Information Security is Full of Cannibals
I am not quite sure of the reasons why, but the fingerprint is unmistakable when it is observed from a distance. The amount of cannibalism in information security is staggering. It needs to stop. Look across other industries and you will see just how big of a barrier a brilliant jerk can make things for others. Any surgeon in the medical field can (and likely has) lost a patient on the operating room table. Yet, I rarely see the venom manifest the way we manifest against our own industry. The fact is that we are not stack ranking the merits of an information security practitioner against each other. A composite score does not make one practitioner better than another. It is an illusion to believe that there are only a certain number of people that can be winners in an infinite game. As Simon Sinek has evangelized for years, there are two types of games in game theory: finite games, or those with fixed rules, and infinite games, or those where the objective is to extend the game. Some of us are clearly playing the wrong game. Most of us do not want to play a finite game. However, the brilliant jerk only wants to play finite games.
The overwhelming majority of practitioners in our industry are rational, supportive, and empathetic towards other practitioners. We do not have to agree with one another philosophically all of the time, but we also do not need to be cutthroat in our pursuits of success either. There is plenty of room for people to win at the infinite game, and as Sinek states in the video above, we simply need to agree to the rules of the game we are playing, because when all players agree to the rules we are playing, the system is stable. When there are discrepancies, there is chaos. Is this how the industry matures? I do not think so.
Recently, I had an engagement on social media with a colleague whom I had a lot of respect for. He was positing that analytical skills that are born from coding and analytical muscle memory are not required to break into the industry in the role of a SOC Analyst. When I challenged his thought process, he mistook that for a personal attack and subsequently blocked me on that platform. This practitioner was not playing an infinite game. He was big mad that I was threatening his business model that he was trying to launch that is directly correlated to his ability to touch the money. Is he a brilliant jerk? No, we just did not prearrange the rules of the “game” we were playing. Regardless of how you feel about the role that coding has on your ability to perform your job as a SOC analyst, that was not the point. The fact that he had to be right, and his belief that there could only be one winner is just but one example of the dissonance that the industry has on measuring success.
Getting Ahead at All Costs
The brilliant jerk must find a way to win by whatever metric is important to him or her at the time. Maybe it is enrollment in a School for SOC Analysts. Maybe it is the number of secure lines of code that one can put out there. The point is that until all players agree to the game they are playing, information security will never make the leaps and bounds that other professions enjoy. You do not hear teachers bragging about how they are a better teacher than so-and-so. You don’t hear doctors criticizing another doctor’s diagnosis. You don’t see scientists and researchers measuring the size of their findings against each other.
The strong leader will not pit one person against another; he or she will figure out how to best utilize their strengths, all while eliminating weakness. We could stand to take a play out of that playbook. The reason why brilliant jerks are not tolerated at companies like Netflix is simple: it erodes trust worse than nearly every other fault a person could possess.
Nobody wins when the goal is to push somebody else’s head under water just so he or she can use it to tread water for a couple of extra minutes. Eventually there are no more heads to dunk. Game over.
Tolerating the Brilliant Jerk
I have some news… If being a brilliant jerk is tolerated, you have lost the locker room, Coach. Brilliant jerks are like coyotes in sheep’s clothing. If you spot the coyotes before it is in the chicken coop, the chickens will survive. If you tolerate the coyote, the chickens will perish. One should not be surprised on the outcome either way.
If I had my druthers, every job description and interview would contain a no brilliant jerk clause. My friend, Peter Schwacker recently posted about the flaws of hiring for attitude, and you know what? He is absolutely correct as he framed the term attitude to mean agreeableness. Where I disagree with him is where the brilliant jerk fits into the picture. Some managers would tolerate the brilliant jerk if it meant shipping code 2 weeks earlier than intended. However, in an infinite game such as business or information security, is that the only criteria for attitude? I make no apologies that if I smell a brilliant jerk, he or she is not getting the job. I would rather be losing the infinite game for the short term than to lose my culture and identity due to attitude. As a Senior leader in my organization, culture of the team is the one metric that I consistently focus on. It’s not MTTD, or MTTR; those numbers will fluctuate temporally.
To wrap up this post, my message is clear: Do not tolerate a brilliant jerk in your span of control for any reason. There are very few things that you could do as a manager than to tolerate it… especially if you are playing an infinite game.
