Something's Rotten In The State of InfoSec

Like most other spaces, InfoSec isn't without its issues and dramas. In this post, I explore a few examples and offer my views.

Introduction

In previous posts, I've waxed lyrical about the good things I've experienced during my time in information security. To be fair, it has been a mostly positive experience and I have made lots of friends and done and seen some really affirming stuff.

On the other hand, I've also seen some pretty annoying things and indeed some downright shitty behaviour. Let me explain.

The back story

As with most things in life, once you declare yourself a member of a particular community, certain things start to happen. You become exposed to people that want to scrutinise you, question your bona fides or intentions and even pull them apart and ultimately attempt to throw you under a bus. InfoSec is no different in those respects.

It's critically important to point out that this is a minority of individuals globally, but nevertheless they exist. On Twitter, your blog, or whatever.

Also, once you declare yourself a member of a community, you open yourself up to people that wish to capitalise on your commitment or participation, be it through aiming products and services at you, or by tantalising you with a mega career somewhere other than where you currently work.

Finally, you also possibly and accidentally project yourself as an authority on a subject, often by simply serving up an honest opinion, retweeting someone else's content or by just using your voice. Even by starting out in a career and putting out a "Hello World" statement, you're running the risk of any or all of the above knocking down either or both your door, or your confidence.

The Great Pretender

Right, I'm a relative novice in InfoSec. I've been doing it for roughly three years (with an interest going back around five) and have been mostly focussed on web application security. A safe place, as for many years, I've been down in the weeds working with application developers and once I got the importance of AppSec, I was quickly able to engage with those people to make sure that security became a quality attribute of their product.

More recently, my focus has broadened to include infrastructure, networking and stuff like Things as a Service. Even physical security - building access and whatnot! Because I give a shit about security, I'm easily drawn (or thrown) into these new subject areas and of course because I give a shit, I want to get my firm into the best possible place it can be.

But the key thing is this, I'm not formally qualified. I don't hold a CISSP, CISM or similar badge of honour. I have completed certified ethical hacking courses up to my ears and I have subsequently gone about using those learnings to make my organisation a more secure one. But the point is that I don't have a wall full of certificates.

Because it isn't important. What's important is ability and above all else care.

You are what you do

This is a statement that I have lived by for nearly 20 years. It doesn't matter a damn what your job title is, or what your job description describes. What matters is the positive impact you have on where you work and how you drive or support improvements therein. Be that as a player in a firm, or as the sole player in your own game.

You are what you do, not what you say

That statement kinda leads me into the main purpose of this post. I needed the preamble, so apologies if it was a little long.

OK, so you've got your online profile all sorted; a Twitter account, your LinkedIn profile all polished and so on. That's great, but none of it really adds authenticity to your claims that you do what you say you do.

You can set up a website, that you have total control over and publish information about your excellence, but again it's totally moderated by you and ultimately nothing you publish can be independently verified, especially if you don't encourage feedback.

I suppose the same can be said for firms. Like most reading this post, my inbox is deluged with details about products and services that will cure all my security ills, be they related to 'guaranteed' DDoS prevention, email filtering, ransomware avoidance or doing my GDPR compliance for me. The list goes on.

It's known as snake oil. It's also all bollocks.

With firms, it's sort of understandable, because they're out to make a buck and I get that. But I disagree with firms that set out to sell you a total solution, because they don't have one. There isn't one.

They do it, it's not always right, but we accept it, or we politely or otherwise tell them to jog on. I guess.

Where I have a real ire is when it's individuals. People. Actual humans that are projecting their own order or idea of excellence, 'science' or security absolutism. That's where it really winds me up.

Trust me, I'm a Doctor

In parody, no one trusts that statement. It's treated with the same level of contempt as "The cheque's in the post" or "I'll gladly pay you Tuesday for a hamburger today".

There are people in InfoSec to whom the title of this section readily applies. They're folk that emerge from time to time, claiming infinite knowledge, or experience in the subject, yet when scrutinised or questioned objectively are found to be left profoundly wanting. Worse still, when confronted about their views in (often) the most reasonable way, rather than let their expertise do the talking, they'll round on people in the most vitriolic and disgraceful ways possible.

I'm quite an assertive being, but crucially only when I absolutely know my subject and the fine detail contained within. If I'm in any doubt or absolutely at a loss in any way, I'll happily let those in the know shine and absorb the understanding and utilise it another day.

The 'Trust me, I'm a Doctor' title also extends to another issue. People with qualifications hanging out of their ears. I can hang CISSP after my name and probably no potential employer would question it, especially as I maintain a public profile specific to my InfoSec goings on.

I could even conceivably invent qualifications and tag those on to my name:

Michael Thompson: HoS, MoS, CoS, GoS etc.

Head of Security, Master of Security, Chief of Security, God of Security

Meaningless shite. In no way whatsoever does that tell you as a firm that I'm capable of improving your security posture and of course, all of those accolades are made up.

There are firms out there that will sell you those titles. They're selling faulty services. They're inventing courses and self-assuring the quality and ultimately the outcome qualification you receive.

Michael Thompson: InfoSecGod

It's all rubbish.

In summary

I'm a novice. I hold no InfoSec letters after my name, yet I do a good job and my firm is reasonably secure as a result. Not because I have those certs, but because I really care and spend my time learning about relevant threats, mashing them into risk profiles that my employer can absorb and make decisions around. And then implement improvements.

Not because some blogger, twitterer, salesman or general charlatan offered me a cure for all my ills.

In many ways it's a real shame, as the vast majority of people I've encountered in InfoSec are genuine, passionate and knowledgable about the subject. I've written about this here. The problem is that sometimes, the few spoil it for the many and give the righteous mission we're on a bad name. This makes it really difficult to get vital messages across, such as that it is important to implement HTTPS and that it is important to patch the hell out of your things.

I take information from trusted sources and use it as effectively and as appropriately as I can.

You are what you do.

Thanks for reading.