“Do not let any unwholesome talk come out of your mouths, but only what is helpful for building others up according to their needs, that it may benefit those who listen.” – Ephesians 4:29

First, I understand this blog entry might sound a bit like “Monday Night Quarterbacking” or “Jumping on the Bandwagon”, and you are entitled to your own opinion.

Reading what my good friend Rafal Los wrote Monday evening in “Living in Glass Houses – #Infosec Industry’s Culture of Shaming”, I have to agree with him. Information Security is Hard.

I like to equate being in the information security/cyber security industry with being in the intelligence community.

To quote the movie The Recruit,

“Our failures are known. Our successes are not.”

The work and life of those in the intelligence community is a tireless and thankless job. Recognition is limited. Success stories are never told. Failures have repercussions and consequences.

The work and life of security and IT audit professionals share similar parallels. It is a tireless and thankless job. Recognition is limited. Success stories are never told. Failures have repercussions and consequences.

Security is, and will always be, challenging on both the offensive and the defensive side. It is a matter of degree. Both sides generally lack the support and resources to do the job, while at the same time they are among the first scapegoats in the wake of a security incident.

From an offensive/penetration tester perspective, there is always a finite amount of time and resources for rushing in and identifying risks without breaking the business or the piggy bank in the process. I somewhat question when a penetration tester announces they found a single vulnerability and concludes their job is complete. On every security engagement I have been on, there is always that lingering feeling that I missed something that warrants a closer look.

From a defensive/information security analyst perspective, it’s not easy either: between managing the day job (Layer 1-7 issues, putting out fires, doing investigations on security incidents, and normal responsibilities) and managing the night job (Layer 8 and 9 issues: Finances and Politics), it is a miracle in some sense that some firms actually have security in the first place, given the finite budgets they are given to work with and the sheer level of red tape they have to go through to get anything accomplished.

Being part of the Western Regional Collegiate Cyber Defense Competition for the last four years has taught me that playing defense is never as simple as doing a single thing. Whether it be people, process, or technology, something will fail, and that failure will lead to the compromise of a system or an entire network. These blue teams (defenders) consistently have to anticipate every single strategy the red team (attackers) will use and win every single battle the red team wages. In contrast, the red team only has to win a single battle (or a few small skirmishes) to win the war. The same is true in the real world.

I challenge anyone out there, whether you are in the information security industry or the information technology field, or simply a bystander, to understand the complexities we face together. The criticism, and the demands that someone be fired over this illusion, this perception of incompetence, need to stop. The heckling and shaming must stop, even if it is at a cyber competition. There is no such thing as secure. Even security firms are a target.

I challenge everyone: instead of shaming or heckling, we should be encouraging and edifying one another. Don’t tear people down. Build them up to be even better security professionals. As cliché as this is, we are all in this together.