Pseudonymous critic impugns integrity of all security professionals

Author refutes reader comments.

In a recent response to an article on hiring hackers, a pseudonymous critic calling itself "Secure network..." posted a comment entitled "so called hacking and security professionals." It started with the run-on sentence, "Of course someone calling them selves[sic] a ‘security Professional’ would be upset, it's job security they're losing...."

Now, this rubbish could be flame-bait, and I usually don't respond to such nonsense. However, I was feeling irritable when I encountered it and decided to let this hidden commentator have a piece of my mind. [I edited my first draft heavily to remove all the invective before sending it to the publisher.]

So if I understand the comment, we security professionals are so corrupt that we are concerned about hiring criminal hackers primarily because they might reduce our opportunities for employment.

Give me a break.

If, as the commentator implies, professionals are supposed to view every additional competent security expert defending critical infrastructure and national security as competition that reduces our job security, why are so many of us involved in education and training – often for free? Why are we writing articles and editing textbooks to help students become security professionals – either free or for the equivalent of less than the minimum wage – if our motivations are so crass?

If the sneering commentator were right, security professionals could not possibly cooperate to further the interests of the field and of the wider public. For example, security professionals could never collaborate on research projects whose results are published for all to read – we should hide them and keep the results to ourselves for economic advantage. We could not recognize the achievements of our industry leaders because it might make the award-winners more competitive in the marketplace. 

And why would we even bother establishing standards for certification of professionals? After all, the work that goes into defining such standards is all done for free by – duhhh – security professionals. Why would anyone committed to reducing the number of competitors ever contribute their time and effort to establishing methods for inducting hundreds of thousands of newcomers into the field?

On the contrary, my 30 years in the field convince me that security professionals are unusually cooperative; for example, I was personally involved in the creation of the National Computer Security Association's Anti-Virus Product Developers' Consortium in 1991. We saw vigorous competition among members of the AVPD coupled with intense cooperation at the technical level to improve the state of antivirus products for the public. We established a common standard for nomenclature and built a certification process that deliberately ratcheted up the requirements for successful identification of viruses in the wild until we achieved 100% identification of in-the-wild viruses for all the certified products.

At all the professional meetings I have attended, I have been struck by the friendly camaraderie of information security professionals even when their employers are in fierce competition. It seems to me that one of the pleasures of working in our field is that we all know that we are working on a common cause – defending innocent people and organizations from the depredations of The Bad Guys (and from the consequences of Acts of G-d as well when we think about business continuity and disaster recovery). 

Our colleagues show the highest level of generosity and commitment to young people interested in entering our field. As just one example, I cannot think of a single time that a security professional has refused an invitation to address one of my university or college security classes.

On a personal level, I happily accept invitations to lecture for free at professional association meetings, for community groups, before legislative committees, and in educational organizations. [On a side note, I will not, however, give my time for free to profit-making organizations that run conferences where the participants pay but all the speakers are unpaid.]

Yes, our employers compete and so do individual security consultants – but all of us (well, most of us) recognize the greater value to society and to our clients of information sharing and cooperation in the improvement of professional standards.

This pseudonymous commentator doesn't know what it's talking about.

Join me online for three courses in October and November 2009 under the auspices of Security University. We will be meeting via conference call on Saturdays and Sundays for six hours each day and then for three hours in the evenings of Monday through Thursday. The courses are "Introduction to IA for Non-Technical Managers," "Management of IA," and "Cyberlaw for IA Professionals." Each course will have the lectures and discussions recorded and available for download – and there will be a dedicated discussion group online for participants to discuss points and questions. See you online!


Copyright © 2009 IDG Communications, Inc.