During the past few days a new online platform called pwnhead has emerged, showing an online “ranking” where cyber security professionals from “all over the world” are listed and rated based on their professional and personal achievements.
Every year I attend many different computer security conferences, to get a better view of what is happening in the world, meet my friends and learn new things. It’s no big surprise to me that the cybersecurity community, especially the part of it that attends conferences, is not really a big community compared to, for example, the community of web developers or other broad categories like that one. And if you look at countries like Spain, the community is even smaller: I can name a lot of people who are practically fixed attendees at every con, and sadly for the sake of diversity, fixed speakers as well.
We don’t need more ego, we need more people
If someone has a passion for what they do and does a pretty good job, in the end they will have a huge amount of experience to share, and it is absolutely normal to see them as a guru and/or a leader in the community. The problem comes when there is limited generational turnover and that turnover is not promoted by the community itself. Having the same people applying for, and getting selected for, speaking slots at conferences year after year can be discouraging for newcomers. It may also be a negative factor for the development of the art, because the lack of turnover may make the current gurus think they don’t need to innovate, since they will be seen as leaders anyway; paradoxically, there is limited (healthy) competition here.
To summarize a little bit, the lack of new blood in the community and the guru culture can create closed, elitist circles that end up limiting generational turnover and thus innovation in this art.
I think it’s pretty obvious that this is bad on many levels. In our industry we are constantly facing new threats; cybercriminals are constantly innovating, and they don’t give a damn about whose ego is bigger or who’s at the top of whatever list, as they care only about their objectives and their profit. We already know that cybercriminals cooperate and cover each other’s backs to maximize their benefits. Refusing to do the same is not an option.
We need to be open to everyone
When I’m asked what the best strategy is to keep a company network secure, instead of talking about TDR, UTM, AVs and such, I always say that the best strategy is user education.
What I mean by this is that we need to be open to, and include, the whole tech community in the cybersecurity scene. If we get everyone to be conscious of the good and bad practices in coding, setting up servers and designing products, and of the specific risks and their mitigations, we will end up making our products more secure and thus reduce the risks. I know a lot of folks who don’t work in any security job (they are web developers, QAs and sysadmins) and who attend every single hacking conference they can, and I think that is fantastic, as they apply their knowledge to building better products and running better operations.
I totally support conferences that host specific tracks focused on a non-cybersecurity audience.
Becoming an elitist, closed community won’t help get other people interested in joining.
The case of pwnhead
So recently a new website has come into play. pwnhead claims to have a ranking of the top hackers in the world, classified by country.
And I want to go straight to the point here: in an industry that is critical, small and already filled with egos, a ranking like this can only contribute to increasing unnecessary stress, lack of cooperation and a fake sense of elitism.
How do you measure your “talent” as a hacker?
I know a couple of folks who are pretty good at what they do: they can look at a hexdump and already know what is going on there, they are team players and well valued, but they are super shy when it comes to speaking at conferences and they haven’t released any tool yet. So how do you measure that? Aren’t they good enough?
On the other hand there is me: I’ve spoken at some conferences, even outside of Spain, and I have code on GitHub, but I’m an absolute junior compared to those people I know.
This is wrong on so many levels. What if companies start using these platforms in their hiring processes? This level of competition can force a lot of good professionals to sacrifice their personal time in an attempt to accomplish some random goals just to “stay in the market”. Also, do these goals have a clear correlation with professional success? Is someone who developed a tool a better professional than someone who hasn’t but has 10K more hours of practice in the field? As you can see, trying to use static (maybe call them linear) measures to evaluate dynamic and complex situations and contexts can lead to wrong answers and inaccurate analysis.
Data sources and cultural bias
The other important aspect here comes with the following question: how does pwnhead get its data? From their responses on Twitter one can guess that they have some “editors”, most of them related to the English-American scene.
Since every year I help set up the overdrive conference along with the defcon170 team, I coordinate with people from all over the world, and I know that different communities in different countries can have very different metrics for evaluating success. One also has to note that in cybersecurity some jobs have strict non-disclosure policies, so measuring the success of professionals in that context can be really hard, even though they can have pretty amazing skill sets.
What do we need?
If we remove unnecessary competition we’ll have room for what we really need and what can really help us. Some ideas may include:
- An online conferences directory/calendar
- An online tools directory
- A hacking communities dynamic map
- A cybersecurity companies directory
- A cybersecurity online mentoring site
Among many others, and I’m pretty sure that some of these, if not all, already exist!
I really hope that our community is mature enough to avoid falling into this competitive spiral, but even if we get over this we still need to think about how to face some problems we already have, like getting new people in and spreading a cybersecurity culture across the general tech scene.