My favorite movie is Top Gun (there are levels to this question because it’s actually Shawshank Redemption, but indulge me). That is to say, I love the hero’s journey, and for some reason, I cannot let a Tom Cruise movie go unseen regardless of my thoughts on his personality outside of the art – I enjoy his popcorn chomping action stuff. Top Gun had me thinking I wanted to be a pilot in the Navy from a young age. I never enlisted, instead opting to work for Best Buy right out of high school. I got a taste for making money in sales and retail management and decided that was the direction. Then I saw behind the curtain.
In retail you need to know the right people, always be positive, always execute regardless of circumstance, and there is no room for error. Things are great when things are great, and they’re not so good when they’re even ok. I saw friends fired or transferred or finding new jobs because their department/store/district took a slight downturn, or the manager above them had competing priorities, or some combination of this and/or losing the cheerleader mentality could do you in. My lens needed not just an adjustment but a totally different objective.

A few years later and now I’m in Information Security, picking up who to follow on Twitter/LinkedIn, and reading up on Medium as well as other places just on what the general pulse in the field is. While I consider myself still learning, I do see some valid criticisms of the field at large and the way we act/talk/react to events on a daily basis. Now I’m a positive person, and pride myself on being able to recognize when I’m thinking a little too negatively – stopping, taking a breath, and understanding things could always be worse (thanks to my very cursory understanding of Stoicism) and re-engaging. Lately a great Twitter thread popped up that got me thinking on a much deeper level about Information Security, language, and mindset when working.
The drive to be a rockstar/ninja/warrior
Loder makes a point I hadn’t thought about in detail whatsoever – there’s a drive to self-identify and recognize others who are rockstars, ninjas, warriors, battlers of the ever-present threat of malware/identity theft/social engineering and advanced persistent threats. Loder argues those days are well behind us, and what we as an industry need is a community in the form of a more scientific almost medical approach to the day-to-day. There’s an argument here for a (I typed army out of pure habit) large group of individuals forming a larger community working 9-5 focused on furthering the field, on diagnosis, prognosis, and treatment of the syndrome and not the symptom.
The argument for a larger field of individuals with the pure and sole focus of reducing the damage that a vulnerability, exploit, or threat may do indicates a requirement for shifting of mindset and language. We cannot focus on battling malware or blowing up social engineering forever – instead we should take interest in the dissection of technology and the way it’s leveraged for mal-intent in 2018.

War, war never changes
Wars in the greater context of actual battles and decade-long campaigns rarely pay off in a way that is beneficial for any given party. The war on drugs, terror, and more are interpreted as dark spots and largely ‘not good’ in the end, although their aim to reduce/eliminate their focus is noble. Though the terminology, and honestly the motivation present in dictating a campaign or event as a battle, fight, operation, etc., are sometimes engaging and can be temporarily beneficial, when viewed at a higher level we really see that they’ll just never end. We’ll never reach threat level zero, vulnerability presence zero, and risk level zero – this battle, or this war, will never ever cease.
Medicine and science give a great framework (despite your thoughts or the facts on US Healthcare) for analyzing and transforming the field of Information Security. If we are the doctors or scientists in the field, we must not think of our role as eradication, but first understanding via education. We analyze, interpret, parse, and seek to make connections using critical thinking in a way that dictates a solution. We see a machismo in the language of Information Security that’s honestly a little much sometimes. I say this, knowing full well there will be scenarios where language needs to be that way in order to convey urgency, importance, and impact. However, even as a person who listens to the Jocko Podcast to get pumped up, I use the terms “prioritize and execute”, “maneuver”, “attack”, “flank”, and more in the moment. I’m as guilty as the rest, and honestly the language is sometimes just plain cool and fun to use. I do, however, recognize the need to calibrate the language and dial in how we talk about information security going forward. If you constantly present things to the C-Suite in language fitting of war, don’t be surprised when the responses and language coming back at you are equally strong and put them in a defensive posture immediately.
The Point
Coming back to ownership, I take it upon myself to change my language. I love science, as do a lot of people in the field, and will commit to finding language and adjusting presentation to be less aggressive, and to incorporate language typical of the scientific method in my day-to-day. Although we work in an aggressive, sometimes violent, sometimes unavoidably war-like field, we owe it to ourselves and stakeholders to speak responsibly about issues and events. There’s plenty of already scary stuff out there, and the industry/twittersphere/LinkedIn networks don’t need us fanning flames of criticality unnecessarily.