Raw Version: Letter to an Insecurity Engineer
I published “Letter to an Insecurity Engineer” as an attempt to validate the insecurities and imposter feelings that often come up in the face of persistent hostility, criticism, and questioning of our competence, from our own colleagues within infosec.
That came out too stiff, so I’m sharing the deleted bits, because sometimes it helps to hear the raw screams of one person sharing their pain and pleading for help to prevent others from experiencing that.
(Why does sharing my pain come out as a persuasive memo? Probably some kind of dark magic.)
Letter to an Insecurity Engineer: Raw and Undercooked
The challenges we face in the security “community” are draining and unfair. The hostility is an unnatural, [hu]man-created artifact — but it’s not immutable, and it’s not your fault.
The Struggle is Real
It’s hard to distinguish which criticism is genuine. It’s hard not to react defensively to genuine criticism when so much of the criticism we face is hostile.
We need criticism! But that criticism doesn’t exist in a vacuum: it’s tossed in among a soup of past criticism, some of which was deeply unfair and toxic. Genuine, valid criticism intended to be helpful is thus soaked in the toxicity of past hostile criticism — so I hope it was encapsulated within a coating meant to resist those stomach acids so that it could be properly digested over time.
You might deeply question your own skills, and question your future. No one can answer that other than you. But I hope we can help you find the answer that is best for you before the energy vampires of infosec completely drain you.
The stakes are high — but I want to be a ladder to help you reach those stakes and slay those who pose as Monster in the Middle between you and your dreams of a secure infrastructure.
As experts in turning insecure postures into secure postures, let’s find the tools we need to mitigate the advance of persistent threats within infosec itself.
What is hostility from other infosec folks but an unauthorized privilege escalation against our own services as security professionals?
Jokes aside, I’m not saying it’s easy to repudiate their claims. It’s not a matter of applying some controls, putting in detections, and handing it off to SIRT.
We should all be detectors of discriminatory and hostile behavior. We should all be SIRT, responding to stop an attack, to prevent future attacks — and to support you beyond that moment as an empathetic and capable expert, as a person and as a colleague, with goals and dreams that you’re not working alone to achieve.
The Support is Real
Alternate section name:
“Truths that don’t help you distinguish that there’s no such thing as a malicious insider—just spoofed accounts/authenticity, and people incentivized to do things we want to prevent, such as stealing our sensitive Personally Identifiable Insecurities.”
Let’s be real: humans take time to process and heal. Your past experiences don’t evaporate. Trauma takes not just time and energy but the support of a community.
But that community you need support from? That community kinda sorta absorbed the embedded systemic oppression and toxicity that everything is soaking in. There’s no binary function a la the “Evil Bit” (RFC 3514) that distinguishes “good” humans from “evil” humans, because humans aren’t “good” or “evil” but some soupy melange of everything. Not ideal.
Thus, the “joys” of hypervigilance and C-PTSD: processing the sense of fear/powerlessness in the face of repeated or ongoing threats to our wellbeing.
The Conclusion is Real
But to emphasize: You’re not alone. This isn’t inescapable. You have support — and while words are powerful and essential for connecting us to each other, you have material support beyond words to change the situation you’re experiencing.
I can’t promise that any particular thing can or will be fixed. I can’t promise that this won’t happen again. I don’t make promises lightly, but I promise you this: we will try. We will try to provide what you need in words and in material actions to stop whatever you’re experiencing, to find opportunities to prevent future recurrence, and to help you recover and to help you work towards your personal goals and your career goals.
We will also sometimes fail at some of those, and I’m sorry for that.
This world is cruel and unfair. Our industry is hostile to people from marginalized, stigmatized, and minoritized groups. And you don’t deserve that. But I promise to do my best to make this industry less hostile, and when I fall short, I will try to fix the impact of my mistakes.
Like you, I won’t be doing this alone. We’re in this together.