While attending CPX 2014, I had a mini-epiphany. This twitter thread got me thinking, “Why is CPX so much different than VMworld?” There’s an obvious size difference – 1600 attendees vs 28,000 – which leads to less sessions and smaller parties, but that’s a given. “Why is the InfoSec community different than the Virtualization community?” This is the real concern, the cultural differences between the two communities that have the most overlap with my job responsibilities and personal interests. One notable difference is that in InfoSec, there aren’t many well known practitioners of security, though there are heroes and rockstars. It also seems to be a less vocal community, and when it does speak, it’s in generalities and news, such as 5 Common Attack Vectors or Who Was Hacked This Weekend. In Virtualization, there’s a lot of public recognition for people, even the niche topics, and the community gets down and dirty and shares very practical information in addition to higher level concepts. So, why this startling difference?

Security Practitioners can be insular

Many of you reading this probably first visited this site for virtualization content – which makes sense, as my first posts were on PowerCLI and Auto Deploy. As such, you’re probably familiar with the drill for conferences: get caught up on your timeline by 7am, then prepare for it to be blown up all day long. Check out the feeds for Storage Field Day 5 (#SFD5), the OpenStack Summit (#openstacksummit), and of course, VMworld (#vmworld, #vmworld2013). Dozens, sometimes hundreds, tweet about each keynote, allowing those not attending the pleasure of knowing what’s going on in near-real time. You can sometimes even convince an attendee to ask your question of the presenter! This extends past the keynotes, which are sometimes streamed, to the individual sessions, which are frequently not streamed and sometimes never recorded or put online. Even if you attend, it’s still interesting to read because inevitably another attendee caught something you missed or saw it differently, giving you additional insight (who else learned from Twitter that Cisco wasn’t on the NSX announcement slide at VMworld 2013?). These interactions create a lot of content ancillary to, but just as important, as the conference agenda itself.

Compare this to the #CPX2014 timeline. I was by far the most prolific tweeter (in a nod to @PhoneBoy, who provided most of the tweets at CPX2013 but was not at CPX2014) and most tweets had zero interaction. The only followups I had were with PhoneBoy, a few tweets were favorited, and maybe 1-2 retweets. The largest response I got was to a humorous tweet. Looking around, it appears that the other tweets had the same level of interaction. (I don’t expect that my thoughts in particular are that valuable, but I didn’t have a lot to compare to! Little to no ongoing interaction means little to no meaningful conversations about Check Point products or InfoSec as a whole on Twitter. That’s just one medium, but for other communities – Virtualization, PowerShell, numerous vendors, even #CancelColbert – it’s an important medium.

Is the issue with Twitter specifically? If you look at blogs, InfoSec seems to have the same issue. There are a LOT of InfoSec blogs, just as there are lots of Virtualization blogs. In my (admittedly, cursory and one-sided) review, it seems that the two communities have dramatically different types of articles. Virtualization articles tend to focus on “how do I help my colleagues?” InfoSec articles tend to focus on “Look who got hacked!” or “Here’s a political issue surrounding InfoSec”. While these tendencies are not absolute, I see the Virtualization community as more empowering of participants and the InfoSec community as more sharing news. Just take a look at a self-proclaimed top 100 cyber security blog list, see how many are dispensing practical information versus industry news.

Need more proof? Of over a dozen presenters, only one presenter listed a personal blog (Brian Krebs of KrebsOnSecurity.com) and a whopping zero listed a Twitter, Google+, or other social media nickname. Some time spent searching the web for presenters showed this is because these people (again with the exception of Brian Krebs and Reuven Harrison of Tufin) don’t exist in the social media universe. Some of the vendors did not have social accounts, which just seems weird to me when even my dry cleaner has a twitter account.

OK, so social media is a bust. But we’re at a conference where we’re in physical proximity to each other, social media isn’t needed. However, meatspace interactions play out the same way. Sure, when vendors start buying free drinks, some people started to socialize, but even that was mostly clumps of people from the same employer or who already knew each other at one table and people from another employer at another table. Of the 1600 people, maybe 300 participated in these social events. Whether or not free drinks were involved, my attempts to socialize outside of my existing work circles were mostly met with a few short sentences, an awkward silence, and the end of the conversation. I would think that perhaps it is me, but my coworkers reported the same trend. Rare was the person who would split from their existing clique to hang out with some random strangers.

