CrankySec

It's Who You Know

About a year ago, I was driven out of a job by a very incompetent person. The consequences of that departure are being felt to this day because I had to tap into my savings to, you know, eat, and I had to take a hometown discount on my compensation because the market for cybersecurity professionals has been utter shit since 2018 or something.

That job was kind of bonkers because, even though the industry that company belongs to shouldn't exist, the job itself was interesting and I was super excited when I joined, which is not something that happens regularly. Fully remote, no micromanagement, smart people, tech that wasn't from the 1950s, and the team I was managing was extra cool. I was supposed to be doing risk management stuff, under a director of risk who reported to the CISO.

And, for all intents and purposes, the CISO was a technically capable person. The problem was the entourage of people who kept following the actual competent human being from job to job to job. CISO gets a good offer to go work somewhere else? Pack your shit up, boys and girls. We're all moving.

The problem with bringing people with you anywhere you go is that you stop being objective. People who tag along know the shortcuts to make you happy. They exploit this borderline (and sometimes actual) personal relationship to get what they want, even when what they want is not the thing that you want, or what's best for the job. Add some intense aversion to conflict and a dash of inability to say no, and your entourage is set for life.

The consequences of that are obvious. It's one of those very few cases where you can actually experience something trickling down: you put incompetent people in charge of other people, and the other people tend to be incompetent, too. Sometimes it's not even malicious. It's just that they don't even know what competence looks like. So there I was, reporting to a member of the entourage, surrounded by people who couldn't tell the difference between an incident and a risk. People who told an external auditor with a straight face that "We don't use likelihood when performing risk assessments because anything that can happen will happen." I shit you not.

These kinds of people have a tendency to complicate things that are simple while, bizarrely, simultaneously underestimating things that are complicated. The kind of people who will hear someone say OKR and immediately try to implement it where they work, even when it leads to some other people making "Lower the risk by 5%" a goal even though your risk management methodology is qualitative. What's 5% of Medium? Who the fuck knows? But that's old news, right? The world is full of Objectives without Key Results. Key Performance Indicators that do not indicate the performance of anything. They love busywork. They love tools that make busywork even more impressive. That's why you need to suffer shit like Jira, Confluence, SharePoint, and the rest of the gang. It's not for you. You're just catching that stray.

Jesus is coming. Look busy

One time I pitched the following idea to help manage the lifecycle of policies and procedures:

  1. Create a git repository
  2. Write the policy in Markdown
  3. Changes to the policies are merge requests
  4. Policy approvers approve the merge requests
  5. That's it

Writing Markdown doesn't require anything more elaborate than fucking Notepad. The GitLab instance was already there. It was just a matter of learning 3 git commands, if that. This was deemed too complicated, so they went with a Confluence add-on that was about $50,000 per year and did basically the equivalent of a Shields.io badge.
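Here is that workflow end to end, as an added example that is not from the post: a throwaway local repo stands in for the GitLab instance, and the merge-request approval is simulated by the approver merging the change under their own identity with `--no-ff`, so every approval becomes a merge commit that records who approved which revision and when. Names, emails, file names and the policy text are made up.

```shell
#!/bin/sh
# Added example (not the post's own code): policies as Markdown in git,
# changes as branches, approvals as merge commits by the approver.
# All people, paths and policy text below are constructed for the demo.
set -eu

# Run git as a given (constructed) person without touching global config.
as_user() {  # as_user "Name" "email" <git args...>
    name=$1; email=$2; shift 2
    git -c user.name="$name" -c user.email="$email" -c commit.gpgsign=false "$@"
}

# Step 1 and 2: create the repository and commit the first policy version.
setup_policy_repo() {
    repo=$1
    mkdir -p "$repo" && cd "$repo"
    git init -q
    as_user "Policy Author" "author@example.invalid" checkout -q -b main
    printf '# Access Control Policy\n\nMFA is required for all admin access.\n' > access-control.md
    git add access-control.md
    as_user "Policy Author" "author@example.invalid" commit -q -m "Add access control policy v1"
}

# Step 3 and 4: the author proposes a change on a branch (the merge request),
# and the approver merges it. --no-ff forces a dedicated merge commit, so the
# approval itself is an auditable record with the approver's identity on it.
propose_and_approve() {
    as_user "Policy Author" "author@example.invalid" checkout -q -b review/mfa-rotation
    printf '\nMFA tokens are rotated every 90 days.\n' >> access-control.md
    git add access-control.md
    as_user "Policy Author" "author@example.invalid" commit -q -m "Require MFA token rotation"
    as_user "Policy Author" "author@example.invalid" checkout -q main
    as_user "Policy Approver" "approver@example.invalid" merge -q --no-ff \
        -m "Approved: MFA token rotation" review/mfa-rotation
}

# Audit trail for the auditor: one "approver|what was approved" line per
# approval, derived from the repository alone. No add-on required.
approval_log() {
    git log --merges --format='%an|%s' main
}

main() {
    setup_policy_repo "$(mktemp -d)/policies"
    propose_and_approve
    approval_log
}

main
```

Run it and the only output is the approval line; `git log --merges` is the whole "who signed off on what" report.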


If you've been following along, and I hope you have, this is the kind of stupidity that grinds my gears. I am extremely vexed by busywork. I do not like to do more than what's needed to achieve a particular goal. Less is more. Function over form. Keep It Simple, Stupid.

You won't believe what happened next! One enterprising member of the CISO's entourage sniffed an opportunity to take over someone else's role, and get a cooler title and a bigger team to boot. This person became the Senior Director, and, after taking me out to lunch to "pick my brain", promptly found an excuse to take away my team, my title, and send me to Siberia "Operations" as an Individual Contributor.

And, look, I will be the first one to admit that I am a major pain in the ass to work with sometimes. I take this shit way too seriously, I have a loud mouth, I tend to not respect authority for the sake of respecting authority, and I openly show my disdain for performative busywork. I will get in anyone's face. This, of course, led to clashes with this person who has never ever managed a cybersecurity team before. Their boner for Jira/Confluence/Agile/Daily Standups was all the evidence I needed to conclude that this was not a good fit for anyone involved. Which is fine, really. Sometimes shit just don't jibe.

What bothered me somewhat — or a lot, since I'm almost 1000 words into this diatribe — was the lack of gamesmanship. The blatant undermining crudely disguised as some elaborate, machiavellian, inscrutable 6D Chess was just disrespectful, you know? I didn't lose because you bested me. I lost because you were overpowered. But, then again, expecting more from someone whose only qualifications were "I've been working with the big boss for decades" is unwarranted, and that's on me.

All of that was a very contrived way to tell you something you probably already know: for better or worse, it doesn't matter how good you are as long as you're well connected. These connections are not necessarily nepotism or favoritism. Professional connections can be, and are, established and maintained on the basis of competence, too. It's a little harder, but it's not unheard of. If you get out there and show the world that you know your shit, you're planting that little seed that can grow into a fruitful professional relationship.

And, shit! What do you know? We have a sister site now! It's called 32x33 Institute, and we're posting some stuff there. It's "pay if you want", and, if you'd like to write with us about cybersecurity, do reach out because we want to make it a place where readers write, and writers read what the readers wrote. Find me at our Discord, or send an email to editors {at} 32x33.institute. Check out our store, too!