I’m sure we can all agree that there is a massive knowledge and skill gap when it comes to security, probably across most engineers and MSPs in the world. The threats and risks are evolving so quickly that keeping on top of all of them is next to impossible for most standard MSPs. It’s exceptionally difficult even where there are entire teams/SOCs dedicated to just security.
This may be an unpopular opinion, but in the wider MSP communities, and I’m sure to some degree in wider technical communities, we are, broadly speaking and in my opinion, perpetuating an environment that does not encourage open and honest discussion and learning about security.
I’ve seen it so many times. Someone comes into a public space, they are honest about a security incident that they’ve had or they put forward that they haven’t done “XYZ”, and the sharks descend and absolutely rip them to pieces. “What do you mean you are not using XYZ technology?”, “You have not even set XYZ?”, “You don’t even have an incident response plan for XYZ?”, “You are doing your clients a disservice”, “You have port XYZ open, OMG THAT IS SO 2007”. This has a number of unintended effects:
It discourages people from being open and forthcoming about their security incidents and challenges
This is not even a technical thing, it’s one of human nature. No-one wants to be attacked, feel like they are on the defensive, or make their MSP look weaker by admitting they have had a security incident or lack a certain piece of knowledge. All that means when this happens is that none of us get to collectively learn from others’ experience, because no-one wants to be on the receiving end of a shark fest, so they just end up staying quiet, suffering through it alone and not learning from the experience.
It actually encourages the continuation of poor standards
When people are not openly discussing their challenges and then learning from it, they are much more likely to just continue with security that is not at the standard it needs to be at.
It massively increases the stress on engineers going through a security incident
I’ve seen it happen before numerous times. Someone comes in with a security incident and they are absolutely overwhelmed by negativity, personal attacks, information overload, and conflicting methods to address a problem. I’ve had this happen to people who have told me privately afterwards that they felt worthless and useless following such events.
It causes people to brush security under the rug
This is a simple concept. People dare not ask how to solve “X” problem for fear of ridicule, so they never do!
What I’d love to see
- People taking a human first approach. If you’re one of these people who likes to sit on their technical/security high horse, climb down and consider the person before the technology
- People being constructive without judgement. If we can breed an environment where people feel open to discuss their challenges, we will ALL benefit down the line
- People calling out this behaviour as unproductive and unacceptable when they see it – let’s all try and shift the status quo
- People being challenged in a HEALTHY way (and being challenged is an important part of learning). If someone has done something stupid, then they should be told. It’s a key part of learning. If they fail to learn from that experience and carry on making the same mistake, then that person is incompetent and should not be working in IT
- “A Supportive open ecosystem of collaboration — disrupt the “gated mentality” of information” – Ashley Cooper (the real one). Completely agree with her point here!
Yes – there are some MSPs out there who absolutely should not be servicing clients or even getting involved with security at all. This post is not for them. This post is for those that do care but are too scared to stand up and ask for help with things they don’t know. MSPs who make poor security decisions and don’t learn from them should absolutely be brought to task.