- Phil Venables
Field Guide to the Various Communities of Security
Which part of the security community are you in? Often, when one part of the security community talks about the overall community they are not really talking about the whole. Rather, they are talking about their part of the community as if it was the whole. In many cases some of these sub-communities or sub-cultures are actually oblivious to the wider community.
Worse, some of the less welcoming sub-communities are often publicly portrayed as being the whole community. This can dissuade people from seeking information / cybersecurity careers as they don’t realize that the less dramatized majority are relatively more nurturing. This perception is particular disturbing given our continued need for more people to take up this career. It is especially important to increase our collective intake for us to radically enhance our diversity, equity and inclusion. This is not just because it is the right thing to do, nor simply because it will tilt the numbers in our favor but more importantly because it improves risk management outcomes. Group-think is the mind killer of risk management and while you can introduce mechanisms to counter group-think, the easiest and best way to do this is to have a diverse team that feels able to voice their opinions.
So, let’s recap the various sub-communities of security, recognizing that even this long list might not be mutually exclusive or collectively exhaustive.
1. Enterprise Information Security
This is, perhaps, the largest part of the overall community from global corporations to medium sized enterprises. This is made up of a vast array of skills and experience levels, mostly blue team but also growing red (and other colors of the rainbow) teams. I find this community increasingly working hard to improve training, develop entry-level positions as well as cross-train other IT and risk staff into the security (or technology risk team). There is often collaboration across organizations (and across the public / private sector) through ISACs, ISAOs or other forms of trade or industry associations.
2. Technology / Platform / Cloud Companies
At some level these are similar to major enterprise teams, but have the distinction of often working at a larger scale, in some cases hyper-scale. They also have teams that are not just defending those companies but also are building capability and delivering security built in, not bolted on, into products and services that other organizations use.
3. Risk, Compliance, Legal (covering Security)
This is a relatively new sub-community of either former information security or technology risk staff who have moved into independent risk management roles, typically in regulated industries - or lawyers and compliance professionals who have taken up specialization in security.
More specifically, IT Audit, is a long-standing community that perhaps is older than enterprise information security. For as long as I’ve been in technology and security (a long time) there have been IT Auditors. As with other sub-communities they have their own culture, norms and challenges. But IT Audit, and Audit overall was earlier to formalize their body of knowledge and provide a degree of professional accreditation. Kudos to them.
5. Security Vendors and Service Providers
There is a bit of blurring of the lines here as technology platform and cloud companies become more fully fledged security players across products and services. However, there is still a distinct sub-culture of pure play security companies. There is also some degree of overlap among the specialist security / penetration testing companies with the hacking / research community.
From the “Big 4” to the specialist boutiques or one person shops, this is a large sub-community which also has a distinct culture. There is often a structured career development path but even with that they often struggle to create the right entry-level positions. Although, some might say that the junior consultants deployed onto your account are the entry-level for you to train (joke).
7. Hackers / Researchers
This can be one of the most vocal of the sub-communities and the one, I’ve often found, that is thought of as the community, as portrayed by the media or sometimes itself. Parts of this sub-community can sometimes seem unaware of a number of the other sub-communities. However, I’ve generally seen this sub-community actually welcome and collaborate with others when they’re exposed to them. In many cases you see some researchers (“hackers”) form deep partnerships with major enterprises with significant mutual support between the red and the blue teams. The rise of mature bug bounty programs operated by companies directly or through specialist companies, like HackerOne, have stimulated this. This is vital for the overall health of security across the board. Similarly, the embrace of community programs, capture the flag competitions particularly by the technology / platform companies and some major enterprises have further broken down barriers and increased collaboration.
This is an interesting one. For many years there wasn’t a large (relatively speaking) research community (universities, labs or other facilities) focused on security. There is now, and it is increasingly getting connected through research, sponsorships and other programs with the wider community. In general, though this is a community that has had a tendency to be more insular. This is something we should do more to correct as one of our major deficiencies, if we are to be a true profession, is the absence of tight connectivity between the science and the practice parts of our work. For example, in other engineering disciplines, whether it is electrical, electronic, civil, environmental and so on, there is much closer collaboration between research scientists and engineers to advance the state of the art and to take problems observed in the field into active research, and translate research into practice.
