Infosec industry: Time to put up or shut up

The information security industry is one of the most exciting industries to be involved in. It offers many opportunities to exercise one’s passion and curiosity about technology and address the challenges of keeping that technology secure.

The endless technological innovations and the rapid adoption of technology by business, consumers, and society makes our daily lives increasingly dependent on technology. This means that we, as an industry, need to rapidly address the challenges this technology revolution brings, and make sure that these new solutions are as secure as possible.

To some this an opportunity to reach out to those outside of information security to help them understand how these technologies should be adapted in a secure manner. We see a number of people engaging with mainstream media or speaking at various conferences to try and help those outside the field to understand the issues. We see initiatives such as OWASP, and more recently I Am The Calvary, trying to engage people within and outside the IT industry.

This often involves speaking in terms and phrases that non-technical and non-expert people can grasp and understand. It requires a lot of time and effort to get the attention of those outside our industry. And once that participation has been achieved, it requires simplifying complex concepts and topics into terminology that non-technical people and society in general can absorb.

Unfortunately, instead of embracing these challenges, what I mostly see in the industry is an attitude of skepticism and in some cases even hostility to these initiatives. The accusations laid against those trying to engage others is that they are either doing it to raise their own individual profiles, or looking to raise the profile of their company or movement in order to attract investors. Also, that their efforts undermine and undervalue the “purity” of the technicalities and science that information security professionals engage in every day.

These skeptics are very often the same people that regularly lament the lack of engagement by senior management or by government agencies, and their unwillingness to invest time, money and resources for securing systems and data.

These purists also despise the term “cyber security” and complain how the term “hacker” has been devalued by media associating it with criminal activity. However, we need to accept that this is how mainstream society views and understands these concepts.

Our systems, networks, and data are under constant attack and threat. We are not going to be able to defend them solely by using technology, especially if those who control the budgets and purse strings do not understand or appreciate the problem.

We need to engage with other sectors of the business and society in general so that people are better educated and aware of the scale of the threats and challenges we face. So instead of shouting in an attempt to drown out the voices of those looking to create this engagement we should be shouting words of encouragement and try to find ways to amplify their message. If we cannot do this, then we simply should stay silent so as not to distract from or derail the message.