I recently had the pleasure of being interviewed by a local news channel, an interesting experience and one that made me reflect on a bad practice of mine, a practice I hope to undo.

As with all interviews, the producer or anchor will ask “will we ever be secure against X?”, and my instinctive reaction is to say no (or probably not). That’s the wrong answer, but not because it’s factually wrong – there will always be something that undermines the security of whatever you’re trying to protect – it’s wrong because it eliminates the possibility of the situation getting better.

To the non-security geek, things are either secure or not; there is little tolerance for shades of grey or for protection against specific threat classes. To tell someone that we’ll probably never get to secure suggests it’s pointless to even try, that all efforts would be for naught. Saying that something isn’t secure, or probably won’t be secure, discourages efforts to achieve the contrary.

I’m not suggesting that we put on a shit-eating grin and tell people what they want to hear… “yes, your Cold Fusion app running as root is secure”. Rather, I’m suggesting we help them by presenting the situation as “it’s a good start and we can get there by doing X, Y and Z” or “we can make this secure by…”. If you give users the belief that they’re working from a foundation of some (minimal) goodness, I think they’re more likely to want to improve upon it. Telling them that their castle is built on a foundation of quicksand and that nothing they ever do will make it better won’t get any good outcomes. I believe that even a small improvement in security is a good thing, as long as it’s part of an ongoing journey.

Going forward, my default answer will be “yes, we can make it secure”. Admittedly, the remainder of the conversation may have to cover a very large gap to get to secure, but at least it won’t start from a default position of despair.

Comments

  1. Nice and simple.

    However, just to avoid unnecessary discussion, I’d rather start by saying “We can make it _more_ secure by doing this and this.”
