The information security industry is a curious thing: Growing from early hacker culture, it has its roots in teenage bedrooms equipped with acoustic couplers sneakily attached to unsuspecting parents’ phone lines. It is easy to forget that this entire field of research is actually not that old and has, over the past years, experienced a massively growth. Just for the sake of reference: 2600: The Hacker Quarterly was founded in 1984, the German CCC in 1981. Of course hacking as a general concept predates both of these cultural institutions by far: Phreaking was big in the sixties and one might argue that trying to understand how something works and how to make it do things it was not intended to work, the core essence of what hacking is, predates even that possibly by centuries.
Yet, here we are: In a world where technology is ubiquitous and augments our daily lives, Spass am Gerät (fun at the device), as the catchphrase of the CCC promotes, is no longer just that: We are now faced with security challenges left and right, wherever we go and the industry that has grown from those casual beginnings is now considered a multi-billion dollar industry in most countries on this planet. We, as an industry, have been thrusted into the spotlight. Not because we are super amazing, but because we are needed.
I had the privilege to spend the majority of my adolescent years as well as all of my adult life in the hacker community and the security industry and I am deeply grateful for all the things people way more experienced and smarter than I have taught me along the way. I am now also in a position where I get to mentor people who are breaking into this industry or have been in it for a couple of years. And for these people, and everyone else who is willing to listen, here are three things that I would like to make you aware of because quite frankly I think they are more important than all the technical know-how you can gather altogether when it comes to not only survive but thrive in the information security industry in the next ten years.
This is the most grating thing that I experience when working with security people. The developers are using X to do Y, which is obviously a stupid idea. Is it? Is it really? Do you understand what this person is trying to achieve? What are the requirements? Do you have a better solution? It’s easy to use cynicism as a protection mechanism for your own insecurities and just pretend like security is the only thing that matters. But it’s not.
You might be in a position right now in which you can stand on the sideline and heckle other people’s work without ever having to step up and present a better way to do things, but a time will come when you will be replaced by somebody who does not talk smack about other people’s ideas, but embraces these ideas and adapts them with his own security mindset to improve the overall product. It is my firm belief that the time in which security’s primary purpose was to keep people in check and function as an internal watchdog is over. The question you need to ask yourself is no longer Is it secure to do X, it’s How can we do X securely.
The discussion about political correctness is complex and goes way beyond what I am trying to say here. But given its rowdy history, the information security industry had its fair share of ill-advised habits. An unhealthy glorification of the consumption of alcohol is one of them, the sometimes unacceptable behavior of single community exponents towards minorities, historically particularly women, is the other one. In the past two years, there have been massive, laudable efforts by a variety of people to make things more inclusive and to provide people with a more safe and professional environment to work and collaborate in. For example, a Code of Conduct is now considered good form when running a security conference and given the number of qualified experts in our field, diversity has become something that is universally recognized as a strength, not as a quota.
This is important, not just because I think that we should strive to be kind; it is important because as I initially outlined, our industry is currently dealing with a massive technological revolution that is still accelerating and we truly need everyone with the will and the talent to make a difference, no matter their ethnicity, gender identity, religion, or other personal background criteria. It is crucial that we allow these people to feel at home in an industry and a community that shares knowledge and fosters collaboration.
I am not talking about entire risk methodologies like FAIR, I am talking about the simple consideration of the likelihood and impact of an event in a specific scenario. It is extremely interesting to me, how often this is completely neglected due to misguided technical fundamentalism and a lack of pragmatic thought.
This relates to point number one of this list to a certain degree: Nothing is secure. Everything has flaws. Every system can and will eventually be compromised. It is not a question of if, but when and what that means for its owner. Be realistic about what a vulnerability really means in terms of risk and prioritize accordingly.
Over the past six months, I have repeated these things over and over in meetings, talks and in one-on-one mentor sessions and I think it is worth repeating here. Information Security is not an exclusive club anymore: We have grown into a massive industry that has a responsibility not only towards their own but also towards society. I suggest we try to live up to it.
Our experts will get in contact with you!
Our experts will get in contact with you!
Further articles available here