Perceptions of risk

Originally posted on September 14, 2011

At Blackhat & Defcon recently I was once again surprised by the number of security professionals who refused to touch a networked device for the duration of the conference. Yes, the risk is elevated and people might have zero-days. But the risk is also high in airports, coffee shops, and hotels in far-away places. People in some parts of the world live at a constantly high risk of zero-days in their own homes.

How can we be expected to help defend our users (who at most have a small fraction of the security knowledge that we do) in hostile environments if we can’t defend ourselves? Some have called this attitude cavalier or attributed it to hubris, but that’s missing the point.

The point is that either we are overestimating the risk at Blackhat, or underestimating the risk the rest of the time. If a security pro can’t defend themselves in a highly hostile environment, then I claim they can’t defend their users in a moderately hostile one.

Author: Lucas Adamski

20+ years in the Bay Area, with diverse experience leading hybrid software/hardware products, security, web platforms, devops and helping drive product. Diverse background from tiny startups to large corporations, lots of experience with distributed teams and building high-trust cultures (and occasionally, failing to).
