The title says it all: time changes things. Communities change, adjust, split and reform. Your perspective changes as you wind up with more filters from more experiences. With all that has been going on in the infosec world, I think a non-technical article, a look at how things can and do change, is relevant. All that follows is my opinion, based on my observations.
There is a powder keg slowly exploding across the infosec community. Harassment, fragmentation, bullying, making fun of, changes to the way people view us and how we view ourselves. The infosec community has grown a lot over the years. Just take a look at not only attendance numbers for Defcon, Shmoocon, Derbycon and the other conferences out there, but look at how many conferences have come into being. As information security has become more relevant, the number of people in it has increased. The first generation has given way to the second and third generation. Natural progression changes one's point of view. Adapt or become irrelevant.
I am not a Jack Daniel or Jeff Man; I do not have the honor of being well known or respected. Even with my age, I am not sure which generation of professionals I would fall into, but I love what I do, and have been impressed with the portion of the infosec community that I know. I have noticed a lot of issues with the community at large, though. These issues have been growing over time, and I see it through various places: Twitter, podcasts, meetups, and conferences. I am judging, because no matter what, that is what we all do. We cannot stop judging; that is what an opinion is, a judgement. I do what I can to stay neutral, to try and understand both sides, but it is hard. Now, let's start by looking at something that seems unrelated.
Ever look at children in different stages of their lives? If you can, go and watch a 0-2 year old for a while. It is even better if you can watch the same one every couple of months as they age. Watch their wonderment, how open they are to things. How curious they are about everything, and how non-judgemental they tend to be. Race, gender, none of it matters to them. They try and learn, experimenting for the way to get something done. Sort of like the young person just getting into hacking/information security.
As that child grows, between nature and nurture, their world expands and their view on the world shrinks. Experiences, how others look at things around them, and what they are taught take hold. The wonderment disappears. Judgements become more serious. Friendships are formed and disappear, sometimes for good reasons, sometimes not. They integrate into society; after all, we are communal creatures. The more information they have, the more filters are put into their head about things until perspectives seem to become natural to them. Some see things and they want to change them for the better. Others want to maintain the status quo. Society itself changes around them. What was once acceptable might not be anymore. They are stuck, though, trying to change what has become their nature, or they go the way of "accept me as I am, warts and all." This does not excuse them, but is just a fact. They tend to group with people who are more accepting of them, and put up defense mechanisms to keep their ego somewhat safe. It is part of being a person. It takes work to break that.
That sums up the basic idea of change over the years for a person, but how does this relate to the infosec community? Let's look at those last couple of lines, though. We tend to group with those who are like-minded.
I have been and am in many different communities, some larger than others; some no longer exist or have changed a lot over the years and are not what they once were. All of them have fractured or become cliquish. An example is the local theatre community I am part of. The theatre I do most of my work with right now has its factions. The membership is small, but it has its cliques. People who are like-minded gravitate toward each other. We still all work together to make some cool productions happen. We try to bring in new people to add onto our community and ensure the survival of it, but in the end not everyone agrees with each other, and not everyone likes each other. Still, the group has continued on for 57 years, even with this splintering, the cliques that have formed and the disagreements that have been had. The larger community in the metro area looks at each theatre as its own clique. Some are harder to get into than others, some don't like outsiders. This is what happens as groups increase in size. It does not mean the whole community cannot come together, for instance in helping raise money for relief in Puerto Rico, but it does mean cliques. They have always existed in our community: red team, blue team, dev, ops, noobs, kiddies and more. It takes effort to overcome these stigmas, and some, maybe more than I realize, will float between groups. The more specialized we become, the greater the tendency to be part of a smaller group of the whole.
Then there are the other issues that divide us. Harassment is the largest of them. I don't have an answer for that. Some people are just going to harass others. The larger the group, the more chance there is for harassment. All we can do is report and try to stop it. Harassment, I honestly feel, comes from inferior feelings or wanting to be the center of attention. Some of it might just be trolling. The long-term effect, though, scares people away from not only community events, but the field altogether.
Speaking of the need to be superior, people get picked on for going for different certs. The CISSP is looked down upon by a lot of the community, yet it is something that does help in the long run, if for no other reason than it gets you past the HR guardians when job searching. SANS is one of the gold standards, but a new person, unless they have saved a decent amount of money, is not going to be able to afford that sort of training. We pick on people who were at companies that have been breached. We don't know the full story, but we rip the hell out of these people. We are all jaded by our own experiences and our own perceptions, and are all socially engineered by the masses constantly. Social media is a wonderful tool, but like any tool it has upsides and downsides.
The best way that I can think of to help overcome some of these issues is to talk about them. Straight up, respectfully talk about them. That means listening and trying to understand what the opposite view is, even when the opposite view is obviously wrong. We have to get out of the habit of just flaming at each other. We have to get back into the habit of being in wonder and curious about the world around us. Most importantly, we have to realize that not only are we wrong at times, but being wrong or making mistakes is the way we learn. Passing on our knowledge is the way we survive, and just like we have to do with the technological aspect of infosec, we have to constantly adapt and learn from the changing social world around us, or we are going to be irrelevant.