The world of computer security can often be a strange and compelling one. Many outsiders, or those with little knowledge of computers, just dont understand the whole uproar over various issues, such as whether Microsoft Vista is more secure then Linux or Mac. Its all moot as far as the general population is concerned. But, for those of us who work in the industry, it is just more grist for the mill.
Another facet of this industry, for those of use who are contractors in this environment, is the level of access we have to a clients upper management. Typically as a contractor retained perhaps for a pen-test or vulnerability assessment you will likely be dealing with the CSO, CIO, or other such high ranking individual. The same does not really apply to temporary system administrators or temp agency secretarial staff; they dont interact by default with the upper echelons of the corporation like the computer security contractor.
Which brings us to my point: It is no longer enough to have excellent computer security skills in your given domain; you must also possess excellent business savvy and people skills.
Heres a good example: Recently, a friend of mine had a contractor performing a remote pen-test at company X. I was around at one point and the guy came up to me and started yammering about how he had totally pwned the clients network, and then started going on in leet speak. It was a painful experience, and most irritating to listen to, but it nicely makes my point.
There was no way that this contractor should ever interact with the actual client, which meant that my friend had to handle the client himself when delivering the report and going over it. Not an ideal situation to have, really. Each person should be able to conduct the client engagement from start to finish.
I was reminded of this by a more recent incident that youre all likely aware of if you read SecurityFocus or the Matasano blog, specifically the latter, where they challenged Joanna Rutkowska on the ability to detect her BluePill rootkit. Her response was that she would happily accept the challenge if they would pay her the cost of having developed BluePill, which if memory serves was $400K by her account. Now, Im not a peer of either Joanna Rutkowska or any of the Matasano crew. Im not even a programmer, let alone an exploit seeker. With that said, Joannas response to the challenge strikes me as someone who was pissed off. And I cant say I blame her, really.
Likely a far better way for Matasano to have handled the claim of BluePill detection would have been to contact Joanna offline rather than challenge her as publicly as they did. That would have likely led to a far better resolution, and from a business perspective, made a lot more sense. Who knows, there could have been a third-party evaluation of the rootkit as a result. Business pays the office rent, and more importantly the mortgage. Backing someone into a corner, in a public venue no less, just isnt a good idea.
Another good example of hacker ego, or just plain bad business sense, is the way some exploit researchers have chosen to engage with commercial companies.
One such case is the much ballyhooed Michael Lynn versus Cisco debacle. Michael Lynn made claims about being able to hack Cisco routers, which would basically result in the widespread exploitation of the Internet backbone - and imagine what the result of that would be. This claim has led to Lynn being forced out of his job with ISS and large legal fees. And for what? Has the Internet ground to a halt? Is there widespread Cisco router exploitation? Nope.
Dont get me wrong here, I very much respect the ethics of people like Michael Lynn and the price he was willing, and did to an extent, pay. Personally, I just dont think it was worth it. He would have been far better to have worked with Cisco behind the scenes till whatever exploit he professed to have found was fixed. Nothing good came out of this, except for the titillation of Black Hat attendees.
It is no longer good enough to be a talented security researcher; you also have to have good people skills, as well as excellent business acumen. With no shortage today of skilled security people, you need to distinguish yourself from the pack by your actions outside of the binary realm. Being smart is a good way to start.