CIO

AusCERT 2017 - The Balkanisation of the security community

Cisco's Kate Pearce presented at this year's AusCERT conference on embracing diversity in the security industry and not living and working in an infosec echo chamber. Her focus was on the small differences we can bring in and the big difference they can make.

Pearce's examination of the importance of diversity started in an unlikely place – the world of film and literature. Starting with the division between fiction and non-fiction, Pearce drilled down through the various categories and genres under those broad headings until she ended up in the very specific sub-genres of Space Operas and Space Westerns: Star Wars and Star Trek respectively.

And while in much of the world the difference between the two might be "very tiny", said Pearce, it is significant in some circles.

"Small differences can make a big difference, particularly where humans are involved," she said.

In her role speaking overseas and attending dozens of events in her home country of New Zealand, Pearce noticed a couple of things.

Different cultures exist not just within countries, but within companies, industry verticals and even teams within companies. When attending meet-ups and other industry events, very few people attend more than one or two different groups.

This creates fragmentation in the views of different groups who don’t communicate despite complaining about each other's actions. This was in direct contrast, Pearce highlighted, with the conference tag-line "United we Stand".

Many of the phrases and behaviours Pearce has observed fall under the term "collective narcissism".

Pearce said people are very good at separating into like-minded groups that can define themselves and define other groups. However, those definitions often don’t align – which was one of the drivers in using the term "balkanisation" in the title of her presentation.

Balkanisation occurred when large empires fell apart and groups coalesced according to their like interests. The same has happened in the infosec industry. People have come together based on shared values, ideas and understanding. There are a lot of biases that incentivise groups to coalesce.

"Dealing with 'not like me' is a lot harder than dealing with 'like me'", said Pearce.

Pearce asked the question "What is a security person?" highlighting that this definition is highly variable within the industry. People are often categorised into specific groups such as academics, military, law enforcement, business, industry groups or wildcards. But many people's interests, skills and motivation can put them in multiple groups – their identities come from different combinations. This, Pearce explained, is called Intersectionalism.

If we limit how we see a person, then we risk speaking to them in terms that are not helpful. And often, security people are not afforded high status – something reflected in where the CISO reports. Pearce noted this is changing.

"It's also important to understand that just because someone doesn't act like us, it doesn’t mean they are wrong," said Pearce.

One of the challenges faced when people are placed in organisations and groups that are different is culture shock – the feeling of disorientation and anxiety that occurs when the differences between the old and new become apparent.

When different groups meet, it is important that they take time to understand who they are dealing with and work to break down the differences so the impact of culture shock is minimised.

For example, military operators are often secretive and won’t share information. But by sharing some information, even if it is not valuable, they can break some of the cultural barriers between them and other groups.

Pearce said every different group of security people can be annoying in how they interact with other groups. But by taking the time to understand the needs of other groups, it's possible to break some of those barriers.

The final advice that Pearce gave was: don’t mistake difference for wrongness, don’t expect other cultures to play by your rules, and don’t approach interactions convinced of your own superiority.

It is important to meet with other people outside your "normal echo chamber" and to seek common ground, she added.