We, as security professionals, have to raise our game. We have to be respectful and helpful. We have to know our audience and speak their language. If we are seen as the guys who will pounce on a mistake and publically humiliate the organization who makes a mistake, we will only make enemies among those we want to help. If we take the attitude of “every mistake is a catastrophy,” we will be ignored by management who will hear us saying “the sky is falling” and they will look out their window and see that the sky very plainly is not falling.
I will let Hunt’s own words express it best (modified slightly by me).
Over the weekend, a whole storm spun up over Tesco‘s web site security. I made a bit of a storify of it. They store passwords in the clear, they violate a bunch of SSL best practices, etc. Troy Hunt gets credit for the seminal tweet. Prompted by the flurry of interest, Hunt goes on to do a bit of investigating and blogging. What I think is noteworthy about his blog is the tone of voice. It undermines the (true and important) message and it represents a failure I think is common among security people. My favourite tweet was from matthewhughes: when he says “I think tone is less important than being right. And Troy was spot-on, IMHO.” That is exactly what I mean by “security tone deafness.”