Wednesday, 12 August 2009

Chuvakin wades in on 'so called' Security Experts.

Hacker Intelligence Reports:
Ok, in the spirit of disruptive naughtiness I thought I'd publish this report by Anton A. Chuvakin PhD considering the Myth of the Security Expert. Whilst I don't necessarily agree with what he says about "how security experts must be accorded authority and status by their peers or the public in order to be credible", I do agree with him that Security Experts should try to develop their careers around one particular area of specialism. I also understand the dilemma that security people face where clients expect generalist all-round know-how. My own advice is for security people to develop a broad perspective on the security and intelligence world, but concentrate more acutely down one particular line.

Anyways, here is Anton's report.

In the future, it will become clear why I am writing this... For now, please treat this as some random analysis of our profession as well as of the dreaded definition of “a security expert.” Some might say it is a rant, but I prefer to tag it as “musings.”

Lately I’ve run into too many people who [claim to] “know security” or are [claim to be] “security experts.” Now, as some of you recall, I used to do theoretical particle physics before I came to information security. In my physics days, I’d be pretty shocked if I were to meet a colleague in the hallways of the C.N. Yang Institute for Theoretical Physics who would self-identify as “a scientist” or, for that matter, even as “a physicist.” It is overwhelmingly more likely that he would say “quantum chromodynamics” or “lepton number violation in electroweak gauge theories” or “self-ionization of the vacuum” or some such fun thing :-) However, as we all know, some folks in our industry have no shame introducing themselves to a colleague as “security experts.”

So, you are “a security expert.” Awesome, happy to hear it! Please let me know whether you are Case A or Case B.

Case A: you know more than an average person on the street about every single area (or many, many areas) of information security: from ISO27001 to secure coding in Ruby?
Case B: you know more than your peers in security about one particular area (or a few areas) of information security: log management, Java security code review, penetration testing, NIDS/NIPS rule creation, firewall management, wireless scanning, etc?

Let’s see which one is consistent with how people in other professions define “expertise.” The obvious start is Wikipedia. As of today, the entry says:

“An expert is someone widely recognized as a reliable source of technique or skill whose faculty for judging or deciding rightly, justly, or wisely is accorded authority and status by their peers or the public in a specific well distinguished domain. An expert, more generally, is a person with extensive knowledge or ability in a particular area of study.”

Other sources (such as Google “define:expert”) present similar results; expert can only be an expert in a specific narrow area.

Now, notice that the farther you are from a certain area, the more it seems like a narrow one (example: “science” to an average janitor is a narrow area). On the contrary, the deeper you are inside a particular area, the more it seems like a wide area (example: “brain tumor surgery” to a neurosurgeon is a broad area, or “quantum gravity” to a physicist).

Despite such relativism, other professions somehow managed to converge on their definitions of “an expert.” After all, you don’t get to “enjoy” a neurosurgery from somebody who “knows more about medicine than an average layperson.” However, as we all know, many organizations “enjoy” having their NIDS tuned by a just-hired CISSP (aka proof of being “a light-year wide and a nanometer deep” in security :-)). What’s up with that?

I think this has a lot to do with the fact that the area of security is too new and too fuzzy. However, my point here is that a little common sense goes a long way even at this stage of our industry development. In light of this, next time you meet “a security expert,” ask him what is his area of expertise. If the answer is “security”, run! :-)

Finally, career advice for those new to information security: don’t be a generalist. If you have to be a security generalist, be a “generalist specialist;” namely, know a bit about everything PLUS know a lot about something OR know a lot about “several somethings.” If you ONLY know “a bit about everything,” you’d probably die hungry...
