Category Archives: Security

The fine art of shutting up

A few years ago, I attended a two-day work meeting with a few dozen others from all over the world. The latter part matters: though the meeting was conducted in English, a majority of the attendees weren’t native English speakers and in quite a few cases not exactly fluent in English. (I lived in England for many years and consider myself a fluent speaker, but I am not a native speaker.)

At the end of the meeting, a brave individual pointed out that most of the talking had been done by a small number of individuals, all of whom were fluent in English. By the time he himself had put his thoughts into English words, he said, someone else had already started speaking.

He was right. And I had been one of those individuals.

This was rather awkward, as once upon a time, I too had been one of those people for whom attending a meeting in English meant spending a lot of effort just to comprehend what was being discussed. It made it harder for me to be an active participant, just like now it was harder for others.

There is a relatively simple solution to this: the use of microphones and session chairs who ensure that people only speak up when they have a microphone; and ideally also make sure that it’s not always the same people who are speaking.

Since that meeting, I make a point of only speaking when I have been given a microphone, even when a chair doesn’t enforce this rule. But also, because I know I may forget this when I get passionate about a subject, I try to take a seat at the back of the room, from where I can’t easily start having a one-on-one discussion with the chair.

Finally, this isn’t just about non-native speakers. It is known that women and other members of underrepresented groups tend to be disproportionally ignored in meetings. These rules should also help make them equal participants in such meetings.

De-escalation of privileges

There are a great many diversity initiatives in the tech and security community. They make me excited, optimistic and occasionally a bit sceptical about the real intentions of the company organising them. They rarely if ever make me feel uncomfortable.

That is strange. I am a white man to whom you can easily apply half a dozen other adjectives to show I don’t belong to an underrepresented group. In a parallel and more diverse universe there are fewer people like me on company boards, on conference programmes and in your Twitter timeline. And maybe one of these fewer people like me would be me.

I am used to talking about my career in security as one where I have combined hard work and talent to find the right opportunities. But that is only half of the story.

The other half of the story is that to many people I will have looked like the kind of person who could do the job, or give the talk. Research shows that this too makes a different even among people who don’t think they have such biases. (Which, no doubt, includes me.)

And thus I got my first role at a security company as a Perl developer based on three websites I had once built and a few scripts I had written in the decade previously. And thus no one ever questions my credentials as a ‘former academic mathematician’, even though I never finished the PhD thesis I was paid to write. (I don’t think anyone has ever asked me the question how I deal with a big deadline four years into the future. They should have.)

On the contrary, people regularly overestimate my knowledge on technical subjects and confuse an ability to casually discuss a subject with a thorough understanding of it. When I quietly correct them, it is from a position of confidence, not from one where I have to worry I confirm to biases they had about me. I can afford such a position.

Those two paragraphs were surprisingly difficult to write. It is very tempting to think that it wasn’t me but that loud-mouthed CEO or that misogynistic programmer that benefited from the lack of diversity. That I am a neutral outsider in this story. But diversity (and the lack thereof) is far more subtle and complicated than that and I think it is crucial to acknowledge how my privilege has affected me and my career.

So if your diversity initiative doesn’t make me — and people like me — feel at least a little bit uncomfortable, chances are it isn’t very good. And if I don’t use my privilege to actually try to make this community more diverse and more welcoming, even if this would make things comparatively more difficult for future versions of myself, I had better stay out of all the diversity excitement.

So let me do that. And you are welcome to hold me accountable.

Public service announcement: links to blog posts I’ve written

I have been doing a lot of security blogging recently, at Virus Bulletin, but also at other places. I will collect these articles here on this blog, with the permalink going to the respective articles. If you care about the things I write, you may want to add the RSS feed to your RSS reader.

Don’t hesitate to contact me if you’d like me to do some writing for your blog or website.

(And please bear with me while I will add blog posts I’ve written in the past three months.)