One Man's Life on the Security D-List

At Security B-Sides, infosec author Andrew Hay explains the four pillars for moving from the bottom of the IT security shop to a place of respect, and why getting to the A-list isn't all it's cracked up to be.

SAN FRANCISCO -- It used to be that security practitioners were seen as propeller-hat wearing introverts hunched over computers in dark, cold basements for weeks on end, shunning daylight and anyone who tried to start a conversation with them. Times have changed. But the path to respect isn't always what you'd expect.

Thanks to the blogosphere, social networking sites and podcasting made easy, many security pros are taking on a much more public persona, becoming near-rock stars. Evidence of this can be seen in abundance at this week's RSA conference and the nearby Security B-Sides event.

True, many security pros still prefer the quiet, isolated life. It's also true that the introvert tag was never a fair fit for many people. But several conference attendees acknowledged theirs has become a much more public profession. It's a necessity, they say. To truly improve security, people need to be out there communicating the threats computer users face and how to mount the proper defenses.

Andrew Hay, information security analyst at the University of Lethbridge, opened Security B-Sides with a talk about his life on the "Security D-List" and the four pillars one can use to move higher up the ladder.

Hay, a specialist in forensics, incident handling and network security management, explained there are few celebrities in the security industry and many who are but don't know it. Then there are those who are stars and will let you know it at every opportunity.

"When we start our career, we are on the D-List and it's a tough climb out," Hay said. "Many are happy to stay there, others want to do great things. Very few see themselves as A-List. Many think they're above D-List."

Using an unscientific pie chart, he estimated that 84 percent of security practitioners are on the D-List. The A-List is made up of those who are asked to present at conferences, get comp time from their employer to do it, and have invented something everyone has used.

Those on the B and C lists write blogs and have achieved some notoriety, but are harder to pick out in the crowd, Hay said.

"When you start you're just a security grunt in the trenches and it's really hard to blaze a trail," he said. "I started doing dial-up tech support, then I got into network security, and became a product manager."

He described the four pillars he used to advance in the security profession:

  1. Blogging and writing
  2. Going to conferences, gatherings and groups and networking
  3. Social networking -- getting one's voice out there by such vehicles as Twitter, Facebook, LinkedIn, etc. (Hay described Twitter as one of the best things to happen to security. "I wouldn't know half the people in this room otherwise," he said.)
  4. Participating in online communities

Still, Hay said it's not always best to move from the D-List to the A-List. In fact, moving to the top can corrupt a person's perspective and make them less useful to their peers.

"The problem with the industry is the 'I'm better than the D-List' mentality," he said, noting that A-listers can "think they are higher in stature and it's an unfortunate place to be. I'm happy on the D-List."

(Security B-Sides is being held today and tomorrow from 10 a.m. to 5 p.m. at the pariSoma Innovation loft at 1436 Howard St. (at 10th), near the Moscone Center, where RSA 2010 is being held. The event is free, though representatives from the Electronic Frontier Foundation will be accepting donations.)

Copyright © 2010 IDG Communications, Inc.
