Security is not really part of most people's jobs

June 25, 2024

A while back I said something on the Fediverse:

In re people bypassing infosec policies at work, I feel that infosec should understand that "getting your job done" is everyone's first priority, because in this capitalistic society, not getting your job done gets you fired. You might get fired if you bypass IT security, but you definitely will if you can't do your work. Trying to persuade everyone that it's IT's fault, not yours, is a very uphill battle and not one anyone wants to bet on.

(This is sparked by <Fediverse post>)

Let's look at this from the perspective of positive motivations. By and large, people don't get hired, promoted, praised, given bonuses, and so on for doing things securely, developing secure code, and so on. People get hired for being able to program or otherwise do their job, and they get rewarded for things like delivering new features. Sure, you require people to do things securely, but you (probably) also require them to wear clothes, and people are rewarded about equally for them (which is to say they get to keep being employed and paid money). People may or may not fear losing their job if they don't perform well enough because security is getting in their way, but they definitely do get rewarded for performing the non-security aspects of their job well, especially in programming and other computing jobs.

(Perhaps their current employer doesn't really reward them, but they're probably improving their odds of being rewarded by their next employer.)

It's a trite observation that what you reward is what you get. When you hire and promote people for their ability to program and deliver features, that is what they will prioritize. People are generally not indifferent to security issues (especially today), but not rewarding security has turned it into an overhead, one that potentially gets in the way of getting a promotion, a raise, or a bonus. Will a team kill a feature because they can't make it secure enough, when the feature is on their road map and thus their job ratings for this quarter? You already know the answer to that.

Also, people are going to focus on developing their skills at what you reward (and what the industry rewards in general). When you interview and promote and so on based on people being able to write code and solve problems and ship features, that's what they get good at. When you provide no particular rewards for doing things (more) securely, people have no motivation to work on it, and also they generally have little or no feedback on whether they're doing it right and are improving their skills, instead of flailing around and wasting their time.

(My feeling is that industry practices also make it hard to get useful feedback on the long term consequences of design and programming decisions, in large part because most people don't stay around for the long term, although to be fair a bunch of programs and systems don't either.)

(Many years ago I wrote that people don't care about security and consider it an overhead. I'm not sure that this is still true, but it's probably still somewhat so, along with how security is not the most important thing to most people.)



Last modified: Tue Jun 25 22:23:52 2024