Information Security Syndrome
September 15th, 2009 by Jordan Del-Grande
Today’s post is an attempt to coin a new psychological condition, one often seen within enterprises, specifically in the information security zealot. It is meant to be taken light-heartedly, but with a serious lesson to take away at the end. So, without further ado, if you currently display the following conditioned responses, you are hereby classified as an individual suffering from Information Security Syndrome…
- You are incapable of mingling outside the security clique, due to the obvious fact that everyone on the outside is suffering from some form of security “ignorance”. As such, they [the non-security personnel] would be incapable of understanding the intricacies of your stealthy security work, and any attempt to explain your “advanced” job would be futile. Simply by applying the thin-slicing techniques you mastered in your security ways [which also cannot be discussed], you have perfected the art of knowing that they will never understand the true essence of what you do.
- At social events your partner has dragged you along to, outsiders keep telling you information about themselves that they shouldn’t. You know it wouldn’t be elite of you to use this information against them, so you politely inform them about phishing exploits, Facebook worms, social engineering and the like. Oh no, you’ve performed yet another security faux pas and are now trapped talking to these newbies about security 101, like patching your system and firewalls [oh, so 2001].
- You are certain that everyone else has somehow got it wrong, and every day it is an amazing feat to wake up and discover that the world hasn’t yet ended in the cyberwar that is always about to happen. Thank God for hackers publishing unpatched exploits to make the world a safer place, and for annual retreats to Black Hat and Defcon to lift your spirits.
- Life and work are not about reducing risks to an acceptable level; they are about eliminating all vulnerabilities and tinkering with the latest bleeding-edge, coolest tools whenever possible.
- If your job were a metaphor, other people would describe you as a stage gate, or as an angry police officer best left alone. You know deep down that you are fighting the good fight, and tough guys don’t cry.
- At every security conference, everyone so gets you and you so get them. There is an unbelievable amount of head nodding going on, you’re amazed they simply don’t fall off.
- In the office you are forever getting pummelled by the ever-increasing sea of threats, and yet nobody sees or understands quite what you are talking about. There is an unbelievable amount of head shaking going on; you’re amazed they simply don’t fall off.
- You make abusive calls to people who have spyware, malware or viruses on their laptop and who so foolishly jacked into your LAN [note: not the corporate LAN, as you are now its official caretaker, self-appointed]. You request that they immediately remove the laptop from the network, and hang up without offering any further support. After all, you’re a secret crime fighter and have other fires to fight. To the Batcave.
- You know very well that the most efficient way to reduce phishing is to call CERT and have them immediately bring down the hacked site. But if you went and did that, how would you ever get a chance to try out the latest phishing kits, or to reverse engineer code and show how cool and smart you are? Your quest for knowledge and cyberdome wisdom far outweighs the common person’s problems.
- You can make moral choices on other people’s behalf because you are a security demigod.
—–
OK, OK, that’s enough of my attempts at humor to belittle and poke fun at the ever-hilarious security zealot. I hope the above didn’t upset anybody, but it at least calls out some home truths about when good intentions don’t result in good outcomes…
—
One issue that came to mind when writing this, and one that I also find extremely interesting, is the current disconnect between security and the rest of the population (i.e., the real world). Reading any recent security whitepaper or report, visiting security blogs, or attending any recent security conference only reiterates that the state of cybercrime is alarming. So why is it that [in a proportion of cases] only the security zealot cares?
Why isn’t this information about newly emerging threats and constantly changing risks being communicated to the people it impacts, who are also in charge of the purse strings and can do something about it [CEO, CFO, CIO, COO, etc.]?
In order to answer this question, I am going to turn it around on you. It is up to you to look honestly first at yourself and then at your team. Do you have the right information, in the right format, for your audience? Do you have the right personality and the right attitude for your audience?
As a recommendation for resolving this pandemic: once you have the above boxes ticked, raising the issue at board level through an appropriate representative, such as the CISO, would be worthwhile.
Good luck!