- Oct 1, 2025
Let's talk about quitting
- Rich Diston
- General ramblings
There are a few things about how I got here that are important to share. Rest assured, once I have got this out of the way, I won't be using this site (or business) to whine endlessly about the security industry or my career in it. That said, it makes sense for me to talk about quitting - because that is what I've pretty much done.
I've become (probably) the most qualified security risk management practitioner in the world. I'm not saying that I'm the best (whatever that means), simply that I have achieved more educationally than anyone else.
An MSc (with distinction) in security management.
A professional doctorate in security risk management.
Countless lower-level certs in a range of security and risk-related subjects.
In the final year of writing my doctoral thesis, I also took (and passed first time) CISM, CRISC, CISA, CGEIT, CISSP, Sec+, ISO27001 Lead Auditor, ISO27001 Lead Implementer, CDPSE and a bunch of other things that I didn't claim and have forgotten about. Note that - at the same time as completing my doctorate. Most people would struggle to do one of those things. I did them all at the same time.
I'd been around in the industry a long time, and was well aware of what was wrong with it. I've seen behind the scenes of some of the major organisations, and I know where the bodies are buried. I felt that, because I had done all this, I had a responsibility to other practitioners to share what I had come to understand. That doesn't mean teaching them for free. Nobody values free education, and giving it away (or for cheap) devalues knowledge. Plus, it had cost me a personal fortune to acquire. I'd lived hand-to-mouth while struggling to pay for it all. Instead, I mean helping security practitioners to understand more about the actual concepts they need to be effective, and understand more about the industry side of what they are doing.
So, out I went into the world as the most informed person on that subject on the planet.
And nobody cared. They already thought they knew it all. Learning requires humility and an acceptance of inferiority. These are not common traits these days, and certainly not in security.
So, they actively attacked me for the things I was saying instead.
I had IT people trying to debate security principles with me, some of whom were in their first entry-level position after being a waiter the year before. I kid you not. One guy told me that I was 'bad for the mental health of the industry' and that he was going to 'raise an army' and 'come after me'. 'Your time is nearly over,' he said.
Not an isolated incident. I had a mountain of hatemail - mostly from Americans, it has to be said. I'm not a fan, as a rule, and have started avoiding the news. Corruption, stupidity and low-calibre have not just become normalised - they're rewarded. I can't watch. If I were Thanos, I'd put on some jazz and start snapping for real.
So, the very people in the industry I had come to help were fighting me off. I was routinely brigaded, libelled and slandered all over the internet. And by people who, if in the same room as me, would have likely wet their pants rather than open their mouths. (When I say that I am a psychopath, I'm not kidding. I'd happily nail these people to a table and justify doing it. I am not someone to fuck about with in person. My willingness to choose violence is matched only by my aptitude. I'll talk more about it in a later post because it is helpful to think about.)
Social media didn't help. It gives everyone the 'right' to a platform - regardless of the quality of their character or what they have to say. I consider the right to free speech to be matched with a duty to shut the fuck up about things you don't know anything about. But LinkedIn gave people badges and accolades for posting mindless, incorrect information. It was all about applause, and that, folks, is actually all about personal inferiority. When I defended myself against these attacks, the automated systems for my 'protection' banned ME. Apparently, telling someone to 'fuck off' in a single interaction constitutes 'bullying and harassment' - without looking at what I was responding to or any consideration of the legal definitions of those behaviours.
When the people I came to defend fought me off, but still claimed to be serious about something that I was actually serious about, I took a different stance. I became openly hostile to the industry as a whole. My 'Dr Rich' persona amplified the more aggressive parts of my nature. I became what the platforms and industry made me. If I am attacked by insects, it's only just and reasonable to swat them. That is not an excuse, merely an explanation. I don't make excuses.
If it was a fight they wanted, the charlatans could have one. To take money for protecting other people (or their interests) but to fake it? That is the very worst betrayal, in my books. To make public statements about how 'serious' you are, when it is proven that you know nothing about the subject? That deserves contempt in my book. So I went after them. I exposed them, week in, week out.
It has to be said that I never directly attacked an individual. I attacked organisations, behaviours and ideas. These 'serious, ethical professionals' did not show me the same courtesy. I didn't even name and shame the people who really deserved it.
It's a strange thing, to be an autistic psychopath. By rights, I should be out there, taking advantage of the Stupids and making bank in the process. It's certainly in my nature, if I give in to it. Instead, I sought to protect them. Security people and their clients. While I generally detest the human race, I don't believe that they should be preying upon each other. I've had quite enough experience of that, thank you.
I knew that there were others out there like me. Not necessarily with the same neurology, but with a genuine desire to protect others. I decided to try to protect them from the rest of the predatory elements of the security industry. The certification bodies and bad training firms, primarily. The 'security leaders' who were misinformed, inferiority-riddled bullies were also in the firing line.
It turned out to be too big a fight. There are too many of them. I'm outnumbered but never outgunned. I just realised I stopped caring about it.
The security industry - the thing that I dedicated myself to - is dead. It's now full of IT tourists with a job delusion. Nobody knows anything about security, and enough stupidity has been repeated often enough to have become doctrine. Forget the actual foundations of the subject.
My contribution to the security industry is four books (3 of which are worth reading, if you are in that field), and numerous new concepts and models to clarify and demonstrate the value of security work. I've given more to the industry than anyone. I've taken very little for myself in return. That is not an opinion. It's just a widely ignored fact. I am fine with it.
I realised that my cause was wrong. Nobody cares about security. The people who ought to don't (until they become a victim), and the people they pay to provide it aren't interested in learning about it. For the avoidance of doubt - corrupt organisations get what they deserve, and protecting them from their just deserts stretches the credibility of 'ethics' in practice. They all deserve one another.
And so I have walked away from it. I've walked away from the years of sacrifice and the 'status' that I earned. I've done my bit. Nobody could have done more. Real Security Doctor Limited will continue to trade as long as it remains viable, but Energeia is where my contributions are now being made. Fuck 'security people' - I'm here for REAL people - whatever they do.
Now - how many years, how much of your money, how much recognition, title and accomplishment would YOU be willing to walk away from? How bad would it have to get for you to bail out and choose a new path?
We should talk about it.