Security Quackery

I am an old git. I am 54. Yes, I do look much younger, thanks for noticing. If you are an old git like me, then you never had social media as a youngling. Your social network was as far as you could ride your bike, typically the next village; your music tastes were influenced by Top of the Pops, or a copy of the NME bought at the newsagents; your clothing tastes were influenced by walking up and down the local high street, and your views on the world were heavily influenced by the BBC Nine O’Clock News. Your humor was influenced by Not the Nine O'Clock news.  Those were the days.

I acknowledge that today, things are radically different, with TikTok, with Instagram and with Twitter, but I think that it's just the effectiveness of the delivery mechanism that has changed. People always have, and always will, try to influence others, it is just that it is now free, global and fast for anyone to do it. The key word here is ‘anyone’.  And along with the rise of social media, we have seen the rise of creative people like Mark Rober and Colin Furze and toxic people like Andrew Tate and Alex Jones. 

In the security world we are also starting to see another phenomenon, the rise of the social influencer who has never held an operational security job in their lives. These are people telling other people how to do security, having never done it themselves. These are people building personal brands, based on watching, and not doing. 

Back in the Foundstone days we used to say “Do you want to learn from the people that write the books or the people that read the books?” People who read the books, go on to write the books, but only when they have the scar tissue. 

The best people to tell you how to do somthing are the people that are there, or have been there and done it. They are the pros. Gary Linekar for football, Chris Boardman for cycling, Gordon Ramsay for cooking, Mark Rober (former NASA engineer) for glitter bombs, and countless others, but since when has a recruiter ever been qualified to tell people how they should be building an appsec program? Yes WTF, recruiters with security podcasts, inviting experts onto the show, only to interject with opinions delivered as facts. I was forced to listen to one by a friend and found myself getting quite angry. I get why they do it, it's the attention economy, and the attention gets brand recognition, and that leads to sales, but bull-shitake is bull-shitake, and this has to stop. It's 100% quackery. 

The downstream effect of this phenomenon, is that the echo chamber that many people like me believe is now thriving in the industry, has the unqualified quacks, sucking any oxygen from it, in but pumping in toxic gas. An echo chamber with toxic advice is really dangerous because consensus from people who should be able to be trusted is now consensus from people who shouldn't be trusted. I hate it and I think others should as well.

We need more full time practitioners being influencers. Full-time employees at financial services, health care, tech and gov, shouting about what they do and why they do it. These are the people that should be given priority speaking slots at conferences and these are the people we should pay attention to.  

I hope CSOs reading this will make it a part of their program to have their operational teams share their knowledge and develop the type of security influencers we need. The industry needs it. 

Footnote : Someone is bound to write a rebuttal, “What makes you qualified to write this article and call BS?”. Well I have implemented appsec as the leader of large (several hundred people) engineering teams, run an appsec program at a global financial services company, started OWASP and now the SSP, and built security tools, so at least I have some credibility to offer an opinion. Whether you like my opinions or not is another thing, but it’s not like taking medical advice from a quack.