Like lots of people, I have an account on LinkedIn, the social networking website used by so many professionals in IT (and other areas, of course). It must be said, though, that at this point I don’t access it much. Being already semi-retired, I’m not too concerned about having a network of people I can approach about alternative employment if I suddenly lose my customers in the security industry. The groups I’m a member of sometimes flag an interesting issue, but an increasing number of the messages I get via LinkedIn are a little annoying. For instance:
- People I barely know hoping I’ll get them a job in the AV industry, or help them to sell their technology to the company from which I get a large proportion of my income, or persuade it not to detect their applications. Sorry, but I don’t work at or even directly for any AV company: I supply one particular company with services, and those services don’t cover HR, business development, or detection maintenance. I think that’s pretty clear from my profile, but there seem to be people who aren’t clear on what I actually do and are hoping that my role and their needs will coincide. Hopefully, one or two of them will read this article.
- Editorial staff from certain publications hoping to get another free article out of me – yes, I do write for free from time to time, and sometimes they’re even time-intensive technical articles. However, I do expect commercial concerns to ask nicely, and if I agree, I expect them to give due credit to me and the company that pays for the time it takes me to write a ‘free’ article… There are, in fact, publishers whose staff I won’t accept as LinkedIn contacts anymore because to do so is always followed by requests for freebies for which they’ll expect me to sign away all the rights. (Sorry, guys, I’m not that desperate for exposure at this point in my waning career.)
Then there are the recommendations and endorsements.
Recommendations are, more often than not, requested by one LinkedIn subscriber from his or her LinkedIn contacts, though there’s no reason you can’t recommend someone spontaneously just because you think they deserve it. Obviously, if they request a recommendation and you don’t think it’s appropriate, you have the right to decline. However, it’s basically an opportunity to say something nice about someone in your own words, so might be of some use to a third party who trusts your judgement enough to find your assessment helpful.
Endorsements are a little different. Again, you can attribute some desirable skill to one of your contacts, whether or not they ask, though you can’t qualify it with free text. In fact, they may not need to ask you because sometimes LinkedIn will prompt you with questions like ‘Does Fred Bloggs know about sheepshearing?’ One reaction to this might be ‘How would I know that? I only know Fred because we’re both directors of the Bank of Ruritania!’ Another reaction – I suspect more common – might be ‘I didn’t know that, but if he says so, I guess he does.’ Certainly, if one of my security contacts had told me directly that they have particular expertise in SCADA (Supervisory Control And Data Acquisition) or SIEM (Security Information and Event Management), for example, I’d be inclined to believe them, if only because it’s commonly part of the security geek mindset not to claim knowledge you don’t have.
As it happens, having spent a great deal of time in other areas of security before I was assimilated by the anti-malware industry, it didn’t worry me at first when I started to see people endorsing me for areas of expertise apparently relating to my earlier career in more general security rather than anything directly related to the anti-malware industry, which has provided the bulk of my income since 2007 or so.
But then I started to see endorsements in my mailbox for my expertise in PCI DSS. Well, I’ve heard of it – I don’t spend all my time thinking about botnets – but I had to check exactly what it stood for (Payment Card Industry Data Security Standard, in case you were wondering).
Well, I didn’t get here – wherever here is – without knowing something about credit card fraud and so on. I even know something about a whole load of standards like BS7799 and its close relatives (for obvious reasons, I’m better on UK standards than US) but I’ve never claimed expertise in PCI, in a social network profile or anywhere else. And while I was putting this article together, I also found that I’d been endorsed as CEH (Certified Ethical Hacking) certified. I’m not, even though I’m not entirely ignorant of the gentle art of penetration testing (but it’s never actually been part of my job, so I don’t claim that as a skill either).
So where does this imaginary expertise of mine come from? I can only think that people are seeing ‘Does David Harley know about PCI DSS?’ prompts and assuming that I must have claimed that I do, whereas LinkedIn is simply guessing that I might have some expertise in the topic, perhaps because some algorithm related to analysis of security professional profiles does include the string ‘PCI DSS’.
Well, I suppose that’s also a guess rather than a conclusion. But it does seem clear that while you might trust your friends and contacts to claim only the expertise that they actually have, you can’t trust LinkedIn to assess accurately what their expertise might be: the question ‘does X know about Y?’ seems to be semi-random, rather than reflecting claimed expertise.
So to all the people who’ve kindly endorsed me on LinkedIn, thank you, but there isn’t going to be a quid pro quo, however often LinkedIn tells me “now it’s your turn…” While there are many LinkedIn contacts in whom I can place a great deal of trust, I can’t trust LinkedIn to ask the right question, and I’m not comfortable endorsing people for a skill if I don’t know that they’ve got it, or even claimed to. LinkedIn’s suggestions are evidently too random to be trusted.
In fact, it seems to me that this random prompting makes the whole endorsement exercise essentially valueless, so I won’t be making any more endorsements at all. And, of course, I won’t be approving endorsements from others for skills I don’t have. In fact, right now, I’m wondering if there’s any point in my having a LinkedIn account at all, except to avoid confusing a sizeable network of contacts.
David Harley CITP FBCS CISSP
Small Blue-Green World