This blog post takes notes from an excellent talk by “Richard Hamming” called “You and Your Research”.
Full transcript here. It's interesting how some talks leave a mark and you derive your own conclusions and way forward when you think enough about the topic. Over a period, my thoughts have changed on this discussion and I have tried to outline those points below. Many people have talked about this talk in various manners so I would not like to do that again but point you to this and this.
There was a time when I used to recommend this to almost all of my colleagues in the information security industry as a must read / watch, telling them to look at what he is talking about: it made so much sense. However, I have stopped doing that now, or rather I have started to caveat it a lot before I ask people to go through it.
There are some points about that talk which I kept missing:
Focus of the talk is “researchers”
They gave this talk to researchers who have volunteered and joined a program to be a researcher. The expectations from a researcher are much higher than from a practitioner.
The Information Security domain is maturing and people are no longer in this domain just for the sake of fun; there is an established curriculum in the picture which is creating the workforce now. With that in mind, each time you recommend this talk to someone, you might have to check who they want to be: a practitioner or a researcher. And let's be very clear: both have their own place. No one is bigger than the other.
Similarly, Hamming brought out a point about “great research” early in the talk and specified that the talk is about great research, not even first class work, only great research. There is a point being made about “Why shouldn’t you do significant things in this one life”. I agree with the sentiments personally, and hence the reason I spend sleepless nights or focused months trying to figure something out, and I still find myself far, far away from those legendary scenarios. However, this is the key point to remember: the recommendations are for that narrow set of people who want to be the best of the best in that one specific area.
I also tweeted something on similar lines a couple of days ago.
That brings me to an important point about this whole thing. “You and Your Research” is a must read/watch for the researchers amongst us, but not all of us want to be that and not all of us will make it. This is where we in InfoSec fail. Most of the time we have “go big or go home”, all-in-or-nothing strategies, as most of us have joined InfoSec as a lucky coincidence of being in the right place at the right time and having a hobby which suddenly became an earning potential.
Around the 2016–2018 timeframe, multiple individuals and concerned parents contacted me about cyber security as a prospective career. I made a slide deck in my early career which I would refer individuals to, and lately I have also been giving them this Daniel Miessler article. I would make a big deal that this field is constantly growing and people need to spend a lot of time to keep themselves up to date. While mostly true, this is again one of those scenarios where just because it worked for me doesn’t mean it works for others. However, there is a key point I kept missing and failed to realize for a very long time: not everyone is in this profession to be great. Not everyone is in this profession to be a researcher.
We will keep finding more and more people now who are in it just as a routine 9–5 job. As this sector pushes towards a more organized way of working, those 9–5s will effectively be most of the workforce, and we all collectively need to come out of the grandiose delusion that we, as in the whole of cyber security, are here for altruistic reasons. Hacker as a keyword could be altruistic, but cyber security as an industry is an organized-sector industry with clear agendas, and we either play by its rules or replace the rules, but eventually we will work under stipulated conditions.
An important learning I have gotten in my years of mentoring is that what worked for you might be an edge case for your mentee. Always put yourself in the other person’s shoes before you make comments or suggest changes.
Recently I was invited to keynote at Diverseccon, and I took my chance to explore more on this theme: that InfoSec is much more than a passion-based hobby and we need to focus on making it a much more receptive environment.
I still have a few more tangential thoughts that I would like to talk about, but that will have to wait till the next blog post.