Security Basics: Part 4 - Paranoia

Paranoia

Every good security professional has a healthy respect for the unknown, which is usually tagged as paranoia. An appropriate amount of paranoia, applied in the right area, makes you quite effective at securing the network you're in charge of. The key is education. This doesn't mean you need a degree in watching over your shoulder, but you should know what to be afraid of, and how to make sure you find out if and when trouble is happening.

On a recent Pauldotcom podcast, the point was made that most people don't really get serious about securing their code or systems until they've personally been attacked. The other side of this is that actually doing some of the attacking and seeing it work firsthand usually has the same effect. As such, it's important that all IT professionals get that experience at some point in their careers.

I find it very interesting how human psychology impacts the information security industry. To me, it seems very straightforward: you have something of value, bad people want it, so you need to protect yourself. There's nothing outlandish or new there; that concept has existed since the beginning of life. But somehow, despite our advanced intelligence and civilized society, we all seem to have a default naiveté when it comes to information and IT security. I suppose this effect also occurs elsewhere, such as when a person doesn't regularly wear a seat belt until he or she has been in a serious car accident.

Given the above, it's not difficult to understand why FUD-style (fear, uncertainty, doubt) marketing exists and why it works. Putting someone in a scared mode is an incredibly effective way of switching them from actively opposing security to actively embracing it.

To be an effective information security professional, what you need is a balanced, aware, and fact-driven sense of paranoia. The proper balance is struck when your paranoia drives you to have a constant need for security without blinding you to the reality of your environment. As such, you need to be incredibly aware of the organization you are working within. While security is important, it needs to coexist with functionality, usability, and visibility, while also making the political, budgetary, and regulatory parts of the equation work. Because paranoia is a 100% emotional response, it's important to keep it properly in check. Every decision needs to pass through a filter of reasonability and facts, so that you don't pour all of your resources into the one threat that scares you the most while leaving the others uncovered.

I think all good security professionals possess the right kind of paranoia, the kind that drives them to stay effective rather than becoming stagnant or complacent. I personally think every IT professional would do well to acquire a bit of that paranoia. While it usually comes as a result of a negative experience, it can also be had by way of a class with hands-on hacking. However you get it, your effectiveness and career will benefit greatly, as will the security of everything you touch.
