Ask any InfoSec person the following question:
What do you lack most in your job?
Can you predict the answers? Of course you can. Most InfoSec folks will answer that they lack money, and resources (also known as “people”). Some of the more creative types will also mention that they lack time.
These are all good answers, but they don’t answer the question. These answers indicate what most InfoSec people need, rather than what they lack. What we lack in the InfoSec community is exactly what will allow us to fulfill those needs.
I was listening to a recent Lawfare podcast. This episode featured a speech given by Chuck Rosenberg to law students at University of Virginia law school. If you are unfamiliar with Chuck Rosenberg, he served as Chief Of Staff at the FBI under James Comey, as well as counselor to FBI Director Robert Mueller. Mr. Rosenberg has an impressive history. His speech was about leadership, but he mentioned something that made me consider the question “what do we lack most in InfoSec?”
Take the following scenario as an example. An attorney for the Eastern District of the United States stands before a court, ready to present a case. Once the court is called to order, the attorney introduces himself. He will customarily stand, and say:
“Chuck Rosenberg, on behalf of the United States of America.”
Those words have implied power. Not because it is Chuck Rosenberg saying them. There is much more to it; those words carry inherited credibility. Their power is derived from a storied institution of power.
Inherited credibility is what we lack most in InfoSec. You can be the world’s most elite hacker, capable of popping a shell faster than anyone else in town, but you will only get odd stares if you walk into the CEO’s office boasting of that credential. Most corporate cyber positions, from the security analyst, all the way up to the CISO, simply do not carry any inherited credibility. This is mostly due to the newness of cybersecurity positions in most organizations.
We may still be quite a distance from creating an inheritable empire. According to a February 2018 report by the Council of Economic Advisers, there is still no common lexicon for categorizing malicious cyber activities. This is especially true when discussing cybersecurity events. If we have yet to develop a common language, we are still too far off from closing the credibility gap.
We may currently lack inherited credibility, but this puts us in a unique position, as we are the trailblazers who can build that inheritance for our successors. If, however, you are working in InfoSec for your own self-aggrandizement, then you are sadly on a path to failure, but that is a broader subject.
Inherited credibility is what will move us from need to surplus. (Perhaps “surplus” is a bit too optimistic, but you get the point.)
The more important question you can ask yourself every day is: How can I build the credibility that will give my successors the power to continue to grow this meaningful work?