Are Information Security People Arrogant?

I hate speaking in generalities, even though I do so often, but I’ve been thinking about something lately.

Are information security people arrogant?

This thought came to head a while back while I was visiting my mother. We were talking about life, and I was sharing some of my frustration in my line of work (information security). I was telling her that it frustrates me when people can’t seem to grasp the obvious.

She replied, “You’re arrogant. Plain and simple. You actually believe that people think the same way you do?”

My reaction to being called arrogant was a childish one (hindsight), so it’s fitting that my own mother called me out. I was offended. How dare she call me arrogant?! I’m frustrated that people can’t follow simple directions and basic logic. I’m not frustrated that they can’t figure out finite mathematics of anything!

Wait. Calm down. She’s right.

After five minutes or so of trying to defend myself against her attack (which wasn’t even an attack), I realized that I had no defense. She was right, I was being arrogant. I am arrogant. Actually, I have plenty of arrogance to go around. Not only do I have enough for myself, I have enough to share with my peers too, as we laugh together at the dumb things people do.

Thanks Mom!

Here’s the deal though, I’m not alone. Truth be told, there’s an abundance of arrogance in our industry. It seems as though some of the most esteemed information security people in our industry, or at least some of the ones in some high places, are full of arrogance.

Do we, as an industry, place a premium on being arrogant and full of ourselves? Good question. Scary thought, but I think there some truth here.

What is Arrogance?

Before I just start throwing words and accusations around any more than I already have, I should make sure I’m using them correctly. God knows, in our society we like to call people names and attach labels, regardless of accuracy or true meaning.

Let’s go to the dictionary and see.

Definition of arrogance is an attitude of superiority manifested in an overbearing manner or in presumptuous claims or assumptions.

Yep, I think I’m using the right word. Do you know of any information security people who have an attitude of superiority? Do you have an attitude of superiority, especially when referring to less skilled information security people or non-information security people (“normal people”)?

Is it manifested in any of these ways?

• An overbearing manner
• In presumptuous claims
• In assumptions

If your honest, you can probably thing of times when you’ve been arrogant. How often you are arrogant is another question. It’s something we all need to keep in check. We can all stand a little more introspection, like looking at ourselves in the mirror.

Common examples of arrogance

Here are five examples of arrogance that I’ve either been a part of or heard in the last week alone:

• Believing that you think what someone else thinks without asking.
• Getting frustrated when someone else doesn’t understand what you’re saying, and maybe even believing that they’re less intelligent.
• Telling someone what they think.
• Griping about some “stupid” thing someone else did.
• Calling or thinking someone is “stupid” for doing something that seems obvious to you.

None of these thoughts or actions are productive in our mission; making information security better (I hope).

Not All and Not Always

The downside in speaking or writing in generalities is the fact that I lump everyone together, even though I know there are exceptions.

• Not all information security people are arrogant, but too many are.
• Not all highly esteemed information security people (industry influencers) are arrogant, but some are.
• Even the arrogant information security people are rarely arrogant all the time.

I won’t call out the industry influencers that I think are arrogant. That wouldn’t help the cause at all.

I will call out some of the humble and less arrogant ones people in our industry. These are information security industry leaders that I respect, and that I feel are more humble and modest. This is based on my observations, and you may know them differently than I do.

Here are (only) ten of my favorites (in no particular order) along with links to their Twitter feeds if you want to follow:

1. Richard Bejtlich @taosecurity
2. Aloria @aloria
3. Tony Cole @NoHackn
4. Roger Grimes @rogeragrimes
5. Jane Frankland @JaneFrankland
6. Dave Kennedy @HackingDave
7. Dejan Kosutic @Dejan_Kosutic
8. Chris Roberts  @Sidragon1
9. Eleanor Dallaway @InfosecEditor
10. Mikko Hypponen @mikko

NOTE: This list is based on opinion. My opinion. Not fact, but my opinion. I stated that this is my opinion three times (now four) because you are welcome to disagree with me! If you’d like to add to my list, please do!

There are many, many more that can be added to this list, but back to our problem, assuming there is one.

Humble Yourself

Arrogance is bad, and there’s no place for it in our industry. When we see it in others, we should respectfully call it out. When we see it in ourselves, we should change our attitude. If we can’t change our attitude, maybe we should get some help.

Are you honest with yourself? Ask yourself the question, “Am I arrogant?” Get in the habit of doing this regularly, and things will certainly go better for you and those around you.

That’s all for now. Thanks!