Lies, Damn Lies, and Infosec.
The little lies we tell ourselves are usually the most insidious. Lies about our weight, our success in life, our relationships. We believe these lies. Or we *want* to, at least. They make us feel better, most times. But they creep up on you over time, and when you really, truly discover that they’re lies, after all, they hurt. And they can hurt a lot.
We just might be lying to ourselves in the information security industry.
After a great and spirited debate on Twitter (naturally), a realization dawned on me. Well, two realizations, but I’ll start with the lie.
We may never be seen as business “partners”, or something that really adds value in an organization.
We’ve been struggling with this for years. “Get a seat at the business table” blah blah blah. What if we’re not meant to have one? What if the notion of a “Chief Security Officer” is most businesses’ (and the universe’s, perhaps) grand joke upon us and our industry? Any of you reading this that hold a CSO or CISO title…do you feel like you’re treated as a true executive? My guess is no. I’ve been one, I know. People are pretty nice to us, maybe. But we’ll never have the clout of a VP of Sales, or a CFO.
And down deep, I think we know this.
But we keep on lying. Now, lest you sink into a quagmire of depression from which you’ll never surface after reading this, we DO have some value. Of course we do! I don’t need to describe all the things we do, and the unemployment rate in infosec right now supports the notion that we are serving a definitive purpose. But time and time again, I hear my fellow infosec folks opine that things are futile, we’re not making a lot of progress, we’re not “winning” (whatever that means in this business).
I’ve struggled with this for a long time. I’m a natural optimist, and I want (badly) to believe that we CAN “win” or succeed at beating back what for all appearances seems to be an unending tide of malicious and horrible crap. But this Twitter-borne realization dawned on me that I may in fact be lying to myself, and everyone else may be, too.
I said I had two realizations. The other came later, after my friends Kevin Riggins and Josh Corman pointed me to something beautiful. Neil Gaiman, a well-known fantasy author, gave one of the most incredible 20-minute speeches I have ever heard at a university commencement ceremony, and you can find the video here. I cannot encourage you enough to watch this video, it may give you something you didn’t know you needed.
There’s one passage in Neil’s speech that hit home, perhaps more than others:
So be wise, because the world needs more wisdom, and if you cannot be wise, pretend to be someone who is wise, and then just behave like they would.
So, for that second realization. I may be lying to myself, and you may be, too. As for me, I may not be the one to change the business world’s idea of infosec and the value we bring. But I’m going to pretend to be someone who can. And maybe that’s just as good.