Recently, I attended a security talk on risk management. The theme of the topic was about how "Security Awareness" was ineffective and that we should, in fact, be teaching "Security Training". During the talk, I found myself growing more and more upset with the theme of the talk. I felt that the oversimplification of changing habits, mindsets, and attitudes required more than trying to teach 60 year-old Gretta in Accounting the differences between malware, worms, and viruses.
As a Sales Engineer for a security solutions and services company, I often speak at ISSA chapters, InfraGard, SecurityBSides, and other groups and conferences. I generally find myself talking about security, risk, and other topics that are within the fairway of the solutions my organization develops or supports. Speaking to these groups is fun, and the data I hear in the field is extremely valuable for performing my job.
Through years of public speaking, I am often rushed at the end of my talks by a couple of classes of people. There are a few who want to know more about what my company does, some who want to sell my company something they do, and some who are looking for a job. Yet, the most interesting person who will sometimes approach me after a talk is the person who disagrees with my data or my message.
In the context of the security talk that I disagreed with, I bit my tongue during the presentation. Due to the nature of the presentation, I was unable to discuss with the presenter my thoughts, but I was able to meet with a few attendees that evening. I was surprised to learn that quite a few people agreed with the message. When I provided a contrasting viewpoint, a few that were maintaining silence began to jump in and agree with me. At the end of the discussion, about half of us agreed with their message and the other half disagreed.
With the field of Information Security growing exponentially, the number of speakers and presenters grows as well. People want to share their experiences, their thoughts, and their opinions on lots of new topics. We are not all going to agree with everything that is said, but this is all part of the conversation. It's important that we continue to listen as much as we talk, and dissect statements, data, and ideas as critically as possible.
As the world of Information Security grows, we cannot afford to be spoon-fed our thoughts and ideas by speakers, magazine articles, and vendors. To avoid that, we need more volunteers to share their experiences and opinions. Sure, people may not always agree with you, but that is the risk you take in order to gain knowledge. There are always dangers to opening your mouth, but unless you do, your opinion will never count.