The Breach Bully Dilemma

A wise and weathered security executive told me many years ago that a picnic is nice with people who have their heads in the clouds, but the group's food is safer with at least one person who watches the ants.

CSO Online reminds me of this when, in a recent post, they strike out and condemn the tone and style of comments about Barracuda Networks. Apparently they don't want anyone to mention the ants. They are critical of those who are critical (of Barracuda Networks).

to skin a vendor alive in the twittersphere because imperfections were exposed is something that doesn’t necessarily lead to a more secure product.
If anything, it’s like a group of misfits in the schoolyard beating up on another kid just because he’s even more awkward and ugly than they are. That’s a typical human failing: When we’re insecure about ourselves, we take comfort in someone else’s misfortune. We may be pathetic, but at least we’re not as bad as the next guy.

Although I am tempted to ask whether they are just defending one of their advertisers, I want to set motive aside entirely. Instead I wonder about consequences — whether a critical view of critics and the chill of negative opinion is good advice for a CSO tasked with risk management.

Some philosophical issues come to mind when I look at the CSO Online complaint.

First, they ask us to be aware that bad things happen to everyone, even those they hold up as industry leaders. This must be a variation of “if you don’t have anything nice to say, don’t say anything”, which itself is based on a gross and dangerous oversimplification to manipulate feelings. It usually fails a simple logic test.

Chairs are white, I am wearing white, and therefore I am a chair. Successful companies have been breached, Barracuda was breached, and therefore it should pat itself on the back as a successful company?

This is not about the feelings of schoolyard children; it is about the discipline needed to protect data. The points that differentiate one breach from another need to be held up, reviewed in detail and dissected, to reduce the chance of oversimplification and repetition.

I suggest a better outcome, one that could acknowledge some or all of CSO Online's stylistic concerns, would follow from the command "if you don't have anything nice to say, stick to the facts". Even that is probably unnecessary. Barracuda is surely prepared and able to perform an investigation while easily defending its reputation (and able to cooperate with investigators whether or not it considers them nice, or congratulatory).

Second, the "it could happen to anyone" sympathy card, played in response to a breach, could undermine efforts in an industry that hopes to modify behavior. Shame is a form of regulation. Shaming a company for inadequate security is crude, but it arguably functions as an informal compliance mechanism. What consequence follows from asking the industry to avoid communication that carries a message of shame? What benefit does CSO Online see in resisting the human instinct to shame, in failing to make an example of a breached company?

John Locke, the famous philosopher, offers the following insight on shame in Some Thoughts Concerning Education.

Esteem and disgrace are, of all others, the most powerful incentives to the mind, when once it is brought to relish them. If you can once get into children a love of credit and an apprehension of shame and disgrace, you have put into them the true principle, which will constantly work and incline them to the right. (§56)

CSO Online gives us the analogy of a schoolyard bully to consider. They equate negative commentary and shame with bullying behavior, although they give no examples of speech they consider bullying. Their analogy is so broad as to be unacceptable at face value (a call to silence all negative opinions). But, setting that aside, I will take a stab at why their analogy actually undermines their position.

Let's say a kid in the schoolyard is vulnerable to pneumonia if exposed to rain. One day it starts pouring and the kid, who happens to sell umbrellas and rain coats, catches pneumonia. The umbrella fails. The rain coat fails. Other kids make fun of the situation and the kid feels shame. Should the kids who laugh and point be called bullies? Are they asserting domination or control, a typical element in the definition of bullying behavior? They may be practicing only a form of shame and disgrace, behavior that philosophers of ethics say will "constantly work and incline them to the right".

CSO Online thus advocates an overly broad regulation of speech. While they give examples of friends of theirs who communicate in a style they like, they should already know that positive reinforcement is not the ideal model in regulation and compliance. If they want to define breach bullies, to point the finger at bad actors, they should provide a test by which we can know whether and when we will offend the sensitive ears of CSO Online.

Professional sports, for example, provide rules to regulate bad behavior. Boxing does not allow a contender to be hit after a fall to the mat, hockey stops a fight when a skater is no longer standing, no hits are allowed after the whistle in football, and so forth. These rules tend to center on someone who is down and no longer able to defend, or who is in a compromised state relative to their attacker.

Would CSO Online have us believe that Barracuda is so vulnerable now that commentary with even an unpleasant tone or style should be stopped? The security company seems not only capable of responding on its own, but in a reasonable position to defend itself with a simple apology. If CSO Online wants to jump into the game and throw the red card for foul play, they should focus their judgment and ire on the actual attackers and not on heckling fans. If I were a player on the field and fans started booing my team after a loss, I would ask myself how to improve or avoid another loss rather than focus on silencing the rowdy but legal crowd. Stopping rowdy fan behavior is like trying to stop the rain.

Moreover, is it really necessary or desirable to regulate security community discussion separately from that of any other industry? America has a legacy of free speech principles that apply here, and applying CSO Online's vague rules of etiquette can have more negative consequences for risk management than positive ones.

Risk is measured in the likelihood and severity of an attack. Thus, for me it is less about whether the tone of everyone in the peanut gallery is to my liking and more about a factual discussion: how and why did a security company miss one of the most common attacks (likelihood), and was the exposed customer information sensitive (severity)? Silencing those who talk about the ants at a picnic may make the organizers less annoyed, but it does not make the food safer.
