Librarium Whitehat
"Inveniam viam aut faciam" : I will either find a way, or I shall make one


A “Sophie’s Choice”

There is a very interesting novel called ‘Sophie’s Choice’. Without giving too much away, the core fact of the book is a choice a Polish mother had to make in the concentration camps during World War 2 and the impact it had. It is a powerful book, and its core dilemma has resonated so widely that it has become an idiom. To quote Wikipedia: A “Sophie’s Choice” is a tragic choice between two unbearable options.

So what has this to do with information security, you ask? Well, recently I was reading an article which put forward that senior information security staff are not technical staff but sales staff. They need to be able to sell the various initiatives in the best possible way. Now I actually do agree with this, but I do have a problem (or I would not be writing this, obviously), and it is this: the predominant way this is put forward to information security people is that if you want to get ahead, effect real change and earn ‘big-boy’ money, you have to become one of these senior IS staff. And thus you need to give up the technical skills and become a sales person.

This to me is a “Sophie’s Choice”. You can stay technical, doing what got you into the field in the first place, BUT you never earn greatly and you are limited in the change you can effect in the business. OR you can give it up and become a sales person.

My thoughts on IS folk with no skills are well documented in previous posts, and I know this is not the case at all companies, but it is the general rule with a few exceptions. And it is at this that I lay the blame for the fact that we are losing the war on cybercrime. Businesses expect and reward political games, ass-kissing and spin-doctoring. Whereas the bad guys want technical people to do what they do best so they can make money, and they pay them for it. I believe this is why the bad guys are out-doing us across the board.

Yes this may be a whine, but surely our choices are not limited to sales or technical?

Published by erich, on August 8th, 2011 at 5:25 pm. Filed under: General, rant

Still ranting

I am still thinking on these ideas of what it means to be a security professional. You see, I keep getting this message that we need to learn to speak ‘business’. That if the business is not giving us what we need, not implementing our suggestions, it is our fault for not communicating with them better. Once again, I really do respect the people who say this. And I truly believe they are much better infosec professionals than me. But I am still going to call “Bull”.

You see, a professional is something like a doctor, or architect, or engineer. Something requiring specialist knowledge. Now when I get sick, I do not blame doctors. When someone in the world dies, I do not blame doctors. If a doctor was directly involved in the death, then maybe. But just because there are doctors does not mean people are going to be healthy.

Unless people listen to doctors. That’s the catch. Doctors give us all lots of good advice. But we still have billion dollar industries around smoking and drinking, for example. Because we do not listen to the doctors. Now do doctors beat their heads against a wall? Do they picket the factories? Do they change their educational requirements to include better corporate communications or better client persuasion? Wait…. Wait…. No. Because they know that when we get sick we will go to them or we will suffer, and nothing drives human change like suffering. I am sorry to say that, but prove me wrong.

Now some doctors are preferred because they have better bedside manners. But I do not know about you; when I am coughing my lungs out, bedside manner takes a quick backseat to actual competence. Now I believe this was all driven by (a) doctors getting better and having more impact and (b) the big things like the black plague, outbreaks, etc. – when we ignorant humans decided we really did not prefer dying to listening to those we called quacks.

So here is my pledge: I pledge to be the best InfoSec person I can be. I will read, I will listen. And IF I have time left over – I will try to learn how to tie a Windsor knot and play golf. Because sooner or later, competence will be worth more than polished ass-kissing.

Alrighty then.

Published by erich, on February 18th, 2011 at 3:27 am. Filed under: General, rant

The forgotten

First off, this is a rant. If you have a problem with that please leave now.

Right, if you are still here, this is a rant that mentions Metallica, so that automagically means it is 100% better.

Anyway, I want to start with the lyrics from a Metallica song – The Unforgiven:

With time the child draws in
This whipping boy done wrong
Deprived of all his thoughts
The young man struggles on and on he’s known
A vow unto his own
That never from this day
His will they’ll take away

What I’ve felt
What I’ve known
Never shined through in what I’ve shown
Never be
Never see
Won’t see what might have been
What I’ve felt
What I’ve known
Never shined through in what I’ve shown
Never free
Never me
So I dub thee UNFORGIVEN

They dedicate their lives
To running all of his
He tries to please them all
This bitter man he is
Throughout his life the same
He’s battled constantly
This fight he cannot win
A tired man they see no longer cares
The old man then prepares
To die regretfully
That old man here is me

Now to me that is information security in a nutshell. And allow me to be more specific: that is the “good guys”, the “whitehats”, the “defenders”. Simply put, people and companies do NOT care. The bad guys are winning in every way that matters, and in most of the ways that are just for fun, because being good at it matters to them and to those that use them. For the good guys, no-one cares as long as they can get their porn, visit Facebook and tick their compliance checklists.

Now if you are still reading, you are probably thinking that this all sounds very familiar, that many people say the sky is falling, etc. And I have heard many information security folks say that this is wrong. That we just need to try harder, that we need to do a bit more, stop being so negative, and all the rest of the platitudes. And you know what? Most of those guys are great; they are very bright and mean well. But that does not stop it from being bullshite.

If you can say all of that while you earn a great salary, or do not have kids, or are famous, or get to call the shots, or all those other things – then yes, your view of security and mine are very different. IF, however, you are a wage-slave like me, then you do what you need to in order to get by, survive and provide for your family. I try to do that to the best of my ability, but I tell you, we will NEVER win.

So to those folks who say I am upset because I lost my fire, or do not care anymore, or I am not trying enough…. tell you what, I challenge you to come spend some time in my shoes. Hell, I will even provide a bed and meals. But come spend some time in my life, in my world, and then see. For me, I know I will probably “never shine through in what I’ve shown” in “this fight I cannot win”, but I will try, and I know I am realistic and not living in some dream world.

Alrighty then….

Published by erich, on January 31st, 2011 at 3:01 pm. Filed under: rant