I normally try to post only original content, but I ran into an interview with Matty Beddoes at Tripwire's The State of Security which is worth sharing. It is a good reminder that security is not just about controls and suits but also about hacking (learning driven by interest), and that having the correct mindset really helps.
Here is the money quote:
It’s never a good idea to mess with a 16-year-old, especially one who can use a computer to cause chaos. Honestly, if they had said “Thank you,” things might have turned out differently. But they didn’t.
Sadly, that’s not a unique reaction in today’s industry. In fact, I find that IT staffs generally do not want their managers to know of a vulnerability for fear of looking bad at their jobs. This creates an unhealthy environment where no one wants to hear about vulnerabilities. If you talk to the staff, they will just ignore you, and if you contact the manager, they will take it personally and think you’re criticizing their staff. You’re blocked either way.
This problem is found all over the place but it usually changes after a company has been hacked. And that’s where I came in.
I have also seen this attitude a lot, although I welcome the people that find themselves at the other side of the engagement and see the opportunity that is being given to them to learn and grow, and even make a business or career out of the experience.