Monday, May 23, 2016

Title inflation is killing infosec

Title inflation - we've all seen it.  I've worked for one of those organizations where everyone is a director.  Apparently clients feel better about the fact that they are being handled by a "director."  

As a side note, I often wonder if clients know they are being bamboozled by the company.  Probably not - we're wired to want to feel important, so it's probably better off to continue to accept that they are being handled by a "director" even if it is totally BS.

I was inspired to write this when I saw today on LinkedIn that a security wannabe with zero formal penetration testing experience was hired by a firm I used to trust and is now being billed to clients as a "senior penetration tester."  I almost lost my lunch picturing competing against this company down the road.

Why does title inflation matter?
Because clients don't often know any better.  Senior must be better than Junior.  Master must be better than Senior.  And what about the fabled Infosec Evangelist? Where do they rate?

Because there is no standard that specifies what a skills a senior person in any infosec discipline should have, it's easy for consumers to become confused.  It's pretty easy to think that none this matters.  But the FTC cares a lot about consumer education.  If the consumer can't figure out what they are buying, that's usually when the FTC steps in.  The FTC did it with cars (that's why the MSRP  sticker is on the car now).  

Personally, I'd prefer for the government to stay the heck out of infosec regulation.  This job is challenging enough without government coming in and regulating titles or licensing practitioners (which is arguably the easiest way for the government to regulate titles).  If you think that sounds crazy, know that the UK government already largely did this with CREST.  They then tried to bring this to the US with the NBISE, so it's not out of the realm of possibilities.  And once the government gets involved with regulating an industry, hold on tight.  In GA for instance, it's a crime to arrange flowers without a license.  Freaking ridiculous.

Anecdotal story time
At Rendition Infosec, we hire only the best.  But I also don't inflate titles (or egos).  But I have to deal with the fallout from lack of title inflation all the time.  I don't care what my employees call themselves internally - and I can't share some of the "internal use only" titles they've come up with for each other - but titles matter to clients.  

On a recent bid, a client came back and told us that they liked our bid but that a competitor promised to only use "senior penetration testers" on the engagement.  I asked if they understood what that meant.  They admitted they didn't know, but they must be better than the regular penetration testers Rendition had promised to use.  We took that challenge and provided resumes for our testers.  The competitor provided resumes for their "senior penetration testers."  Ours won hands down.  The client suggested that maybe we should give our employees new titles.  While I pragmatically agree that might help win some bids, I can't become part of the problem.

Parting thoughts
I would be happy to write some guides in helping consumers shop for infosec services if there are people out there that think they would be valuable.  In the mean time, educate the customer about what you can (and more importantly can't) do and check your inflated titles at the door.  If you manage people in infosec or are running a business, please stop over inflating the titles of the people who work for you.

1 comment:

  1. DoD tried to solve this problem with 8570 and all it did was over inflate the value of crappy certifications. CISSP and CEH 'qualifies' you for almost any Cyber job in the DoD. OSCP and GXPN aren't on the list so they don't count for anything if you want to be a DoD Pentester.


Note: Only a member of this blog may post a comment.