Long Live Non-Profit's
The infosec community faces a unique challenge in persuading young talent not to do anything dumb or illegal and helping them positively harness their skills.
Despite its fair share of flashy marketing, enough IPOs and acquisitions to make your head spin, and the emergence of a thought leader army sprouting generic LinkedIn posts, it would be easy to forget just how immature the infosec industry really is. Despite all the progress being made in a sector moving as fast as greased lightening, the infosec space has plenty of challenges still to address.
These include a widely recognized skill shortage, ill-defined career pathways and a chronic lack of diversity. Whilst various factors explain why these challenges exist, a common theme throughout is a lack of infrastructure. More generic industries, by comparison, are replete with career guides, university courses and industry bodies.
Although both the public and private sector are stepping up, the current lack of infrastructure leads to a huge opportunity for non-profit and volunteer initiatives to make an outsized impact. This post explores some of the key areas where non-profits can and are contributing, and shows why we need more of these initiatives.
The infosec community is an eclectic bunch. Former intelligence operatives rub shoulders with staunch pro-privacy activists while educational backgrounds range from PhDs to high-school dropouts. Many sub-disciplines now also exist, such as threat intelligence, penetration testing and malware analysis. All of this means it is easy to feel outnumbered or that you do not belong. As someone coming from a politics and international relations background, I have had my own share of these experiences when surrounded by the, sometimes very technical, infosec space.
It is here that non-profit initiatives can play a significant role in providing spaces (whether online or offline), that help people find their tribe. It is all well and good for a teenager to teach themselves how to hack, yet if they are unable to share their journey, their enthusiasm can easily dwindle over time. Non-profits, such as The Many Hats Club, can build communities for people to discuss their ideas and challenges, as well as foster an encouraging and welcoming environment for newcomers.
Non-profits also provide supportive communities for underrepresented demographics in infosec — a range of women in infosec meetups and community groups are a vital part of overhauling the industry's diversity deficit for example.
This is not to say that businesses cannot do their part in building communities — whether through organising their own meetups or sponsoring non-profit events to ensure there is enough beer and pizza to go around. To their credit, many businesses take part in these initiatives without their being an obvious sales angle. At the same time, however, it is important for a volunteering spirit to lead these efforts.
Mentorship & Pathways
Related to building communities, non-profits provide important sources of mentorship. Infosec experts are typically very good at googling, yet no amount of online research is going to be as helpful as speaking to someone with practical insight. For someone starting out in the industry, it is not always clear how to get started or what firms are worth applying to. This is where wiser heads have the opportunity to make a real difference with non-profits one of the few sources that can facilitate these conversations.
Non-profits are also vital for providing career pathways. For all the aspiring teenage hackers, defacing the FBI website is inherently more fun than working for a big corporate. The infosec community therefore faces a unique challenge in persuading young talent not to do anything dumb or illegal. When someone under 18 is arrested for hacking, they are not the only one to have messed up — the broader community has also failed to show them how they can harness their skills in a positive way.
Secjuice is a platform that helps young talent straddle on the right side of the law and express themselves through their writing. Not only does new talent benefit from exposure to mentors in the field, but they are also able to learn about professionalization and the upsides of a white-hat career. By writing with Secjuice, getting feedback from experts and having their work looked over, members can build up a strong portfolio of work that will help get them hired in an industry that prizes passion and initiative.
For non-profits like Secjuice, the perils of monetization should also be carefully understood. Although Secjuice could certainly run adverts or charge subscriptions, this creates an economic model that prioritizes metrics and page views (an objective that runs directly contrary to providing a platform for unknown and untested talent).
Finally, non-profits provide a unique perspective when it comes to information security research. Most corporate researchers find themselves responding to client requests and questions driven by commercial incentives. This is by no means a bad thing, yet issues of wider importance are missed. By contrast, non-profits play a vital role in researching areas that would not otherwise be supported or engaged with.
The best example of this in action is perhaps The Citizen Lab, based at the University of Toronto. Whilst threat intelligence organisations provide governments and businesses with insight into the threat landscape, The Citizen Lab instead shines a light on how civil society actors are being targeted. Previous investigations have included research into online censorship campaigns, understanding how the Dalai Lama and Tibetan activists have been targeted, as well as how spyware is proliferating.
Going forward, infosec will increasingly collide with a host of ethical issues related to digital human rights and privacy. Here, non-profits will need to play an important role in independently scrutinizing these developments from a non-commercial perspective.
From its early days, grass-roots and volunteer-led movements have played a central role in the infosec story. As the industry matures, both private sector and government initiatives will become increasingly prevalent. Whilst this should be welcomed, the information security community should not forget its beginnings and the unique challenges that only non-profits can solve. Long live the non-profit I say.