The Security Mindset
Security is what I do, it’s how I earn my living – and it is odd. You end up thinking about the world in a completely different way to other people. I’ve walked into meetings before now and asked questions that no-one else has asked during the whole lifecycle of the meeting. It’s caused more than one meeting to be scrapped as no-one can answer the ‘oddball’ questions and scenarios thrown up by the security dude.
Why? Security people think different. I’m not the only one that believes this:
Security requires a particular mindset. Security professionals — at least the good ones — see the world differently. They can’t walk into a store without noticing how they might shoplift. They can’t use a computer without wondering about the security vulnerabilities. They can’t vote without trying to figure out how to vote twice. They just can’t help it.
SmartWater is a liquid with a unique identifier linked to a particular owner. “The idea is for me to paint this stuff on my valuables as proof of ownership,” I wrote when I first learned about the idea. “I think a better idea would be for me to paint it on your valuables, and then call the police.”
Really, we can’t help it.
This kind of thinking is not natural for most people. It’s not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don’t have to exploit the vulnerabilities you find, but if you don’t see the world that way, you’ll never notice most security problems.
Anyone else in the security field reading this? Are we weird or what?
Schneier on Security: The Security Mindset