- Jul 9, 2025
'Thought leadership' in security
- Dr Rich Diston
Sometimes, I get accused of being a 'thought leader'. It's a word that gets bandied around a lot. People often self-identify as 'thought leaders' or even just 'leaders' in general. Fun fact - leading is something you have to do before people call you one. Unless you have a LinkedIn account. Then, you can be whatever the fuck you like, and liberally sprinkle it with emojis like a real asshole.
Reality and truth don't matter anymore. Most of the people who call themselves 'leaders' in the industry are just confusing a middle-management job title in a despised department with something more meaningful. And most of them are lost. I know, I've talked to enough of them. Where do you think they are leading anyone? (And you should see how some of the biggest mouths did on The Bitter Pill every week, where I ran a poll on basic security risk knowledge and thinking. These people are still drawing salaries. Yikes.)
One person who labelled me a 'thought leader' was Professor Martin Gill - quite possibly the most respected security academic in the world. This happened during my appearance on his podcast, and I consider it high praise from such an esteemed individual. It was an enjoyable conversation, even if there are areas where we don't agree.
One of those areas is that I am not a 'thought leader'.
As I explained during the call, 'thought leader' is a term with a very specific meaning, and it comes from marketing.
You start a business. You're out there in the market, the same as everyone else. At the bottom end of the market, you are selling on price and become an unvalued commodity. That's no good for you. And price buyers are the fucking pits to deal with. Plus, you need more of them just to break even.
So you might begin to try to differentiate yourself and show the market that you know your onions. You start sharing your knowledge for free in an attempt to attract clients and build their confidence in you. This is what 'thought leadership' means - you are trying to lead your audience to you with 'free insight', so you can sell them 'the good stuff'.
Of course, it doesn't work. There are several problems with it.
Human nature doesn't work that way. People who like 'free shit' seldom pay for anything (being a filthy freeloader becomes a habit).
It devalues insight. It's worth every penny you ask for it. People look at what they get and what they paid, and think the price is the value.
You cannot suddenly start charging people for things you give away for free. The market won't have that.
You need to present an extremely sanitised profile so that you don't say or do anything that might repel your audience. This leads to the production of the same pathetic, saccharine, safe content as everyone else. Leaders lead because they have a vision, and they don't much care whether everyone agrees or likes it. Only the weak try to be all things to all people.
So, I don't give away 'free insight', and I don't care who I upset, so I cannot be a 'thought leader'. Sure, I share some ideas, and some people are sharp enough to dig a little deeper themselves and learn something. But most of the deeper thinking and nuance is chargeable. I'm a world authority on the subject of security risk management. What else would you expect?
Am I a 'leader' in general? I don't know. I certainly set an example that others in the industry follow - or not.
You can find my interview with Martin Gill here - https://www.securityinconversation.com/2317153/contributors/106625.