Watch this episode on YouTube.
Reasonably Accurate 🤖🧠 Transcript
I will just go like this for now. So anyway, what I want to talk about today... It's Monday morning. Hopefully you guys had a great weekend. Hopefully you're set up for a great day. I stumbled across something this morning, completely unrelated to security, that tied off to, or sort of leads to, something that I have yet to do and I feel really bad about.
But I wanted to tackle it today, and that's getting started in cybersecurity. So I posted a video a few months ago on YouTube, how to get started in cybersecurity, and I've got a ton of great comments. A ton of people asking about how they can get started, explaining their current situation, saying, you know, can you give me some guidance, can you help out?
And I have a queue a mile long of people I need to respond to, and I apologize. I will respond to you, maybe in a group sort of sequence, hopefully individually, or at least individually to point you back to the group.
A lot of people are curious about how to get into this area of computer science and IT work, and that's great. That is fantastic. The problem I'm having is giving advice that's somewhat neutral. I have a very different view of how we're doing in cybersecurity than a lot of folks.
I don't want to perpetuate sort of the same thing. But that being said, it's a good employment track, and I think there's a lot of stuff we're doing wrong that we need to fix, and there's a lot of quick and easy fixes here.
And we've kind of done this to ourselves, and this kind of ties back to a talk I gave a couple of years ago and an article I wrote up saying, you know, are you set up for failure? And essentially the gist of that push was: we have set up teams within our organizations where all the cybersecurity expertise is.
Yet we say cybersecurity is everybody's responsibility. And that is really a conundrum. You can't say it's everybody's responsibility, then take everyone who has anything to do with cybersecurity and sort of bundle them away. That's not quite how that works, right?
That's not logical. Why would that make any sense whatsoever? So what triggered me this morning was not just looking at these messages that people had left me, and thank you again for that, but I saw an article on UX Movement.
So, user experience movement, not at all to do with security. What it was talking about was the best place to put error messages on forms. So if you have a text box that you need to enter, is it better to put the message above the form, below the box, above the box, to the left or to the right of it?
And it quoted multiple studies done on which option is better for users, which is sort of less of a mental load. And it turns out to the right and below are the two best options: to the right on desktop, below on mobile, because it creates the flow. And you know, not revolutionary by any stretch of the imagination, but really interesting in that in security, we fail to do this kind of work.
We work on a whole bunch of assumptions and sort of myth, and, you know, this baseline, just like, oh, that's how you should be doing things. Guess what? We're not getting any better at security. So what we're doing is obviously not really working, right?
We're making incremental improvements by layering on an inordinate amount of complexity as opposed to re-evaluating our fundamental assumptions and constraints. And that's where I go off the rails, where a lot of folks just go, yeah, OK, you know, you need a CSO and an office of the CSO and a team to set up security.
You need a SOC, you need all this stuff. And I'm not saying that stuff doesn't have value. I'm saying the problem is that we do it blindly, we do it on faith, without actually questioning or testing the underlying assumptions.
And I think there's a huge amount of wins to be had in security when you realize that no developer sets out to write crappy, insecure code; no one in operations sets out to build an insecure infrastructure. Yet there's this confrontational relationship.
It comes right back to that usability. There is this myth that is cemented in security culture that it is usability versus security: anything developers do to make something more usable will lower its security. Not at all true. Completely the opposite.
If you don't have usable systems, you have insecure systems. Right? Because people are going to bend over backwards to try to get it to do what they want, which normally means they're gonna break something. So that's where we really need to refocus.
And that's why I think I've been having such a challenge answering these questions of how do I get started in cybersecurity? Because I think a lot of the activities we do and a lot of the places we start today are not where we should be starting. Where we should be starting is teaching people the basic scientific method,
if they don't already know it, and walking through and questioning certain assumptions about the environment they're working in, questioning how different systems are deployed, and then working through to test those assumptions. And sometimes they'll be valid, sometimes they won't be valid.
That's how that process works. So I think we can do better. Now, that being said, I think the reality is teams are set up in a certain way; a certain set of skills is looked for.
And I'm gonna write that up and put out a post and another, a little more formal, video to answer all those people who have been kind enough to take their time. I have read every one of those requests.
I will get back to you guys either individually or en masse, as I said, because I think the more people coming into cybersecurity, especially the more different perspectives that come into cybersecurity, the better off we're all gonna be, and then we can actually make a change, we can actually do better.
And the goal is for everybody to have more secure software. So, probably not what you were expecting this morning, but there it is, a good way to start Monday. I hope you guys are set up for a great day. As always, hit me up here in the comments below if you're watching this after the fact on Facebook or LinkedIn or YouTube.
If you're live here on Twitter, I'm always @marknca, hit me up on Twitter. Happy to chat about this, love to hear your perspective. What do you guys think about how to get started in security?
What do you think about the general approach that security takes right now? Is it working for you? It's not working for a lot of folks. So hit me up. Hope you guys have a great Monday. And of course, Periscope did not respond,
so you're gonna see the awkward... I'm gonna try to slice this down. But there is an X now up top, so maybe it'll actually work one time. Have a great Monday. We'll talk to you soon.