and declare our position clearly and loudly. If the movement were to become mainstream, then that would be fabulous, but it should not be our goal so much as a desirable side-effect of our effort.
We are the security industry. We are business enablers. We are strategic thinkers. We are information risk managers. We are seers amongst the blind who can detect the unseen threats. It is our responsibility, our mantra, our mission, to help those who have not joined the movement. Cogito ergo sum.
Seriously, I think you have hit the nail on the head Ben. Although I think this counterculture attitude is detrimental to managing infosec risk. I experience it as an attorney all the time, and I have been partially successful (by pure force of will) with getting into the infosec community. (P.S. lawyers have the same problem in many ways). My conclusion on this is the opposite... in order to truly be part of the solution, the infosec counter-culture has to be broken down, or at least more inviting and "user-friendly." Right now many other professionals/individuals representing other business processes basically view you as unapproachable and often an obstacle that has to be gotten around.
@David -
Thanks for the comment! You pose an interesting quandary. I think we must first admit and acknowledge that this industry is a counterculture. Once we formally do that, then and only then can we take the next step to mainstreaming. As I see it, we as an industry tend to act disaffected and isolated when we're in fact a large movement. Organization is required to better establish identity before we can then work to break down barriers. Put another way, until we identify and solidify barriers, it will be impossible to tear them down. :)
-ben