11. Infosec is a Modern-Day Secret Society

This blog started as a Mastodon exchange with Program J and Michael Olsen. They are not responsible for me stretching the metaphor to breaking point. Any similarity to real secret society ranks and titles is only meant to be illustrative.

Barriers to Entry

We have supposedly 3-4 million open cybersecurity positions globally, and 700,000 in the US alone, yet it remains notoriously difficult for interested aspirants to break into the industry. Job requirements set unrealistic expectations, while candidates are expected to collect a variety of certifications from organizations the industry doesn't even necessarily trust, and those certifications may still not get you a job because you lack experience.

Meanwhile, those already in the industry, especially those in leadership positions with decades of experience, often got in by accident, through proven skill, or by knowing the right people. Their own career trajectories are so often unusual that at some point it warranted its own podcast series on ITSP Magazine, The Uncommon Journey.

Despite excellent work done by people and organizations helping those looking to break in, we seem to have a structural problem where we set unrealistic barriers we never applied to ourselves. That makes infosec less a mature profession than a modern-day secret society, a 21st century masonic lodge.

Entry through Introduction

Entry into secret societies is through introduction by an existing adept, vouching for the prospective initiate. Once you manage that first introduction and your first job, you've completed your initiation and are part of the group.

Regardless of your certs, the more senior the adept making the introduction, the higher the initiate's entry level. Tough luck if you don't know any, though.

Secret Codes and Symbols

The profession is filled with multi-layered secret knowledge and jargon, with lower levels of esoterica filled with alphabet soup acronyms invented by analysts, only to discover at higher levels of initiation that those are a smoke screen to distract you from the truth that DLP and DSPM are just aspects of data security; NGFW, WAF, IDS/IPS and NDR are network security; and Zero Trust, CIEM and IAM are identity, authentication, authorization and role-based access control.

Our rituals are conference talks, where we talk in jargon about esoteric topics showing terminal windows and code fragments, demonstrating exploits perhaps only some understand, filled with memes, troll faces and cat pictures to throw off the uninitiated. We perform ritual libations for first-time speakers. We post memorials on the blockchain.

Public knowledge is published in standards, but even then we might put them behind a paywall or require a membership. It comes from the cybersecurity vendors to sow fear, uncertainty and doubt. Increasingly secret and deeper knowledge is exchanged in podcasts, LinkedIn posts, blogs, social media (where we may switch platforms if we so wish without telling anyone), github commits or closed chat channels.

Some Masters are frauds, some turn out to be utter abusive assholes. Only insiders know who they are.

Tribes and Clans

We have tribal categories of Hackers and Feds, and separate ones of Red, Blue, and Purple teams with the first determining your Ancestry and the second your Guild – and that doesn't even include the Wizard tribe of cybercriminals who you don't meet until they join one of the main tribes, you gain their trust or they get arrested.

Seniority among the Hacker tribe is determined by how many Defcons you attended or villages you hosted, how many even more obscure Chaos Computer Club conferences you attended, or through legendary exploits. Seniority among the Feds is counted in years of service and what level of classification you're cleared for.

The tribes are broken down into clans whose characteristics you only learn through further levels of initiation.

The Policy clan of academics are idealists, whereas the Industry Analyst clan claim broad knowledge without worrying too much about the nature of True Reality. The SOC and SecOps clans, meanwhile, accept that those with book knowledge are well-intentioned but insist they don't know what they're talking about.

Cloudsec and DevSecOps clans want to change all the others' mindset and update all the rituals, saying the old magic doesn't work anymore.

The Signal Intelligence (NSA, GCHQ, BND, etc.) clan doesn't talk, can't talk about anything, but lends credibility to your meeting with other tribesmen.

The Accountants of GRC and Audit, the State Regulatory Church, the serial startup founders and the corporate behemoths of the cybersecurity industry, the data privacy clan that isn't even sure if they're still in the same secret society anymore...

Can we talk about the Furries?

Ceremonial Robes

Security Researcher, Pentester and Red Team clans can wear pretty outrageous attire and facial jewelry. The SOC and SecOps clans wear dark and muted clothes. Cloudsec dyes their hair in all colors. They all wear hoodies.

The GRC clan, of course, wears collared shirts and shaves. Signal Intelligence wears khakis and blue blazers.

The Furries... well...

Not The Sign of a Mature Industry

However fun this all may be, this is not the sign of a mature industry or profession. It neither helps us bring in new talent, nor does it help us communicate with the business and the board room. However comfortable it may be, it has become self-destructive. It's time to throw open the doors and go mainstream.

Secret societies aren't bad. Masonic lodges promoted Enlightenment ideals when that was still radical, and allowed people to exchange ideas while transcending social classes. When society as a whole moves on, though, and hackers getting together no longer risk arrest but represent a 200 billion industry, protect trillions of economic activity and our integrity as humans and citizens, it is time to grow up.

cloud security posts without corporate approval @jaythvv@infosec.exchange