Understanding realities

In between all the politics and memes on Twitter, you sometimes come across a genuinely interesting security conversation.

My friend Quentyn Taylor, who happens to be a CISO, posted this tweet, which generated a lot of great commentary.

I recommend going through and reading the comments; there are some very valid points being made both in support of, and against, this viewpoint.

Personally, having worked in many banks which had huge legacy estates running critical banking applications, I agree with the statement. It’s easy to sit on the sidelines and say, “just upgrade” but it’s never really that simple. Security is often only a small consideration in the big scheme of things.

It’s why risk management is so important: it helps clarify what the tradeoffs are. A legacy system may be vulnerable, and that risk may equate to a dollar value. But the downtime, upgrade costs, and impact on associated systems of an upgrade may outweigh that considerably.

So many times it comes down to having a proper inventory, classifying data, and monitoring legacy systems with a closer eye.

However, this isn’t the whole reality.

It’s a reality based on my personal experience, which likely mirrors much of Quentyn’s experience. And that’s something many often forget – just because something works in one enterprise, or type of business, it doesn’t necessarily mean it will work in another.

Which is why I feel that, when discussing security topics, it’s worthwhile to be specific and add context around it. It’s something I’ve been guilty of in the past, and I’d like to change it.

For example, take these two statements:

Scanning QR codes is not popular.

Scanning QR codes is not popular in the West.

That is because in some countries, like China, QR codes are everywhere. The location adds that important bit of context that turns the statement from a generality into something more specific.

The same logic can be applied to many of the broad security statements that are often made. So when someone makes a statement such as “there’s a shortage of infosec talent”, the questions that come to mind are:

Which geographies does this apply to?

Is there a lack of red teamers, blue teamers, or risk managers?

Is it a lack of people with over 5 years’ experience, or are they too expensive?

If we stick to our own realities and speak only in general terms, we will remain adamant that our point of view is correct and never reach a consensus. And it’s probably about time that we started having better conversations.