Infosec, and life, is ultimately based on one principle: personal responsibility. This principle is the cornerstone of all aspects of successful, sentient life. Everything that happens that is successful comes down to someone taking personal responsibility for something. Is the network secure? Someone took responsibility to build a perimeter. Someone took responsibility to tune the firewall rules. Someone took responsibility to set up logging, build an asset list, define priority systems, do user education, configure e-mail protection, set up A/V and EDR, set up whitelisting, and – most importantly of all – tune it all to the environment. In Infosec, we carry the burden of everyone’s responsibility, as our behavior and education and engagement spread out to everyone else. Ultimately, we are responsible for what happens on our networks, no matter who clicks on what. Every time we take responsibility to answer a question, tune a rule, or check on a reported phish, we demonstrate our willingness to put in the effort, and we make the institution we defend incrementally safer.
Personal responsibility begets ethics. It begets a code of behavior. More importantly, it shows a pattern of behavior and a standard. Good leaders notice. Users who care notice (everyone cares to some degree). Over time, one or more of the following will happen:
- Others will start holding themselves to your standard, lest they look bad. You become patient zero for an improvement in culture.
- People become more forgiving. If you make an error, or forget something once, people won’t then bring the hammer down on you. They recognize you are human, and realize this is the outlier, not the trend.
- Leadership clearly identifies your value and invests more in your compensation and training to keep you around as long as possible.
- You find out leadership and the users don’t care after all, but this clears up any imposter syndrome you have, and you can put together a clear, concise resume full of measurable wins to move on to a better job. If you can demonstrate measurable value, good companies will extend an offer.
Understanding the nature of personal responsibility in people’s lives, the principle of working to change what one can for the better instead of whining about the unfair disadvantages and lack of equal outcomes in situations, is very comparable to taking a HUMINT course, or really learning about nutrition and calories. You can’t unlearn it. It will color every interaction you see, and every choice you make. It is Neo’s red pill. When Cypher understood the horrors of the real world, he wanted to go back. The laws of nature say it’s impossible.
Sometimes a coincidence is a coincidence. The other day when I went home, I was thinking about food, and I took the personal responsibility to skip the fast food and go to the grocery store. I then skipped the junk and loaded up on produce and meat. As I’m approaching the checkout line, I observe a situation that I can’t help but view through this frame. I see the police and the store manager dealing with an elderly man. This man had been abusing the staff. I don’t know what his life is like. What I do know is some of the staff is afraid of him. He had been abusive. I don’t believe this was warranted. He made a choice to take his issues and be abusive to the staff. He was then banned from every one of this chain’s stores in the state. He thought it was unfair, and he made a stink about it. The parallels between this and security professionals who abuse their users are all too common. They call their users stupid. They take punitive actions against uneducated users. They rail against the decisions of the business and those who make those decisions. Then they get fired. And it’s the shitty company. It’s the whiny users. It’s the underinvestment in technology. It is everything except their own behavior. Even worse is when that behavior isn’t addressed until someone goes to HR. Management is then forced to find a replacement, and the bad blood towards security has been left to sit that much longer.
Even when we deal with environments like that, our good work puts a shine on the most important asset we have. Our name. And everything that our name carries with it. In bad environments especially, take the responsibility to make yourself stand out by contrast. It will be noticed.