A while ago there were a number of stories about investigations into serious assaults at a private school. These assaults have gone way beyond hazing and into sexual assault, and even, because the episodes were filmed, possible child pornography charges. The situation has been very disturbing.
Hazing, and hazing culture, are often "justified" by the assertion that "mild" forms of hazing are harmless. This statement ignores two important facts. One is that hazing inherently relies upon a culture of silence. In any such situation there can be no controls, and therefore no ability to ensure that "mild" hazing does not escalate. The second point is that hazing is a form of bullying, and it has been amply demonstrated that any form of bullying has long term negative impacts, both on the victims, and on the perpetrators.
I've never understood hazing. Not really. It happens a lot in sports, and I've never been into sports. It happens in some professions, but not the ones I've worked in. As far as I can determine, hazing, and all the culture that goes with it, indicates that your job is either a) not very important, or b) doesn't require any skills.
I can't say I've experienced it in information security. I started in malware research, which has always been occupied by charter members of "Egos-BackwardsR-Us." Back when I started you had to be not just a systems programmer, but a specialist systems programmer to make a significant contribution to the field, and those guys have always been the elite. Even so, if you studied and made even a modest contribution, you were in. I wasn't a systems programmer, and my contributions were very modest. But I was accepted.
It's probably because the job was so big, and the workers so small (or too few). Anybody who wanted to help was welcome. Anybody who wanted to do some research would be given some tips and starters. Anybody who helped was in the community. Nobody had to jump through artificial hoops because the real barriers to entry were already formidable enough.
(Actually, there were some in computer security, back then, who did try to keep you out. They were the ones who knew barely enough to charge for computer security consulting. Some of them claimed that computer viruses were not a security issue—mostly because they didn't know what computer viruses were.)
Come to think of it, I've never really seen hazing in the tech field, as such. Oh, there are jerks, I grant you. There are those who are so into the technology that social skills, human communication, and even personal hygiene take a very distant back seat to whatever they are working on right now. But, generally speaking, they don't try to keep you out. They may have given up trying to teach people what it is that they are doing but, if you take the time to try and learn, they are generally delighted to have someone to talk to. (They may not show it very well.)
(The closest I've ever seen hazing in tech is the ITIL certification. Since ITIL is a library, it's hard to figure out how to certify that someone knows it. Since it's hard to assess that, you just drown the poor candidate in work and hope that the ones who don't know it will give up before they get to the end of the process. I think PMP runs it a close second.)
I suppose I have to address the issue of women in tech. Yes, women are definitely underrepresented in tech. And, yes, there is a lot of irrational bias against women, as you find in any male-dominated field. (Not just from the techies: I've found it in management, too, where you'd think they should know better.) I do not want to minimize the issue: misogyny anywhere is ridiculous and wasteful. But sometimes it doesn't take much to make geeks realize they've been sexist jerks, and make some (possibly modest) changes. In one department I came in to manage, they regularly went to strip bars after work, and had a signed poster from one of the "performers" up on the wall. As I was hiring the first (female) secretary for the office, I noted that this wall decoration might be subject to less prominent placement. I never saw the poster again, and the team also removed the pr0n directory on the development server (which I'd never mentioned).
I can't claim that all is sweetness and light in the security community. There are infights: there are personality clashes. And there are those who are in it just to claim status. The community usually sorts them out in short order. Status, in security, is most often achieved by helping others. If you can answer newbie questions; if your answers are true and useful; then you have status. If you try and claim status, and try and hold others back in order to hold onto it, you are the one who gets shunned.
In information security, we have too much work, and too few resources. We don't have time to waste on hazing. We also aren't going to block anyone who actually wants to help. In any security community I've been part of, newbies are welcome. OK, dumb questions may get sarcastic responses, but they have to be pretty seriously stupid to make the grade. Otherwise, if someone wants to get in and help, those of us who can answer questions do. Ask, and a pointer will be given. Seek, and ye shall be given a direction to go find. Knock, and the door will be opened, and you'll be hustled in, and usually put to work right away.
Well said, Mr. Slade, albeit, my experience is different than yours, for I have encountered hazing—from mild to criminal—continuously since childhood. As an adult, I've found it in every profession I've served in, from the military, in corrections, in law enforcement, in the private sector, and now as a government IT contractor. Many of these jobs require a tremendous amount of skill, and, in my opinion, are very important.
(I left home as a teenager and never went college, so I have no personal experience with college hazing, although I understand it to be common.)
In my experience, the new person is invariably given some impossible task, subjected to some degrading situation, deeply embarrassed, or harmed in some other way. And harm it is. As you pointed out, it is never justifiable, nor is it productive; quite the opposite in fact. In my view I don’t see much difference between hazing and bullying; it is bullying, plain and simple.