Why is it this way, and should it change?

Quite possibly, this overall insular effect has to do with the subject material. Security is serious business, often requiring us to keep our mouths shut about specifics due to NDAs, security clearances, or just general trepidation. At an industry event, that leaves many with the impression that there is nothing significant to talk about but the weather. In a broader sense, being too well known might make people fear that they or their employees will become targets – something Brian Krebs can verify is NOT an idle concern. This combination of paranoia and company-mandated restrictions appears to have created a culture of insularity and non-socialization.

This has a few side effects. The most fresh in my mind is, it makes conferences boring. You leave knowing about the same number of people you knew when you went there and your interactions with the presenters are limited to the sessions and whatever facetime you might grab afterward. Another effect is that it leaves others in the dark about you. A paranoid personality that makes you a good fit for security also makes you a bad fit for social media, and thereby you become somewhat invisible to our modern, connected, social world, which is part of the feedback loop that leads to low interaction at conferences. It also means that when you look for a new job, you have to prove yourself every step of the way with every interviewer as there is no public portfolio to show what you are capable of. Finally, you can suffer from a lack of knowledge of changing trends, technologies, and skills in your industry.

That’s how things are now. Is this a good thing? Well, the lack of attention on an individual or company can possibly be a benefit. The rest of the effects are fairly negative. Low social interaction (physical and network-based), low visibility, and an inability to keep up with modern skillsets aren’t great tendencies. Each individual can overcome these negatives, but has to do it individually. This is where social media can become very helpful.

Social media, by its very name, will increase your social interaction with others, both within and without your community. This can lead to anything from interesting discussions with industry colleagues at another company, sharing war stories over a frosty beverage at a conference, or re-connecting with old friends and colleagues. It also makes you more visible, where others can see what you are doing and have done. Together, social connections and visibility build a positive feedback loop, which builds to more connections and more visibility, which in turn helps you sell yourself to your current or future employers. Some vendors and companies have rewards and recognition programs for social media evangelists, such as VMware’s vExpert, Cisco’s Champions, and EMC’s Elect programs. Being a recipient of such a program nets you great visibility with your peers and often access to software and licenses, great for growing a home lab and continuing your self-education.

The last benefit is in learning. By crowdsourcing learning, the responsibility is not on your shoulders alone. What happens if you chose to learn about the wrong thing? Well, tough. You might find a way to sell it, but it isn’t exactly a good fit. In a social world, you learn what others are learning about. This helps you do a few things: pick up new technologies quicker through the learning of others; focus you on technologies and skills that others have found to be a good fit (and possibly warn you away from bad fits); and give you knowledge of technologies that may benefit you in the future, even if you do not take the time to learn about them now. In our ever changing world that relies on constant learning, this is a huge benefit to everyone.

Making a Resolution

It’s difficult to overcome our paranoid tendencies, embracing the positives of social media and moving away from the negatives of being disconnected.  InfoSec people can still talk with each other, can still share general ideas and thoughts about their work experience without getting themselves or their companies into trouble, and can participate in social media without becoming a security risk. You can also help foster a more helpful InfoSec community. The virtualization community was lucky yo have John Mark Troyer (@jtroyer) who saw how to convert a social media wasteland into a vibrant community of colleagues. There is no @jtroyer of the InfoSec community that I am aware of, nor are there vExpert, Champion, Elect, etc. programs for recognition. This leaves it up to you and me to step up and address these issues.

I’m going to take the first step here in public and commit to addressing my own failings. In its first three months, my blog that is ostensibly about “Infrastructure, Virtualization, Security” has only one security article. In fact, where I do mention security, it’s usually to say something like, “Be more secure in production!” That’s not helpful and I’m going to change that, starting in July(*). My blog is going to start featuring security articles (about what, I’m not quite sure yet!) and my non-security articles will actually address HOW to be more secure in production. I’m going to discuss security more on Twitter. In all cases, I’m going to help foster novel content and an active InfoSec community.

* I do have some already-written content that I will not have the time to curate before it is scheduled to publish. Busy life is busy!

