November 12

For Information Security Newcomers, It’s More Good than Bad.

by Dennis Kuntz

Most people like attention. Just like we did when we were kids, to get that attention we sometimes engage in good behavior and sometimes in bad behavior. As a parent I know that a sound approach is to focus on and reward the good behavior, while not giving the attention sought via the bad behavior.

A perspective among some information security practitioners seems to have emerged: This industry is mean to newcomers. People I respect – though admittedly only through my exposure to them via Twitter and some subsequent blog reading – have recently lamented the current state of the information security community vis-a-vis its collective attitude toward newcomers and those who legitimately want to learn.

One from Rafal Los goes so far as to say that “Infosec is Rotten”, and elaborates from there. The other, from Dave Shackleford, is less strident but offers a similar stance (and offers a lot of practical advice for those new to information security practice, by the way). Their main points are:

  1. There are cliques within the established information security community

  2. Members of those cliques seek to humiliate those asking certain questions – especially when those asking identify themselves as “new” to information security

  3. As a whole, the information security field is not “welcoming, or mentoring, or open-minded about new people coming in.”

Based on my own experience, I’ve seen what they’re talking about when reading responses to blog comments, on social media outlets, and in forums, etc. I have wondered about it myself: What motivates it? How pervasive is it? How much of an impact does it have on those trying to enter the industry?

It has intrigued (but not surprised) me that a group whose genesis (it could be argued) stems from being socially outcast would naturally create socially-oriented subgroups that outcast others: Narcissistic exclusivity happens.

However, I don’t think it’s as widespread as some make it out to be. There may even be a more powerful trend of good people reaching out to assist others. Either that, or at least the positive influences in information security deserve an equal – or greater – due as do any negative cliques.

When I have had questions or needed a boost, there have been positive voices willing to reach out and lend a hand. And they have never asked me whether I am seasoned, green, or somewhere in-between.

From Michael Santarcangelo (@catalyst on Twitter) who has had nothing but guidance and help to offer, to Jamie Levy (@gleeda) who has helped me – pleasantly – with questions ranging from general forensics to troubled PyFlag installations; from Rob Fuller (@mubix) who has offered assistance with Offensive Security training, to H.D. Moore (@hdmoore) offering his thoughts on VM’s “endian-ness”.

The resumes of the names I have listed are impressive – these are not information security lightweights. And the exciting part is that these are only some of the people who routinely help others – I couldn’t begin to name all of the ones from whom I’ve had helpful, generous contact.

The good elements of information security are there, and they are active. Maybe we need to do a better job of seeking them out, engaging them, listening to and amplifying their efforts. Certainly their knowledge should be absorbed, and their l33tness bowed down to, but just as importantly, their generosity should be acknowledged and they should be thanked. Giving more public props to and highlighting the efforts of those who are doing The Right Thing will help to steer those impressionable newcomers in the right direction. We should also individually strive to emulate these people. This will put the attention and focus on what – and who – is more productive and better represents what we think our industry should be like. Ultimately this will be better for all of us.

(A note: yes, everyone I mentioned is on Twitter; that’s where I’ve “met” more information security people than anywhere else. I’ve met some in person and even become friends with some. And it’s a good place to interact with and learn from them).


Tags

security, social media

