build more than break

I like this new year’s tweet from hrbrmstr:

Final “Three things: Resolutions” (no blog post needed) for infosec professionals: Stop being smug; Build more then break; Quit the FUD.

Particularly, I like that middle part. (That first part can roll into people in general, not just infosec). Build more than break. It’s great and necessary that we have people who can research and find issues. And that we have people who can break into systems and play on red teams as a learning tool. All of this makes for great learning and research, no doubt.

But what really brings value to individual businesses is the ability to create defense and protect against risks in a realistic fashion. This doesn’t mean just blabbering on about best practices and what a company should do, taking your consulting paycheck, and leaving. It means actually being able to design, build, and maintain a proper defensive posture. Not just talk it, but actually be able to walk the walk and explain what works and what actually is just smoke and mirrors or way too costly despite how it sounds on paper. If you tell someone they should be watching XYZ logs for events ABC and correlating those against change mgmt forms and GHI assets, but have never done it and have no idea how much work that actually entails (let alone how fragile it is once you do figure out a way to do it), you’re not helping. And that doesn’t even take into account the audience business size/type/incomes/staff/industry…

Part of that is also being able to talk in a senior leadership sort of way to technical persons like network admins and software developers and desktop teams; to not just give them the same old lines, but be able to give actionable, technical, specific guidance for improvement.

In my opinion, all of this requires a technical background filled with actual hands-on-the-keyboard experience. Not meeting agendas and new school non-PowerPoint presentations and email mandates. Sure, these are needed, but the real value is made or broken down in the trenches.

Addendum: I feel like I shortchanged the attacker knowledge a bit. I absolutely believe we need to be able to think and behave like attackers to anticipate issues, but also it makes for a great way to test our defenses rather than waiting for an attack, enticing an attack, or waiting for that annual pen test which may or may not even trigger what you’d like to test.