
Infosec, and life, are ultimately based on one principle: personal responsibility. This principle is the cornerstone of all aspects of successful, sentient life. Everything successful that happens comes down to someone taking personal responsibility for something. Is the network secure? Someone took responsibility to build a perimeter. Someone took responsibility to tune the firewall rules. Someone took responsibility to set up logging, build an asset list, define priority systems, do user education, configure e-mail protection, set up A/V and EDR, set up whitelisting, and, most importantly of all, tune it all to the environment. In Infosec, we carry the burden of everyone's responsibility, as our behavior, education and engagement spread out to everyone else. Ultimately, we are responsible for what happens on our networks, no matter who clicks on what. Every time we take responsibility to answer a question, tune a rule, or check on a reported phish, we demonstrate our willingness to put in the effort, and we make the institution we defend incrementally safer.

Personal responsibility begets ethics. It begets a code of behavior. More importantly, it shows a pattern of behavior and a standard. Good leaders notice. Users who care notice (everyone cares to some degree). Over time, one or more of the following will happen:

  • Others will start holding themselves to your standard, lest they look bad. You become patient zero for an improvement in culture.
  • People become more forgiving. If you make an error, or forget something once, people won’t then bring the hammer down on you. They recognize you are human, and realize this is the outlier, not the trend.
  • Leadership clearly identifies your value and invests more in your compensation and training to keep you around as long as possible.
  • You find out leadership and the users don't care after all, but this clears up any imposter syndrome you have, and you can put together a clear, concise resume full of measurable wins to move on to a better job. If you can demonstrate measurable value, good companies will extend an offer.

Understanding the nature of personal responsibility in people's lives, the principle of working to change what one can for the better instead of whining about unfair disadvantages and unequal outcomes, is very comparable to taking a HUMINT course, or really learning about nutrition and calories. You can't unlearn it. It will color every interaction you see, and every choice you make. It is Neo's red pill. When Cypher understood the horrors of the real world, he wanted to go back. The laws of nature say it's impossible.

Sometimes a coincidence is a coincidence. The other day when I went home, I was thinking about food, and I took the personal responsibility to skip the fast food and go to the grocery store. I then skipped the junk and loaded up on produce and meat. As I was approaching the checkout line, I observed a situation that I can't help but view through this frame. I saw the police and the store manager dealing with an elderly man. This man had been abusing the staff. I don't know what his life is like. What I do know is some of the staff are afraid of him. He had been abusive. I don't believe this was warranted. He made a choice to take his issues and be abusive to the staff. He was then banned from every one of this chain's stores in the state. He thought it was unfair, and he made a stink about it. The parallels between this and security professionals who abuse their users are all too common. They call their users stupid. They take punitive actions against uneducated users. They rail against the decisions of the business and those who make those decisions. Then they get fired. And it's the shitty company. It's the whiny users. It's the underinvestment in technology. It is everything except their own behavior. Even worse is when that behavior isn't addressed until someone goes to HR. Management is then forced to find a replacement, and the bad blood towards security has been left to sit that much longer.

Even when we deal with environments like that, our good work puts a shine on the most important asset we have. Our name. And everything that our name carries with it. In bad environments especially, take the responsibility to make yourself stand out by contrast. It will be noticed.


@infosec_samurai

Nobody wakes up one day and is a fresh Information Security professional. There is an idea that you can follow one specific path and get here. In reality there are many paths to becoming an Infosec Pro. This doesn't mean a rockstar or hero. An Infosec Pro is someone who does Infosec for a living. To get here, you will have to face trials. Ask any Infosec Pro, and they will tell you their history is littered with challenges, strife, and undocumented networks. While all Infosec Pros share the common history of these trials, the trials are as individual as the people who slogged through them and persevered to be Infosec.

My first job in IT was in a call center that managed the user wireless experience in over 2000 hotels. The call center had no real visibility into the environments, and we had to try to talk the user through their issues on the phone, at the mercy of their ability to describe their problems in a technical fashion. Hotels underfunded their networks and let us be the bad guy when people couldn't connect. These were the hotels and nationwide chains that charged under $100/night. We had a few nicer hotels, but their gear worked and the wireless network was properly signal mapped (this was in the days of G, no G+, and certainly no N; some hotels still had B wifi). I moved from level I to level II support in three months, earning agent of the month and agent of the quarter status more than once. However, there was no difference in treatment or pay between the people who took 30+ calls a night and those who took 5 calls. Management expected the turnover, but was still whiny as if those leaving for greener pastures had betrayed them. In an environment like this, you either learn to work with people, or to maim people, or you lose faith in humanity and end up working the fry station at a Burger King.

