Toxicity in the cybersecurity sector

Today I find it necessary to move away from the technical side of this website to an opinion piece.

I have been in the cybersecurity sector for 5 years. Specifically, in offensive cyber security. I have been lucky enough to go straight into cybersecurity work, which is rare. The most common thing is to find profiles that have a background in development or systems administration and decide to leap into IT security.

That is why I cannot compare it with other sectors, not only in the labour market but also in computer engineering itself.

But I can tell you about what I have seen during these 5 years, in which I have worked for companies in 3 different countries and I have met people of all nationalities.

And what I have seen is that the world of cybersecurity is toxic.

The level of pressure that can be reached in a company is extremely high. You might think that this pressure comes from the workload, from the boss who exploits the worker. But in our sector, this is not the case. At least not in my experience. In our sector, it is the co-workers who create a toxic environment for each other.

The need to be accepted

I have actively participated in dozens of chats in which colleagues were criticised. The world of cybersecurity is complex, and mistakes are made. Especially when you are a noob. But in these environments, a mistake means that others will point and laugh at you. They won’t do it in front of you; in fact, when it happens they will help you and explain the mistake, demonstrating their knowledge of the subject. However, before the end of the working day, your mistake will be talked about in the next building.

This makes us all try to hide our ignorance at all costs. You don’t want to be like that fool who tried to SSH into a server by opening the browser and typing ssh://<ip>.

We all want to be on the side of “the good guys”. Those with the highest technical level. So it’s time to pretend and be part of the mockery. Because admitting that you didn’t know that this can only be done with FTP and not SSH would be admitting your ignorance and becoming the focus of ridicule, and you can’t allow that to happen. It would lower your social status within the company.

 

The difficulty of learning

In such an environment, where you are under pressure all day long to be careful not to make any rookie mistakes for fear of what people will say, it is very difficult to find someone to teach you. On the one hand, you are afraid of asking something silly and having your ignorance exposed. On the other hand, you fear that you will answer wrongly and the same thing will happen. The “good guys” will help you from time to time, but don’t expect to find someone who can mentor you and help you on your way. 

It is true that in our sector it is relatively easy to use the internet and train yourself. But it is also true that I have learnt the most through practical examples by observing others, asking questions and trying to understand. And it’s a pity that among colleagues we don’t help each other more. But how can we do that when we are under constant pressure from each other?

Security by Obscurity


All these points mean that in our sector we generate the “security by obscurity” that we later report so much about when it is our customers who use it.

The less we share, the less chance we have of looking bad. We are too affected by what people think of us, we need to be accepted by others. In such an environment, it is very difficult for transparency to prevail.

Anyone who tries to stand out is criticised. No matter how good you are, no matter how you expose yourself and try to do something out of the ordinary, you will soon find detractors among your own colleagues. Just look at cases like Chema Alonso or S4vitar. They are people who have managed to go far and stand out in the world of cybersecurity. Thanks to the content sharing that they do, the offensive security community grows every day, we are given more visibility and companies understand why we are necessary. And that translates directly into money in your pocket.

Of course, envy abounds, and it is more common to hear comments like “that guy? he doesn’t deserve the money he’s getting paid, he’s just a schmuck who gets his certifications by asking for hints, I’m much better than him”.

The Impostor Syndrome


All the pressure we are under in our industry is not just from the outside. You are worse than anyone else when it comes to judging yourself.

In an environment where you have to keep yourself afloat by pretending and seeking the acceptance of others, it is logical that when you stop to think about it you realise that you are not that good, that others see you with the image that you are reflecting but that it is a lie. You are an impostor and the only thing left for you to do is to keep on pretending because if they find out how little knowledge you have, they will fire you.

This is what is known as Impostor Syndrome, and it happens very frequently. As we advance in a field, we discover more and more complex things that require a lot of research time. Each step you take reveals three new paths to follow.

The more you learn, the more you become aware of your ignorance. But that doesn’t make you an impostor, on the contrary. If someone comes to me and tells me that working with Beacon Object Files on Cobalt Strike is painful, I don’t think they’re an impostor. I think it’s someone who knows the C programming language, uses Command and Control servers and has enough knowledge of systems to say that it’s really a nudnik.

The real impostor is just someone who claims to be able to do things he has no idea about.

Conclusions

Our sector has many benefits. The possibility of teleworking, moderate workload and (for me the most important thing) a tremendously funny and exciting job.

But there are some things we need to improve. Criticism of colleagues is one of them. And mind you, I don’t want to give the impression that going to work every day is hell. In this post, I only expose some behaviours that we all have had at some point.

Since I started, I could not be more grateful to the different colleagues I have had. They have been a great support for me and it is partly thanks to them that I am in my current position. But we can create a much healthier community if we eliminate these toxic behaviours that we all eventually have.

 


I hope you don’t mind that I’ve changed the theme of the website a bit with this more personal article. I’ve been reflecting on it for a few days, and it seemed appropriate to communicate it, in case anyone else feels the same way.

Lethani.

1 thought on “Toxicity in the cybersecurity sector”

  1. Such a great article that I have decided to bookmark it. Then looking for some more I stumbled upon this one here and I definitely agree on what you said. Life is too short to be a coconut head and I’m always open to share what I have learned and listen to others. Keep going!
