Besides the white hat/black hat divide implicit within the world of InfoSec, there is another divide of mindsets—that of the corporate InfoSec individual and the government security individual. Their career paths are similar: They go to school, learn on the job, and hang out at conferences and user-group meetings. They decry the problems that software developers put in their paths and passionately debate how to fix the technical problem that is their personal pet peeve.
But there are differences in some very fundamental ways. The corporate InfoSec employee is working to protect his or her company from hackers, script kiddies, and, at the extreme end, perhaps the occasional nation-state actor. Terms like "DDoS protection" and "intellectual property" roll off a corporate InfoSec person's tongue pretty often.
The government security employee's thought processes revolve around terms like "criminal prosecution," "chain of custody," and "intelligence briefing." Nation-state-sponsored hacking is a normal issue for them, not an extreme one. So where does this divide start?
Right from recruiting. A couple of years ago, the National Security Agency (NSA) had recruiting booths at various information security conferences. So did plenty of private companies, of course, but the emphasis was different. The NSA's pitch isn't about the awesome pay or the Foosball table in the breakroom. Instead, it's about protecting the country, getting a security clearance, and working with some of the most advanced systems in the world.
And those differences are important! Want to work with a startup with an exciting idea, little structure, and the space to improvise? Fantastic! Go for it! Heck, even the CIA started a venture capital fund!
But they didn't start an incubator. Those types of companies are commercial, not government. Government work is a bit more structured, a bit more methodical and purposeful. And the purposes are rarely the next Facebook.
Instead, the purpose of government work is to attack, defend, examine, analyze, and understand the systems of other nation-states, of hacktivists, or of any group threatening our country. In the case of law enforcement agencies, it's a lot of forensics and some interesting hardware hacking.
So why does this matter? Because people can cross over in both directions. Sometimes it's possible to get an amazingly talented startup worker out of government service, and sometimes it's possible to get a red-tape cutter into government service. The advantages of either are hard to overestimate. DARPA's Cyber Fast Track (CFT) program, run by Peiter "Mudge" Zatko, got security research out of small teams and individual hackers for a small fraction of what the same work would have cost through traditional defense contracting. Trace the pedigree of GIS (Geographic Information Systems), and you go back to satellite imaging from the military and intelligence communities.
There are entire offices, groups, companies, and communities devoted to helping government benefit from industry, and industry from government. They exist to wring every last iota of value out of the money and effort spent on ideas and technologies developed by and for the government. Most of them are free to use, and all of them are used to shepherding people through the bureaucracy.
Could your company or agency benefit from looking over the fence at the grass on the other side?