Security Gatekeeping – Annoying – Unhelpful
Next time you’re bored to death and want to be bored back to life (because two negatives equal a positive)… go check out what the Security Community is talking about in the security circles of whatever social media platform they carved their deserted pocket of engagement from.
I’ve noticed a lot of gatekeeping and proclamations about what “good security” is, what is relevant or irrelevant, and what is phony versus real. Generally, there’s a healthy dose of this back-and-forth in any profession where “SMEs” clash, so that isn’t the real issue.
The issue is how absolutely certain most people are that their opinion is the one (Neo-style), or how sure they are that it aligns with whatever spirit animal vibe they think “true security” grooves to when chilling with the homies.
I came across an interesting post on X the other day that went something like this:
“Why doesn’t anyone know how to threat model worth a damn?”
The replies that followed were a bunch of vague insinuations and inferences about why no one does appropriate threat modeling. Ninety percent of the comments were vague allusions to times, issues, or knowledge gaps that individuals must have in their ongoing work/life to explain away this lack of “threat modeling worth a damn.”
Then the interesting part began. Someone chimed in, paraphrasing, “There are individuals who try to use STRIDE & MITRE, but I believe they’re using them in the wrong context.”
The original poster replied, “Those aren’t threat modeling.”
Another commenter chimed in, “It’s because they’re paper CISSPs!”
Huh? What?
I kept scrolling and saw the original poster gatekeeping any further explanation by shutting it down with “No Soup for you!” energy.
Soon, I felt a familiar rush of dismay. There are a lot of security folks who came over from the technical world (myself included) who mistakenly believe that technical “No True Scotsman” stances are legitimate and aren’t logical fallacies at all. I’m all for strong opinions, but it’s a whole different issue when you’re just out here shutting people down without sharing any insights.
Some people believe there’s only one way to do security, and it often revolves around shadowed, unappreciated, undervalued, non-spotlight-capturing, and business-irrelevant practices that earn them a badge from the Security Professional Alliance of Self-Congratulatory Importance at their next peacocking conference (complete with some dope swag).
It’s this idea that there’s some imaginary battlefield where they alone are privy to the tools, tactics, and strategies that make up “real” security. Meanwhile, every year, hundreds of billions of dollars in attacks hit companies, while these “experts” flood LinkedIn, X, and other social feeds to declare that everything in security is “not real security” because it’s not the way they’d enforce an ECC-based compliance check to block an RPC call from an untrusted, out-of-band device that fails their preferred cryptographic handshake.
I don’t know. I guess the issue is that I don’t like calling things out without setting an example of what’s better or what I believe is right.
There’s something to be said for actually putting out your theories, strategies, baselines, standards, goals, and tactics.
It’s another thing to tell everyone else their practice is subpar and leave it there—no context, just self-congratulatory righteousness that you know, they don’t, and if they don’t, they aren’t worth explaining it to. Honestly, I find it cowardly. If you want to claim that STRIDE, PASTA, Attack Trees, Risk Scenarios, decomposing systems, or mapping threats, countermeasures, and mitigations aren’t real threat modeling, then please—please—show us your method. I would love to see more robust discussion and critical examination of practices that could move the field forward. But if all we’re doing is posing the question and then suggesting each reply/comment is somehow insufficient to answer the troll at the bridge’s three questions, I chalk it up as one of the cons of Internet/Social Media culture.
In a way, it shines a light back on my own beliefs and theories. I’ve noticed that the more I learn about a subject, the less I lock onto the idea of there being just one way to do things. You can know enough to think there’s a right and wrong way, then learn even more and realize there’s always another approach—it’s about the timing and the context. So, in the end, all I can say is, let’s embrace the idea that every solution on a number line might be the solution for you. It just depends on the questions, the needs, and the results you’re trying to deliver.