Phil Venables

How to Tell if You Really are an InfoSec Professional

Some of you in the US, and maybe others, might be familiar with the ongoing, somewhat self-deprecating Jeff Foxworthy skit “You might be a redneck”. If not, then watch a few minutes of this video, with one-liners like “If you’ve been on TV more than 5 times describing what the tornado sounded like... you might be a redneck”.


Recently, in a discussion with some friends, I realized just how much I know about criminal activity without ever having done anything criminal. It got me thinking how much of the equivalent exists in the rest of our world of information security: all the things we do that are perhaps stranger to everyone else than we would really care to admit.


So here we go, broadened out for all of security since I know our brothers and sisters in arms in other disciplines are blessed and cursed the same:


  1. If you believe the phrase “it’s not paranoia if they’re really out to get you” is a note of caution - you might be a security professional.

  2. If you sit in a room and instinctively look for cameras, alarms and escape routes - you might be a security professional.

  3. If you know some highly obscure pornography terms (from investigations) without otherwise being a consumer of such content - you might be a security professional.

  4. If one of your Board members offers to connect you with their “special contact” in “Government” that they met at a conference once because it will transform your program - you might be a security professional.

  5. If you fail your own security awareness tests because the right answer is somewhere in between the multiple choices - you might be a security professional.

  6. If you manipulate every URL on every website you use just to see what happens - you might be a security professional.

  7. If you know various means of conducting crimes and evading detection - you might be a security professional.

  8. If you don’t follow many of your profession's pronouncements because in most situations they really are just too inconvenient - you might be a security professional.

  9. If your Board says they have no risk appetite for security breaches but insists on using their personal AOL e-mail for sensitive Board materials - you might be a security professional.

  10. If you get pitched by recruiters for junior firewall admin roles in your own organization - you might be a security professional.

  11. If research organizations want to pay you a Starbucks voucher for 3 hours of your time to talk about the XDR market - you might be a security professional.

  12. If vendors try to sell you products your organization also sells - you might be a security professional.

  13. If venture capital firms want you on their advisory boards so you can act as a virtual salesperson - you might be a security professional.

  14. If, despite having been a software engineer, you know you’d have a tough time writing secure code these days - you might be a security professional.

  15. If you can spot the failure modes of everything and delight in pointing it out to the annoyance of family and friends - you might be a security professional.

  16. If family members describe you either as a “hacker” or a “security guard” and you don’t bother correcting them anymore - you might be a security professional.

  17. If people are shocked that you understand business (or don’t always wear a hoodie) - you might be a security professional.

  18. If you spend most of your time at conferences commiserating with others on the crazy stuff you have to deal with - you might be a security professional.

  19. If certain business leaders you work with think the phrase “explain it to me like I’m a young child or a Golden Retriever” is a badge of honor - you might be a security professional.

  20. If you regularly get Calvin Klein underwear salespeople from China, with “glamor” images as their profile pictures, trying to connect with you on LinkedIn - you might be a security professional.

  21. If you are pitched on roles as “it pays top of market” to then discover that the market rate is equivalent to a Yak-herder in the Himalayan foothills - you might be a security professional.

  22. If every hot start-up pitched to you by VCs has at least one former head of Unit 8200 on its leadership - you might be a security professional.

  23. If you have to explain to your leadership why you’re not buying AI products marketed in The Economist or FT - you might be a security professional.

  24. If you have more than 5 ways of communicating with industry colleagues over secure messaging apps but you still text each other - you might be a security professional.

  25. If you are deluged with people on LinkedIn trying to help you get more certifications - you might be a security professional.

  26. If you’ve given up on even trying to read all the Slack channels you are a part of - you might be a security professional.

  27. If you keep getting invited by marketing companies or vendors to attend events to network with your peers (many of whom you’ve known for longer than the existence of those companies) - you might be a security professional.

  28. If you try to explain to bank call center workers how to better tune their fraud detection algorithms and are surprised that they don’t appreciate you for that - you might be a security professional.

  29. If you have no incidents for a year or more and you then get serious questions as to whether you are overspending on security - you might be a security professional.

  30. If you have incidents as a result of budget cuts and you then get serious questions as to why you didn’t spend more to prevent those - you might be a security professional.

  31. If an incident occurs in relation to a previously “risk accepted” risk and you are asked by the people who accepted the risk why you let them do that - you just might be a security professional.

  32. If you still have to explain to people that Y2K wasn’t a false alarm and that it was a non-issue because a ton of people worked really hard to make that not be an issue - you might be a security professional.

  33. If you hate everyone else’s security analogies but shamelessly use your own catalog of them - you might be a security professional.
