Zero tolerance: How infosec’s online ‘cancel culture’ is stunting industry growth
Fear of Twitter fallout is stopping vital information from being shared
Social media backlash and online squabbling are stopping the information security industry from learning from its mistakes, Black Hat Europe attendees heard today.
Speaking at the conference that’s being held in London and virtually this week, security analyst Regina Bluman argued that peer-led criticism is stopping vital knowledge from being shared online.
This is due to the fear of backlash from industry peers, especially for organizations and individuals who have suffered a security breach.
Often the victim of a data breach will shy away from publishing the details online, meaning that others can’t benefit from their experience.
SolarWinds on trial
Bluman told The Daily Swig that the idea for her research was sparked during this year’s Cyber UK conference, which had the CEO of SolarWinds, Sudhakar Ramakrishna, as a keynote speaker.
She said that during his talk, the online comments section of the platform was flooded with criticism from attendees questioning why he should be presenting, given the very recent supply chain attack at the company.
“I was thinking, we’re going about this the wrong way,” said Bluman. “We should be learning from people who have made massive mistakes and who have really, you know, messed up.”
Bluman said that the “zero tolerance approach” within the online community is holding the industry back from learning from mistakes.
She added: “We haven’t solved it yet as an industry – people are still clicking on phishing links, companies are still getting hit by ransomware… things are still not perfect, so why not learn from people who have gone before us and have made those mistakes rather than criticizing them and making them pariahs of the industry?”
As summarized by Bluman in her abstract for the conference, “One only needs to hop on social media in the aftermath of any breach to see the ‘hot takes’ that abound”.
This can be particularly true on platforms such as Twitter, which are often awash with opinion on the latest security failing by an individual or company.
“People forget, especially after a breach happens, it’s all of us behind those systems and behind those breaches – it’s our peers,” mused Bluman.
“We’re all one step away from it [a breach], and you never know what a company is going through in terms of budget approvals, in terms of how long it takes to implement things, but every company has those challenges.
“It’s very easy for us to sit on the outside and say, ‘Oh, I can’t believe they didn’t have that installed’, or ‘I can’t believe they didn’t configure it this way’. You have no idea what resource challenges or budget challenges [they face].”
Bluman added: “Everyone likes to blame the big, bad, corporate guys and they get all the flak. They deserve it sometimes, you can look at some mistakes and be like, well, it was a ticking time bomb. But 90% of the time, it’s something that could happen to anybody.”
Bluman’s research involved speaking to people from the industry with differing levels of experience, from well-known figures such as Trend Micro vice president Rik Ferguson to security researchers and CISOs.
After determining that this was indeed a “widespread problem”, Bluman asked the security pros how they navigate better knowledge sharing.
“One of the big hurdles in terms of knowledge sharing [in] our industry is that a lot of the stuff we do is confidential, right?
“And so, it makes it really difficult to put your hands up and say, ‘I made this massive mistake’, because you could be held liable for a breach of data. The stakes are higher.”
She explained: “No one needs to know the details. No one needs to know what was misconfigured. It’s more: how did you discover this? How could you learn it for next time?
“And so the how and the why of what happened don’t really kind of matter as much.”
Bluman looked at various knowledge-sharing consortia to identify what they do well and what gaps they have, concluding that “a lot of them don’t do communication outside of their sector very well”.
Finally, the researcher looked at how to address these issues and laid out recommendations.
She argued that companies should take a more active role in admitting their mistakes, managers should create a better working culture for employees to admit their failings and, importantly, individuals online should “not be a d*ck”.
“One of the call-to-actions is the golden rule of just don’t be a d*ck to people. That’s all there is to it.”