I've been thinking a lot about the culture of security since RSA Conference 2014, and find myself returning to a topic that got me in trouble three years ago.
In May 2011, while writing the Salted Hash blog for CSOonline, I wrote a post called "Take the Word Curmudgeon and Shove It." I took aim at those in the industry who pride themselves on being cynical and suggested that they cut the vitriol.
From that post:
A lot of people in security call themselves curmudgeon because they think it's a license to spew vitriol. It's time to throw that label in the trash. I've been thinking about this a lot lately because I see an increasing number of security practitioners who are good people and good at their craft who choose to screw it all up by taking their disposition into the gutter. When doing so, they often throw the word curmudgeon around when describing themselves. I'll hang on to the curmudgeon word for a bit longer because, for what I'm about to say, I'm at a loss for a better word at the moment. But my fingers will feel a little sting every time I use it... There are good curmudgeons and bad curmudgeons (twice in one sentence. My fingers are killing me now). A good one might complain a lot on Twitter. About the weather. About clueless customers. About a whiskey bottle that has run dry. But they don't rip apart specific people by name, and they mix their crankiness with a lot of useful advice for their audience. A bad one calls specific peers names because they disagree with a point of view. They drop one or more F-bombs per tweet and always brag about being drunk because they think that makes them cool.
Bill Brenner wrote an article titled "Take the word curmudgeon and shove it" in which he makes relatively sweeping statements about the "people in security [that] call themselves curmudgeon". As one of the long-time security curmudgeons, I took offense to his article, calling it pathetic ... When writing an article that lumps a group of people together, the least the author could do is cite a source or three. This is something that should be a fundamental part of how any blogger or journalist operates. Blogging foul, Brenner. The second point I take issue with is his categorization of curmudgeons into 'good' and 'bad', with an inevitable 'shades of gray' distinction coming shortly after, I bet. How do I know? Because I am a 'gray curmudgeon' in his black and white world.
- We are complex beings who can't be painted with the same brush.
- We have personalities that are a lot deeper than what we may show in public.
- If someone wants to present a public dark side while still contributing good work to the industry, who am I to judge?
- Having said all that, the negative approach can and sometimes does go beyond the playful. To the individual, that can be a mental health risk. My wish above all is for everyone in the security community to take care of themselves. I'd rather they be around -- crankiness and all -- for a long time than to be cut down too soon.