Infosec shouldn’t eat their own, we’re better than this

Security teams the world around are putting in hours every day to keep their company’s most prized assets secure. These are professionals that have spent considerable time honing a varied set of skills, often on their own time. They are passionate, gifted, and dedicated. There’s also not enough of them.

We often forget that these professionals have not only invested in themselves, they have also committed to supporting their team members. Independent of hierarchy, security professionals support each other.

An esteemed colleague and mentor of mine once likened our profession to the circus culture. Not because both crafts count many clowns in their ranks, but specifically because they rely heavily on a knowledge acquisition culture. When we hoard knowledge and information we all go backwards. When we share, we get better together. I couldn’t agree more with this comparison.

The foundation of such a work relationship is trust. In the absence of trust, there is chaos. In the absence of trust, we all lose. This is the point I feel needs to be addressed today. “Trust is what you can count on someone to reliably do,” said Felix “FX” Lindner. If trust is breached, irreparable damage is inflicted on a team’s dynamic.

Most recently, a journalist thought it necessary to write an article based on (recorded) comments made by Facebook CISO Alex Stamos during an internal meeting. The journalist, not hampered by any subject expertise, saw an opportunity to win some clicks and sell some ads. After all, Alex is an easy target – high trees catch a lot of wind.

Of course there is the fact that someone has leaked these recordings to the journalist. The problem I have is not with them. The problem I have is with journalists who do not realize the impact of their articles on the security teams, and the security of their companies.

I have no doubt that it is fairly easy to sit in a Starbucks and push out 200-1000 gems of pure wordsmithing, preferably with a title that makes people want to know “what happened next.” Thinking about the relevance of said writings and their eventual impact may need a level of intelligence beyond that, but that doesn’t make it less important.

As professionals we rely on an informed press to convey information to a variety of audiences. Here, too, we require trust to build an efficient relationship. If journalists breach trust like this they jeopardize more than their own employ and I firmly believe that they should feel the consequences of these actions.

Dear journalists,

Where there aren’t enough of us there are plenty of you. Most of you have the right intentions, but we cannot maintain this trust relationship when you condone the vultures in your ranks. Please identify them, and take action.

Dear security professionals,

We owe it to each other to stand up. When a journalist attacks our colleagues, our peers, or our teams, we have to make it clear that their presence is unwanted. I, for one, will no longer share with the involved journalist. The same goes for journalists that make similar choices in the future. I sincerely hope we can do this together. We are responsible for the message we send.