InfoSec, like many professions, has a known echo chamber. The same people that joke about it are the same people that contribute to it the most.
The repetition appears in tweets, blog posts, podcasts, and at conferences.
While the InfoSec space has a fairly large echo chamber, it is also a rather harsh space in which to work. Someone makes a mistake – tweets goes out, blogs are written, podcasts analyze it, and a TV reporter might conduct interviews about it. How often do people in the InfoSec space praise each other? While it might be difficult to recognize successes in InfoSec, there are far more companies that don’t make the news for negative reasons. I would like to think that the people securing the companies are doing something right or well. People that read this are probably thinking that any company not exposed for a compromise must be hiding or not sharing information. If a company is compromised and immediately takes the necessary steps to fix the problem without the company making headlines or killing a twitter feed, is that a bad thing?
The echo chamber makes me laugh at least once a day with the over use of acronyms and repeated “this doesn’t work, we need to change” mentality. As I watch my twitter feed roll by with a fair amount of negativity, I wonder where the leaders are with ideas on how to change and improve the InfoSec space. I believe that many of them are working quietly and implementing controls to keep their company or business safe. I would love hear from them, but suspect they feel safer keeping quiet.