Incest in the security blogosphere or patting ourselves on the back

The recent uproar, pandemonium, mayhem, hubbub, bedlam, and other synonyms caused by “The List” has taken us security bloggers in a direction that we might just need to help us look at the security industry and ourselves in a new light.  Take a second to read Mark Curphey’s post about the issue over at SecurityBuddha.com.

Here are some excerpts from the post:

Last Friday I decided to leave the Security Bloggers network… 

…for me the Security Bloggers network had a low signal to noise ratio and some of the other members were not folks I want to be associated with. This came to a head when ITSecurity.com produced a blog baited list of the top 59 most influential security people. The list is farcical in so many ways; no Dan Geer, Mike Howard, James Gosling, Andy Jaquith, Phil Venables, Spafford and so on.

This first point about leaving the security blogger’s network was disconcerting to me at first.  I am a member of the Security Blogger’s network, and I am proud of it.  But Mark’s point came through that he just thought the bad stuff is outweighing the good stuff on the network.  I admit that I do not always read the feed coming from the network (I subscribe, but I usually pick out individual blogs), so I can’t say that I agree or disagree.  But Mark’s comment that he did not want to be associated with some of the members is hard stuff indeed (there’s nothing wrong with the statement, by the way).

But the above statements were also referring to the list, so let’s carry on with that.  Another excerpt:

The noise of self congratulation for “falling for it” became deafening and very annoying. Over the last month I have also read some ridiculous blog postings about PCI from people who I honestly doubt have ever held a corporate security job in their lives and just don’t have a clue (and yes, I am happy to debate you charlatans on a public stage at a conference of your choice about that topic if you have the balls).

Some speakers and projects seem to spend more time telling you about why they are such experts and “thought leaders” than they do producing anything of value.

Well then.  That makes the first excerpts look like child’s play.  These words are harsh and hard-hitting.  And when I read them, I had to take a step back and look at my thought processes on blogging about security.  Of course, my low self esteem kicked in, and I thought I might be one of those charlatans.  I had posted a good deal about PCI in the last few months, so I had to self reflect to make sure I was on track and had not tried to misrepresent at all.  Also, it made me think that I was one of those that was happy to be on the list (I’m a sucker that way).  While I also publicly stated that it was obviously a ploy to generate traffic to IT Security’s site and was not very representative of the true influencers in IT security, I still admit that I patted myself on the back a bit.  And that leads me to my ultimate point, and I’ll start making that point by quoting myself (how’s that for conceited).  Here’s some of what I said on my comment to Mark:

That is a very bold statement, and I was going to comment to your post by saying that you need to call out the charlatans instead of just posting that statement. But by your reply to Alan [blogger's note: read the comments for context], it looks like you are going to do just that. I don’t think the security blogging world and the security industry as a whole would be hurt by some kind of shakeup, and if you feel like the one to do it, then I say more power to you.

I have stated this before on private conversations to other bloggers, but I think the security blogging family is getting somewhat incestuous, and we are possibly breeding malformed kids (everyone seems to want to jump on the security blog train). Of course, as Alan said in his comment, I also think that most of these will be weeded out eventually.

So what do I mean by “incestuous”?  Simply, I think security blogging has become a huge fad in the industry.  That’s not necessarily a bad thing, and there are a lot of people saying a lot of good things out there.  But when you have this many people blogging about so many related subjects, it gets kinda crazy.  There are only so many issues to blog about, and people start feeding off of other people, and you inevitably get those who really never say anything original or do say stuff that is original but is plain wrong.  And you get events like the blogger’s gathering at RSA (which was a great event that I vow to attend every year it is held) where we all get together and pat each other on the back and tell each other how cool we are.  I just think it all has the propensity to lead to many of us becoming legends in our own minds, and I think we all need to make sure that does not happen.

We all just need to take a step back, think about where we are in security as individuals, where we are in security as an industry, and where we are in security as a community of bloggers.  Are we making a difference?  Are we putting out good information?  Are we posting just to post so we can grow or maintain our readership and be part of a group for ego’s sake, or are we trying to help?  And notice that I am using the word “we” throughout.  I am not exempting myself from this reflection and honest appraisal of my worth to the security community. 

As for whether a blog is good or bad, honestly, I am not of the mind to start judging blogs.  As was said in the comments to Mark’s post, if bloggers write good stuff, then their readership will grow.  If not, people will unsubscribe, and eventually the bad ones will die on the vine.  But we also have a duty to call out those that misrepresent for selfish purposes or those that simply post from a faulty foundation.  The former would be the ones that need to be drummed out.  The latter need to be shown the error of their ways.

Again, please don’t think me arrogant in this posting.  I truly believe this is something any industry needs after a while.  Honest self reflection is always a good thing, and we might just bring about some honesty and good direction for the security industry.

And a last couple of points:

First, I am impressed by Mark Curphey’s blog.  He hits hard, but he calls ‘em like he sees ‘em.  LoverVamp called it when he commented on Mark’s latest post: “For being new to blogging, you have a particular clarity and honest rawness to your postings. You could have fooled me!” 

Second, his Security Bullshit cartoons are genius.  I am sure someone has already made the connection, but this guy just might be the Scott Adams of security.

Vet
