I’ve never hidden the fact that I’m a bit of a rebel. Okay, to be honest, I’m proud of being a stubborn contrarian who’s going to do what he thinks necessary, despite what it might cost in the future. Part of the reason is that I’ve always been smarter than average and I feel that I see and understand things in ways many others don’t or can’t. And as long as I’m being honest, I also enjoy the chaos this engenders and the ability to thumb my nose at convention and authority. I like upsetting people’s preconceived notions and making them think about things they might normally shy away from contemplating. I want improvement over the present and I despise the status quo. And I don’t think I’m at all unique amongst security professionals; we’re almost all rebels to one degree or another.
I believe people who love security as a career are similar to me in large part. We’re people who see a problem that needs to be solved, puzzles that need to be unlocked and mysteries begging to be revealed. Constant learning is something that is the hallmark of a good security professional. If you look at the most successful hackers, they got to the top because they can’t pick up a piece of electrical equipment or software without trying to see how it works. We want to understand, to unlock and hopefully to gain just a little more knowledge about how the world around us works. And yes, I include ‘hackers’ in the continuum of security professionals, as a subgroup who tends to embrace the chaos more than the more corporate professional.
Let me give you an example. Over the summer at a small conference in Las Vegas, a select group of us met at a restaurant for dinner, a not uncommon occurrence for that time of year. What was a little unusual was that when we sat down, the waitress handed the group a set of iPads with the drink and food menus on them. Apparently we were meant to place our orders through these devices and the waitress would magically bring them out several minutes later. But you should have seen eyes light up around the table as everyone started considering how to break out of the menu app and make the system do things the restaurant had never meant for their app to do. It was like Christmas in July! Needless to say, it was only a few minutes before we had to hand one of the iPads back to the waitress with an explanation of “Umm, we think this one is broken, it shows another restaurant’s menu.” They’d figured out how the tool worked, unlocked the puzzle and had some fun, all in one fell swoop. This curiosity is the core of who we are.
This need to understand is one of the things that makes many security professionals hard to work with. We don’t take orders well, or at least I don’t. We want to understand the underlying logic of a decision; we want to understand the thought process that went into making the decision and why it’s the best decision. ”Because it’s always been done this way” is the bane of our existence; when was the last time anyone examined why of that way? Does doing it that way still make sense? Is there a better way of doing it? Does doing this actually accomplish our goal, or is it just busy work? Managers don’t want to explain, they just want to get the task done, despite the fact that the task might not be leading towards the actual goal, but away from it instead. And sometimes that’s the right thing to do.
We, as security professionals and hackers of the reality around us, have to be aware of this need to understand and unlock within ourselves and take steps to counteract it when appropriate. Personally, it’s hard for me to accept “this is just the way it needs to be done”, but sometimes that’s the correct path. Those moments are relatively rare; I prefer to have the people giving me direction to explain what it is they hope to accomplish and let me figure out how to do it best. In the main, we have the time to discuss, to understand and to come to an optimal solution for the problem, and often if we take the time to do so, we realize the problem we were really trying to solve is not the problem we thought we were trying to solve.
It’s always important to understand your own motivations in decision making. It’s also important to understand the motivations of the people around you in that same process. I don’t claim that every security professional is driven by chaos and curiosity, but most of the ones I gravitate towards are. We see chaos as a method to drive improvement. But being aware of that motivation and how it influences the decisions we make will help us not only make the right decisions, it will help make those decisions in a way that is less stressful for us and those around us.
So let your coworkers know that you’re not challenging them, you’re challenging the decision making process and seeking to understand why a decision was made. You want to understand what the goal was and how the decision leads to that goal. But also understand that sometimes the analysis of a decision is not a luxury that can be afforded at a particular point in time. There are times where we just have to take orders and shut up. It seems to go against the grain of who we are, but it’s an unfortunate necessity in some cases.
I’m lucky in that I’m at a point in my career, in my life and in my role that I’m not only accepted as someone who’s supposed to question the decision making processes, it’s expected of me. You can’t be a ‘thought leader’ if you never question authority, never question the status quo, never question the reasoning that brought us to this point. But I also have to be cognizant of the fact that what is generally one of my strengths can also be one of my greatest weaknesses if I’m not careful. Giving into the desire to understand when things just need to get done leads to frustration for everyone involved, and harmful to the mission when done at the wrong time.
I may be grossly generalizing my own rebellion onto the entire security and hacker community. I know a lot of people are going to say, “I’m not at all like that”, and they may be right. Each of us have our own unique set of motivators that push us into the decisions we make. But this is a set of motivators I see as a commonality in the community I live in. Understanding your own motivations is one of the best ways to combat the frustration we often feel when dealing with people who don’t see the world as a puzzle like we do. And knowing they don’t see it the same way might help us communicate in ways that settle some of their frustrations as well.