Infosec in APAC – A Very Summarised View

I spent a total of 16 years working in infosec in APAC – across the region as a whole except for India and mainland China. I was based initially in a pen test/research lab in Thailand with regional customers, and then later spent some time with the Big 4 in Thailand, before moving base to Jakarta for what will probably be my final stint in the region. As well as the aforementioned places I spent lots of time in Singapore, Taiwan, and HK. Less so in Malaysia, and I never worked in any of Vietnam, Cambodia, Laos, Myanmar, or the Philippines.

I was in APAC for most of the period between 1999 and 2013. My time with the consultancy which was based in Bangkok (although there was only one client account in Thailand) made up the formative, simulated-attack experience of my career – not a bad place to start. There were some brief spells away in the UK and the Czech Republic (the best blue team experience one can hope to find). Overall I was lucky with the places I worked in, and especially the people I worked with – some of whom quit infosec not long after the Great Early Noughties Infosec Brain Drain.

Appetite for risk is high in APAC – just look at the stats for insurance sales in the region. What results in infosec, even in banking and finance, is exactly the same as in the West – base compliance only. The difference is something like this: Western CEOs showed interest and worried about cyber at some point in time, but when they went looking for answers they didn't find any, other than buzzwords from CISSPs – result: base compliance, aka let's just get through the audit. In Asia the CEOs didn't go looking for answers – it's just base compliance, do not pass go. But before you pass judgment on this statement – read on.

Where APAC countries were better was the lack of any pretence around GRC. You will never hear anything along the lines of "security is not about IT" – i.e. there is no community of self-serving non-technical GRC folk spouting acronyms. Western countries blow billions down the dunny on this nonsense.

So both regions have poor security, and both face a significant threat. But if you measure security performance as results obtained for money spent, there is a clear winner, and that is APAC: both end up with poor security, but the West pays far more for it.

Information Security And A Pale Blue Dot

This article is about the place of ego and pride in information security.

Earth From 6 Billion Kilometres - Thanks To Voyager 1 - Courtesy Of NASA


At the request of the late Carl Sagan, as the Voyager 1 space probe was leaving the planetary region of the solar system, at a record distance of approximately 6 billion kilometres (about 3.7 billion miles) from Earth, NASA instructed Voyager 1 to turn its camera back toward Earth.

Yes – the circled pixel-sized dot in the image above – this is Earth.

But that dot is also a good representation of what you know about security, compared to the whole. It's even more than what I know about security, compared with what there is to know.

One thing I have been right about – security, in theory at least, is a fantastic world to be a part of. I left IBM in the late 90s because I had heard about a world that covered all bases in the IT world. And I wasn't wrong about this. Things did get ugly in the early 2000s – basically IT folk and engineers weren't welcome any more. This is why we're in the mess we're in now. But security, relative to other fields in IT, is still by far the best place to be, at least from where I'm standing.

Security is such a vast field, and whichever turn you take, you find another world within a world, and within that world, the more you discover, the more you realise what there is left to discover. So in other words – the more you know about security – the more you know you don’t know.

So given all this – do ego and pride have a place in this field? And how do you assess your knowledge compared to others'? If you think about it in the context of the image above, showing excessive ego, holding grudges, or getting into regular arguments with others in the field really demonstrates a lack of awareness of security and how vast it is. Given the vastness of the field, if you're taking a mocking attitude (99% of the time this will not be communicated to the target of the mockery), I hope you can see now how ludicrous that attitude is. It's diabolical actually. If an analyst comes from a different background and spent all their time in a certain part of the universe, why on earth (pardon the pun) would you be critical or judgmental of them if they don't know your neighbourhood as well as you do?

Many believe that excessive pride is mainly the territory of hacking conference speakers, and that it's here where things get out of control, because of the attention one can get from doing something as simple as a wifi "evil twin" attack. But no, not based on what I've seen. There are security folk from all walks of the sector, and not just the self-proclaimed 'evangelists', whose level of self-importance goes as far as taking patronage over the whole sector.

From the outside looking in, we in security are viewed in a fairly dim light in many cases. While working in a small consultancy here in the UK, I've heard it said while management was assessing a candidate's suitability for a Consultant role: "is he weird enough?". Security seniors in that firm regularly used to get into impassioned exchanges with C-levels, because of the issue I mentioned of taking patronage over security. Disagreements would spiral out of control.

C-levels really just want to have the same understandable conversations, and see the same reporting, from security folk as they do from others. The whole security show does seem like a circus to outsiders, especially to folk in other IT departments. And yet many in this field blame the board (“they’re clueless”) when security is pushed further away from the board, rather than looking at themselves.

And as long as we do not have a trustworthy means of proving our ability or experience in this field, there will be lots of issues. Many try to compensate for this with self-proclaimed titles and other little nuances. Many develop a whole persona around trying to show the world how great they are.

We're renowned for being different, and we are, but we can be more careful about how we show our uniqueness. It should be enough to just keep a lower profile and do our jobs. If we have confidently given our advice and got it in black and white somewhere, that's all we can do. If after that others still don't agree with us, leave it at that.

Having an out-of-control ego also prevents us from being team players. We need to be open minded to the idea that others can learn from us and benefit us in return – we will always be stronger as a team than as individuals, and no one acting as a lone gunslinger ever helped an organisation to improve its stance in information risk management.

Here’s what the Dalai Lama said about ego: “The foundation of the Buddha’s teachings lies in compassion, and the reason for practicing the teachings is to wipe out the persistence of ego, the number-one enemy of compassion.”

Certainly – at least between ourselves – remember how vast a field security is, and don't lose perspective.

As I mentioned above: the more you know about security, the more you know you don't know. So try not to demonstrate a lack of knowledge by attempting to demonstrate lots of knowledge.