Halfway through my time at Grist Mill Enterprises, I took a second job doing similar support and engineering for a business that did wifi in non-major-franchise coffee shops. The router/firewall combinations were advanced and capable for such small devices, but the GUI was simply a more visual CLI. You needed to understand the way it handled its rules and routing. This hardware was commonly used by smaller ISPs. The customer support was easier, the engineering challenges harder, and I had no guidance. Like many small businesses, it failed, as sales wasn't selling (a recurring theme in my career).

This was a stretch where I was putting in 60-80 hours working, and going to school full time. It sounds hard, but with no family or significant other, it wasn't impossible. It was a learning opportunity, and the beginning of understanding how culture affected the ability to get things done. A negative culture someplace pervaded the attitude of everyone. Even the highest performing people would be worn down, or leave for something better, be it money or environment. The irony was that bosses who treated their staff as expendable always got upset as if there were some great betrayal when someone left, as if they should have stayed a beast of burden until it was time to turn them into steaks. The worse they treated people, the bigger the explosion and cries of Judas.

And then 2008 happened.

I spent time bouncing between short-term contracts since no one wanted FTEs (full time employees) on the payroll. I did side work, and at times my income was low enough to qualify for unemployment/underemployment benefits. I learned Contract to Hire meant Contract without the contract pay rates (the carrot on the stick is made of wax). I learned that when you are getting started, certifications do matter: anything to differentiate yourself. I learned that in a seller's market, any promise of loyalty from a contracting company is worth less than a half-eaten saltine. I kept my nose to the grindstone, working for small- to mid-size IT service companies and major retailers both online and brick and mortar, and worked as an independent repair consultant, while doing side work for the coffee shop people.

Then I landed at a major ICS manufacturer, working in the SOC. This was the first job with Security in the title. Working for a worldwide company as a SOC analyst, you get a diverse view of the world. I had to learn to work not only with different people in isolated business units, but with people in cities all over, on nearly every continent, language barriers and all. There were many lessons:

  • You speak to people in Brazil versus Argentina very differently, both in tone and attitude (and language, of course).
  • Chinese engineers have as much worry about the NSA as Americans do about APT 1 and 3.
  • Almost nobody wants more than a minimal presence in Russia.
  • Indian IT has a hierarchy that nearly mirrors a caste system.
  • Everyone targets offices in Dubai and the UAE. Everyone.
  • If you have to deal with foreign tech support, do it very early or very late. If you are lucky you get Malaysia. They speak better English than most Americans, and strive to be helpful.
  • Bureaucracy is bureaucracy is bureaucracy. Everyone, everywhere deals with it. It simply differs in type.
  • For all business classifications, lots of places deem Israel as European. Hence EMEA (Europe, Middle East, Africa). Lots of land, small quantity of time zones (comparatively).
  • In big enough environments, the various security teams are isolated from each other, and especially from other IT teams. This creates tension.

Here I had some great teammates and mentors, and I had people who were all that is wrong with Infosec. You learn to deal. I also learned to deal with people all over, and really started applying my knowledge of culture in IT and Infosec, and how it affects perceptions. I was able to get things cleaned up, and get resolution from groups others merely let sit as a repeat annoyance, because "those guys are just <derogatory comment> and their part of the environment will never be clean." Why do they behave a certain way? What do they have the power to do? How can I help augment that power? If I do more legwork, can I make their job easier?

When you need to use someone in another country whose language you don't speak, and who doesn't speak English, who has far less technical acumen than you, to hunt down a problem on a system you have never seen, in a location you will never go, in the hands of a user whose culture causes issues, and you succeed, it sends a message of reliability, and that together we can actually fix the issues we face. Suddenly you and this person aren't different. You are a team getting the job done. That is the ultimate foundational building block: the same blood in the same mud, and you succeeded. When you internalize that, everything becomes possible.

In most cities, there's that handful of employers who, once they are on your resume, open every door in the market. Suddenly, companies that wouldn't return my calls had recruiters calling repeatedly. It was a night and day shift. This led to another opportunity at a mid-sized firm, which I eventually left to get to where I am now, coming up on three years. Those lessons of culture, and common successes, have been the cornerstone of what I've helped build at my current employer. Difficulties are minimal across teams, and very rarely due to personality issues anymore.

What does all this mean? Most major talking heads in the industry followed nearly identical paths into Infosec (military or three-letter agency into private enterprise), but their path isn't the only one. It's great for specialists. We generalists come up very differently. Try everything. Learn your passion. The path isn't supposed to be straight. And above all, learn how to deal with people, their frustrations and their passions. Your users should be your biggest allies.

Only if you put in the work.

@infosec_samurai