The evolving world of Internet Security has a tendency to be
a complex and bemusing arena for the professionals that make their living from
it. The rapid development and deployment of immature technologies, the growing
size and sophistication of systems, the unwanted attention and migration of
organized crime, and the near religious fervor some devote to the ethical
quandaries of the Internet, mean that few security topics are either simple or
devoid of opinion.
One topic guaranteed to crop up in a weekly
discussion of Internet security is “ambulance chasing”. It’s a
topic capable of dividing a room, initiating a prompt and well-rehearsed ethics
debate, and causing more than a few veins on people’s foreheads to swell and
pulsate.
Now that breach disclosures are a daily occurrence and the
frequency of “mega breaches” seems to have hit its stride of monthly broadcasts,
much of the security industry really does need to put on its big-boy pants and
overcome the philosophical debate of whether reaching out to a breach victim
and offering to work with them to understand, overcome, mitigate, or remediate,
is in fact “ambulance chasing” or more akin to being neighborly and
professional.
For many folks, the prospect of contacting a victim and
explaining what you could do to help them evokes a vision of seedy lawyers
prowling the halls of hospitals looking for the latest motor accident patients.
The vast majority of security professionals I know (ranging
from consultants to analysts, and sales to engineers) genuinely see their
occupation as a calling and passionately want to help make the Internet a
better place. However, for one reason or another, the prospect of reaching out
to someone that hasn’t already reached out to them and explicitly asked for
help is too often interpreted as a breach of some unwritten rule… a kind of
“invasion of personal space”.
For sure, as a professional you’re offering your skills and
expertise for a price. However, to interpret the actions of pro-actively
reaching out to a victim as some slimy underhanded means of gaining business is
naive and outdated. Amusingly enough, the majority of security consultants I’ve
known or worked with over the years are only too capable of identifying new
victims that they or their company could help, but may grudgingly pass it on
to a “sales guy” – thereby keeping their hands clean and distancing themselves
from what they perceive as ambulance chasing sleaziness.
I don’t see it that way. My advice to consultants that
want to grow their career and move on to becoming business leaders (with the reputation
and salary to go with it): get over your inhibitions and reach out to those
organizations and contacts yourself. Forget the term “ambulance chasing” and
instead think in terms of supporting a neighbor down the road.
Look at it this way. You’re an expert locksmith. Every day
you walk your dog down the street and you notice how poor many of the locks are
(and how many are missing). Then one day a house down the street is burgled.
You see the flashing lights outside, police dusting for fingerprints, and a
substandard lock was clearly dismantled and exploited by the criminal to gain
entry. Do you ignore the incident and hope the victim will Google locksmiths
later and contact you, or do you rush home to make a call to your sales guy and
tell them your neighbor’s address and leave it in their hands? Or, as a
professional confident in your skills and expertise, do you approach the victim,
introduce yourself and what you do, and offer to help them if and when they’re
ready?
Think about it from the perspective of the victim too. Would
you rather hunt and peck looking for someone to help? Would you prefer a sales
guy cold calling you and pimping all their products? Or would you respond most
favorably to a local expert from down the street who approaches you directly
and offers to help there and then?
In a world of daily breaches and vulnerability disclosures,
more people need help than ever before. As a security professional, if you’re
waiting for them to reach out to you and ask for your help, you’re doing a
disservice to both them and yourself.