Information Asymmetry & InfoSec: Negative Fun. Limited Profit.
In Wealth of Nations, Adam Smith starts to build out a concept called “Information Asymmetry” concerning free markets. I say he “starts to build out” because it wasn’t a focal point of the work, and it wasn’t a topic given much ink for a few hundred years, give or take.
So, how then does Information Asymmetry apply to Information Security and, as our British friends say, what am I on about with all this?
I believe we have a considerable amount of Information Asymmetry in the InfoSec market and I believe it fosters con men (con persons? con people?), scammers, and charlatans. Simply put, I believe Information Asymmetry in the market empowers people and companies that are completely full of shit. This post will cover the symptoms, what I believe are the causes, and then how we in InfoSec address them.
We all know the script. Bob walks into a meeting or has a conversation, and you know he’s 100% full of it. Yet Bob walks away with millions in funding or support from your C-suite. You say to yourself, “What just happened?” Perhaps you saw and heard Alice’s presentation on her new offering and product to the sales team and you were completely befuddled to hear the EVP of Sales say, “Now THAT was JUST what we needed.” What sort of sorcery was that? How did Bob and Alice do the voodoo that they do right under your nose?
First, let’s cover the key attributes of the charlatan or the con man.
Confidence. Hey, you can’t have a con man without confidence. Every one of these charlatans that I’ve come across exudes confidence. When you first meet them, you’re blown away by their swagger. They seem impressive at first glance.
Presentation. They dress the part. They speak and present themselves exceptionally well. They have energy. They can usually command a room or remote meeting. In an industry with so many introverts and socially awkward folks, these people shine. They stand out.
Fraudulent backstory/anecdotes. Most of these folks have either small or large parts of their backstory that are completely made up. Jobs, people they know, projects they've been on: pure fiction.
Constant movement (job hopping). I know a ton of people who move jobs every 18 to 36 months. I get it. No problem if that works for them. One thing I notice about the charlatan is that they tend to hop jobs more than most. Of course, they rarely leave their last gig on good terms, and with HR regulations being what they are, you can never officially get feedback from their previous employers.
Credit stealing. The fraudster never has a problem taking credit for good work that isn’t theirs. Of course, as we all know, they also never accept responsibility for their failures.
Enough self and situational awareness to not get cornered or to dodge. I was in a meeting with a charlatan a few years ago. He was attempting to "educate" Haroon Meer on the difference between “honeynets” and “honeypots.” Laughable, right? Hilarious. Haroon politely asked for some one-on-one time to be educated. “Sure, I’d love that. Let me get back to you,” said the fraudster. Obviously, a follow-up was never scheduled. I knew another con man who would correctly read the room and then go just one level deeper than the audience. If someone more knowledgeable was there, he would either not attend or filibuster with bravado and nonsense. And it worked. He’s been hired by the likes of Cisco and other household names for years.
Appeals and alignment with the right leadership. Con men and women are incredibly adept at reading the power structure of an organization and aligning themselves - sometimes in shockingly transparent ways - with leaders.
All this leads to a charlatan having the mindshare of people in an organization that matters. It’s a problem. It’s a problem because we have so few controls for these people. Additionally, the problems they can cause are considerable and wide-ranging.
This brings us back to our friend, Adam Smith, and his musings on Information Asymmetry. I’m suggesting our industry is broad, deep, and yet still very niche and very technical. The individuals with whom the charlatan interacts can’t and don’t know the con man is a con man. They simply can’t tell the difference between someone who knows InfoSec and a scammer. They want to. They need to. And in most cases, they have the best of intentions. After all, who actively wants to be scammed? If you're the COO of an advertising firm, you're going to be the victim of Information Asymmetry. The same goes for the EVP of Sales, and so on.
What do we do? The first thing we have to do is acknowledge the problem. That’s easy, kinda. Most in the industry know it and we all see it. Next, I think we have to see what these charlatans do and how they do it. Then we have to acknowledge the outcome. What is it these people are doing? How does it happen? What does it lead to, and do we care about it? Another area where I think we all need to do better is using our network to validate work history. I realize there are legal and HR implications here but, honestly, what are the alternatives? Finally, I think we need to think about the task of building up the InfoSec consumer - the COO and the EVP of Sales from the earlier example - to minimize the impacts of Information Asymmetry. That is one of the main points of this post.
How do we bolster folks who don’t have the skills to spot the local con man?
First, we have to realize we will never eliminate this problem. The charlatan is as old as humankind itself. But if you’re in InfoSec, you have at least a passing understanding of risk management; we’re never going to eliminate the risks caused by con men because we’ll never eliminate the con men per se.
Secondly, we need to accept the power of confirmation bias and understand that some folks will simply believe the con man based on their own biases. For example, I knew people who were biased in favor of their own countrymen. So, if the presenter had a South African accent, they were 80% of the way to believing whatever was shoveled at them. I also know many people who implicitly (and sometimes explicitly) trust military or former military personnel. No matter what the con man said or did, the fact that they served in the military was enough of an appeal to authority. Sometimes the “victim” falls for the con man's nonsense because they hired them or previously supported them in some way.
Next, we need to lean on our networks. Yes, officially calling a former employer and getting feedback is nearly impossible (in the United States, at least), but we’re all one or two degrees of separation away from each other. It shouldn’t be hard to get a reference. (Now, what do you do with these references? That’s up to you. I once got nothing but bad signals through my network on a guy I was going to hire. I didn’t trust my network and hired him. I got burned. Badly.)
The next task is education. I know this sounds trite or a bit like a cop-out. As people in good standing within the InfoSec community, it’s our job to demonstrate what quality, sincerity, and skill look like. We all need to continue getting better at meeting business leaders and consumers where they are. I say "continue" because I truly believe we are light years ahead of where we were 20 years ago. As InfoSec practitioners, we have access to nearly everyone in the organization these days. Let's use that access for progress and positive results.
Finally, there’s confrontation. Look, I get it. Confrontation is never fun and it’s never really easy (for most). If you’re anywhere above junior level in your organization, you may have to confront the charlatan walking in your midst. There’s no hard-and-fast rule for this. I’ve tried, “No. There’s no way that’s true” and, “Can we cut out the hand waving and maybe talk clearly and directly - potentially with the whiteboard - about what you’re proposing?”
Cons work because we want to believe. Fraudsters prey on our desire for there to be a single, immediate answer, and clearly on our desire for that answer to be held in their heads. They also use Information Asymmetry to their advantage. They have their answer, and they know the victim doesn't know any better. They know the victim is dazzled by their approach, their confidence, and their purported prior experience.
As hiring managers, as leaders, as buyers, and as humans, we have to do better at spotting, avoiding, and confronting them along with the snake oil they’re peddling. Additionally, we have to do better when it comes to helping those swindled by Information Asymmetry vis-a-vis these scammers.