Armchair Security Experts

Providing security advice to someone can be very difficult, particularly when it is unsolicited. This is because IT security is entirely context-based. I use the term Armchair Security Experts to describe people who provide security advice, often wrong, as if they had expertise in the subject area.

Wikipedia explains the term Armchair Expert (or Armchair Theorizing) well enough, and the security aspect is much the same: someone with limited practical expertise in the field or, more generously, someone whose responsibilities don’t include owning any risk.

Security is all about context. If you make broad, bold statements about security without leaving your armchair to consider the context, you are providing negative value to a delivery.

I call the security advice that Armchair Security Experts sometimes provide Security Grenades. This would often happen in the middle of a big, important meeting, where someone semi-senior would throw in something like “I have heard that S3 is insecure”. This is such bafflingly bad information that it derails the purpose of the meeting.

This is closely related to the dead cat strategy (which is more or less as horrible as it sounds), but instead of drawing attention away from a dangerous line of discussion, it diverts the delivery team into trying to handle this knowledge asymmetry.

This is where, in an Agile delivery, taking all stakeholders on the journey with you is so important.

You need to keep everyone informed and up to date on your progress, your assumptions, and your solutions. You should be able to identify those who have the power to derail your project and put in the extra effort to keep them informed so that they don’t scupper your delivery at the final stages.