Where is the motivation to innovate?

As security practitioners, we are used to the notion of keeping our heads barely above water. Information Security is a thankless game, where our greatest success is when we remain at zero. If we succeed (or are succeeding), nobody notices. If we fail, everybody sees it or hears about it. The pressure to perform is intense and the margin for error is minuscule. During our careers, we make conscious decisions to either blend in with the herd, or stand out from the crowd. We may be rock stars in our own minds, but being in the limelight is something that many people simply do not have the stomach for.

Of course, with the recent rise of organized hacking groups, it is becoming a dangerous game to be in the limelight. It seems that anybody can be a target of revenge at any time, and our digital footprints facilitate this revenge in ways that may not seem so obvious. It is no longer about losing credibility or reputation; it is much more serious. Our families, our friends, our coworkers and peers are all an extension of our drive to succeed; our digital tracks place everyone around us at risk.

By adhering to the principles of game theory, we realize that our best means of solving a global problem is through the cooperation of all actors. Information security is no different. However, the information security industry is faced with an identity crisis that needs to be discussed, as the incentive to rise above with innovative solutions is analogous to waving the red cape in a field of bulls. These bulls may be inexperienced, but more likely may include state-sponsored terrorist organizations or hacktivist organizations such as those operating under the guise of #antisec. As convenient as it is to visualize, hackers and security practitioners are not the stereotypical harmless nerds with crooked teeth and glasses that so many think of.

So what is the net result to the industry as a whole? Have individuals produced novel suggestions and ideas that could advance and safeguard sensitive assets, yet thought through the consequences and decided to cast them aside? Has someone found a means to destabilize or destroy botnets like TDL-4, yet fears coming forward? The bad guys hide in numbers; they do not have the same fear. They are searching for a response to Stuxnet. They are looking to take down our nation’s critical infrastructure and interrupt our commerce. Have intimidation and fear entered the world of information security? If so, what does this mean for the future of the industry at large? Some of us pursue knowledge with a child-like curiosity that has allowed us to succeed in ways that have been used for good guys and bad guys. It is our identity.

In a merit-based society, workers are judged by their accomplishments. When the incentive to succeed is eclipsed by our fear of failing, we become sedentary in our careers. We begin assimilating into a bell curve that depicts the mediocrity of our capitulation. Our customers are expecting rock stars, yet so many of us are happy to be groupies of the band. This is accelerated when our industry eats its own in a desperate attempt to remain relevant in the community. As an industry, we should become more supportive of our peers and colleagues, and accept that we are all part of the same environment. We should not laugh like hyenas when a breach is announced, because it could just as easily have been our work that was picked apart. We should avoid ostracizing the people who are not content with keeping with the herd, who take chances and may stumble along the way.
