By the (ISC)² U.S. Government Advisory Board Executive Writers Bureau (EWB)
How many cybersecurity practitioners have had a colleague, either in information technology (IT) or, worse yet, from an unrelated field, offer advice on security matters and insist that they are a cybersecurity ‘expert’? This happens all too often to information security practitioners. IT staff often believe they have the requisite knowledge to manage security, and some do, but their knowledge is frequently narrow in focus, limited to the technologies they are familiar with, and their understanding extends only to the security practices of that particular area.
Two groups who know ‘just enough about cybersecurity to be dangerous’ are those who have pursued mastery of physical security and those who have experimented with personal computers at home by downloading “security tools” (e.g., “I’ve used a scanning tool, so I know how to find vulnerabilities”). The real challenge comes when a member of the latter group turns out to be part of an organization’s senior management.
For example, it is discouraging at best when a senior leader in government is convinced of the need to hire a hacker to test the agency’s security posture without any real understanding that scanning and penetration-testing tools can inadvertently disrupt the agency’s services. Others consider themselves knowledgeable in a cyber environment when their knowledge is really based on, say, previous military experience. If only the relationship between physical security and cybersecurity were that simple! Having to explain to someone who insists on posting sentries before the troops dig in that a firewall should be put in place before an IDS/IPS can be very unsettling.
So how can you recognize a true expert in cybersecurity?
- First, the person has taken the time to understand the complexities of applying security, and that understanding has been validated by a certification or a degree in information security.
- Second, they demonstrate knowledge of, and a willingness to understand, all aspects of the business environment (policy, regulatory and IT) before trying to solve a problem.
- Third, they understand risk principles and can communicate them while developing a solution.
- Fourth, they hold to a high standard of professional ethics and behavior, and have work experience relevant to the task at hand.
- Finally, they have a strong work ethic that is evident both in their daily responsibilities and in their interactions with others in the profession.