Thought I Was a Security Rockstar. Was Just Stupid

In pretty much every industry of late, people of great talent, drive and achievement are being labeled rock stars. I certainly see it as I work in the information security industry.

Those who get the label tend to deserve it. But there’s a dangerous side-effect: The term rock star can bloat the egos of those it’s bestowed upon. It leads to big heads and bad attitudes. I’ve watched many handle it with humble grace. And I’ve watched a few fall into the trap.

Exhibit A: me.

As a security journalist who posted new content almost daily, I got a lot of praise and, yes, some called me a rock star. This snowballed when I started The OCD Diaries.

I found myself on more than one “security influencers to follow” list. People kept praising me for my supposed raw honesty. So I did what any good addict does: I drank it up, tied all my self worth into it and started to believe it all.

Don’t get me wrong. I think I’ve accomplished a lot of good stuff, and I’ve certainly been lucky in my career. But a rock star? Looking back on it now, I don’t think so.

I believed it when people told me, though. My head grew larger, while my brain went stale. I stopped trying. I truly believed I could pull off anything with little effort.

Of course, the real world doesn’t work that way.

I eventually found myself growing snobby, moldy and stagnant. Somewhere along the way as I bought into my own hype, I started to fail.

I lapsed into old habits. I began dialing in my work. The praise became chains, weighing me down like Scrooge’s old business partner in A Christmas Carol.

Sometime last fall, I went from being a rock star to the office jerk. It left me off balance and in a depression that deepened over the winter. I started to worry about being found out as an impostor. Worse, I found myself losing my usefulness.

Since then, I’ve been working hard to return to my roots. I feel like I’m starting to make real progress, but I still have a ways to go.

As for those in my industry who remain honest and humble, I aspire to be more like them. And I don’t fault those who are kind enough to put the rock star mantle on others. I simply see these as lessons for all of us:

Never stop working your asses off.
Never stop seeking truth.
Don’t be like me — not too much, anyway.

On Skipping Security Cons

On Twitter last month, friend and fellow infosec professional Marcus Carey suggested industry peers place too much importance on conferences:

One can take the tweet several ways.

Mood music:
https://youtu.be/gWWWBvxEXZM

Some might say he’s criticizing conference organizers for roping in people who spend all their time speaking at and attending conferences and too little time in their organizations working on the daily challenges the bad guys throw in front of us.

Others might say he’s picking on people who attend a lot of conferences simply to be seen. I don’t think he is, especially since every time I’ve seen him in person, it’s been at a security conference. The conferences I attend have a lot of repeat speakers who I’ll never get tired of listening to, such as security pioneer Dan Geer. (Watch him speak at Black Hat 2014.) Other famous speakers have done a lot of important work over time but have become less relevant lately. I won’t name names here, but yeah, I’m tired of seeing them as keynoters.

The debate over security conferences will go on into infinity. Carey’s soul searching sparked something within me, though, and it’s unlikely it has much to do with his intent.

I love security conferences. I love traveling around the world to attend them. I’ve made countless connections that have taught me many lessons in how this industry ticks. It wouldn’t be a stretch to say my conference attendance led to my current job.

But I have to admit that as the years have gone on, I’ve become almost obsessive about getting to conferences. To skip them is to be invisible and irrelevant. To stay away is to no longer be respected.
That’s how my mind presents it, anyway.

In an earlier post I called it the security rock star mentality — the notion that you had to be seen to be relevant and that by getting around a lot, I thought I was somehow better than I really was.
Early on, as a journalist, I had to attend as many conferences as possible to generate content and feed the needs of a daily news machine. In my current role, the mission is more about promoting what my company does and collecting research I can bring back to base for future use.

My current job also involves less frequent travel. Some of that is because I can easily communicate face-to-face with colleagues around the world through Skype and other video-conferencing programs.
But I’m also traveling less because there’s a lot going on in my family right now. My kids have a lot of activities I want to be there for. My father has been in hospice and I’m trying to get in all the time with him as I can. And so it goes.

I’ve noticed something since grounding myself, however: My absence at security conferences hasn’t hurt my career or workmanship. Not one bit.

The people I like to see at conferences are all available to me on Twitter, Facebook, and increasingly on Skype. Most talks are recorded and end up on YouTube within hours of being delivered. And most importantly, less travel has meant more time immersed in my company’s research. I’m working with some of the best researchers in the industry, learning more from them than I’d learn from a hundred conference keynotes.

I’m not retreating from the conference scene forever. I still get too much value from events like DEF CON, Black Hat, RSA, ShmooCon and BSides to completely stay away. I expect to travel more frequently next year.

In the meantime, I’m staying home, being around more for my family and constantly working to improve my craft.
