InfoSec

Thought Leading, Bias, Sponsored Mediocracy & Jettisoned Babies

This started life as a couple of peeves about security ‘expertise’, but it’s grown to include a few things I think do our trade no good.

Am I moaning about the inevitable, or calling out practices and habits we should all object to? You decide. Kicking off with the one that kicked me off:

Are you a self-proclaimed ‘Thought Leader’?

A while ago I had a conversation with Kai Roer, Wolfgang Goerlich and Jenny Radcliffe about the term ‘Thought Leader’. I was bemoaning the growing number of people including it in their personal profiles on LinkedIn. As I said then and still believe, the accolade ‘Thought Leader’ (or some other less tarnished term for leading the field with original perspectives) is something you earn. It’s not a ‘fake it till you make it’ kind of thing.

I likened the feeling it gave me to being introduced to that chap at the party who gleefully informs you he’s “Crayzzzeee Fun”. The shame is that a number of truly smart and boundary-pushing individuals are doing this too.

It’s not that you can’t become one if you have an open, creative and analytical mind. Keep faith, keep up the good work and look to the good guys who’ve made it. They are (if they’re worth their salt) looking for and helping people with great potential…but you can’t magic it up.

Declaring paymasters and ‘creative’ CVs

In a similar vein, there’s sometimes laxness about declaring a commercial or other interest when ‘expertly’ and splashily shouting about the next big thing (as the cartoon fabulously illustrates).

Cartoon: Little Bobby Experts

More generally there’s so, so much variance in the quality and experience of security pros. I’ve been forced to work with some ‘experts’ who didn’t know their proverbial from their elbow, but their CV was shiny enough to get them past HR. On the flip side, I know of many forward-thinking and super-experienced pros who thoroughly deserve the title, but struggle to find work.

There’s little point in me appealing to the former group to out themselves as mediocre, but we, as an industry, have to get better at signposting what’s good…starting with a move away from reliance on qualifications (I owe folk following me on Twitter a write-up of a great debate we had on that).

Oh, and training company tweets like this don’t help anyone either:

Woe betide any eager girl or guy who, at graduation day + 8 weeks, walks into their place of work and declares themselves to be an expert. It wouldn’t work in medicine, law, engineering or astrophysics and it won’t work in security. If you do do that, ‘duck and expect to eat humble pie for a loooong time’ would be my advice.

Rewarding failure?

Then there’s sponsored mediocracy, otherwise known as the Golden Parachute. Rewarding folk at the top with lucrative get-out clauses for shoddy performance – fantastic plan. With a shallow pool of great CISOs and hiring crises reported at every other level of the security trade, we’ll see more of this: poor performers with highly polished CVs circulating round desperate companies, leaving chaos in their wake.

Covert bias and statistics

Does this also sound familiar?

99% of the negligible amount of somewhat relevant people we paid to answer a carefully crafted survey said the security problem that creates demand for our product is their top priority.

People deserve to understand potential bias and sources for quoted numbers. If you don’t provide that, it looks like you have something to hide. If you do have something to hide, there is every chance it will come back to bite you.

A whole lot of people are rightly suspicious of poorly referenced headline statistics. The metric-poor, still-maturing and variably standardised world of security is particularly fraught with data accuracy problems, but that doesn’t stop many shouting about what they put together with sticky tape and wishes.

That last accuracy point brings to mind the furore brewing around a soon-to-be-released Norse Corporation report. Norse’s assertions and the statistics used to support them are taking a bashing on social media.

I don’t know enough to verify or disprove all points made by critics, but I do know (despite the fact that I and many others enjoy their blog and happily use their products) this could seriously damage perception and even future sales.

Lessons for new management recruits?

There are also some transferable suggestions here for corporate bosses (security or otherwise). I don’t know of a single staff member who doesn’t dread the ‘new broom’ senior recruits so often come armed with: sweeping away established practices and sending all kinds of babies flying with the discarded bathwater. That’s not a universal truth, but the need to establish authority and make a mark can be viciously strong.

It essentially creates a strategic blinker effect. After all, when one has been in the door for all of 5 minutes and one was recruited on the basis of being ‘remarkable’ (or thought-leadery) in the past, where is your go-to place? It’s not often a slow start, spending a couple of months finding out what’s right with your new domain before going delivery crazy. The upshot will often be quiet (and sometimes expensive) U-turns on a number of hastily made plans after getting a true feel for the specific capabilities and needs of a business.

We can’t blame all that on recruits. It’s partly the fault of impatient boards who want to see ROI for princely salaries as soon as humanly possible.

Keeping it really real

We need exceptional people and you may well be one, but can we also spare a thought for humility and personal growth please? What we all really crave and praise is the confidence to be wholly and unashamedly all that we can be. That may be quietly demonstrated, or (in the bells, whistles, gifs and sound-bites world of t’interweb) it may be digitally screamed from the rooftops.

Circling back to those thought leaders, if you can find a real one you are onto a winner…

…unless they’ve been lulled, cornered or ego massaged into becoming an inward looking parody of themselves. A static version of their perceived ‘best’ self, forgetting to constantly scan the horizon for inspiring new people and ideas. Without which no-one can lead their field for long. Something as true for businesses as it is for the people who power them.


Some of this post might look familiar to people who follow this blog. That’s because it is an excerpt from an earlier one, updated with that cracking cartoon and other points I’ve been wanting to call out for a while. I thought they were worth giving their own space.
