Human Potential in InfoSec (We’re Losing)…
Updated: May 23
I’m concerned about human potential.
20-25 years ago, when I was a teenage hacker, I would go through a couple of 4-500 page technical books every week, endlessly google/Yahoo! things, download new OS’s on old PCs and tear them apart, read through countless Linux and BSD man pages, etc.
I would spend my day on Internet Relay Chat talking with other hackers. It was all very competitive and elitist. I remember lots of kids from all over the place. Turkey, Norway, the UK, Holland, etc. Their English was all perfect. It was such an elitist culture that no spelling or grammar mistake would be tolerated. If you mispelled something they’d rub it in your face. You had to show you were smart.
Relatively speaking, my rate of knowledge acquisition was staggering during this period. I feel like a broken old goat by comparison nowadays… I don’t see how it could ever have caught up to the level of some of those guys though, they were awe inspiring (although, I now realise, maybe more focalised).
When I was 18 I started picking up a lot of IT/InfoSec certifications. I remember getting one in particular (a CompTIA post on LinkedIn last week gave this certification their highest rating: “Expert” level) and telling my online friends about it. Their response when I told them I’d passed the certification exam? One said: “Congratulations, you can read.” The others laughed.
Compared to what most of these teenage kids figure out by themselves, the highest level of InfoSec certification in the industry is an absolute joke.
Things get really worrisome when you look at how we use and interpret these certifications.
I see a lot of people identifying themselves as experts or qualified because of their certifications. Hackers, malicious hackers, would laugh them out of the room.
To those hackers these people not only look ridiculous because they think they’ve got everything covered when they don’t have a clue in the grand scheme of things, like a 2-year-old that thinks it can outrun Usain Bolt at the Olympics because it can hobble from one side of the living room to the other, but also because they’ve just signalled a level of indoctrination by linking their abilities to a certification. Indicating an inability to work things out for themselves, to see the big picture, or anything else not spoon-fed to them.
How can they possibly compete?
In the article I linked above I explained how certifications were, at best, a starting point. We really need to shift our perception of scale. An “Expert” certification, isn’t. It is, very, very basic. There simply aren’t any certifications that we should consider “Advanced” or “Expert.” You become an expert through thinking and experience, by constantly pushing, and in the case of this particular field it’s also a moving target, because some of our adversaries are pushing very hard indeed.
To get back to another analogy from that article, it would be like thinking you know everything about driving because you just got your driver’s license, then stepping into a formula one race. You wouldn’t even be able to get the tyres warm enough for the car to work.
Let’s up our game.