Broadly speaking: skill diversification in the AV community

2008-10-01

Hannah Mariner

HCL/CA, Australia
Editor: Helen Martin

Abstract

Hannah Mariner shares her thoughts on how allowing people from diverse professional backgrounds to enter the AV industry can help strengthen, prolong and add direction to the industry as a whole.


If someone asked you to describe your first day on the job, in 25 words or less what would you say? My response would be this: I was as green as Kermit. After weeks in Malware 101, the concepts were still mysterious and hazy. I pretended a lot.

A very small case study

Having never imagined a career in the AV industry, it happened in one of those serendipitous twists of life. A three-month maternity leave vacancy opened at CA, the software company at which I worked, and I stepped up to fill the temporary role of technical editor.

I researched. I read numerous articles and dictionary definitions and security blogs and websites to try to familiarize myself with the material I was about to work with. Yet, I was desperately unprepared. On my first day, I might have been able to tell you what a virus was. Might have. As for ‘polymorphism’, ‘Browser Helper Object’, ‘rootkit’ – well, you’re kidding me. I hoped that my new team members were unaware of my feelings of fear at being lost, but as far as I was concerned, I was illiterate. If this was the alphabet, I was starting at ‘A’. I had no real knowledge or understanding either of malware itself, or of the industry built around it.

Hold on to your assumptions, though. My placement in the role was not a misplacement, as you might first think. I did have things of value to bring to the team. I had a broad knowledge-base of communication styles and strategies; I could talk to people, one-on-one; I dealt with spelling misdemeanours as smoothly and naturally as James Bond delivers a self-introduction; I liked to sit with a clunky paragraph for an hour just playing, as though with pieces of a jigsaw puzzle, until the words suddenly and gloriously began to belong to one another. Those skills, utterly unrelated to malware, were enough to keep things going day to day; and six months later when things relating to malware and the anti-malware industry had sunk in a good deal more, those skills allowed me to bring a new and fresh perspective to my co-workers and, I hope, the product we represented.

A quick look at industry traits

Aside from any personal meaning my story might have to me or even any humanist meaning it might have to you, I think that parts of my anecdote are important in a larger, communal context, in the sense of industry diversification, innovation and survival: the recognition that generalized skills can be put to wonderful innovative use, especially in a niche, highly specialized industry. While it is becoming more common to meet people successfully contributing to the industry without specific security qualifications, it is true to say that the anti-virus field is difficult to enter unless you already have an IT background. And while it is a technical field requiring technically proficient minds, it’s also, from my experience, a field that could reap sound rewards from looking for potential in applicants from non-IT backgrounds.

Recognizing this as an industry that tends to be closed, it is worth looking at some of the peculiarities that encourage this atmosphere. A caveat straight up: this is a broad-stroke piece based on a broad-stroke idea about widening the reaches of the industry in which I work, so some of these points will sound, well, broad.

  • The AV industry has a unique market position. From the beginning, the anti-virus industry has occupied a very specific, defined and distinct pocket of the software marketplace. It has traditionally sought workers either with these specific skills, or with as close a skill-set match as possible.

  • The AV industry is mature. When researching the historical annals and putting numbers and years to things, this doesn’t seem like an old community. Some of the veteran anti-virus companies like Sophos and McAfee are 20 years old or slightly over. However, this is a mature, well-established field with solid social, financial and professional structures, and heavily reinforced processes and practices.

  • The AV industry has active stakeholders. Related to the point above, the industry has founders of sorts – pioneering researchers and managers who were there in the industry’s early years and who remain actively involved and invested in the business now. You could say that the industry has a fair bit of ‘living history’.

  • The AV industry values cooperative interpersonal networks and relationships. This is an industry based on prized and tightly woven professional networks. By its very nature, the anti-virus industry has had to be positioned, particularly in the past, to summon immediate, coordinated, global responses to alarm bells; for example, in times of virus outbreaks. In the past it has depended on interpersonal networks robust and secure enough to quickly communicate information and respond with solutions – and it still does.

