
We also suck, you know?

Yo! How are you today? Good, good. Well, since it is Friday, I thought I'd take a break from trashing 10-ply vCISOs and talk about ourselves for a minute. Let me grab my power suit, and cosplay as Satan's Lawyer or whatever the fuck the expression is.

Some of the members of our beautiful, sexy, and cool Discord server were talking about that bizarre toothbrush DDoS thing, and it seems like some introspection is in order across the industry. Why, I wonder, doesn't the bUsInEsS take cybersecurity seriously? Well, boys... It's because we're full of shit most of the time.

Every time there's a big breach, or a new class of vulnerabilities debuts at Black Hat, or OpenSSL tells people that a patch is coming for a cataclysmic bug that turns out not to be cataclysmic at all, a vCISO loses a couple of Persuasion points. Even serious stuff like Heartbleed, Log4j, or the LastPass hack gets sensationalized by people who don't really know how to measure the impact of those things, and by the specialized media that just serve as stenographers to "CyBeRsEcUrItY lEaDeRs" with zero critical thinking. They're pulling impact numbers out of their asses, and people just eat it up. "Extreme risk! A million ssh servers facing the internet!" Sure, but 900,000 of those are honeypots.

Those issues were obviously serious, but they didn't bring about the end of the world as we know it. People in operational roles who have to actually deal with these things are working behind the scenes to patch things up, while your influencer boss is crying "The End is Nigh" on LinkedIn and opining on incidents they have nothing to do with. You know how (good) doctors don't like to diagnose people who are not their patients? Yeah, we don't do that here.

It's a mix of stupidity, inflated egos, the need to be the center of attention, and the power struggles of the corporate world. It's all good until the people who allocate money start to wonder about the returns of investing in cybersecurity. Here we have a CISO telling everyone that utter and complete annihilation is on the horizon, and... nothing of consequence really happens? That won't fly for too long. So, instead of toning it down a bit and being realistic about the actual risks, you need to find another bogeyman: AI. Nation States. Ransomware Gangs. Flipper Zero. Insiders. Or...

dark web

Vendors know this, and the codependent relationship lives on. Just give the CISOs enough plausible material to propagate stories of threats that don't really exist, and they will diligently bring those overblown threats to the 4 layers of management above them. Vendor makes money, sales people get a commish, CISO gets a big budget to brag about, cocaine dealers can finally buy those hippos.

The foundation of shit this whole mess rests upon is the absolute unwillingness to even try to estimate things correctly. This industry at large does not know how to measure its risks. It doesn't even know what it's supposed to protect, let alone how to do it. But don't worry: some vendor will show up with a solution to all your problems. Turnkey. Hand them a few million dollars a year and go to a FedEx store to get that "Mission Accomplished" banner printed. Forget about the fact that now you have to worry about your security and the security of the vendor who now has the keys to your kingdom.

I suppose this is for the best, though. In the grand scheme of things, whatever happens to the information assets of 99% of the companies out there is of no consequence. And I even think it serves them right because people who suck at their jobs should not be allowed to keep working at their jobs. The problem lies in the fact that the people who lose their jobs over these things are not the ones who caused the clusterfuck in the first place. The dumbass director who says "We don't calculate impact because anything that can happen will happen!" (true story, I'm afraid) to an auditor with a straight face when asked about the risk management process will become a Senior Director. Everyone who rolled their eyes while hearing this insanity will get RIF'd.

What's the solution here? Fuck if I know. But I do know that making fun of these idiots is something the market craves, hence the astounding success of our Discord. So, roll your eyes when your boss says something stupid. Let out a huge sigh when the PM says something about t-ShIrT sIzE. Be obtuse on purpose. Practice malicious compliance. You're going down anyway, might as well go down swinging.