This blog post takes notes from an excellent talk by Richard Hamming called “You and Your Research” (full transcript here). It's interesting how some talks leave a mark, and you derive your own conclusions and way forward when you spend enough time thinking about the topic. Over a period of time my thoughts have changed on this particular discussion, and I have tried to outline those points below. A large number of people have talked about this talk in various manners, so I would not like to do that again but rather point you to this and this.
There was a time when I used to refer this to almost any of my fellow colleagues in the information security industry as a must read / watch, telling them to look at what he is talking about: it made so much sense. However, I have stopped doing that now, or rather I have started to caveat it a lot before I ask people to go through it.
There are some points about that talk which I kept missing:
Focus of the talk is “researchers”
This talk was given to researchers who had volunteered and joined a program to be researchers. The expectations from a researcher are much higher than from a practitioner.
The information security domain is maturing, and people are not in this domain just for the sake of fun; there is an established curriculum in the picture which is creating the workforce now. With that in mind, each time you recommend this talk to someone you might have to check who they want to be: a practitioner or a researcher. And let's be very clear, both have their own place and no one is bigger than the other.
Similarly, Hamming brought out a point about “great research” early in the talk and clearly identifies that the talk is about great research: not even first-class work, only great research. There is a point being made about “Why shouldn’t you do significant things in this one life”. I agree with the sentiment personally, and hence the reason I spend sleepless nights or focused months trying to figure something out, and I still find myself far far away from those legendary scenarios. However, this is the key point to remember: the recommendations are for that narrow set of people who want to be the best of the best in that one specific area.
I also tweeted something on similar lines a couple of days ago:
after spending a decade or more with self motivated people and communities built around propagating a specific technical specialization it gets hard to realize that some people in IT(sec) might just want to do job for money and not for greatness or altruism. And that's OK
— Anant Shrivastava (@anantshri) March 22, 2021
Cyber Security: passion or profession
That brings me to an important point about this whole thing. You and Your Research is a must read/watch for the researchers amongst us, but not all of us want to be that and not all of us will make it. This is where we in infosec fail most of the time: we generally have “go big or go home”, all-in-or-nothing strategies, as most of us have joined infosec as a lucky coincidence of being in the right place at the right time and having a hobby which suddenly became an earning potential.
I remember that a few years ago, say in the 2016-2018 timeframe, multiple individuals and concerned parents contacted me about cyber security as a prospective career. I made a slide deck in my early career which I would refer individuals to, and lately I have also been giving them this Daniel Miessler article. I would generally make a big deal about the fact that this field is constantly evolving and people need to spend a lot of time to keep themselves up to date. While mostly true, this is again one of those scenarios where what worked for me doesn’t necessarily mean it works for others. However, there is a key point I kept missing and failed to realize for a very long time: not everyone is in this profession to be great. Not everyone is in this profession to be a researcher.
We will keep finding more and more people now who are in it just as a routine 9-5 job. As this sector pushes towards a more organized way of working, those 9-5’s will effectively be the majority of the workforce, and we all collectively need to come out of the grandiose delusion that we, as in the whole of cyber security, are here for altruistic reasons. Hacker as a keyword could be altruistic, but cyber security as an industry is an organized sector with clear agendas, and we either play by its rules or replace the rules, but eventually we will be working under stipulated conditions.
An important learning I have gotten in my years of mentoring is that what worked for you might be an edge case for your mentee. Always put yourself in the other person’s shoes before you make comments or suggest changes.
Recently I was invited to keynote at Diverseccon, and I took my chance to explore more on this theme: that infosec is much more than a passion-based hobby and we need to focus on making it a much more receptive environment.
I still have a few more tangential thoughts that I would like to talk about, but that will have to wait till the next blog post.