May 22, 2009

by Dennis Kuntz

Recently I attended a talk by Jennifer Jabbusch about the dangers posed by black hats exploiting all manner of wireless devices. The audience was mostly non-technical law enforcement, so the talk contained a little FUD by design to shake them a little as to the gravity of the threats. It was an excellent presentation that was well-received. During the 15-minute break before Jack Wiles was to speak about physical security, I overheard the officer next to me (he was there to “take advantage of the free training”) speaking with the business continuity guy on his other side. This is what I overheard:

“I don’t care what they [the black hats] do or how they do it. That’s what the technical guys are for. I’m glad I work in regular investigations.”

Now, my first thoughts were somewhat predictable: How could you not want to understand what, how, and why these guys and gals can do what they do? Wouldn’t that just help your job? With the increasing prevalence of electronic crimes specifically, and the increasing role wireless devices will continue to play in other crimes, how could you not care about this stuff? How could knowing more – of just about anything – not be something for which to strive, especially if you can apply it to what you do?

Now, I do not know this officer. He might be the laziest man on the force, and might skate by doing the minimum that’s expected of him. I honestly do not believe that to be the case. So, assuming that this was a skilled officer who cares about solving crimes and catching the bad guys, something struck me – what this officer was really saying was that he just wants to do his job. He doesn’t want to deal with anything that he doesn’t have to in order to solve crimes. Because if it’s something he doesn’t have to know or deal with then it takes time away from what he does have to know or deal with. He wants to be able to rely on the technical folks to do “their part” just like he wants the physical forensics team to do their part – and without him having to know about all of the ugly details.

What also struck me was that this was reality. Here was a real person, from real life, who considers having to know anything about technology – beyond what he needs to know to function – to be something to avoid. We encounter these people all the time in every industry. As “IT” folks in general, and “IT Security” folks specifically, what can we do to deal with people like this officer who just want to do their jobs without being overwhelmed by technology?

There are two primary things that we can do: First, we can educate people as to the benefits various levels of understanding of technology will have on what they are trying to accomplish. Does this officer need to know how to fire up Wireshark and rip into some packets to help him do his job? No, he doesn’t. But can understanding the ease with which black hats can commit crimes, as well as facilitate others’ illegal activity, help him have more insight into the crimes he’s investigating? I would venture to say that it absolutely will. We need to approach people like this officer with the understanding that they are, at the very least, unconvinced that this knowledge will be helpful, if not against it altogether. We need to tailor our educational messages in such a way as to help them see that they can attain the benefit of the knowledge without it having to be a complete jargon-and-acronym-filled head spin, and without it sucking up all of their valuable time.

But what about those who refuse to accept any benefit? That’s where the second item comes in.

Ultimately a good portion of our jobs involves providing an appropriate level of protection for whatever assets are our responsibility in such a way as to help the bottom line, or at least to impact it only as much as is appropriate. When we encounter people who refuse to take part or to help with this, we need to use innovation and creativity to protect the assets anyway. In the case of the officer, it’s just as he said – the technology guys (and gals) need to do their jobs. Would it help if the officer did know a little so that the knowledge about the case could dovetail between the groups a bit? As outlined above, yes, it probably would. But if that officer is doing his job, and that job doesn’t require his involvement in the technology pieces of the case, then we need to be the ones to step up and fill the gaps. Just as we might wish others would have a better understanding of what we do, it’s important that we do the same, because ultimately it matters more that things get done than who does them. If we can educate along the way, all the better.

About the Author Guest Blogger
