Are All Security People A**holes?
Myths, Truths, and Some Things In Between
As with any group of people, you have a variety and range of personalities, experiences, and temperaments. However, there used to be, and still is, a contingent of security people that don’t utilize modern psychology and business sense to do their job… giving everyone they work with a bad “taste” of security folks. This ruins it for others.
I was on vacation recently and, when introducing myself, told someone I did “Information Security”. Their response was:
“Oh you mean the people that yell at you when you click a phishing email?”
I’ve been in a situation many times before where I have to “undo” or “clean up” the emotional damage done by another team or security person. This could be at a current company, or from how security engaged with someone earlier in their career. This ruins it for everyone else.
What Drives A Security Person?
From my interviews with many of those who have entered the security field, I have found many to have an overwhelming sense of responsibility to help others as a motivating factor.
Other factors included curiosity, a sense of belonging, and a better career.
Why So Difficult?
So if security people are trying to help others, why are so many hard to deal with? Why do they abuse their “authority”?
Here are some reasons:
Lack of empathy
Lack of self-awareness
Lack of speaking the right language
Lack of creativity
Well, let’s look at some other people in society that generally try to help others, but may be hard to deal with when they don’t utilize the above:
As a result, people will be less likely to engage with someone like this and be open to their suggestions.
But Why Are Security People Like This?
Successful ones are not.
To answer your question though, some of it comes from those who rose through the technical ranks and don’t have people/soft skills.
Others are compliance/policy-minded folks who don’t have the technical, business, and/or communication skills and rely heavily on black/white policy mandates and authority. They will hide behind and quote policy instead of actually working with you to help solve/understand your problem. Sometimes a policy mandate won’t even make sense with modern cloud technology!
Security is still a very nascent field, compared to many other parts of the technology industry. For the longest time it was never an official field, and was just baked into networking, infrastructure, or compliance departments. People had to wing it.
On top of that, there is a tremendous amount of responsibility security folks must bear.
They are responsible for protecting the company’s data.
They are responsible for knowing a lot of things about a lot of systems.
They often face an uphill battle to change human behavior, communicate risk, come up with creative workarounds, and choose which fire to deal with, all while facing pushback against their suggestions.
Many technology folks outside of security have similar responsibilities. Not everyone can handle the stress. This is common in many areas of tech, but sometimes more pronounced in Information Security. Generally, emotional intelligence goes down when stress levels are high.
It’s not an excuse to be an a**hole… but as with any job, the right training and knowledge will help you be successful.
A Note On Ethics
Security folks will generally have a high sense of ethics. If they are put in a situation where they must do something unethical (like lie or bend the truth on a document), then you probably have a token security hire who will be stressed and upset, and you should rethink the role of security in your organization and the jeopardy you are putting your business in.
Do Nice Security People Exist?
Yes, they do! They are out there, and there are more of them than ever before. For all the examples of poor security folks out there, there are many more coming online who have matured, embraced self-awareness, and honed the soft skills that make them successful. I, for example, include a chapter on Emotional Intelligence in everything I write and teach others.
Then there are unicorn security folks that are super technical, understand security governance, understand business, and have excellent personality and communication skills. Hold on to them for dear life! Clone them if you can.
Questions To Help You Find Good Security Folks
When I’m helping companies hire CISOs, Infosec Leaders, and Engineers, I’m looking for either red flags or positive insight into their thinking. Look at how they answer the question and how they communicate. Here are some sample questions to help you:
Tell me about a time you suggested a security measure/control and received pushback. How did you handle it?
If the business really wanted an application, but it didn’t have appropriate security controls, what would you tell them? How would you handle it?
What are your thoughts on Chrome extension security?
How would you complete the answer to a security questionnaire, if the company didn’t have a control in place?
This is a complex topic, which requires a longer medium to fully cover, but something very dear to me. As mentioned before, I’m often in a situation where I’m working with someone who had a “bad experience” with security, and I have to help undo that emotional trauma as well as ensure that I am not seen with that same lens.
If you found this interesting, I also gave a talk on the Neuroscience of Hackers that you might enjoy.