Akamai Diversity

Revisiting My Earlier Argument About Security Curmudgeons

I've been thinking a lot about the culture of security since RSA Conference 2014, and find myself returning to a topic that got me in trouble three years ago.

In May 2011, while writing the Salted Hash blog for CSOonline, I wrote a post called "Take the Word Curmudgeon and Shove It." I took aim at those in the industry who pride themselves on being cynical and suggested that they cut the vitriol.

From that post:

A lot of people in security call themselves curmudgeon because they think it's a license to spew vitriol. It's time to throw that label in the trash. I've been thinking about this a lot lately because I see an increasing number of security practitioners who are good people and good at their craft who choose to screw it all up by taking their disposition into the gutter. When doing so, they often throw the word curmudgeon around when describing themselves. I'll hang on to the curmudgeon word for a bit longer because, for what I'm about to say, I'm at a loss for a better word at the moment. But my fingers will feel a little sting every time I use it... There are good curmudgeons and bad curmudgeons (twice in one sentence. My fingers are killing me now). A good one might complain a lot on Twitter. About the weather. About clueless customers. About a whiskey bottle that has run dry. But they don't rip apart specific people by name, and they mix their crankiness with a lot of useful advice for their audience. A bad one calls specific peers names because they disagree with a point of view. They drop one or more F-bombs per tweet and always brag about being drunk because they think that makes them cool.

I still see this as a problem, but back then I painted the community with too wide a brush. Attrition.org's Brian Martin wrote a post in response, saying, among other things:

Bill Brenner wrote an article titled "Take the word curmudgeon and shove it" in which he makes relatively sweeping statements about the "people in security [that] call themselves curmudgeon". As one of the long-time security curmudgeons, I took offense to his article, calling it pathetic ... When writing an article that lumps a group of people together, the least the author could do is cite a source or three. This is something that should be a fundamental part of how any blogger or journalist operates. Blogging foul Brenner. The second point I take issue with is his categorization of curmudgeons into 'good' and 'bad', with an inevitable shades of gray distinction coming shortly after I bet. How do I know? Because I am a 'gray curmudgeon' in his black and white world.

Why bring it back up after almost three years? A talk at RSA got me thinking about it again. The talk itself, by Mike Rothman and Jennifer Minella, was about mental health in the industry and mindfulness techniques people can use to combat burnout and depression.

They noted how being a curmudgeon is important to a lot of security practitioners. It's practically a job requirement, really, given the professional's need to look at the world critically. Exploring the Internet's dark underbelly also leads to a lot of paranoia in the community. These traits can be as damaging to the individual as they are useful.

Rothman noted, "I used to be angry all the time. I built my professional image around it." I remember him back then. He's had a big conversion in recent years, casting aside much of that anger and adopting a lifestyle based on mindfulness and inner peace. I've watched his transition with a lot of admiration.

But revisiting the issue is about more than that. After the talk, I went back and re-read my post, and though I still think there's a problem in parts of the community with throwing the curmudgeon word around, I also think my argument back then lacked balance. I essentially threw everyone with a spark of sarcasm and cynicism into the same pot without considering the different levels of curmudgeon Martin wrote about.

I can't help but think about an old friend in the community, Jack Daniel. Some of you know him as a dedicated volunteer and organizer -- a leader of the Security B-Sides movement and more. He's also known for tweets that are cranky and, in turn, humorous. During an appearance on the PaulDotCom webcast last year, Akamai CSO Andy Ellis made note of this. When asked to give advice, he said people truly have to love the work they're doing and that if they don't they should do something else. Some chuckles went in the direction of Daniel, a co-host on the show, to which Andy responded, "But who doesn't think he's having a blast the whole time?"

It's true. Daniel may play up the cranky curmudgeon image online, but he's also one of the kindest people you'll ever meet. And his dedication beyond the day job goes to show he loves it. He certainly brings something important to the table.

There are four conclusions for me after revisiting the issue:

  1. We are complex beings who can't be painted with the same brush. 
  2. We have personalities that are a lot deeper than what we may show in public.
  3. If someone wants to present a public dark side while still contributing good work to the industry, who am I to judge?
  4. Having said all that, the negative approach can and sometimes does go beyond the playful. To the individual, that can be a mental health risk. My wish above all is for everyone in the security community to take care of themselves. I'd rather they be around -- crankiness and all -- for a long time than to be cut down too soon.