  • The AV industry has an inner circle. Being a community of people committed to serving a protective function, there has been at least the perception of there being an elite, inner circle of knowledge-holders, in stark contrast of course to another group, the knowledge-deprived.

The perceived inner circle

The last point is the one I’d like to pick up on a little more. It seems to stem from the conceptual themes behind the mission statements of most software security companies – that of protecting and defending those who don’t know how, the defenceless and unaware; that of participating in a classic ‘goodies vs baddies’ set-up and of the importance of trade secrets in keeping ahead in the battle. As in all industries, but especially in this one, the difference between the knowers and the don’t-knowers is crucial, and has been noted before. As pointed out by Peter Svensson on Security Focus, ‘Ludwig, who went on to write The Big Black Book of Computer Viruses and similar collections, believes the anti-virus industry thrives on secrecy and mystique and is loath to spread knowledge.’ [1]

The proposition of the knowers and the don’t-knowers was also dealt with in a 2005 essay by Jessica Johnston, who explains the purpose of CARO, a ‘very elite group of AV computer researchers created by the researchers themselves out of the necessity to share specialized, restricted and what they consider to be dangerous information’ [2].

Having introduced CARO, Johnston presents us with the juxtaposition of CARO and REVS, a now defunct group that was ‘started by a groundswell of frustration fuelled by the lack of information distributed by CARO when an actual global virus broke. REVS was an organization of AV vendors who shared information about viruses and virus outbreaks with each other.’ Eventually REVS disbanded, prompted, Johnston claims, by the fact that ‘people and organizations could not afford, literally and symbolically, to be out of the CARO information stream. The need to disseminate urgent and vital information about a global virus outbreak was repositioned by CARO as a dangerous attempt to spread secret information to untrusted and potentially unethical “anybodies”.’

While it’s difficult to ascertain how much of either scenario is true in practice, it is certain that the perception of the knowers and the don’t-knowers is real. Arguments about the reality of the situation aside, the perception is in itself an area for examination, reflection and, potentially, change.

Why diversify?

There is a notion in business theory which says that ‘any innovation is founded on novel knowledge or a novel recombination of existing bits of knowledge’ [3]. This idea of innovation through novel reapplication, with a specific focus on the anti-virus industry, was also touched on in a 1996 article by Sung Moo Yang, who makes a lengthy case for the idea that ‘innovation of AV technology could come from existing theories and technologies that are applied to AV’ [4].

Though on a small scale, my personal experience supports the concept that investing a little extra time into the development of talent from a non-IT background can actually bear fruit and be considered an investment in the literal sense, ‘the commitment of something other than money (time, energy, or effort) ... with the expectation of some worthwhile result’ [5]. I’m convinced that allowing people from diverse professional backgrounds into what can be an industry of knowers and don’t-knowers, is one way forward and is one viable way – among others – to strengthen, prolong and add direction, vision and life to the industry as a whole.

Bibliography

[1] Svensson, P. Antivirus industry steamed over virus article, college class 2003. http://www.securityfocus.com/news/5698.

[2] Johnston, J. Communications with Global Space: Negotiations of local/global tensions within the computer antivirus industry, p.6, 2005. http://www.mang.canterbury.ac.nz/anzca/FullPapers/12CultureCommFINAL.pdf.

[3] Ferreira, M. P.; Serra, F. A. R. Open and closed industry clusters: The social structure of innovation, p.11, 2008. http://www.globadvantage.ipleiria.pt/wp-content/uploads/2008/06/working_paper-24_globadvantage.pdf.

[4] Yang, S. M. Productivity, Technology and AntiVirus Industry. 1996. http://web.archive.org/web/19990428133500/http://www.intergate.bc.ca/personal/yang/avindust.html.

[5] Retrieved on 20 September 2008. http://www.thefreedictionary.com/investment.
