Wednesday, March 26, 2008

Selling Security to Game Devs

I'm told that Bruce Schneier's blog is required reading in the security field. The latest rumblings to come from his direction are on a subject I've read about multiple times - and I'm not in security, so I imagine I see only the tip of the iceberg. Nevertheless:
"Security requires a particular mindset. Security professionals -- at least the good ones -- see the world differently." ... "I've often speculated about how much of this is innate, and how much is teachable. In general, I think it's a particular way of looking at the world, and that it's far easier to teach someone domain expertise -- cryptography or software security or safecracking or document forgery -- than it is to teach someone a security mindset."
http://www.schneier.com/blog/archives/2008/03/the_security_mi.html
Debate rages in comments, of course. It's one of the founding Laws of the Internet (right up there with horses having right-of-way over dump trucks) that making an unequivocal statement of one's opinion is grounds for an immediate flame war. So I'm going to make an unequivocal statement:

It is not difficult to teach someone a security mindset. What is difficult is selling them on the idea that the security mindset is a desirable one.

Law school, business school, boot camp, police academy, even some undergrad programs are all designed to take a generalist human being, re-shape their mindset, and turn them into a tool with a specific purpose. When done for academic or career training purposes, we call it "school"; when done for nefarious purposes, we call it "brainwashing." It doesn't happen overnight - those programs range from months to years - but it does happen reliably and systematically. Mindsets are changed every day.

Unfortunately, it's a lot easier to sell law school than it is to sell security training. Most people can readily understand how the legal mindset will be helpful to them, their careers, and their businesses. Very few people in the world understand why it would be valuable or desirable to, upon encountering a new system, automatically think of ways to exploit it. That pings most people's morality meters as bad.

You have to sell them on the idea that it's good.

I would argue that the infosec community's difficulty in getting more of the world to have "a security mindset" is a failure not of their product but of their marketing.

I write this blog specifically because I do not know how to market "the security mindset" to the video game industry. I'll admit that I've had an easier time of it than most. It's my job to point out flaws, both in our software and in our business process. Having a security mindset in my job is immediately recognizable as good - or at least as not evil. (I do keep my mouth shut about mailing people tubes full of live ants.) But I'm having trouble convincing them that it's not merely good for one person to have by happy accident, but necessary for the entire company to understand and prioritize. In short, I have a marketing problem.

Successful marketing requires a number of factors:
  1. a perceived need in the marketplace
  2. a product or service that meets the perceived need
  3. understanding of the people or businesses who have that need
  4. communication that physically and psychologically reaches these people or businesses
What we're missing is the first and most crucial element: perceived need.

Some needs are obvious and exist even in absence of a product (clean water, clothing, a cure for AIDS). Some products create a need for that product once the customer is exposed to it (post-it notes, iPhones, crack cocaine). Some products are basically unnecessary to anyone, yet brilliant marketers created a perception of need (Oreos, designer handbags, Beanie Babies). You can create this perception for just about anything, though it's not easy, even when the value of the product seems obvious. Creating a perceived need for the Internet took a couple of decades.

At the moment in the games industry, there is no perceived need for the security mindset. There is a recognized need for some level of security; CEOs do understand that they need to be PCI compliant and programmers do know that it's bad when their game software is pirated. But, as I've mentioned in previous posts, there exists a fundamental naivety in most game companies I'm familiar with. "No one wants to hurt us; we just make video games" is, in marketing speak, a lack of perceived need. Conflation of hacking with cheating reinforces this view. Looking at the world through rose-colored Glasses of Fun and Games reinforces this view.

So how does one market "the security mindset" to the games industry? To any industry?

4 comments:

thewronghands said...

This is, indeed, the hardest part of my job as a security geek. I generally try to make a business case for why doing whatever security thing is good... otherwise the execs see it as a loss, and therefore something to be scheduled for next quarter/next year/never. In many industries, there's a 'show me' mentality... if an attack isn't in the wild, it's not popular to proactively protect against the possibility. There are other fires to put out that pre-empt a theoretical maybe, regardless of the risk analysis. But once you have the first public instance, 50% of the time everyone panics and wants it right now. Bolted on, of course. We get a few clients that want to do it right and design with security in mind from the start, but they are sadly outnumbered by the ones that don't think that way.

Level1Wizard said...

When you find you're repeatedly needing to make a business case for "this thing is good" each time you find something, I think that highlights the problem I've outlined: the mindset itself hasn't been sold. It's like trying to convince people that they need a special "floods and hurricanes" indemnity policy when you haven't yet sold them on the concept of insurance.

From a business perspective, the "show me" mentality is absolutely reasonable. Spending resources to protect yourself against something that isn't an issue yet, and that other members of your industry haven't encountered, might easily be construed as mismanagement of shareholder funds. It's just not cost-effective to try to remove every risk you encounter. And it's entirely possible that the risk of losing customers because their marketing needs an overhaul outweighs the risk that they'll be hacked - so that's where the money goes. And that's where it ought to go. (Logically, not necessarily morally.)

That said, I think that engineering people and marketing people are almost inherently at odds. Most geeks I know consider sales to be Evil. Which is really unfortunate, because I think geeks would vastly benefit from having greater skill at marketing and sales. As it is now, "Our marketing needs overhauling!" is going to trump "You're going to get hacked!" every time, if only because it's sales people that are selling "New marketing!" to management, and hackers who are selling "Fiery doom!" to management, and who do you think is going to win that fight?

jericho said...

"I write this blog specifically because I do not know how to market "the security mindset" to the video game industry."

Like most businesses, until something happens that impacts the bottom line, it is hard for many to see the benefit. Pirating a few thousand copies of a game doesn't cut it. Having 0.00001% of your virtual economy created from hacks/cheats doesn't cut it.

Having a major event devastate the game environment in some fashion or seriously impact customer confidence might do it. Wasn't there a fairly big happening in one of the MMORPGs a year or three ago?

This makes me wonder if anyone is keeping track of game security related events that can be publicly documented. With that type of history, it might be easier to start convincing the right people. Two years ago, dataloss events were happening frequently but most people didn't put it together that it was a big problem. Once dataloss was created and people could see a clear history and that the problem wasn't going away... things changed a small bit. Sure, we still see big breaches every few months and tons of smaller ones daily, but many C-level executives are starting to get scared.

Level1Wizard said...

"This makes me wonder if anyone is keeping track of game security related events that can be publicly documented."

Not to my knowledge. If there is, I'd love to see it. If not, how does one create that?

There was the World of Warcraft plague back in 2005 (http://news.bbc.co.uk/2/hi/technology/4272418.stm) but that was a design flaw that acted on its own, not an exploit. I've seen mention of a trojan to steal WoW user/password info, but to my knowledge that's never been big news.