Rebuttal: We Are InfoSec Professionals... Not The Beatles

Mon Jul 25 16:03:32 CDT 2011


This is a rebuttal piece to We Are Infosec Professionals - Who the Hell Are You? (2011-07-15) by Javvad Malik.

This is likely to be one of the shortest rebuttal pieces produced thus far on, and the main reason is fairly simple: I don't really believe in giving a lot of "airtime" to certain aspects of the industry, especially those that I already experienced previously in my life by going through junior high and high school. In an Infosec Island post titled "We Are Infosec Professionals - Who the Hell Are You?", Javvad Malik certainly came up with an interesting title for his article, and many of us can probably relate to some of the anecdotes that relate the information security arena to the fields of insurance and medical care. Hell, I even wrote an article comparing information security to professional wrestling, so I can't really criticize anyone for making an apples-to-oranges comparison between infosec and any other profession.

The article itself is clearly an opinion piece, which is pretty obvious since there really aren't any hard facts included anywhere in it. It's not an outstanding article, but also not one that should be overly maligned... at least right up to the last three paragraphs:

"I work in an industry with people who have more talent in one finger than you have in your entire existence. A place where hundreds of thousands of websites take payment online without being hacked, where billions of records are stored in databases which are secured by people like me."

"Where investigators actually trawl through logs line by line to piece together where things went wrong to prevent them happening again. We don't give up like the police because we can't be bothered. We don't put in temporary fixes like doctors to keep you dependent upon us unnecessarily and we certainly don't provide you with a false sense of security like insurance companies."

"We're the people who do our jobs - who the f*&^ are you?"

Unfortunately, the line "people who have more talent in one finger than you have in your entire existence" belies what I believe to be the major problem with the security arena right now: those whose egos have led them to believe that the information security "industry / community / arena / whatever" is a "special snowflake" (™ Cupcake), and thus, by virtue of one's participation in the field, they too are "special snowflakes", more unique and MORE BETTERER THAN YOU. Please do not misunderstand the previous statement; there certainly are many very intelligent and very talented people working in information security, and I've had the pleasure of knowing and working with many of them over the past several years. I've also known quite a few who were prone to "give up like the police" and "put in temporary fixes like doctors", for whatever reason. Just like any other profession, information security can be fun, challenging, and rewarding. It can also be frustrating, boring (at times), and even lonely depending on who you are and what you do.

News Flash: This. Does. Not. Make. You. Special.

As Malik writes:

"You go to Doctors and they are just as incompetent. Firstly, they have never done any research into medical conditions themselves or the effects of medication. They leave that to pharmaceutical companies to sort out. They just end up trying to match symptoms to a drug."

I understand the point being made above, and while I don't necessarily agree with the over-generalization provided by Malik, it frustrates me to see that someone who is supposed to be talented as an infosec professional would show such disdain toward and misunderstanding of an entire profession, just as the comment in the first paragraph of the article was made toward him and his profession. Javvad, being in information security doesn't automatically make you or anyone you know smarter or more talented than the police officers or the doctors mentioned in your article. Are there crappy cops and doctors? Sure! Yes! But there are also equally crappy information security "professionals". keeps a list of some of them, as well as some other asshats who I won't mention, but who ironically usually have the same problem that you exhibit in your article: an inflated sense of self-importance based on the profession that you are in and the small role you play in it. "Small role" is not meant as a personal dig toward the author, by the way. Each person involved in information security contributes only a tiny fraction of a percent to "the industry", some more than others, but it's all of those small roles combined that are important. As infosec professionals, we are NOT rock stars, despite how some people in the field act and what they would have others believe. We are not the aforementioned "special snowflakes", and if a lot of people in the field would spend more time promoting information security as a whole instead of promoting themselves, maybe the people who bitch that "nothing has been done in the last 20 years" would have less to bitch about.

We are not The Beatles. We aren't Avenged Sevenfold or (god forbid) Van Halen either, and the idea that we are "rock stars" or "special snowflakes" to anyone except our own little circle is one whose time should be in the past.