9. Small Businesses
I pull this out as a sub-community in its own right because it is vastly different from larger enterprise information security simply due to the resources and depth of skills. In many ways the small business security community are a community of part time IT workers, or even business owners themselves who double-up as security people. Which is why the technology / platform companies need to keep doing more for this community to make security built-in and not bolted on to the services they use.
10. Government / Public Sector IT
There are a large number of security professionals in government at national, state, and local levels across various specialisms in government IT, military, intelligence or other roles. At one level this, mostly blue-team community, is somewhat similar to the enterprise information security community. However, it is worth distinguishing them because they tend to work as a community distinct from the enterprise information security community. They have developed a distinct culture driven from the standards they often have to follow and their challenges of resource scarcity and legacy infrastructure. But, when this community does interact or intermix with the enterprise information security community there is a lot of mutual respect and sharing of experience. For example, I’ve known plenty of federal government security people teach others a thing or two about how to get security done in heavily resource constrained environments that has benefited a lot of enterprise security people.
11. Government / Policy Makers / Regulators
Interestingly, historically I didn’t see a lot of inter-mingling between the government / public sector IT security community and their colleagues in the various government policy and regulatory roles. But, they have in recent years in many countries made remarkable efforts to work with the other communities to learn more about what appropriate government policy, legislation and regulation would be useful, appropriate or at least not be counter-productive.
In my view this shouldn’t be a sub-community in its own right given that people here are typically drawn from academia, government and perhaps some of the other sub-communities. However, they often do develop a culture of their own, sometimes an echo-chamber, which can be a problem especially if governments overly rely on their output. But, there are an increasing set of positive examples, like the CFR which relies on a quite broad based membership to aid their work.
13. Trade Associations and Industry Groups
I was undecided whether to call this out as a sub-community because often such trade associations / industry groups are aligned around the other sub-communities, mostly the enterprise information security community. However, they do seem to have a distinct sub-culture especially given the growth of ISACs, ISAOs and very well structured groups like World / Security 50 and others.
14. Offensive State Security Groups (Intelligence and Military)
There are offensive security teams across the various military, state security, law enforcement and intelligence apparatus in most countries. As many of you will know or suspect this has its own sub-culture as well. It is, unsurprisingly, quite distinct from many of the other sub-cultures.
15. Related Disciplines
There are many other risk communities that have high degrees of connectivity and professional inter-dependence with technology risk, information and cybersecurity. Some of these, over time, could well be considered sub-communities of information security in the most general sense given the increasing overlap between their activities and, in some cases, the merging of these teams into security in an increasing number of organizations. These include:
Physical Security. Physical security, from facilities, executive protection and crisis management is a broad and vibrant profession in all types of organizations with many shared standards and professional communities.
Business Continuity Planning. Business continuity, resilience and disaster recovery is, again, a rich field of professionals with a body of knowledge and associated accreditation schemes.
Privacy. There is some merging or closer alignment between enterprise information security and the privacy community as more InfoSec and Privacy teams come together on controls implementation. However, privacy as a professional field remains distinct and well-codified and ever more challenging.
Fraud and Loss Prevention. Often associated with either physical security or information security in many organizations where it is not a major risk. However, in organizations like financial services or retail where it can be a dominant risk it does have a distinct community of its own.
Trust and Safety. This can mean many things for different companies. But, in platform, communications or social media companies there is a significant set of requirements for content moderation, handling abuse, misinformation/disinformation, and dealing with specific requirements such as the protection of minors. Again, this gives rise to a specialist community with links to other risk and security functions in those organizations.
Where this can get really interesting is to look at the intersections between these sub-communities, or actually the lack of intersection or collaboration and all the missed opportunities that result from that. Having each work together to learn, to encourage mutual respect, collaborate on risk mitigation, and to support more career cross-over is vital if we are to develop as a more integrated profession.
More people should personally try and span these sub-communities. This will improve you as a professional and lets you be one of the connectors that improve the sub-communities you connect. While most of my formal career has been in the enterprise information security sub-community and of late the technology / platform space, I have learnt some immensely useful ideas and techniques from interactions across government, academia, think-tanks, researchers and many others.
Bottom line: be aware of the many sub-communities of security. Don’t fall for the generalization that the culture of one sub-community is emblematic of the whole. Most importantly, no matter which sub-community you are in then do your best to put a foot in some of the others to connect and cross-fertilize ideas. We all need it.