CrankySec

We're all DEVO

There was a time back in the mid-to-late aughts when it looked like being in cybersecurity (née information security, a.k.a. infosec) was a good way to make a living: it was an interesting field that required a lot of knowledge about a lot of things, most of them cool shit. It was the post-phreaker, post-hacker era, when a lot of the folks who invented the field by accident realized they could make money out of their habit of being nosy. The post-Aleph One era. The post-cDc days. The post-L0pht times.

Those days were easy in the sense that things were not this complicated, and we were all mainly figuring things out as we went, with a boost from the prevailing cultural tailwinds of a time when hacks and leaks were deemed serious and an existential threat to businesses big and small. If you knew your stuff, you were a hot commodity.

I spent the vast majority of my career doing cybersecurity audits and consulting, and that shaped the way I look at the practices, what works, what doesn't work, what's theater, and what's not. That has kept me gainfully employed for the past 25 years, with a couple of months of unemployment here and there. In other words, this thing we do has kept a roof over my head, and the lights on for a quarter of a century. I am forever grateful for the opportunities, but, make no mistake, I had to do the work.

I'm not here to argue about people coming into this profession with the "right" or "wrong" intentions, but the reality is that we've been teaching folks how to do this job wrong. We prioritize memorizing bits of cybersecurity trivia over the basics. We all but force people to spend a lot of their time chasing letters to put after their name on LinkedIn. We tell people to learn products and services that will become obsolete in 5 minutes. We teach people how to play the part in this big theater. Because that's what it is most of the time: theater.

Metrics that make no sense, products that don't do what they say they do, problems that were solved long ago that keep popping up because your boss is chasing some new fad, trying to AI their way out of irrelevance. Trying to preserve the status quo. Trying to show everyone that we're the smartest of them all, that the world does not function without us, that our every warning should be heeded without question.

But people are not stupid. I mean, some definitely are, but that's not the point right now. What I mean is this: we've been living in this age of extreme reliance on computer systems for the better part of four decades now, and pretty much every apocalyptic prophecy issued by cybersecurity godheads came and went. With very few exceptions, nothing of note happened. Which is good in the sense that, you know, nothing happened. But it's bad in the sense that people are starting to realize that, you know, nothing happened.

And "nothing happened" in a variety of ways: some problems were identified and fixed, and some other problems that were identified as problems turned out to be not that big of a problem at all. But also, actual problems were identified, people decided that they didn't give a shit, and we just "learned" to live with them. Some corporation leaking every single detail about you? Must be Monday or some other day that ends with Y.

Things have changed, and this industry doesn't want to acknowledge that. Because acknowledging that would mean coming to terms with the fact that we're not these indispensable warriors tasked with the noble mission of keeping the world "safe". And that hurts some egos. This beast has grown too big, and we need to keep feeding it if we're to keep enjoying our status in this modern age. The problem is: it's not up to us. The world has moved on from the old way of doing things, and we need to keep up. Even if that means accepting that we're not this fundamental pillar of society. Organizations get popped, they recover, life goes on.

This shift towards a cybersecurity industry with less bullshit needs to be top down, though. And we do have a bunch of fools running the show. We've talked about this. This industry has a very bad habit of confusing accountability with persecution. Which is funny, because when actual persecution happens, no one seems to give much of a damn. Just sign a letter, and you're good to go.

While lEaDeRsHiP is gallivanting around RSAC jerking each other off, trying to figure out ways to bail unscathed when something happens on their watch while the plebes go down with the ship, we're here fighting for our lives and worrying about job security because these fucks might hear some sales pitch at Moscone Center from some asshole bUsInEsS dEvElOpMenT eXeCuTiVe who promises your CISO that your job can be done by ChatGPT. It cannot. But your boss's boss will bite, even if they don't actually believe it. It's just that everyone else is doing it. You don't want to live in the past, right? Which is exactly what you've been doing all along, and exactly what you will continue to do unless you start thinking about what matters.

What matters is knowing what you need to protect. What matters is context. What matters is being able to look at the big picture, and having the capacity to understand the details when you zoom in. We don't need yet another phone company ad masquerading as a report to tell us shit we already know. We don't need to know what happens inside cybercrime organizations. That's just gossip. In reality, we don't need to waste time doing a lot of things that are considered "best practices" by someone who thinks changing your password every 90 days is sound advice. We don't need operational guidance from people who think there's no development methodology not named waterfall. We need to stop listening to these idiots, because they're dragging us down.

We need to rethink how we approach cybersecurity. We need to advocate for actual regulations that incentivize organizations to not fuck up. We need to tell those CISOs who keep whining about "personal liability" to shut the fuck up and do their jobs, like everyone else. We need to call bullshit on the nonsensical practices. We need to tell ISACA, ISC2, and SANS that we don't need their multi-thousand dollar certifications that prove nothing. We need to enable the next generation of practitioners to do a better job through mentoring, exchange of ideas, and community. I'm getting old, and retirement is not that far away for me. And I'm just a mote of dust in the grand scheme of things. This thing we do is devolving, and we can't let that happen. Not because we're the last bastion of brainpower, but because we do have a role to play here. Just like everyone else in society. Thank you for reading, and for your support. Let's fucking go.