Monday, 2 May 2016
Infosec? What Country Is That?
I am familiar with the pains of discussing information security with “outsiders”, thanks to my Romanian origins. Explaining my country to non-Romanians is not much different to talking to non-technical people about security. Everyone has a vague idea of what it is, everyone knows a couple of standard stereotypes (thank you, Hollywood!), everyone has some expectations of what its inhabitants should look like.
Note: All the questions below have been posed to the author at one point or another, by various friends, acquaintances, strangers on the bus. You always start the conversation with the premise that no one will know what you are talking about, so you must accommodate the interlocutor and provide some context about the information security industry, clarify it’s a self-standing profession, and not to be confused with the more generic IT-support.
Interlocutor 1: So, is Romania a part of Russia?
Alina: No. Part of the former eastern European communist bloc of countries, but that ended in 1989, with the revolution. We’ve been aboard a merry democratic transition ever since…
Interlocutor 1: Ah… so it was part of Russia?
Interlocutor 1: I don’t get it. Sorry, I wasn’t very good at Geography. To be honest I don’t know much about Romania. It’s one of those places that you know they exist, but you don’t really hear much about.
Alina: That’s ok. It wasn’t ever part of Russia. We have lost Moldova (which is occupied by Romanians) to Russia, but Romania was never assimilated.
Interlocutor 1: Is it civilised? Do you have normal amenities?
Alina: What’s a normal amenity?
Interlocutor 1: Don’t know… electricity?
Alina: Mhm. We kinda need it. For, you know, essential living arrangements… like heating, lightning, Internet. Don’t get me wrong, we like living in caves heated by fire, as much as the next guy, but once in a while the iPad runs out of power.
Then, the dialogue seems to get a little more on track as people start recalling some names, or stories they may have read in the news. Hacking stories are not necessarily the most high-profile, but they do manage to draw some interest, awe or fear. Hollywood does drive some form of cyber awareness, at least. Problem is Hollywood also has a knack for exaggerating.
Interlocutor 2: Ah! Romania… I remember… Ceausescu. And that vampire… Dracula, right? He was some kind of a leader or king in your country, wasn’t he? Was he really a vampire?
Alina: Leader, yes. Vampire, not quite. Hollywood hasn’t got a great track record with sticking to facts and accuracy.
Then follow the natural confusions between the bad guys (cyber criminals) and the good guys (ethical hackers). Changing the perception that not all hacking is bad hacking and explaining that there is an actual need for ethical hackers (or penetration testers) to use their knowledge for good is always a challenge.
Interlocutor 3: I read that there are lots of Romanians begging on streets, in many European countries. Doesn’t make your people look very good. You see them in the news. I have to say it is a bit worrying.
Alina: Only a small proportion of the ones reported in media are actually Romanian. However, semantics, misleading information and lack of interest result in a wide-spread confusion outside of Romania’s borders.
Altogether, we have good and bad just like anywhere else, but when you’re an immigrant, you get scrutinised under microscope. Social issues get magnified to suit political agenda, and you find yourself in a very generic box with the label “dangerous” attached to your forehead.
Next, you explain the language. The technological lexicon can put off even the most patient, well intended ear. Most of the lack of interest towards cybersecurity stems from the intrinsically discombobulating vernacular attached to the industry. All the while, the more popular siblings such as mobile apps, web clients, social media have entered the colloquial jargon thanks to necessary integration into people’s professional and social lives. You would be hard pressed today for example, to find people not knowing what Microsoft Office is, or how to operate Skype.
Interlocutor 4: What kind of language do you speak in your country?
Interlocutor 4: Is it like Russian, Polish? It sounds a little like it.
Alina: Haha! More like Spanish and Italian rather. Romania is part of the countries speaking
Romance (or Latin) languages
Interlocutor 4: What did you say it’s called?
Interlocutor 4: I don’t believe you.
Finally, gently break the expectancies of what the information security professional should look like. These particular stereotypes are a direct result of media portrayal of “geeks” as socially awkward people, mostly men (which in turn reflects the gender imbalance the industry deals with), that have little else in their lives aside from computers and gizmos. Is there any wonder that future generations may not want to be associated with these negative portrayals?
Interlocutor 5 (knowledgeable in ethnic physiognomy): I like Romanian girls. You don’t really look Romanian.
Alina: What does a Romanian look like?
Interlocutor 5: More blonde, with paler skin… I mean you obviously have a light skin, but you are not blonde, are you?
Alina: No. Neither is a large proportion of my co-nationals. But go on, what else should a Romanian look like?
Interlocutor 5: Don’t know, but they are usually very pretty. Alina leaves pondering over her national identity… and over her hair colour.
Much like a state, the information security industry has a different language, interesting people, its own pet hates, achievements, heroes and villains. That is not to say that it should remain marginalised and isolated from the rest of the society. Ignoring computer security is no longer a choice anyone can afford to make.
A country’s need for tourism, foreign policy and defence drives the national brand marketing. For an industry, bridging the communication gap means patience, cutting through the jargon and breaking stereotypes through education.
There is another problem that plagues the industry, and that is the “tired professional”. The IT professionals that after many years spent working with IT illiterates have got fed up with explaining and prefer to keep the strangers outside. Putting this in the same perspective of encountering people from all over the world, should you stop explaining to people where you come from just because they don’t know? Should they stop explaining to you about things you don’t know? Is there any point in harvesting knowledge, if it can’t be shared with others?
Credits goes to - http://cybersecurityauditing.blogspot.com/2015/08/infosec-what-country-is-that.html