Security, Programming, Pentesting
by averagesecurityguy
We ask a lot of questions that we don't want answered honestly and we know when not to answer certain questions honestly. If you think about it, how many times do you say "How are you doing?" without expecting an honest answer or waiting to get one? And there is not a man in his right mind that is going to tell a woman "yes" when she asks, "Does this dress make me look fat?" We don't really want honesty, we want people to tell us what we want to hear.
This lack of desire for honesty holds true in the security industry as well. Typically, it plays out like this: a client requests a security assessment, you perform the work and create a report that is an honest assessment of their security posture, and the client begs you to modify the report to keep them from looking so bad. A lot of times you give in because you don't want to lose the client. This cycle is the reason companies continue to get plundered by attackers and why we are still dealing with security issues that should have been fixed years ago.
If you are a company seeking a security assessment, fix the problems in the report instead of arguing over the severity rating. If you provide security assessment services, don't placate your clients by modifying the report to suit them; find new clients that want honest answers.
"Honesty and transparency make you vulnerable. Be honest and transparent anyway." -- Mother Teresa
tags: Infosec problems - rants - thoughts