No Such Thing as a Stupid Question: Why Knowledge Shaming is Making Us Less Secure

Conference: BlackHat USA 2021

Encouraging knowledge sharing in the cybersecurity industry
  • Define target audience
  • Set clear rules for interacting with information
  • Ensure give and take in knowledge sharing
  • Use appropriate medium for sharing information
  • Learn outcome-based storytelling
  • Develop solutions collaboratively
  • Leverage trusted networks and connections
  • Establish frameworks for safe knowledge sharing
  • Contribute to the industry and seek out opportunities for knowledge sharing
  • Treat others with kindness and back yourself

Two companies from different sectors and regions collaborated during an investigation of unusual activity, leading to a successful incident response process and knowledge sharing without the need for commercial discussion or ownership disputes.

One only needs to hop on social media in the aftermath of any breach to see the 'hot takes' that abound. It seems many people forget we're all one step away from being in their shoes! So it's little wonder that there is hesitation from many to show any sort of vulnerability (personal, not technical!). Due to the unique nature of many cybersecurity roles, they are naturally insular. When you combine that with a keyboard mob who are ready to ridicule anyone who stumbles, it's no surprise that knowledge sharing in our industry is fundamentally broken.

As someone who is relatively new to infosec, I have this internal battle every time I learn something new (which is often!). I get so excited about sharing it - and then almost immediately begin to doubt myself. In doing my research for this talk, I spoke to some highly-respected figures from the industry and was shocked to hear that they experienced the same issue. The thought then started to snowball - if we, as a collective, are keeping these insights to ourselves, how much better off would we be if there was no fear of retribution?

And so, I began to dig. Who does knowledge sharing well? What are the blockers that prevent us from being more open, and how can we overcome those? And finally, how do we become better at disagreeing?

This is, therefore, a rallying cry. It is a call-to-arms for everyone to take these lessons to heart so we can all do our part to make the industry a better place. I don't say that to be naive or idyllic - I genuinely believe that if we can harness the collective knowledge that we are missing out on currently, we can take an incredible leap forward!