Friday, February 6, 2015

Caveat Emptor

Although I'm not a Latin speaker, I am quite aware of the phrase "caveat emptor".  This phrase is most often translated as "let the buyer beware".  There are many contexts in which this phrase is appropriate, most notably when discussing contracts or legally binding agreements.  Unfortunately, I would argue that the phrase is becoming increasingly important in the field of information security.  What do I mean by this?  Allow me to explain.

I was fortunate enough to be invited to speak at a conference earlier this week.  Before my talk, I introduced myself briefly, as I typically do.  This particular time, it was a new crowd for me, and I did not know many people.  I was a stranger to them.  As I listened to some of the other talks, something dawned on me, and the idea of caveat emptor crossed my mind repeatedly.

When I introduce myself or talk about my background and experiences, I do so honestly.  People who know me and have worked with me in the past will vouch for that.  However, as we all know, not all people approach themselves in the same manner.  In fact, one speaker's introduction sounded nearly identical to mine.  What was the issue?  I have come across this individual in the past, and although I do indeed have the experience and skills I say I do, this particular individual does not possess that same experience and those same skills.  Surely, we have all worked with or crossed paths with individuals like this in the past.  Where there's smoke, there's fire - except when there's not.

What's interesting to me is not necessarily that some people choose to embellish or blatantly falsify their backgrounds.  What's more interesting to me are two points: a) the rate at which these individuals seem to be appearing in the information security space and b) how hard they make life for the rest of us.

Regarding point a, this is perhaps not surprising.  Information security is now a hot field.  Whereas ten years ago, we were the obscure, quiet geeks in the corner, today, we are en vogue.  With the amount of money being thrown around in our domain of expertise, it's not surprising that there are suddenly countless new "experts" coming out of the woodwork.

Of course, with all these new "experts", it makes life that much more difficult for the rest of us.  I realized something very important when this particular speaker introduced himself.  To the crowd of strangers we both addressed, we are the same.  I'm not sure they can differentiate between who is real and who is not real.  At first, you may have an adverse reaction to this statement, but it is an important point.  Perception is reality.  This is unfortunate, and this is where the caveat emptor point comes in.

If you have ever been in or spoken with someone in a leadership position within an enterprise, you know that all day, every day, "experts" hound them.  After a while, all the buzzwords and marketing lingo begin to sound the same.  It makes it tough for both the enterprises, who very much need effective help (rather than ineffective or incompetent help), as well as the true information security professionals who are too busy working and solving problems to self-promote and shout above everyone else.

So what can we as a community do?  We can provide honest, truthful references and feedback.  We can vet people and companies we speak to.  We can seek out other opinions.  I fear that the days of taking what someone says at face value are slipping away from what was once a very tight and close-knit community.  It makes sense to vet.  Take care of the good information security professionals you know - they need it.  We have entered the days of caveat emptor.
