63 votes

Your security program is shit

15 comments

  1. stewgoin

    After lurking for months... this is a topic I can finally break out of the shadows on.

    I laughed, I nodded, I cried inside. Holy hell does this capture the feels of doing infosec/cyberz/new-hotness-words in the "we're trying to do this, not just sell it as-a-service" world of IT.

    The crassness just freaking speaks to me today.

    38 votes
    1. mild_takes

      I don't think it's far off of a lot of corporate BS. I'm blue collar, drive trains for a living. Last year we had new rest and hours of service rules come into effect. I'm deleting a few paragraphs of rant and will simply say the company procrastinated for 2 years on finding ways to implement the new rules, didn't negotiate any changes to the union contract at a few opportunities, continued to implement policies that make the workplace shitty, came up with creative interpretations of the new rules, and then tried to solve their problems by just hiring more employees (for train crews) at a time when our image problem and BS workplace culture drastically limits our ability to hire the younger generation.

      18 votes
  2. hobbes64 (edited)

    Fun read.

    I don't work in security but I've been on several software projects where they hired expensive consulting teams that were incompetent but trusted more than those of us who knew the domain and would have to implement the dumb design. And I often saw that once the consultation started, we were interacting with apparent interns who didn't know thing one about basic software or UX design, and the project managers and development managers would think it was great, because apparently only the technical staff is ever educated in the business or has any standards to meet.

    I imagine that dealing with this stuff in the security field would make me extra salty too.

    20 votes
    1. NaraVara

      The point of the expensive consultants is supposed to be to canvass the perspectives of all the individual contributors and break the logjams that have resulted from them all not being able to coalesce on a common way forward. If the individual contributors (or, more likely, their management chains) were able to do that nobody would even think to hire the consultants.

      9 votes
      1. vord (edited)

        I mean, my employer paid some good money to some consultant to help audit and recommend a path forward for our division.

        My supervisor promptly eviscerated them for not comprehending even the remotest fundamentals of what they were supposed to be auditing, as well as trying to sell us on a solution that would break approximately 2/3 of our environment to add a fancy dashboard on top of some logs.

        11 votes
    2. sqew

      I remember watching some of my friends go into consulting out of college and thinking it was crazy that they were going to be airdropped in to companies as experts at crazy high hourly rates when they had zero experience in their industry. Most of them were business majors but going into technology consulting.

      I think I blame the consulting companies really. They want to take advantage of the spread between the hourly rate they charge and the salary they pay their 23 year olds, and the 23 year olds don’t even necessarily know how little they know about what they’re doing.

      6 votes
      1. creesch

        > the 23 year olds don’t even necessarily know how little they know about what they’re doing.

        Oh, they know. The quick learners or those with a bit of tech savvy are on their toes, hustling to grasp the ins and outs of their assigned fields, all while trying to keep their stress levels in check.

        Then there are those who aren't as adept. They master the art of bullshitting their way through things before swiftly moving on to less demanding "tech roles". It is amazing how many people after a short period end up as scrum masters, coordinators, etc.

        This is based on my experience working for a consultancy company for a few years. Granted, I work for a division of a company where a lot of individuals are just hired out to companies to fill in spots in internal teams. But we sadly also have the sorts of teams discussed in the blog post.

        A decade ago, I was hired as a 'test consultant'. At that time, the job was mostly presented to be about manual testing. We received what was called a 'testing masterclass'. It was essentially a course covering test theory for certification, some SQL, some course of specification reviews and all that over a few weeks. After completing this training, we were airdropped into projects with the promise of support from more experienced consultants. Getting a good project with decent support was a matter of luck. More often, we found ourselves figuring everything out from scratch, on our own.

        For me the experience was slightly different as I already did have a ton of technical skills. I had been programming since my teenage years as a hobby but had initially taken a different path, ending up with a bachelor's degree in education. So I knew I had a lot of the skills needed, but getting into IT without formal qualifications is pretty difficult.
        For me, it was honestly an opportunity, although I had no clear idea of what I was going into as QA and testing really is one of those things not found in college courses.
        Luckily for me, I discovered the existence of test automation pretty quickly, saw it was already a hot commodity and that I actually already had more skills in that area than some seniors. This allowed me to sidestep a lot of the panic-infused hustle I saw my peers go through at the time.
        I was also assigned to internal teams of companies. That alone did a lot to shield me from the internal bullshit of my parent company and allowed me to learn a lot of how things actually work.

        Having said all of the above, putting it purely on consultants is very easy. A lot of times, the bullshitting also does happen internally. People are comfortable where they are, a lot of people are just knowledgeable enough to do the job they are doing and have very little interest in any change at all.

        3 votes
  3. vord

    Security theater is so annoying. I'm all for security-driven practices, but it needs to be practically implemented.

    An example from my employer:

    New policy that all container images must pass all security scans with a new tool. The old tool was fine, but didn't have a fancy dashboard. New scanning tool is stupid, and flags all sorts of packages and things that have been long-patched since kernel 4.4.

    This of course, immediately blocks all the pipelines for anything that wasn't preemptively whitelisted, and now nothing is getting repaved. I have to sit down with the security team to ask for an exception and explain how blocking repaves for unpatchable issues doesn't actually improve security.

    I don't trust any Infosec person who doesn't know how to use nmap, and neither should anyone else.

    20 votes
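    The gate vord describes, reworked as a defender-side policy check. This is an added example, not code from the post or from any scanner vendor; the scan report, the VULN-000x identifiers and the exception list are constructed. Only findings at or above the blocking severity that have a fix available and carry no unexpired exception block the rebuild, so unpatchable findings are reported without holding up repaves that ship other fixes, and exceptions expire instead of living forever in a whitelist.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Union

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Finding:
    vuln_id: str                  # scanner identifier (constructed placeholders below)
    package: str
    severity: str                 # LOW / MEDIUM / HIGH / CRITICAL
    fixed_version: Optional[str]  # None: no upstream fix exists, the image cannot patch it


# Constructed scan output for one image; these are not real advisories.
SAMPLE_FINDINGS = [
    Finding("VULN-0001", "openssl", "CRITICAL", "3.0.8"),
    Finding("VULN-0002", "glibc", "HIGH", None),
    Finding("VULN-0003", "curl", "HIGH", "8.4.0"),
    Finding("VULN-0004", "zlib", "HIGH", "1.3"),
    Finding("VULN-0005", "bash", "LOW", "5.2"),
]

# Constructed time-boxed exceptions granted by the security team: vuln_id -> expiry date.
SAMPLE_EXCEPTIONS = {"VULN-0003": date(2030, 1, 1), "VULN-0004": date(2023, 1, 1)}


def gate(findings: List[Finding], exceptions: Dict[str, date],
         today: Union[date, str], min_block: str = "HIGH") -> Dict[str, List[str]]:
    """Classify findings; only actionable ones (fix available, at or above the
    threshold, no live exception) go into the blocking bucket."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    result: Dict[str, List[str]] = {"block": [], "waived": [], "unfixable": [], "below_threshold": []}
    for f in findings:
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[min_block]:
            result["below_threshold"].append(f.vuln_id)
        elif f.fixed_version is None:
            # Nothing to repave to: report it, but do not block the rebuild that ships other fixes.
            result["unfixable"].append(f.vuln_id)
        elif f.vuln_id in exceptions and exceptions[f.vuln_id] >= today:
            result["waived"].append(f.vuln_id)  # exception still valid; expired ones fall through
        else:
            result["block"].append(f.vuln_id)
    return result


def pipeline_allowed(result: Dict[str, List[str]]) -> bool:
    return not result["block"]
```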
  4. symmetry

    A tad too edgy for me.

    I think there is a distinction to be made between what is business and what is security.

    The execs come with the ask to get ISO/SOC/whatever, that’s business. As in, we need this to sign a deal, complete some legal requirements, or they need it in order to be at “parity” with competitors.
    That’s business. Hiring clueless consultants to do the audits. That’s business too. A good security professional should know better and find a good (or at the very least, reasonable) auditor instead and use this opportunity to push through actual security changes that otherwise might not have happened.

    SSO? Security keys? 3rd party pentests? Actually doing backups? Put these as your controls and point to them to say we need this to get X cert, because tons of companies are gonna cut corners if they can. That’s business. A good security program needs to understand that it’s part of a business and act accordingly. To quote Futurama, “When you do things right, people won't be sure you've done anything at all.”

    10 votes
    1. TheD00d

      I get the author's salt. I can't tell you how many times I've done audits for EHNAC or HITRUST and had the most unintelligent auditors. Going through big frameworks like that is also usually more an exercise in patience than actual security control implementation. But on the other hand it's good. Forces you to get your policies and procedures right and gives you a solid foundation to build on.

      If I get the overall message (I woke up like 5 minutes ago and might still be out of it) I understand the author's gripes with non-technical people attempting to lead technical roles or oversee implementation of super technical controls but let's try not to be performative in security. I've seen sooooo many stupid things occur because of egos - both technical and non and it can be super frustrating.

      8 votes
      1. vord (edited)

        The fundamental problem is the pay and trust disparity.

        Especially when the moron outsider being paid substantially more gets listened to because they said "Magic Quadrant" three times. (Guess which consultants I hate the most)

        If half the money spent on consultants was instead spent on paying the technical people whose job is to resolve these problems, there'd be a lot less salt.

        12 votes
    2. caliper

      To me, that only signals a fundamental flaw in certification. If it’s only used for business, and there are ways to game the system to obtain the certification more easily, then why even bother security experts with it in the first place?

      I would love it if certification actually meant something. That getting certified actually caused some headaches. That it would mean actually adopting new policies, internalizing importance of following good standards, etc. That would lead to actual improvements, improvements you, as a company, could be proud of. It should lead to accountability, and fear of being held accountable. Right now, companies only fear losing that one check mark that could hurt business.

      I therefore feel like this post touches on very important shortcomings, even if it’s harshly worded. But even that is easy to look past because it must be very frustrating to deal with ignorance on a daily basis.

      7 votes
  5. kenc

    I both love and hate this article. Also: What does a consultant actually do? (SLYT)

    7 votes
    1. caliper

      Why are you doing this to me? This thread isn’t fun at all, this hurts.

      Having gone through ISO certification and bickering with consultants before, this is triggering the entirely wrong emotions in me. I love the cooperative spirit of developers and that’s what keeps me going. But what I wouldn’t give to get rid of all the corporate BS. There’s so much energy lost on jumping through arbitrary hoops that don’t result in anything other than a tick in someone’s spreadsheet. Aggravating.

      4 votes