Jessy Irwin, VP of Privacy and Security, Mercury LLC
If you’ve ever been to an information security conference, you’ve probably seen a t-shirt that said, “there’s no patch for human stupidity.” That iffy diss—and lame t-shirt—about sums up the icy tone the security community has taken over the last few decades when it comes to users.
Figuring out a newer and more effective approach is the burgeoning field in which Jessy Irwin, the vice president of privacy and security at Mercury, works. Instead of the same old people talking down to users, Irwin advocates for the “weirdest and most strange, diverse groups of people” at work in security, all the better to deal with the weird, strange and diverse users that end up with the products they build.
Why are security professionals so bad at the human question?
I think people are bad at the ‘people’ question. I think much of it is that in security industry and community culture, there’s a lot of value placed on technical talent. That’s not wrong, but I think we’re getting to a point that there’s only so much hardening you can do to a system and code or whatever else. Engineers may not have all the soft skills or the passion or the drive to say, ‘Hey, let’s look at all these human factors.’
They’re not easily measurable, you can’t necessarily attach data to feelings in a way that is going to work with machine learning, for example. But I think a lot of it is just that there hasn’t been value on it, people haven’t had to learn it because there’s been so much to do on the technical side. It’s just not a skill set that’s really been developed yet.
It seems like more and more there’s a lot of value to diversity of talent and plain old diversity. So instead of just an engineer, having a psychologist or marketing professional. Or instead of just white guys, having women or other minorities to effectively communicate from multiple perspectives to multiple audiences. How important do you think that is with regard to education and what you’re working on?
I think it’s absolutely vital to have the weirdest and most strange, diverse groups of people. I say weird and strange in a loving way. We need to have the weirdest, craziest people together to dream up these creative attacks. We need people who have been in tough positions in life where maybe they had to deal with an abusive partner or maybe when they were in an abusive situation and they can think of what a setting might mean to a kid for the ability to keep information private, to keep information from being used against a kid by a parent.
There are all kinds of spots where we just need diverse thinking, period. One of the things I’ve been thinking a lot about too, especially since the election, is that a lot of people have been really excited about encryption tools. Signal has seen unprecedented downloads which is great and amazing. Tons of people are using WhatsApp for the end-to-end encryption which is also amazing. But we need a diversity of voices and experiences from our security teams to say, ‘Hey, wait a second, the tool’s not the thing that’s going to save you if you’re in a bad spot.’
Security is not just using some product the right way. As Bruce Schneier says, it’s also a process. It’s creating your own personal data policy, figuring out how long you keep information around and what you lock down. Keeping your accounts online and organized in a way so that, if something bad happens, you can focus on taking care of important things like your email and anything connected to money first. We need people who come from all walks of life to point out what’s important to everyone to secure and protect.
You just mentioned abuse. This is, at the very least, an underrepresented threat that’s not really addressed in the way people think about security. Is that something that you see? Is there any progress being made?
I totally agree. There are a lot of security and privacy issues we haven’t fully thought through.
I’d say the majority of people in tech are used to having their own private devices. They don’t have to share passwords or email, they can set up whatever they want to. That’s not how the rest of the world works. There are many, many use cases where people in the same household share the same device. Remember a while back when people shared Facebook accounts and that was its own mess. Imagine being in a situation where you are not in a healthy relationship with respectful boundaries and you share a phone with someone.
That means that person is able to access pretty much every single thing you say and do and know what is going out, knowing what your communication pattern is and who you’re talking to. Most security people would say, well, once a device is compromised, you can’t defend it. There are a lot of smart people working on this problem but there are things we can do not just from a security perspective but from a user interface perspective, from a user experience perspective to make sure people using shared devices and people in some of these weirder use cases are taken care of.