Community is an interesting concept. A collective group bound by shared values and beliefs - this is how community is defined. Now, even in the smallest communities (population 2) not all of the values and beliefs are shared. For a community to stand, the core values must be shared.

Infosec isn't a community. Infosec is a philosophy built around values and beliefs, potentially including a right to privacy, data security, breaking systems to fix them before someone else can break them, and control of one's data. People may have more to add to that list. People may not include everything on that list. Either way, how anyone defines Infosec is built around the values and beliefs they assign to the philosophy - and that isn't a universal list. This distinction of personally defined philosophy versus the values and beliefs that make up that philosophy matters.

A modern American philosopher I know hangs his hat on the credo "Acta, non verba." Actions, not words. We are defined by our actions more so than our words. Social media has amplified this disparity. Many will tweet about injustices. They will post selfies with pontification about wrongs on Instagram. What they will not do is take any meaningful action to work to correct the wrongs and injustices. What makes it worse is they will actively decry a wrong in the world, and then demand that someone who is characteristically unlike themselves be the one to fix it.

At no point in human history has that been the way things have worked. Ever.

History is replete with turning points built on the backs of individuals who take personal responsibility to be the change they want to see in the world. They lead from the front. They let their behavior set the example. Whether it was George Washington leading the rebellion, Dr. Martin Luther King Jr. marching non-violently, or Elizabeth I pushing back against tradition, someone said the world shouldn't be this way and worked to change it. Successfully. They did this by establishing a like-minded community of people willing to put in the work to change the status quo in a constructive manner.

This is why the concept of an Infosec community is poisonous.

Infosec professionals and aspirants are very active on social media. They share information, brag about accomplishments, and preach. A lot. When some grave ill comes to the attention of the Infosec people engaged on social media, the pitchforks are sharpened and torches lit. Vitriol is flung into the arena and guns start blazing. There is no time to wait; battle must be joined. People have to be seen challenging this wrong from their phones, tablets, and laptops, and they need to be among the first to engage.

My guiding principle of incident response is simple. When all hell breaks loose, the very first thing you should do is nothing. The second is take a breath. Why? Either you have an incident response plan, which means the incident will be handled properly and in a timely manner, or you don't, at which point you are in grave danger: the likelihood of irreversible damage being done by your own and your team's hands is taking exponential jumps.

When these horrible behaviors are brought up in social media (ALWAYS selectively edited for maximum impact as desired by the poster) the response is sudden, damning, and often without any analysis or rational thought. Combined with the need to be seen railing against the horrible thing, we start seeing a pattern of what defines the 'Infosec Community.'

You change behaviors by engaging constructively

The 'Infosec Community' chooses to name and shame, and condemn, and then only selectively based on who is in and who is out.

And here is where the concept of Infosec as community crumbles. The 'community' doesn't hold everyone accountable equally (making justice not a principle). The 'community' will indict and sentence (without trial or defense) based on selective information, basing a declaration of attribution on a lone indicator; due process, a search for truth or fact, and thoroughness go out the window. The 'community' will take things out of context if it supports their side. It engages in whataboutism. The list goes on.

There isn't an Infosec community. There are communities that exist within the bounds of Infosec. Recognize them for what they are.

"All animals are equal, but some animals are more equal than others."

-George Orwell.


2 thoughts on “/Community

Leave a Reply

Your email address will not be published. Required fields are marked *