Is your infosec guy any good? A weird trick will tell you

Microsoft is at it again. Windows 10 will have a snazzy feature called Wi-Fi Sense that automatically shares your Wi-Fi passwords with your friends. This isn’t the place to go into the details of how this works (Microsoft isn’t going full-disclosure yet) or whether it’s safe. Opinions are divided on that, among security professionals as well as those who just worry about such things for fun. But it is clear that if you tell your friend your home Wi-Fi password and they’re using Wi-Fi Sense, then all your friend’s Skype, Outlook and Facebook contacts who use the feature will get those access privileges too.

Is this a good thing? It may not be, but it is a good question to ask of anyone who has responsibility for information security. Their reply will tell you just as much if not more about them as about Microsoft’s brilliance/stupidity/goodness/evil (delete according to taste).

And that’s an essential thing to know, because - whisper it - some infosec people aren’t actually very good at their jobs, but are very good at hiding it. Here’s how to decode their answers.

“It’s useful, and Microsoft knows what it’s doing.” This infosec professional is fed up with having to manage other people’s passwords, and defaults to the ‘do it and get off my back’ response when dealing with any new user behaviour. Do you want laziness and responsibility abdication in your data defenders? No, you don’t. Bad infosec person.

“I don’t like it, but there are ways to minimise the risk. Follow them, and you’ll be fine.” This infosec professional thinks users deserve what they get if they don’t know what they’re doing; learn the rules and get the skills if you want to be a fit citizen of the cyberverse. This is old-school arrogance, and shows a real lack of empathy for how actual humans use actual computers. The most widespread infosec problems are caused by reasonable people - which most people are - failing to cope with badly designed or thoughtlessly implemented systems - which most systems are. Do you want your bits protected by someone who considers themselves too good to deal with one of the most dangerous and common sources of security misery? Of course not. Bad infosec person.

“I don’t like it, and it’ll be trouble. Don’t use it, don’t encourage others to use it.” The denialist. Very common - almost compulsory - in large enterprises, this infosec person may have once been a perfectly useful member of society before being broken by corporate lock-down-itis. Or perhaps they were always like this. This sort of thinking again shows a lack of empathy - as if any sane user will ignore something that makes their life easier just because it’s not very safe - and, as a result, the near certainty of not only allowing the dangerous practice to happen but ensuring the users will try and hide it. An infosec professional who actively encourages covert insecurity? Bad infosec person.

“This isn’t the best way of doing things, but WiFi passwords are a pain. What problem are you trying to solve? Here, let me give you a script that will take care of that, and why don’t you let me set things up so they’re safe?” Also known as an “Uncle Phil” - from a famously approachable and sympathetic IT infrastructure manager - this is the sort of infosec person you want to track down, capture and keep in a dungeon. They know you have a job to do and want to help you do it. They know the limitations of IT security tools and do their best to humanise them. They know that 90% of actual usual work done in large organisations happens through tacit collusion. And they know that if they have your trust, they will forestall or swiftly shut down many real security issues before anyone senior enough to be dangerous has to worry about them. Good infosec person.

So while the advent of new and apparently disastrously insecure security practices and utilities may forever fail to filter out technical threats and vile vulnerabilities, they do have their uses as firewalls for humans. The technology of infosec is only half the story: filter for the good guys, and even Microsoft can’t get you.

Rupert Goodwins

Rupert Goodwins expected to be an engineer, but journalism happened. As an engineer, he worked in defence, for Sinclair Research and Amstrad, in startups and for himself. First appearing in print in 1982 and online in 1984, he's written about all aspects of technology in business for most of the UK nationals and tech magazines, and was most recently editor of ZDNet UK. Tries to solve more problems...