Information Security - Three things you need to hear

Information Security

Three things you need to hear

Stefan Friedli
by Stefan Friedli
time to read: 6 minutes

The information security industry is a curious thing: Growing from early hacker culture, it has its roots in teenage bedrooms equipped with acoustic couplers sneakily attached to unsuspecting parents’ phone lines. It is easy to forget that this entire field of research is actually not that old and has, over the past years, experienced a massively growth. Just for the sake of reference: 2600: The Hacker Quarterly was founded in 1984, the German CCC in 1981. Of course hacking as a general concept predates both of these cultural institutions by far: Phreaking was big in the sixties and one might argue that trying to understand how something works and how to make it do things it was not intended to work, the core essence of what hacking is, predates even that possibly by centuries.

Yet, here we are: In a world where technology is ubiquitous and augments our daily lives, Spass am Gerät (fun at the device), as the catchphrase of the CCC promotes, is no longer just that: We are now faced with security challenges left and right, wherever we go and the industry that has grown from those casual beginnings is now considered a multi-billion dollar industry in most countries on this planet. We, as an industry, have been thrusted into the spotlight. Not because we are super amazing, but because we are needed.

I had the privilege to spend the majority of my adolescent years as well as all of my adult life in the hacker community and the security industry and I am deeply grateful for all the things people way more experienced and smarter than I have taught me along the way. I am now also in a position where I get to mentor people who are breaking into this industry or have been in it for a couple of years. And for these people, and everyone else who is willing to listen, here are three things that I would like to make you aware of because quite frankly I think they are more important than all the technical know-how you can gather altogether when it comes to not only survive but thrive in the information security industry in the next ten years.

1. You don’t need to be negative and cynical about everything

This is the most grating thing that I experience when working with security people. The developers are using X to do Y, which is obviously a stupid idea. Is it? Is it really? Do you understand what this person is trying to achieve? What are the requirements? Do you have a better solution? It’s easy to use cynicism as a protection mechanism for your own insecurities and just pretend like security is the only thing that matters. But it’s not.

You might be in a position right now in which you can stand on the sideline and heckle other people’s work without ever having to step up and present a better way to do things, but a time will come when you will be replaced by somebody who does not talk smack about other people’s ideas, but embraces these ideas and adapts them with his own security mindset to improve the overall product. It is my firm belief that the time in which security’s primary purpose was to keep people in check and function as an internal watchdog is over. The question you need to ask yourself is no longer Is it secure to do X, it’s How can we do X securely.

2. Culture matters

The discussion about political correctness is complex and goes way beyond what I am trying to say here. But given its rowdy history, the information security industry had its fair share of ill-advised habits. An unhealthy glorification of the consumption of alcohol is one of them, the sometimes unacceptable behavior of single community exponents towards minorities, historically particularly women, is the other one. In the past two years, there have been massive, laudable efforts by a variety of people to make things more inclusive and to provide people with a more safe and professional environment to work and collaborate in. For example, a Code of Conduct is now considered good form when running a security conference and given the number of qualified experts in our field, diversity has become something that is universally recognized as a strength, not as a quota.

This is important, not just because I think that we should strive to be kind; it is important because as I initially outlined, our industry is currently dealing with a massive technological revolution that is still accelerating and we truly need everyone with the will and the talent to make a difference, no matter their ethnicity, gender identity, religion, or other personal background criteria. It is crucial that we allow these people to feel at home in an industry and a community that shares knowledge and fosters collaboration.

3. Think about risks, not about vulnerabilities.

I am not talking about entire risk methodologies like FAIR, I am talking about the simple consideration of the likelihood and impact of an event in a specific scenario. It is extremely interesting to me, how often this is completely neglected due to misguided technical fundamentalism and a lack of pragmatic thought.

This relates to point number one of this list to a certain degree: Nothing is secure. Everything has flaws. Every system can and will eventually be compromised. It is not a question of if, but when and what that means for its owner. Be realistic about what a vulnerability really means in terms of risk and prioritize accordingly.

Conclusion

Over the past six months, I have repeated these things over and over in meetings, talks and in one-on-one mentor sessions and I think it is worth repeating here. Information Security is not an exclusive club anymore: We have grown into a massive industry that has a responsibility not only towards their own but also towards society. I suggest we try to live up to it.

About the Author

Stefan Friedli

Stefan Friedli is a well-known face among the Infosec Community. As a speaker at international conferences, co-founder of the Penetration Testing Execution Standard (PTES) as well as a board member of the Swiss DEFCON groups chapters, he still contributes to push the community and the industry forward.

You are looking for a speaker?

Our experts will get in contact with you!

×
Active Directory certificate services

Active Directory certificate services

Eric Maurer

Specific Criticism of CVSS4

Specific Criticism of CVSS4

Marc Ruef

The new NIST Cybersecurity Framework

The new NIST Cybersecurity Framework

Tomaso Vasella

Ways of attacking Generative AI

Ways of attacking Generative AI

Andrea Hauser

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here