A Window into Darkness: The Infosec Playlist

Spoiler Warning: this post contains no useful information

Many people ask me almost on a daily basis. “Hey, Not a Security Guru, tell us what it is that keeps you occupied during the day, what it is that keeps you awake at night and how is it you’re such a handsome fella even with all that pressure”.

OK, the previous statement is a lie. I haven’t been asked that on a daily basis. I’ve been asked that at least twice. In my lifetime.

But the rest is absolutely true.

At least some of most of it.

But I digress.

And so I sometimes find myself having difficulty explaining the job to people outside the security industry, and especially to people who are not technical.

These days, largely thanks to Swordfish, Scorpion and Mr. Robot, most outsiders think that security professionals:

  • Always wear a hoodie (and that our rank in the guild is shown by how ornate the hoodie is)
  • Can hack into the Pentagon while drinking a bottle of Merlot in less than 30 seconds
  • Need at least 8 screens arranged in a semi-circle in order to perform complex tasks.

I feel bad telling them the harsh truth. The manual scripting. The KPIs. The KRIs. The never-ending budget sessions. Explaining to people that “yes, security is a real concern, and the fact that your Facebook account now spews ISIS propaganda should be proof enough of that”. The firewall change approvals, the Flash patching (GOD DAMN IT! THE FLASH PATCHING! MAKE IT STOP ALREADY!). It all sounds like so much not-fun, even though we like our jobs.

We really do.

So instead of sitting down with an interested party, looking calmly into their eyes and raving about Flash patching (OH GOD! MAKE IT STOP! MAKE IT STOP!), I’ve decided to describe typical Infosec management assignments via a playlist. I call it… SONG OF ICE AND FIRE ahem, A WINDOW INTO DARKNESS


(technical note: the following is based on Spotify links that may or may not work on your browser. Browsers with DNT enabled on them will get a big ugly warning from Medium before the content is displayed. Click it. Click it like you mean it. Click it like it’s a phishing email)


Prologue: where our hero describes the essence of Information Security:

The Alan Parsons Project’s Eye in the Sky. If you don’t know this song you’re too young to read this article. Go away.

Hiring Personnel in a World Missing Thousands of Experts

James Blunt’s I’ll Take Everything. No, that doesn’t mean you. You’re not worth that much money.

Being called by a recruiter:

Sympathy For The Devil is fitting here, thanks to all those cold calls starting with “Please allow me to introduce myself, I’m a man of wealth and taste” and ending with *click*.

Bonus Track: when your employees leave you for someone who pays four times what you offer and gives them a Ferrari as a company car

James Morrison’s Nothing Ever Hurt Like You (since the last one that left for a Ferrari).

Approving new Security Projects

Mission Statement

Let’s Clean Up The Ghetto by The Philadelphia International All Stars. Because it is a known fact that most vulnerabilities come from a Ghetto. In Philly.

Scare tactics, reminding of previous incidents

Bastille’s Things We Lost In The Fire. It was mostly our spare socks and our dignity.

Bonus Track: Your project is approved

Sleepwalking by The Chain Gang Of 1974. What? GTA is known for its excellent soundtrack.

On the painful transfer from IT Security to Cyber Cyber

Seasick Steve singing how You Can’t Teach An Old Dog New Tricks. In fact, his name works very well with my opinion on the Cyber Hype.

The Seven Stages of a Security Incident:

1. Incident identification, classified as a PRIORITY ONE EVENT:

The Blind Boys Of Alabama explain how you will be Way Down in the Hole when your CXO discovers that you forgot to plug that vulnerability.

2. Calming down the team and management, avoiding knee-jerk reactions:

Listen to Louis Armstrong’s soothing voice as he advises that We Have All the Time in the World. It’s a blatant lie, but everything sounds better with Louis.

3. Privately panicking when no one is there to see:

This is Muse, your train is now arriving at Panic Station. ALL ABOARD!

4. Incident Containment:

STOP! IN THE NAME OF LOVE! (and if you don’t like The Supremes, well, then you have a much bigger problem than incident containment).

5. Eradication:

Nightwish’s Over The Hills And Far Away. In case you’re not familiar with this group, trust me — it doesn’t get better than ERADICATING with a FINNISH HEAVY METAL BAND PLAYING IN THE BACKGROUND (make sure to clear any Swedes from the immediate vicinity).

6. Recovery:

Let Leonard Cohen wash over you with Closing Time. It’s all good now. It’s all good.

7. Root Cause Analysis:

John Barry’s From Russia with Love.

Summarizing the constant state of mind of the Infosec professional:

Black Sabbath’s Paranoid. If you play it backwards at 354RPM you hear them swear allegiance to Anonymous.

Uber bonus track: patching Flash one last time (OH MY GOD ADOBE WHY?! WHY?!)

Motörhead’s On Your Feet Or On Your Knees. A tender song of love and harmony, sung by one of the greatest yodel artists of all time.

There you go, boys and girls: next time someone asks you what a typical day in your professional life looks like, just tell ’em that you get into the office, put on a grim face, put on a pair of your favorite headphones (NOT BEATS) and headbang until your manager comes over and asks you if you need the day off.

You’re welcome.

Weekly infosec department staff meeting