Mark Loveless, aka Simple Nomad, is a researcher and hacker. He frequently speaks at security conferences around the globe, gets quoted in the press, and has a somewhat odd perspective on security in general.

It's Our Fault

Photo by Icons8 Team on Unsplash

There is a lot wrong with our industry. And when I say "our industry" I am referring to the Infosec world. There is a trend for Infosec people to bitch about poor coding practices, default configurations, poor patch management and so on. For me this is in fact the real problem - we blame others.

We made the tech. Us. We made it. You say "but wait, I am not the coder of this insecure app" or "I didn't write this default insecure configuration file." My response is simple. So what? To the users in the organizations we are responsible for protecting, we're the ones that make the security rules, so we're a part of this regardless. To those outside of our job, to our non-technical friends and family - those not even in the tech world - we made it.

Here's the real rub - when we explain why things are insecure and broken in great detail, the end user or the non-techie thinks "Why tell me this? If you know the answer, then go fix it!" They have a point.

While it is against my nature to do this, I am going to use an analogy. I usually don't, but in this case I am doing so only to illustrate one point. So don't pick apart the analogy, just think about what I am saying.

You are at a restaurant and you order your meal. You've informed the wait staff about a specific change to the menu item, such as leaving off a particular ingredient, and about your cooking preference. When the order comes to the table, the ingredient you asked to have left off was in fact left on, and the dish has been cooked incorrectly. You call the wait staff over and state, "I asked for no butter and medium rare, this has butter on it and is well done." The wait staff apologizes, and then goes into great detail about how the kitchen staff is short a cook, they are using a new ticketing system, the kitchen has "communication issues," the restaurant is not just extremely busy but there were a couple of unscheduled large parties that came in, there is a new staff member being trained and while they do have extensive experience as a line cook it is in fact for them a new menu, and on and on in great detail about how things should really be run back there in the kitchen.

Your first thought is probably not: "Wow, the wait staff really understands the problems back there. That is fascinating when you think about the levels of complexity; in the grand scheme of things it is amazing I got anything on a clean plate delivered to my table as quickly as I did." Instead your first thought is: "If the wait staff knows this much about what is going on, why did my order still come out wrong? I don't work here, they do. They know the cooks, they can talk directly to management and point out problems, they can fix so much."

Yes, this is a simplification of the software industry and our roles as security practitioners in this realm, but the end user just sees us as wait staff that continually serves up mistakes. We do seem to know what's wrong, we do seem to know the cooks and management, and we are in a good position to fix things. We are certainly in a better position than the end user to fix things. The end user doesn't want to learn how to talk to cooks in cook-speak to get meals correct, they just want it done right. We know cook-speak.

If you are in Infosec, you are wait staff. Don't blame the end user, because what they are asking for is really quite simple - they want to do X and Y and Z with this piece of technology. They expect to receive something that does those things in a manner that doesn't involve risk to their bank account, unique identity, and personal privacy.

Here's another way of looking at it. Many of us have to do tech support for our non-tech family members. Oh sure, you could go on and on about browser standards, the need for some level of consistency in password policies on different websites, or why MyFaceSnapTweet is horrid for privacy in general. Or you could just listen to them yell at you like you personally ruined their life by preventing some stupid app from working, and just fix it.

I don't blame the plumber when I clog the pipes. I don't blame the electrician when I plug fifteen items into a single outlet and trip a breaker. So yes, it is not our fault that Grandpa Joe's computer is acting up. But we know how to remove the malware, apply the patches, and adjust the various security settings. Why, technically we even know what the source of the problem actually is (hint: it is the software, not Grandpa). Remember, to Grandpa Joe we are in the industry that keeps delivering problems to the computer. We are as close to someone speaking cook-speak as he will ever get, so he is going to yell at the wait staff.

So it's "our" fault, Infosec. Accept it, and let's try to fix things.