I’d like it if you would join me. For InfoSec practitioners who are already active in social media, I ask that you spend less time repeating industry news and more time cooking up new content. For those who are not yet active in social media, I’ve created some guidelines that may help you get started:

• Investigate your company’s social media policies. Most companies have one by now and you absolutely need to comply with it before going any further.
• Seek out the proper audience. For example: Facebook is for keeping in contact with friends and family and sharing all of your information with the world; Twitter is for work communities; Blogs are great for introducing yourself to the world and sharing what you have learned. Google+ has some overlap with each but fewer conversations happen there (and even Google isn’t very upbeat about its future), but if you like it, use it. Stay away from security unconscious platforms like Facebook (or segregate them from your InfoSec personality) and stick to platforms where you have more control over what is shared, such as Twitter and Blogs.
• Listen first. Like all social communities, if you just run in and talk over everyone and disregard the social norms, you’re not going to get along well. The days of claiming false or exaggerated autistic tendencies to excuse inappropriate behavior are over (if you’re not autistic, don’t make it more difficult for those who are!) so take the time to feel things out, then participate. You can still get a lot out of social media without ever liking, retweeting, or creating content.
• Share what you want. If you’re complying with social media policies and are controlling everything, you can share helpful InfoSec tips or best practices or “what went wrong” stories without opening up yourself or your company to attacks. Be smart, but don’t let fear rule you.
• Find dissenting voices. It’s very tempting to follow a bunch of people you like and call it a day, but that just leads to an echo chamber. For example, Brad Hedlund, Scott Lowe, and Joe Onisick have some pretty fierce dialogs about NSX vs ACI. Being a VMware kinda guy, my natural inclination is to stick with Hedlund and Lowe. However, Onisick often makes good points and following him encourages me to investigate (and HEAR!) both sides of the conversation instead of accepting one as gospel. Take the time to find some contrary, but quality, people to follow. A good way to find these people is to review the full conversation when you catch the tail end of an argument someone you follow was involved in, someone in there might be worth following. (Warning: following Joe Onisick requires a thick skin. You’ve been warned.)
• Make sure you are actually contributing. This is especially important as you start out and find your voice. Before you hit send or publish, think to yourself, “Does this advance the InfoSec industry or my personal goals for using this platform?” Don’t be afraid to hit cancel. Once you get in this habit and find your voice it will become more natural, but never stop asking yourself that question.
• Remember that people aren’t 1-dimensional. That person you added because of the their job might have the same hobbies as you. They might also be interested in something you hate or think is dumb. You’re interacting with multiple, overlapping communities at all times. Be cognizant of how what you say may be received.
• Respect people. Don’t just avoid negative labels that end in ‘-ist’. Ensure you’re actually listening to the other side of a conversation and taking that person as seriously as you want to be taken. You’re going to be wrong, accept it gracefully.
• Focus on creating novel, useful content. This can be something you did that worked well, but it can also be something that ended in tears. Helping others avoid your pitfalls frees everyone up to do more useful things.
• Recognize others and their content. Promote those you know who are knowledgeable and helpful. Promote new participants so they can become part of the community faster. And if you’re in the rare position of power to reward the knowledgeable an active participants, do so in an appropriate manner. Hire/convince them to speak at a conference, get them some access to your beta software to help you improve it, whatever you can do to help the community and its members.
• Make time for real life. Don’t be overwhelmed by social media and become a stranger to your family.
• Have fun! If you’re not having fun, take a step back and figure out why. Maybe some time off will help, or maybe this just isn’t for you. Not everyone needs to be vocal in social media, go back to listen-only mode and see what happens.

I have one other tip that’s specific to Twitter, though it has analogs in other social media: learn the difference between retweets and favorites. When I spoke above about promoting people and content, that means retweet.

Feedback

This is my opinion on the state of InfoSec in social media. I hope that you’ll join me in creating an exciting, helpful, and vibrant InfoSec community across social media platforms. I also hope that you’ll give me some feedback on what you think. If I’m missing some great InfoSec recognition programs, or completely ignored a vibrant segment of the community, let me know. If you have your own thoughts for growing the community or general social media tips, let me know. Please forward this article to your colleagues, I’d love to hear from more people. Thanks!