Since the first time I was beat up by the school-yard bully in first or second grade, I learned how to fight back. I have always had what is known as a “zero tolerance policy” on this, although a few were a bit slow to understand that. I know that some can’t or won’t fight back, and although my childhood was what you might call “a bit rough,” I don’t advocate violence as a “solution” because sometimes it creates more problems than it solves.
In recent years it's manifested for me when younger coworkers want to haze or bully the old man (me) that has suddenly appeared in their domain. It's easy to stop it before it gets off the ground, when I bring everyone together and point out that "ism" motivated behavior will not be tolerated whether it's toward me or anyone else. (Sexism, racism, ageism, and so on.). Sometimes one or two of the denser folks don't get the message, but their immediate termination reinforces my message for everyone else.
I see it everywhere, as noted, and I find it unfortunate that people who are otherwise looked upon favorably for their intellect engage in such behavior. Admittedly, it's not always obvious, and it's underreported, as are sex crimes and domestic violence, so you have to know what signs to look for in behavior and mannerisms, but I was surprised to read your statement "Come to think of it, I've never really seen hazing in the tech field, as such."
It appears that you and I have worked in very different environments.
I'm also curious about your comments on ITIL and the PMP. I hold both certifications, and haven't found that assessing a person's knowledge is a challenge. The ITIL library is pretty comprehensive, yet it’s easy to understand how to apply it. I'm only certified in the Foundations, but since it's a requirement to implement the entire library at most U.S. government agencies, I've become intimately familiar with every component and found nothing confusing about it, or difficult in its execution.
Admittedly, the first time I was tasked with implementing the ITIL Framework at a federal agency, it did take me nearly a year. However, I take the blame for that; my relative ignorance made it more arduous than it should have been. In those days I didn’t understand how simple it was to coordinate it with CMMI practices and cybersecurity. I learned a lot.
I can say the same about the PMP. It's easy enough to verify a person's mastery of the PMBoK, and validate their experience. While my focus in recent years has been to move agencies away from rigidity (as expressed in an SDLC) and toward agility (by whatever the most appropriate methods are for them), the processes and knowledge areas in the PMBoK are straightforward.
I will go on the record and say it "Hazing is stupid." People want to feel special and needed and be in some "unique" club and thus the hazing ritual is what gets you into the "club". I haven't experienced it in InfoSec or IT but have experienced it in mild to severe forms elsewhere. I agree that hazing should be categorized as bullying and should be eliminated from our society. I am not advocating for a "Everyone gets a participation trophy" society, I believe hard work should be enough to be successful. No one should have to go perform some stupid trick, act, or series of actions to be in "the club". If you are a person that conducts or condones hazing, then you are in the wrong. It's time for you to grow up and add things that actually contribute to society rather than encourage bullying.
My personal opinion... I’d look beyond just stumbling blocks around knowledge sharing, and just getting the job done, or even a clique of youngsters picking on the old lion or even common or garden discrimination - hazing(initiation ceremonies as they were more commonly called on the other side of the pond) is really institution specific organised systematic bullying of newcomers. Decent intelligence will not make people immune to this and I think it needs vigilance.
Having served in the UK military starting from just after the end of the Cold War I’d say that the practice is corrosive, leaves lasting harm(decades of it) and is deadly serious to @CISOScott‘s point servere is really very servere indeed. I think it generally stems from dehumanisation, and there are a lot of little tells along the way.
Just as an anecdotal example during a recruit Instructors course around 2002. The purpose of this course was to try to to eradicate some of the prevelant issues ( see https://www.bbc.com/news/uk-england-35458611 for a flavour of what was being dealt with) that had grown up over the years. Unfortunately the instructor Instructors were somewhat of a chip of the old block, so there was a irony in that the Juniour NCOs going through the training were far better(though far from perfect, it does have to be said) examples than the senior NCOs instructing them on morality, ethics an and how not to bully. At root there was a fair bit of hazing of the course attendees by staff such as indefensible positions being given to students in role plays to defend and then belitleing the roleplayer publicy With a view to humiliate. Anyway, a long story - probably the high point in terms of hypocrisy was a Senior Warrant Officer telling a young artilleryman on the course that he “should be ashamed for reporting sick” with a migraine in front of everyone, right after the lesson that reinforced the absolute right of soldiers to use the medical centre. This was much commented on by the by the group.
Fortunately to Rob’s point I think the problems in IT, Security and
professions around it are not so pronounced, and the trends and the macro cuture is moving away from the set of behaviours known as hazing, in this environment It’s going to be more subtle -likely around knowledge - think left handed screwdrivers, Long weights etc as the likely entry point. Proper hazing I think requires a stream of inexperience people without confidence, to be preyed on by unpleasant people.
In terms of the key questions I think a leader needs to ask the self - Is the culture they are engendering in the organisation and the groups and individuals that make It up intelligent, considered and strong enough to avoid the influence of the pack and it’s aberrant, charismatic sociopaths that it throws up from time to time? If discovered do you re-educate, retrain and ultimately remove? How do you prove this?
Transparency is our friend.