Keynote: My 2 Paisa on Infosec

DiverSecCon

14 November 2021

SlideDeck

Full Video

AI Generated Summary

AI Generated Content Disclaimer

Note: This summary is AI-generated and may contain inaccuracies, errors, or omissions. If you spot any issues, please contact the site owner for corrections. Errors or omissions are unintended.

This keynote at DiverSecCon 2021, titled “My 2 Paisa on Infosec,” shares Anant Shrivastava’s perspectives from 15+ years in information security. The talk weaves together a distinction between hacking as passion and infosec as profession, a candid assessment of the industry’s hiring dysfunction, the post-COVID shift in work and threat landscapes, and pointed advice for both attackers and defenders. Drawing on his experience running open-source projects (Android Tamer, Code Vigilant, Hacking Archives of India) and operating a fully remote security company since 2015, Anant challenges the community to be enablers rather than blockers and to give defenders the credit they deserve.

Summary

The talk opens with a foundational distinction: hacking is not infosec. Hacking is about the rush of making a system do something it was never designed to do — not about ethics, money, or saving the world. Anant recommends “The Conscience of a Hacker” (the Hacker’s Manifesto on phrack.org) as essential reading for understanding the culture’s origins. The reality is that most people in infosec started in hacking culture and transitioned when they realized there could be a career path — but the two are fundamentally different mindsets.

Information security itself is positioned as a small cog wheel in business operations — important, increasingly prominent given the threat landscape, but not the entire puzzle. Multiple businesses can operate without infosec initially, even if they cannot sustain it long term. Anant describes the perception problem: infosec professionals often behave like the superhero who saved the city but refuses to help clean up. From a developer’s perspective, security people arrive, declare everything broken, and leave without helping fix anything. The call to action: “Be an enabler, not a blocker.”

Within infosec, offense is the loud subsection but not the most important one. Defense is actually where the greater impact lies, and the purpose of offense should be to facilitate defense. Anant frames the hierarchy clearly: business operations contain infosec as a small space, within which red teaming is an even smaller space whose purpose is to help blue teams do their jobs. The problem is that people become blockers in this process instead of collaborators.

The skill shortage discussion takes an unconventional turn. Anant argues that the industry has shifted from passion-driven to a multi-million dollar money-making operation, and that there is nothing wrong with people joining purely for income. Organizations need to accept this reality and act accordingly. The hiring critique is pointed: if the actual job is clicking “start scan,” pasting IP addresses, and passing results to the next analyst, interview for that — not for the ability to compromise the entire internet. Organizations that hire red teamers but then restrict them to writing bare-minimum PoCs without exploitation are wasting talent and contributing to the perceived shortage. The recommendation on certifications: if someone has the skills to pass OSCP, hire them and then sponsor the certification rather than making it a prerequisite.

Public work is not the only qualifier for talent. From Anant’s experience with Hacking Archives of India, there are equally (or more) capable people who never touch the conference circuit — people who make him feel like an infant in Linux administration after 20 years of experience, or who demolish his infrastructure hacking knowledge after 7 years of teaching it. The better interview approach: ask candidates to describe a project they are passionate about in as much detail as they wish, then explore through follow-up questions.

The COVID-19 section draws from Anant’s experience running a 100% remote organization since 2015. He argues that remote work opens access to untapped talent in tier 2 and tier 3 cities, using his own operation from Bhopal (starting with 4 Mbps, now on 1 Gbps) as proof. The critique extends to salary practices: instead of the HR calculation of “current salary + 30% hike,” organizations should create compensation brackets tied to roles and responsibilities, then have transparent discussions. Remote-first policies must go beyond providing laptops — they require email-first communication, asynchronous workflows, and genuine accommodation of different working hours.

Advice for attackers: learn emerging technologies (cloud, AI/ML, blockchains, Web3) but do not forget old technologies. IBM still sells mainframes profitably, PHP still serves a large chunk of the visible internet, C remains dominant in kernels, and Windows Active Directory persists in any organization older than a few years. Legacy systems where the original builders have retired and no one knows what is inside are “freeway passes for attackers.”

Advice for defenders: learn to collaborate like attackers do (Metasploit’s success is cited as the model). Sponsor open source instead of just consuming it. Contribute to frameworks like MITRE ATT&CK, D3FEND, and Sigma. Remember that fire prevention deserves as much credit as firefighting. Focus on detection and containment, not just prevention — assume breach will happen. And critically: take care of yourself, because information security is a never-ending war where going from battle to battle without pause leads to burnout that takes years to recover from.

The final nugget: “Attackers don’t play by the rules, but they play in your playground. You are the ones setting the playground.”

Actionable Takeaways

  1. Distinguish between hacking (passion, exploration) and information security (professional discipline) when building your career or hiring — they require different mindsets
  2. Be an enabler: help businesses achieve their goals with acceptable risk rather than blocking initiatives with security objections
  3. Hire for the work you actually need done, not for aspirational skill sets you will never utilize — this reduces the perceived skill shortage
  4. Sponsor certifications for capable hires rather than making them prerequisites that gatekeep talent
  5. Give defenders their due credit — invest in defensive roles, communities, and tooling with the same energy as offensive research
  6. Look beyond tier-1 cities and conference speakers for talent — implement genuine remote-first policies with transparent compensation brackets
  7. Attackers: learn emerging tech (cloud, AI/ML, Web3) but do not abandon knowledge of legacy systems — the old is often more exploitable than the new
  8. Defenders: collaborate like attackers do, sponsor open source, contribute to shared frameworks (ATT&CK, Sigma, D3FEND), and focus on detection and containment alongside prevention
  9. Take care of yourself — burnout in infosec takes years to recover from, and you cannot secure an environment at less than full capacity