It is NOT time to “professionalize” information security.
I recently read an article that was posted by my friend Brian Honan titled “Is it time to professionalize information security?” I know this debate’s been going on for a bit. I have a lot of respect for Brian (who supports licensing or “professionalizing” infosec), for a lot of reasons. If you’ve ever met the guy, and/or know of his accomplishments and track record, you likely do too. So to be clear, my opinions in this matter have nothing to do with Brian, and everything to do with what I see as a bad direction to take in our industry right now.
People – this is a “knee jerk” to the insanity that is information security. Things are chaotic, sure. Breaches, crime, national defense…all contributors to this mess. Top that off with a general distrust for vendors (with a perception of them selling “snake oil”), a disturbing number of “charlatans”, raging debates about certifications like the CISSP, drama at every turn, and constant cries of “we have to get better”. Sigh. I know, it sounds bad, right? But it really isn’t nearly as bad as it seems.
We are an “industry” in a very early stage, folks. I’ve said this before, I’ll say it again – we have a major, fundamental difference in infosec that makes it seem much worse – we have adversaries. They are working against us. When the Windows MCSE came out, it was a joke. Anybody could go learn a little about Windows, and become a “certified” Windows…, uh, person. But there was no diabolical Blofeld waiting in the wings to set Microsoft back, planning a global overthrow with Linux-wielding henchmen in an underground lair while he stroked his cat. Same for networking, whether Cisco or otherwise. Same for databases, CRM, enterprise middleware, and so on. Nope, only infosec has these shadowy lurkers who continually thwart our best efforts, stealing data and making the news.
We’re making progress. Really. Yeah, we have some idiots jumping on the bandwagon churning out Nessus reports as “pen tests”. So do we run to “certify” everyone so such an atrocity can never happen again? Really? You’d put us in a little box so that we can all feel safer? No. Here’s a better plan – those of us who are NOT clueless and DO provide quality work for clients or our businesses should work harder to educate people on this. That’s the problem. People are freaked out, they may not know any better, and they’re looking for solutions. Be it vendor or consultant or both, there’s ALWAYS a solution. Some are good, some are not. We’re falling prey to FUD, plain and simple. And if you get caught up in the daily whining on Twitter and elsewhere proclaiming that infosec is “so messed up” and that it “needs fixing”…well, you’re falling right into the drama-laden trap that plagues our industry.
The infosec industry needs creativity. It needs people who don’t fit the mold, who would rather set a kitten on fire than wear a tie, and who cannot help themselves from telling dick jokes, no matter when or where. Those people may not fit the “professionalization” scheme, but we would be SCREWED if we lose them. They think outside the box, they don’t look “corporate”, and they insist on wearing black T-shirts. I’m being purposefully stereotypical, of course. We’re a widely diverse crew these days, and we’re better for it. But thinking we’re failing so badly that we need to “professionalize” is silly. If that is the case, then why don’t we REALLY get to the heart of things, and professionalize programmers? It’s their shitty code that is causing a lot of the mess, there’s no denying this. While we’re at it, we should probably “professionalize” systems admins, network engineers, everyone. They screw up too, right? We should definitely “professionalize” project managers. Those people are a pain in the ass. Let’s make them certify!
C’mon. This isn’t the answer. Infosec is crazy, sure. But we’re not headed into doom and gloom as some would have you believe. We’re improving education programs all the time. I have met some of the college kids who are taking part in Red Team-Blue Team competitions, and some of them are crazy sharp. We’re trying to fix things like the CISSP, with guys like Wim Remes and Dave Lewis as our men on the inside. We’re having proper debates about “attacking back” and cyberwarfare (ugh), and so on. We’ll get there. But don’t react and put us in a little defined “program”. I don’t want to be a part of the Borg, not now and not ever. I have hundreds of happy clients who can attest to my work, and so do many of you. Let’s let folks like the Attrition crew smoke out the worst charlatans. And let’s try to keep our sense of humor AND reality along the way.