Having some unremarkable traits has let me be invisible, like a ghost.

Here are things I’ve learned while being invisible. A thread.

Brief aside, I am a Ninja. As in, an authority bestowed upon me the title of Ninja. It was a 6th degree Aikido Dan who needed to borrow my WiFi once a week, and the title was the cost.

There are several layers of irony and silliness there.
Your users aren’t as stupid as they lead you to believe. They understand the cleverness and ease that exists in feigned ignorance.

Anyone who has worked a physical job with migrant labor knows this as the “no ablo engles” effect.

Your org does, in fact, understand #infosec risk. They have tunnel vision on availability. That makes sense in a hospital or an online game, even banking.

The failure is yours if they don’t see the importance of confidentiality and integrity (the C and I), like banks didn’t in the early Carbanak days.
To understand the business’s view of the cost of risk, you need to understand the basics of assets, liabilities and cash flow. This is the language of business, so you can’t let it be indecipherable hieroglyphs. You work for them; learn the language.

I appreciate this sounds like “if you come to America, you better speak English.”

Cold truth, you don’t have to speak English to survive here. But it does make life easier.

From a business standpoint, there is such a thing as acceptable losses. We find this abhorrent, due to the bias of security.

We know it’s really bad to pay a ransom - we see the second and third order effects. The biz sees: do we reopen or close for good?

Yes, our adversaries understand the language of business. Effective cybercrime operators are bound by the same rules.

If someone releases an OST without documentation on how to detect it, they are knowingly causing harm to every small and medium size org.

Period. Full stop.

The goal of small and mid size shops who try to do security is to cover as much ground as possible with as little money as possible. There isn’t a focus on advanced defense, because they can’t afford it and don’t have the expertise to make use of it.

Just keep the org heart beating.

Mid size shops have security assets whose primary job is to work with the MSSP doing the work the org can’t afford to do with FTEs.

Good shops make sure it’s a technical infosec asset, not the usual GRC asset.

Do you need certs? The experts say no.

Specifically the experts with 15-20 years who can get a job with name recognition. Bias of their viewpoint.

Certs are like degrees, they are differentiators for HR. It’s not about what’s right or good, it’s about what is.

If you don’t think it’s fair, then take a low paying job in HR and dedicate your career to changing that at one org.

Can you learn the things those classes teach independently? Yes.

The classes make it easier because they show you what you didn’t think to ask.

Never undervalue expertise. Never undervalue your time.

What I would do differently?

1. Intern with a major Corp while in college.

2. Self finance one major cert class early on.

Both create a large amount of opportunities unseen by most.

One of those courses can cost 8k!

Yep. It will take a lot of sacrifice to afford it early in a career.

But this is #infosec - sacrifice is part of the package. Always having your gear even on vacation, being on call, the time spent in continual learning: that is why we get paid.

There is so much gods damn drama in #infosec

That is the only downside. There is no #infosec community. There are many clique ridden pockets masquerading as the community. I’ve been part of some. I couldn’t stand it. Especially around cons.

The best cons are smaller local cons starting out (unless they are run by all the same people).

Here you will see people giving talks with passion for both the material and the opportunity, not the ones let through the gates by the infosec politburo.

18 was definitely one of these

On Twitter, find good resources who are largely outside drama.


Good shepherds in different disciplines who are knowledgeable and good resources.

Also, sometimes you need knowledgeable but silly. We take ourselves far too serious.

@da_667 - because sometimes you need a healthy dose of tank fornication (and lab build expertise)

@CharlesDardaman - evasive who doesn’t like memes

Also, don’t die on a digital hill. You get nothing from this, and your stand will be forgotten as fast as the infosec mongeloid zeitgeist (tm) moves on to the next thing.

Always better to live to fight another day.

And it’s ok to be a little hypocritical. We’re human. And in that vein, hills where I will die:

Tea > fermented cow urine > coffee

Little Caesars makes a good product.

Infosec drama sources do not correlate with gender.

No one is coming to save you.

Finally, have an #infosec exit strategy. You shouldn’t have to do this forever. You shouldn’t have to do it until retirement age. Make sure you have passions that don’t involve the digital. Yourself 1/10/25 years later will thank you.

Post script:

When the job is done, and you are at home, in private, it is perfectly ok to get giddy as shit when @SwiftOnSecurity likes some of your tweets. But only at home and in private.

Please excuse me, as I am at home and in private.
You can follow @InfosecGhost.