Have we seen how toxic Cybersecurity really is?
Neal Bridges
Hacker || CISO || Content Creator & Event Speaker (bookings available) || TV & Media SME (see portfolio) || “All warfare is based on deception” || Need cyber advice? Let's chat! topmate.io/neal_bridges
The DerbyCon announcement is now about two days old (Source: https://www.derbycon.com/blog/derbycon-9-0-every-beginning-has-an-end/). After a couple of days, and a chat with a close friend, I have decided to comment. This will come off as a rant. I'm passionate about cybersecurity, and things like this are not good (IMHO).
Frankly, it pisses me off.
Standard Disclaimer: I have no idea what prompted the team to make this decision. My own opinion follows.
What I do believe is that this is NOT GOOD for our community. We have a serious elitism problem. We also have a misogyny problem, but that's a different soap box. Whether you like it or not, admit it or not, or accept it or not: when an organization like this chooses to shutter its doors on the idea of spreading information and learning throughout the community, we have FAILED.
WE ALL HAVE FAILED.
We have pushed an organization to literally QUIT its mission of sharing knowledge and making the world safer in cyber, and I believe a large part of the problem in this community is the feeling that we have to put people down to promote our own success.
Does this sound familiar: "Oh, you can't figure that problem out? Well, you should try harder. In my day I didn't have Google, and couldn't search for all the answers, so you should just try harder, and then when that fails, try harder. If you still can't figure it out, then maybe this isn't right for you."
This is only one example. In the post that David Kennedy put out, he echoes it:
"Instead of working hard in research, being a positive force in the industry, or sharing their own unique experiences (which makes us better as a whole), they tear others down in order to promote themselves. This isn’t just about DerbyCon, it is present at other conferences as well and it’s getting worse each year. We’ve spoken with a number of conference organizers, and each year it becomes substantially more difficult to host a conference where people can come together in large group settings. It’s not just conferences either. This behavior is happening all over the place on social media, in our industry, targeting people trying to do good. As a community, we add fuel to fire, attack others, and give them a platform in one massive toxic environment."
This toxicity is affecting not only those who have been in the industry for years, but also those coming into the industry for the first time. Those of us who came up through cyber started more modestly, in networking or desktop/server engineering of some kind. Today, you can go get an undergraduate degree in Cybersecurity. This means that tomorrow, you could have a fresh 22-year-old standing at your door, eager to learn all the things you learned: a sponge that you can mold into your creation. And we have chosen to mold them into these toxic personifications of our own insecurities in this space.
Now, I am not a "try harder" hater by any means. Insert whatever reason you want about people asking questions without searching first, how easy information is to get, or levels of effort; whatever happened to just being a decent human being and wanting to help people be better? At some point in time, everyone has asked for help in their career. If they haven't, they are either lying or aren't pushing themselves hard enough. The language above is very indicative of narcissistic behavior, and I have heard it used time and time again on people coming into this industry, either for the first time or from other career fields.
Can we ask ourselves, "Why could this be happening?"
Are we worried about people taking our jobs? Remember: we have a TALENT SHORTAGE in cybersecurity. Helping people into this career field isn't going to take jobs away from the rest of us. There are literally more problems in our industry than we can solve in a lifetime, so there should be no shortage of bug bounties to be earned, new technologies to be invented, or new start-ups and consulting firms that need to be stood up to address them. The statistics for how much cyber as an industry is set to grow in just the next few years are staggering.
I ask honestly: why does it make sense for us to create toxicity in our community?
Case in point (and what drove me to this rant today): I was chatting with a colleague of mine who has recently taken on a stretch role as a penetration testing manager. I say "stretch" because, while he has amazing leadership skills, his "experience" is limited to CTFs, home labs, and self-learning, with little to no practiced experience. However, he has an amazing aptitude and drive to understand, and he has the leadership qualities you look for in today's leaders.
We were reviewing a penetration testing report from one of his testers, and I made a comment to the effect that "if this tester has the modicum of experience you described, it's not reflected in this pentest report." There were content issues, and findings that you would have expected from someone just learning how to interpret the results of tools, not from someone who claimed the vast experience testing web applications that he had self-proclaimed. I proceeded to explain to him that reports are the proof of value to our customers (internal and external).
He agreed with me about the quality of the report, but then added: "I wanted to ask him if he used tool XXXX during the test, but was afraid to because of how much more experienced he is than me."
THIS, my peers, is a problem. We have created a scenario where people are afraid to ask for help or assistance, or to share knowledge. DEFCON, BlackHat, and DerbyCon were started to SHARE knowledge. This individual has been deprived of the ability to LEARN because of a fear of the elitism we have created.
We are no longer socially awkward nerds hanging out in dark rooms (and hoodies) doing things that no one understood. We are now front and center in C-suite conversations, board room meetings, and regulatory requirements. I thought our vision, as a community, was to make the world a better (safer) place because of our efforts in cyber. This is not how we make the world better. Internal fighting over whose "hack" was better, and then resorting to playground tantrums of insults when asked "how" it was done, is not a recipe for solving the problems we have to solve.
From one cybersecurity professional, and human being, to others: WE have the ability to fix this before we create a community so toxic that no one will want to be in it, or work with us. Let this be the last conference we lose to this behavior.
Senior Information Security Analyst | Penetration Tester | Malware Analyst | eWPTX | eCPPT | CEH Practical | YouTuber
3 years ago
That's so TRUE! I think people are afraid of asking for help because 90% of people will offer a helping hand for their own benefit only.
IT/Infosec Enthusiast
4 years ago
Yeah, I know this is an old thread, but I am a student and I just got my blog post reamed by a cyber professional. It was really disheartening, and for a good hour or two I was contemplating giving up on my dream. Everyone starts where they start, and I have a lot of obstacles to employment even if my education goes perfectly. If he had sat down for math help in the only job I have ever enjoyed, as a tutor, I would not have torn him down in private or public. I would have invested myself in his learning process with patience and a genuine desire to see him succeed. I hope this is not typical of what I will see trying to work in cyber. I felt stupid until I remembered I am not. After seeing that most of his public comments were very negative, I have discounted this experience as trolling. Now I understand what my mentor has been saying about the community. Thank you for the thoughtful article, Neal. Maybe I can TryHarder to make people feel welcome and appreciated for whatever reason they want to contribute.
Staff Threat Intel Analyst, Adversary Tactics
5 years ago
The simple fact is that there truly are some people who just want to watch the world burn. That's how it is... and the Internet just extends the reach. Some level of toxicity is not limited to our field; it's everywhere. It's what you do about it that matters. I've been in a position to do something, and I did. I was at a social event during a conference in Austin, and a young man at my table made some very rude comments about our waitress after she left our table with our drink order. She was the same age as my daughter, and I let the young man know that his comments were not wanted. As individuals we make the decision as to what to do when this sort of thing happens. Do we stay quiet, making the behavior "okay"? If we cannot say something ourselves, do we have trusted allies, someone we can go to and ask, "did I see/hear this the way I think?" More importantly, do we have trusted allies we can seek out if we find ourselves the target of such behavior?