Preface from “The Security Hippie”

Wanna hear a crazy story?

Shall we go to lunch?

For me, these two questions seem to be naturally interlinked. So much so that I had struck many lasting friendships while answering them, as is (for example) evident in the foreword. Let’s face it: sharing stories over food – be it next to a campfire, standing together by a favorite hole- in-the-wall, sitting at a linen-covered table in a fancy establishment, or in any of numerous other settings – is as long of a tradition as humanity itself. Fundamentally, we are all cavemen grunting to each other while roasting whatever we just hunted over our recently discovered fire.

Humans are social animals, and this book is, first and foremost, a reflection of that basic truth.

If you’re here because you read my first book, Why CISOs Fail, then you may have inadvertently played a part in the writing of this one. Because if there was one overwhelmingly consistent feedback I received from almost every corner, it could be summarized thusly:

“We want more stories!”

(And thank you all; this book would not exist without you.)

If you’re here because the premise of this book drew you in independently, then I daresay you will be in for a treat. You see, the news media seems to have recently gotten around to the idea that security is something that is worth reporting, but with the news cycle being what it is, that reporting is, shall we say, not all that. We get the big stuff, like huge consumer privacy breaches, delivered in an all- too- familiar staccato cadence that is designed to get your attention – and keep it – without actually telling you anything.

Lots of drama, fire and brimstone, but let’s face it, none of it is very relatable.

It’s stuff that happens over there, and while it sounds scary and can definitely hurt us, we don’t really understand it. So we roll our eyes at these tech people and move on. I mean, and not to put too fine a point on it, most of the journos covering these stories usually don’t understand any of it either. And the people they then usually turn to for advice as they write their stories typically have an angle, often because they are associated with a vendor that wants to sell something that is somehow related to the news item.

But the truth is, so much of this field happens here, and happens all the time. We just don’t see or pay attention to it, because nobody ever points it out to us.

As an aside, why do these “vendor people” hold so much sway?

Yes, it’s a rhetorical question, but it also illustrates a mindset, which is a perfect segue into the term “Hippie” in the title. I settled on it because I’d essentially spent an entire career being the bratty kid who does things his own way, unable to accept the established ways of doing … well … pretty much anything, let alone conform.

It isn’t meant to imply drum circles and flower dresses, although that latter bit brings up my absolute favorite nickname ever given to me by the people who work in my company and thus know me very well:

Pretty Lil’ Princess.

One of these days, it shall appear on a business card as “PLP”, but only you and I will understand the joke. Keep it between us, yeah?

Through some odd twist of fate, at some point the counterculture started becoming the mainstream. Now everyone wants a “virtual CISO” because good full-time ones are expensive, hard to find, and (here’s that Hippie again) often simply unnecessary. That’s the thing about highly specialized skills – when you need them, you really need them, but usually you don’t. Still, having spent over two decades peddling this concept, which is apparently longer than anyone else has, I’d become associated with it to some degree. And along the way, I’d spent time in a frankly unhealthy number of different places helping them with this security stuff. The end result is stories.

Lots and lots (and lots) of stories.

As you might expect, there are many that I don’t share, too; I could tell you about how at one time, I utterly failed to explain a critical security concept, losing a potentially life-changing engagement, only because I suddenly had to do it in Hebrew – which is my mother tongue. Turns out my “business language” is English. Who knew?

Or that one time when I lost my largest customer because I neglected to wait and ask for permission before helping them preempt a massive security exposure (talk about a lesson). I could tell you about figuring out the code to turn on some of those big machine saws in the back of many a Home Depot, once you think of the problem in human behavioral terms. In fact, there are so many stories, this book could easily be six times as big.

But ultimately I came to the same decision as I did with Why CISOs Fail. I want you to actually read the book. And the first step in doing that is cracking it open. I contend that a heavy tome presents its own
barrier to entry, even if you had already paid for it.

That won’t do.

The other thing I want is for you to have fun. Like one of my early reviewers, who also makes an appearance in the book and with whom I have spent many a lunch together, told me as he was reading the early draft PDFs I was posting to the book review board: “I was reading it in my backyard hammock with a glass of wine” – he even sent me a picture to prove it – “and it was like having a little bit of Barak with me”.

So please, have a blast. Laugh with me. Laugh at me. Roll your eyes. Come back and tell me I’m clever, or maybe stupid; I’m easy enough to find. Ultimately, this is what these stories are for, and what all stories
are for – to help us relate. This field desperately needs more of that.

Thank you for joining me on this little trip. I promise you won’t get lost.

—Barak Engel

P.S. And also … if you actually read this preface, then also read the damn footnotes. They are, in themselves … quite … hippie.