This is a continuation of part 1 of my series on personal codes of conduct.
Maxim 3: Your most important asset is your name.
Of all the things you carry as an Information Security professional, and as a human, the most important is your name. Your name carries your reputation. Think of any famous person's name. What image does that conjure? What do you automatically think when you hear that name? Is that person pretty? Talented? Caring? Aloof? Cruel? Crazy? Think about how most people view that person. Those views are filled with the bias of personal experience. However, those images are cultivated carefully. Now think of your boss. Think of your employer. Think of your best friend, or your significant other. How are they viewed, by you and by the world at large? What behaviors do they exhibit to cultivate that reputation?
As you weigh the good and the bad, their history, and how it has shaped their reputation, comes to mind. One malicious act carries more weight than all the good they may have done. Have they repented? Have they worked tirelessly to rebuild their reputation? Are there people who still think of them as bad or untrustworthy based on that one event?
I have a problem with this in modern discourse. Look at the political arena or social media. When one side wants to prove someone is bad, they have to dig back through the way-back machine to find one prior bad act (usually inappropriate speech as a younger person). And this is used - mostly wrongly - to excoriate that person. Social media takes away that passage of time, making such words ever present, even if the person who used them is no longer here. It's one thing if the attitude hasn't changed. But if the person no longer exhibits that behavior, they grew as a human. They are greater than their past self. There is no greater achievement.
Corollary: You can destroy your reputation in an instant. Be warned.
Think about Infosec explicitly. The example of Terry Childs is perfect. He locked out the city to prove a point about the security of the network, and potentially in defense of a malicious insider. He took it to an extreme, but his actions have ensured that no one but the most desperate would hire him for any job that carries a burden of trust or responsibility. I have often received calls from contacts in my network asking whether I know their applicant and what I can tell them about that person. Sometimes I have glowing reviews; sometimes I have very little to say either way. Only three times have I ever said directly, "Do not hire this person. I can't tell you why, but I would expect lots of time spent with HR // disciplinary measures // zero productive work." My name carries trust. I go out of my way not to torpedo someone unless they have a series of behaviors that are disruptive and dangerous. I account for the passage of time. Between them and me, the value of my recommendation comes down to both our names.
Maxim 4: Title does not equal mastery.
We've all met that person. They have certifications galore (MCSE anyone?), or have held a job title for a while. You interview them, and they talk a good game. You hire them, only to find out they couldn't admin their way through the drive-thru at a McDonald's. It's especially frustrating with technical certs, where (in theory) a level of mastery must be demonstrated to earn the certification. If you are old enough, you remember the certification mills of the XP/7 era. Those people were trained to take a test, and could then pass the test.
I worked with several at a previous job, where they all had a slew of Microsoft certs and I had an Associate's degree in Computer Networking Systems. They "took a chance" on me, as I didn't have the credentials the others had. We were all on the same project duty: migrate a series of systems from Win 2K to Win 2K3. The process took 8-9 hours depending on transfer speeds. Sometimes they had problems with the process, or didn't understand what to do when basic errors cropped up. They had been there for a month, and I was brought on because they couldn't otherwise find a fourth. Within the first week, I had found ways to increase my productivity so that I could finish the process in 6.5-7 hours every day, three of which were just waiting for transfers to complete. The process wasn't difficult. The scripts may have been intermediate to advanced, but the process was rudimentary. One guy quit because it was "too hard." Another left for an opportunity from a buddy. We still finished the project on time.
We chase the titles, as early on they get us past HR. However, without the mastery, that bluff doesn't last. I disagree with the talking heads who say certifications are a waste for new Infosec talent, as those talking heads already have the mastery, and it is tied to their name (see maxim 3). They don't need them. Just remember that certifications are a means, not a goal, on the path to continued excellence (see maxim 2). You can build upon mastery much more easily than upon certs and titles.
Maxim 5: Never lash out in emotion.
In Infosec, even when people despise how you "get in the way," you are their rock. If you are calm, everything is ok. You may be a pain in their ass, but there's no reason to worry. Subconsciously, they understand that you carry a burden of knowledge, an awareness of what can really go bad. If you are calm, then everything is all right.
If you, security, the rock they are forced to trust, the one with the secret knowledge, are all worked up, how screwed is everyone else?
Think of the reputation of your team (maxim 3 - these reinforce each other. There's a lesson there). The expectations that come with that. Think of what security means to everyone. Do you think we're just people? That we can have bad days? Imagine if the CIO went running down the hall grunting. What would you think if the CEO was walking around with slumped shoulders? Suppose your boss, or your CFO, was screaming at people. What crosses your mind? How much does your foundation shake?
The fear of a kaboom is one side of the coin, and both sides are bad. Emotions are about control (see young Spock in the 2009 Star Trek). An adversary, even (and more likely) one working for the same institution, will work to get you to pop off. When they do, they exhibit control in a situation where you can't. To anyone else watching, who shows better that they can handle whatever the argument is about? Who is better equipped to handle the strain of what needs to be done? Who is more likely to rupture, cause an incident, or walk out? People are going to test you. In Infosec, we carry one of the greatest burdens of performance of any role in the institution. That's the price of the role. Don't let emotions taint that burden, or how people see you carry it (#3, yet again).
Maxim 6: At some point, you will lose.
Corollary: You can be absolutely right and still lose. Be prepared.
Axiom: Just because you lose doesn't mean you have to like it.
Tell me if this sounds familiar. You have an obvious gap in your institution's security. Maybe it's a vulnerability (running an unsupported .NET version for legacy apps), maybe it's a capability gap (not logging relevant Windows events). There is an obvious fix that takes time, money or training. The damage that can come from this security risk is quantifiable. It may be widely exploited. You make a solid case for why you need X to fix Y, as an issue with Y will cost $Z. This can't be refuted, and everyone accepts it as both truth and fact.
Then the decision makers say no. They're willing to accept the risk rather than create a new app. Their financial priorities place new office furniture above training to fix an issue. Or worse, they won't spend the money on a new capability, because an existing tool says they can do it (albeit with the need for several custom virtual machines).
And you are left wondering how someone so dumb is higher up the food chain than you.
Most of the time, this is your bias getting in the way. As techs, we don't (usually) see the operating budget as a whole. We don't know the revenue streams. We don't see risks outside of our own. We don't have to deal with the wants of external customers. We don't see the choices they have to make. They can be ignorant or self-serving. My belief in humanity tells me they are more likely dealing with the world as it is (#2), and they understand the value of their name (#3), and wouldn't be willfully acting against that.
Think about your rules as an Infosec professional. I still have (currently) seven to share. Stay tuned.