I’ve been called a “security expert” many times, and many times I’ve heard other people around me called the same.
The reason I am writing this article is that I am frustrated by how some security experts are seeing and implementing security in their everyday jobs.
But let’s start at the beginning:
What actually makes someone a security expert? Or, when does someone become a security expert?
The first thing that comes to my mind is, of course, his or her level of knowledge in this area. The more he knows, the better. I guess that things like certifications in IT Security, articles written and books published count.
An important factor should also be some practical “in the field” experience.
But is it enough to just be able to get a job done properly? Getting the job done properly usually translates to “make the system as secure as it can be”. We all know that this doesn’t mean anything these days, because anything you do is only valid for a very short period of time.
What about communication? It is no secret that the biggest problem with IT security in companies is the fact that the security people are sometimes not doing a good job of “selling” security to those on the board. Often, the consequence is that companies take security seriously only after it is too late. Fortunately, according to various media sources that performed surveys, security topics are now more often on board meeting agendas. This is good, because it helps us become proactive and not reactive.
This phenomenon applies to the large mass of consumers as well: they also don’t take security seriously until it is too late. However, the reason for this is a bit different than in companies. Most of the time the problem is not the budget or other priorities, as is the case with companies. Here the problem is that they are not able to properly understand the consequences of their digital life. Many end users still treat their online life as if it were a game of some kind, where their actions don’t have a reaction in real life (a.k.a. offline life). A security expert must be able to talk and work with people who use computers as a tool to do their job. He has to clearly explain the risks and help them improve their security using a language they can understand.
It is important to understand from this rant that the reduced interest in security of most people (consumers or not) is not because they are stupid or less educated. People don’t like to deal with the topic because it is complicated, it changes very often, it is never finished and, most important of all, because it reduces the usability of whatever they want to do.
In my opinion, a real security expert must be able to create a trade-off between security and usability. A security expert has to master the art of defining the point where a system is “secure enough” but still usable for its users.
It has to be clear that it is not possible to achieve both at the same time: maximum security and maximum usability. This is why I think that securing a system is a job that is never finished: the systems to be protected, their users and the environment around them change, as do the security risks they face.
As a conclusion, here is my summary of what I think are the characteristics that make a security practitioner an expert in his field:
- Advanced theoretical knowledge proven by international certifications
- Practical experience in applying security
- Ability to communicate with all levels, according to their level of understanding, from board level to end-user
- Ability to find solutions which are not in books and prioritize them
- Ability to view the risks beyond the obvious and act upon them – be proactive and not reactive
- Ability to choose a solution which represents a fair trade-off between security and usability
Do you agree with these? Do you have more to add?
I would be glad to see your comments either on this blog or on my personal one.
Sorin Mustaca, CSSLP, Security+, Project+
Independent IT Consultant
Author of the “Improve your security” free eBook.