Information security: Become a hacker, not a consultant

Epistemic Status: I have worked for 1 year in a junior role at a large consulting company. Most security experts have much more knowledge regarding the culture and what matters in information security. My experiences are based on a sample size of five projects, each with different clients. It is therefore quite plausible that consulting in information security is very different from what I experienced. Feedback from a handful of other consultants supports my views.

I was very happy to learn that information security has recently been considered a promising career path for people who want to do good. I wondered whether information security would be a thing for me too. So I set out to look for jobs and ended up with one at a large consulting company pretty quickly.

It will likely never be easier to get jobs in information security than now. There is a so-called skills gap. The demand for security is going up swiftly as the importance of electronic information systems is ever increasing. Since training people takes time and scaling up training takes even more time, the current demand for security experts is far greater than the supply. Consultancies are lacking a competent workforce quite badly. The CEO of the company that hired me said that “we have way more opportunities than we have people”. Right now, some companies are inclined to hire any person who is capable of shouldering some workload and has some basic knowledge of IT systems.

I thought, perfect! Maybe my search for a fulfilling career as a do-gooder is over. Not only do I get my hands on securing information systems for companies, nation-states and other groups, I also get to do consulting! Consulting has also been considered a promising path for various reasons.

Why I no longer think that consulting in information security is a good option

I was very interested in learning how my pre-existing theoretical knowledge compared to the practices in the company and what exactly projects would be like. To my surprise, I quickly found out that most projects are really poor. Few of my colleagues felt as strongly about this as I did, but most agreed. What do I mean by “really poor”?

Most projects have a flawed methodology that leads to no actual improvements in security

In fact, most projects had no methodology or theory of change at all. These projects would be like this:

Consultant: Do you have [some software] installed?

Client: Well, we have tinkered with it, but decided against it, it is just too expensive.

Consultant [writes a report]: There is no instance of [some software] installed. The solution is therefore highly insecure.

And that would be it. Other projects had a methodology that did not work. My personal favorite is the use of subjective scores, like 1 to 5, to grade the security of a solution. After a meeting with a client we would be like: “They do not have [a software that I happen to know] installed, that is no better than a 3, don’t ya think?”. We would then do all kinds of fancy arithmetic with those numbers, finally extinguishing all meaning that they originally had, to come up with a picture that we thought the client would like.

People often lack necessary skills to carry out the project

I guess that my colleagues by and large do not sense that what they are doing is not benefiting the security of the client. Information security experts are often great in a specific technical field, be it hands-on networking, programming or configuring machines. When it comes to research and study design, however, my colleagues lacked important skills.

Furthermore, I noted very often that even basic terminology is not clear. Words such as remediation, vigilance, resilience and others are quite frequently used without a shared definition. Basic terms like security and risk are often used wrongly, indicating that the person does not really know what a risk is. In fact, I estimate that only around 1 consultant out of 10 has a probabilistic understanding of the concept of risk. I still have no sufficient explanation for this.
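As an added example (it is not the author's code and does not come from the company described), the following Python contrasts the two approaches the post mentions: doing arithmetic on subjective 1-to-5 scores, and reading risk probabilistically as probability times impact, so that the value of a missing control can actually be estimated. The scenario names, probabilities, loss figures and control cost are constructed for illustration only.

```python
"""Ordinal security scores versus a probabilistic risk estimate.

Added example, not part of the original post. All scenario names,
probabilities, loss figures and control costs are constructed.
"""
from dataclasses import dataclass
from statistics import mean


def averages_flip_under_relabelling(scores_a, scores_b):
    """Average two sets of 1-to-5 scores under two different monotone
    encodings of the same ordering and report whether the winner flips.

    Both encodings rank individual scores identically, so if the winner
    changes, the averages carried no information beyond the labels and any
    further arithmetic on them is meaningless.
    """
    linear = {1: 1, 2: 2, 3: 3, 4: 4, 5: 5}
    convex = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16}  # same order, wider gaps at the top

    def winner(encoding):
        a = mean(encoding[s] for s in scores_a)
        b = mean(encoding[s] for s in scores_b)
        return "A" if a > b else "B" if b > a else "tie"

    return winner(linear) != winner(convex)


@dataclass(frozen=True)
class Scenario:
    """A loss event with an annual probability and a loss if it occurs."""
    name: str
    annual_probability: float  # 0.0 .. 1.0
    loss: float                # monetary loss per occurrence


def annual_expected_loss(scenarios):
    """Expected loss per year: sum of probability x impact over scenarios."""
    return sum(s.annual_probability * s.loss for s in scenarios)


def net_benefit_of_control(scenarios, affected, probability_reduction, annual_cost):
    """Expected loss avoided per year by a control, minus what it costs.

    affected: names of the scenarios whose probability the control reduces
    probability_reduction: fraction by which those probabilities drop (0..1)

    A control is worth buying only if the result is positive; a verdict of
    "software X is missing, therefore insecure" cannot tell you that.
    """
    after = [
        Scenario(s.name, s.annual_probability * (1 - probability_reduction), s.loss)
        if s.name in affected else s
        for s in scenarios
    ]
    return annual_expected_loss(scenarios) - annual_expected_loss(after) - annual_cost


# Constructed sample input, not data from any real assessment.
SAMPLE = [
    Scenario("ransomware outbreak", 0.05, 2_000_000),
    Scenario("leaked service credential", 0.30, 50_000),
]

if __name__ == "__main__":
    # Same scores, two valid encodings, different "winner": True
    print(averages_flip_under_relabelling([1, 5, 5], [4, 4, 4]))
    # 0.05 * 2,000,000 + 0.30 * 50,000 = 115,000 per year (up to float rounding)
    print(annual_expected_loss(SAMPLE))
    # Control cuts ransomware probability by 60% for 30,000 a year:
    # saves 60,000, nets 30,000 (up to float rounding)
    print(net_benefit_of_control(SAMPLE, {"ransomware outbreak"}, 0.6, 30_000))
```

The first function is the point about "fancy arithmetic": two solutions rated [1, 5, 5] and [4, 4, 4] swap places depending on how the labels are turned into numbers, so nothing downstream of the average can be trusted. The second part is what a probabilistic understanding of risk buys you: a number in the client's own units that can be compared against the cost of a control.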

Overall, there was a very heterogeneous people-landscape in the company. Some new-joiners had no IT-related experience. They then sat next to security-crackheads who have spent the last 25 years pentesting various systems.

Projects are just as good as they need to be

Most consultants are primarily motivated by 1) money and 2) social prestige. Both only weakly relate to security improvements. The goal of projects is not to secure the client's assets as well as possible, but rather to secure additional funding with as little effort as possible. Whilst that is obvious, it is astonishing how inefficient projects are.

The attentive reader might have asked himself by now: If the consultants do not produce high-quality work, lack skills and fail to secure the client's assets, why in the world would anyone in their right mind pay for such projects?

This is something that I am still very confused about. My leading theory: The clients are not in their right mind. The companies that have the weakest security posture and the greatest demand may purchase consultants in the hope that they will help them. But these companies are the ones that are incapable of overseeing the work of consultants. I am sure that there are tons of groups who have great security programs, but these are not the ones that would have hired us.

The culture in InfoSec consulting is harmful for effective security

There is a lot more to this than I can present here. I also do not know which parts of the culture come from the field of information security and which come from consulting.

One thing stands out: It seems to be general practice to over-inflate your abilities and to come off as much more knowledgeable than you are. Colleagues of mine openly shared strategies for doing so.

Interlude (solely for purposes of entertainment):

How to come off as though you know what they are talking about but you don’t

1. Ask questions using the other's language

2. Sit through the awkward silence

Possible situation—Variables (A;B;C;D) mark terms and concepts that are unknown to the consultant:

Client: We did have trouble fixing B, due to A.

Consultant: Oh yeah, A is tough for other clients as well. How are you dealing with B now?

[awkward silence]

Client: Umm, I am not sure what you mean exactly.

[awkward silence]

Client: Do you mean how do we address C to enrich B with D?

Consultant: Yes.

Client: Ahh, well, we … [potentially understandable information]

I did not learn a lot that I would consider valuable for solving pressing problems. Most of the skills that I acquired related to getting through the administrative overhead quicker. That is, I learned to half-ass fancy slides.

80000 Hours has stopped recommending general consulting as a viable career path to do as much good as possible. My impression is that they also think that the acquired skills are not very valuable for other areas.

Information security consulting is unlikely to improve your relevant skills as much as other options and there is a great chance that you have no impact.

The better alternative: self-study information security

Next to my job in consulting I also self-studied. I discovered that many of my colleagues had poor knowledge of topics and concepts that one stumbles over really quickly. Most employees in information security seem not to concern themselves with textbooks. Rather, they learn from others and from formal training. I think that self-study is going to get you into a position where you can have an impact much sooner. Note that this is rarely the only alternative, but one that many people have. Here are some recommendations and places to start.

Do

You need a quantitative understanding of security which you won't get from reading most of the literature. The book is a must-read.

  • Properly build and secure your home network

This provides a way of getting hands-on experience with common network components.

  • Do CTFs

You can do CTFs alone here or here or in many other places. Finding or founding a CTF-Team is great but difficult and not at all necessary.

Offensive experience gives you a better understanding of what kinds of systems are easy to hack and which are more secure. It allows you to take the perspective of an attacker and better estimate the security of a solution.

This newsletter covers a very broad range of topics. This will broaden your understanding of what kind of topics are part of information security and discover what you find interesting.

  • Learn the basics of cryptography

Cryptography is the reason that secure communication is possible at all. Most security solutions rely to some degree on cryptographic concepts.

Do not

  • Use buzzwords

  • Pursue formal certificates

I have one and the test was so cheap that I am now ashamed of having done it. I have not told my superiors or anyone else that I passed and will not show it to anyone else. Also, the “learning materials” vary in quality. You will learn quicker on your own.

  • Learn about industry norms

Norms are often a good source of inspiration, but usually poorly written and sometimes even plain wrong. Most people that I have met treat norms and standards as if they were written by a benevolent god. But if you think about it, even if the people writing those standards have perfect subject-matter knowledge (which I assume they do not) then they still have no incentive to put additional effort into fine-tuning these standards so that they provide value for applied information security. As a result, the standards are a pile of ideas and should be consulted with this consideration in mind. Industry norms are widely trusted, independent documents. Therefore, they are often misused to justify recommendations. A consultant relying heavily on industry norms is one to stay away from.

I am aware of one high-impact job in information security. According to their website, Anthropic is looking for a person to secure their assets. The picture below is an excerpt from the ad.

The people from Anthropic also seem to value hands-on experience over formal training. If you want to make a difference, become a hacker, not a consultant.
Biosecurity: I have witnessed and survived the use of non-mathematical metrics, poor standards and non-probabilistic security concepts. To protect myself, I have developed something like an antenna for such bullshit. When I read about biosecurity, my alert goes off. I do not know anything about biosecurity, but if the field suffers the same issues, that is a much bigger problem. Do not hesitate to contact me if this rings true to you.

If you are working in information security, consulting or both: Leave a comment and let the community know what you have experienced, especially if your experience contradicts mine!