Defensive Security is a Glacier, and That's Ok

My realization that change in security happens on its own timeline, and there's not much we can do to speed it up

I think I just figured out why so many people burn out in defensive cybersecurity after a decade or two.

It's because Defense is a glacier that moves at its own speed, with occasional bursts due to major incidents and/or regulation.

But nothing within the glacier is dictating its speed.

That's our problem. We are the pebbles and sticks and moss that get captured by the giant wall of ice as it creeps. And we scream at it from within.

Go faster! Make progress! I've been telling you about this problem for years, why are you not listening?

Us

Glaciers don't listen. They do precisely what they are going to do.

Think about the innovations that moved security forward the most in the last 15 years. I'm not sure what they are but let me throw a couple candidates out there.

  • SSL/TLS

  • Password Managers

  • PCI

  • FIDO2 "Passwordless" (Happening now)

  • Incorporation of Security into Windows and macOS

A few things jump out at me about this list, which I know isn't perfect.

First, everything here was inevitable. Second, everything here could only happen when it happened, and not a moment before. When a new technology gets invented, like SSL, that was the moment for it. And if that person/group hadn't done it, someone else would have.

Change comes at its own pace, and we have to find a way not to be angry it’s not faster.

It's the same with a thousand other ideas. They don't exist for all of human history, and then all of a sudden multiple people have the idea at the same time. A few examples:

  1. Calculus: Both Sir Isaac Newton and Gottfried Wilhelm Leibniz developed calculus independently around the same time in the 17th century.

  2. The Telephone: Alexander Graham Bell and Elisha Gray both filed patents for the telephone on the same day in 1876.

  3. The Theory of Evolution: Charles Darwin and Alfred Russel Wallace both independently developed and proposed the theory of evolution through natural selection in the mid-19th century.

  4. The Radio: Guglielmo Marconi and Nikola Tesla are both credited with the invention of the radio in the late 19th and early 20th centuries.

  5. The Television: Philo Farnsworth, Vladimir Zworykin, and John Logie Baird are all credited with significant contributions to the invention of television in the early 20th century.

  6. The Jet Engine: Frank Whittle in the UK and Hans von Ohain in Germany independently developed the jet engine in the late 1930s.

And then you have something like PCI, which, again, could only happen at a certain level of industry and government maturity. Plus the prevalence of attacks that make such a thing necessary.

So these things were basically going to happen.

Slow. Steady. Glacial. But inevitable.

Glacial problems

Then you have unyielding problems---like human gullibility.

How many security people have screamed at users because they clicked on something they obviously shouldn't have? Well, humans are set up a certain way, and they really like free stuff, and relationships with royalty, and they tend to get lonely.

We create our own problems when we are mad at the universe for not being different than it is.

That's millions of years of evolution in the red corner. And in the blue corner? Your security awareness campaign.

So what do we do? We bash our faces against a wall of gullible for multiple decades.

FIDO2 and Passwordless

But then here comes "passwordless", which is truly great and is likely to be the first thing to make a serious dent in phishing in forever.

Why didn't we just do FIDO2/WebAuthn sooner! Gee, how silly of us! Answer: we couldn't have. It is happening now because that's the time it can happen.

Real progress bakes into the furniture

Then you have the real progress, which is integration into the operating systems we use every day.

  • Windows

  • Mac

  • Android

  • iOS

That's where real progress is made.

So again I ask you---why didn't we just incorporate all these security features in these OSes back in 2005? Or 2010?

Same answer. Because we couldn't. Turns out, it's very hard to move giant machines like Microsoft and Apple to add things. Millions of moving parts. Things happen when they happen, just like electrification of the country.

The takeaway

What I realized is that cybersecurity is this planetary-sized box of a trillion tiny gears. Or it's a glacier. Or it's an ocean. The metaphor doesn't matter. Use the one you like most.

What's important is that it's:

  • slow

  • random

  • inevitable

And that's the problem with a lot of the burnout in cyber. Specifically on the defensive side.

We’re told to expect the world to change when we make a suggestion, and this sets us up for a bad place.

We're sold that we can make the difference. We'll just tell the boss about this thing, and they'll let the business know, and we'll get it fixed.

But we do that, and nothing fucking changes.

We build elaborate plans, perfectly articulate them. Expertly socialize them.

And nothing. Fucking. Happens.

This is why.

Progress in security is a massive machine. It's moving very slowly. And even when it occasionally bursts ahead with progress, that progress is random and not generally tied to any one person or even any one company or industry.

So I just quit?

And that leaves us with what to do.

I don't think this revelation is sad. If anything it's empowering. It wasn't you. It's just the machine. When we absorb this message we can reclaim our sanity. We can reclaim our peace.

Progress will be made, but it won't be on a clock set by us or anyone else. It'll happen in its own time. It actually reminds me of General Absurdism, which is my way of dealing with the big questions in the universe.

On one hand, I behave as if I can change things. Me. Just me. With my very own will. And I try hard in that mindset. But I also---and simultaneously---know that I can't. This does two things for me.

  1. It keeps me motivated and trying to improve, and makes me productive

  2. It keeps me grounded and sane because I understand the larger mechanism

More practically, if you are seeking a field in which your idea can more instantly and directly translate into a change in the world, I recommend business.

There is still tons of innovation that can be done in defense. It’s just little-i instead of big-I because the opposing forces are so powerful.

If you create something net-new that solves a problem people have, and people actually use it, well now you've made a real difference, and you might make some money in the process.

And to be clear, you can still get wins in defensive cybersecurity. You can innovate new detections, new products, new techniques, etc. And they can make some difference.

Just don't fall into the trap that depresses so many people, where they zoom out and look at the overall machine, and see that their impact didn't really change what was going to happen anyway.

Summary

  1. Defensive security is a slow-moving machine that makes incremental and inevitable progress

  2. The largest advances come from integration of new security features into operating systems and regulation

  3. We can make some progress as individuals, but ultimately, change happens at the speed it's going to happen at---especially in security

  4. If you want to have a more direct impact on the world, consider something more dynamic like business where you can more easily create net-new things in the world

  5. If you stay with security, break your mind into two pieces: 1) the one who knows they can change the world by themselves, and works to do so, and 2) the one who knows change only happens when it's supposed to, and who doesn't get rattled when things don't move fast enough