Big Trouble in Little Infosec
The security “community” has been so incredibly drama-laden this year (largely due to media sensationalism and that wily A-P-T, yeah you know me!) that it’s been tough to stomach. That’s really not me being curmudgeonly, honest. I’ve had a fascinating year, done some amazing work with clients, and seen at least a good number of incredibly smart friends and colleagues at industry events and elsewhere. So, what’s got me wound up? Well, it’s that time of year, first of all. As a consultant who travels internationally a LOT, and stays busier than a rational human should be, I am reaching a point of exhaustion where I start reflecting on what I’ve seen and thinking a bit more philosophically about the state of the “industry”. Second, I’ve really had some big insights personally, just seeing things a bit more clearly for what they are.
You may have noticed that I surrounded the terms “community” and “industry” in quotes. That’s intentional. And directly related to concern #1:
If we’re a “community”, what are our values? And why do we qualify as an “industry”?
I’ll explain. From what I’ve seen, it might be time for us to work a little harder at helping the “normals” get secure. I know we THINK we all do. But ya know what? We’re NOT approachable. We are very quick to judge people not fit to compute. And that, my friends, is 99% of the world, in our eyes. We have to lower our bar, try to be a bit more understanding of Facebook people, and start solving the real problems of awareness and usage scenarios. And, uh, misogyny in IT. Or at least infosec. Really, being a bigot to women is pathetic these days. Especially if you are a fat, white and pasty nerdbot that doesn’t see much daylight.
As to the “industry” thing…please. Everything about infosec is a “feature”. We are not IT. We are not “risk”. We are a part of both. Yes, there’s money here. But we are NOT a strategic element. We’re a small piece of the business equation, no matter how important we think we are. Maybe, in some industries and situations. But not as “the norm”.
And so…problem #2: We think we’re more important than we are.
True, sadly. Especially the pompous CSO types who puff their chests out and talk about “metrics” and “governance” and “GRC” and “advanced threats”. We have a lot of the “let’s preen and act important” game going on, where people act very serious and try hard to dress nice and seem like they know what’s happening. Pffft. These folks are reacting just like everyone else, and the last fucking thing we need is more corporate politicians. Take your “GRC” and “dashboards” and go do something better suited, like create a colorful chart. UNLESS…you cover for the real team that actually does shit. And maybe once in a while, you enact some changes through your amazing PowerPoint skills of persuasion. Which leads me to #3:
We need a LOT less talkers. And a lot MORE “do-ers”.
Seriously. I’ve said this before. More than a few times, really. But what I see out there is concerning, folks. I see a lot of infosec professionals who, candidly, suck. Basic Windows skills and ability to fill out Word docs does NOT an infosec professional make. You need admin skills, network skills, DB skills, some code, and maybe more to be a well-rounded infosec person. Most are not. Some can learn, and want to. But many are in it for the perceived paycheck. If you are 20 years in and can’t use Linux, don’t expect me to give two fucks about you and your career. Because you don’t care. And neither do I. This isn’t a cushy 9-5, maybe we’ll get a pension someday, kind of gig. Keep learning, evolve or die. And if you DO care, and are trying to switch careers? I’m your biggest fan. I’ll help anyway possible.
And finally? Another topic I’ve harped on, at #4:
Bo don’t know code. And neither does infosec.
We need more people to code. Less click, more code. App issues are the now AND the future. If you can’t handle that…you’re on the way to dinosaur, sorry.
These are some harsh realizations. But really, we look at infosec and data breaches and wonder why things aren’t better. What if we’re a big part of the problem?