Security Geeks: From Isolation to Rock Stars

WASHINGTON D.C. — Security practitioners used to be seen as propeller-hat wearing introverts hunched over computers in dark, cold basements for weeks on end, shunning daylight and anyone who tried to start a conversation with them. But times have changed.

Thanks to the blogosphere, social networking sites and podcasting made easy, many security pros are taking on a much more public persona, becoming near-rock stars. Evidence of this can be seen in abundance at the ShmooCon 2009 security gathering in the nation’s capital this weekend.

One example was a Friday lunch gathering of the Security Twits — a growing group of security pros who communicate with each other and the rest of the world via the Twitter micro blogging site. Another example was an evening meet-up of security podcasters.

True, many security pros still prefer the quiet, isolated life. It’s also true that the introvert tag was never a fair fit for many people. But several conference attendees acknowledged theirs has become a much more public profession. It’s a necessity, they say. To truly improve security, people need to be out there communicating the threats computer users face and how to take the proper defenses.

“We’ve morphed from living in the basement to being a far more interactive group and sharing information,” said Toronto-based IT security pro Dave Lewis, keeper of the Liquidmatrix blog and known on Twitter as “Gattaca.” This, he said, is for the betterment of the industry because such information sharing and online bonding helps everyone do their jobs more effectively.

“My site was borne out of necessity,” he said. “I had a hard time finding articles on security when I started 10-11 years ago. I realized a lot of other people had the same problem, so I started posting stories and it eventually morphed into a blog. This has been a necessary evolution, the move from the parents’ basement to the new-media-empire-types many have become through the likes of Twitter, Facebook, LinkedIn and blogging.”

Robert Fuller, a security architect based in the D.C. area known on Twitter as “mubix,” organized Friday night’s meet-up of security bloggers and marveled at how people of all security industry stripes have successfully taken up podcasting, a trend helped along by the availability of easy-to-use recording software like Audacity and Apple’s GarageBand program. Fuller notes that everyone from IT security administrators to code writers and academics are doing it and drawing ever-growing audiences.

Asked if the number of security podcasters showing up to the meet-ups is growing with each event, Fuller said, “Oh, yeah, definitely. And that’s a good thing because those who are really dedicated to it always have good stuff. It’s great for anybody to start a podcast because they have something they’re passionate about. Podcasting is so easy, all you need is a mic or headset and a recording device and it’s easy to get the word out. That’s what Web 2.0 is all about.”

And, echoing Lewis, he said the proliferation of security podcasters means more important information is getting shared, allowing security pros to engineer a more effective cyber defense.

Agreeing with these views is Chris Hoff, chief security architect for the systems and technology division at Unisys and keeper of the Rational Survivability blog. But, he noted, a vast majority of IT security pros are still introverts working from the basement, and these people should never change, despite the growing belief that everyone in this profession should be required to have strong writing and public speaking skills.

“The notion that everyone involved in security needs to be able to put themselves out there, get up and give a presentation to the board of directors is ridiculous,” said Hoff, known on Twitter as “Beaker.” “We still need skilled operators in the trenches, continuing to do what they do in the basement. Do I want to discourage someone who is fantastic at pen testing by telling them their career will be limited if they can’t put together a PowerPoint presentation for the board? If you want to be a technician, be a technician. I have guys I wouldn’t bring out in public but I rely on them to get the job done.”

Hoff used a military analogy to make his point. There are generals who are meant to be the public face and lead, and there are the soldiers who spend all their time muddy and bloodied, quietly taking the fight to the enemy.

“We need all of these people in security,” he said.