Tuesday, May 23, 2017

Where are all these people (cybersecurity experts) coming from?

In 1997 I knew about half the packet ninjas in the world, and if I needed an insight from someone I did not know I could get an introduction. As the security world grew and my focus started to change to general cybersecurity, I was able to track the majority of the folks with the time, talent, knowledge and name recognition to be a SANS Instructor. I even managed to keep up with things for a while as we started to break into disciplines (forensics, pen-testing, etc.).

I joined LinkedIn in 2007 and soon worked my way up to about 200 connections. Fast forward 10 years and it is 11,337 according to the website. Do I actually know 11k people? I don't think so. When I read about conferences other than SANS, it is common for me to not recognize a single name. But if I look them up on LinkedIn or some other source, they are all world-renowned experts in whatever cybersecurity field grabs their fancy.

One of the few things from my Virginia Tech Artificial Intelligence class in 1997 that is still with me: "The problem with expert systems is there aren't many actual experts to build them." Exactly.

Trying to keep up in this field is hard. You post a few packet decodes, marvel at some of the Wannacry decodes, even build a chatbot in case that is the new, new thing. But nobody on this planet is going to stay current in all the cyber disciplines.

Which brings us to the core issue of this post. How do you tell real, balanced news from biased news from "fake news"? It is a very hard problem. How can you identify a competent doctor from an incompetent one? Thank heavens it was a minor problem, but I visited three podiatrists in a row that did not appear to know a foot is the thing inside of a shoe. How can you tell a competent cybersecurity practitioner from the "fake news" version? Let me illustrate with a simple example. When Wannacry came out, everyone that was switched on was sharing information and had a pretty good idea of how it worked and what was vulnerable. Three days later you started seeing every security vendor posting a webcast, a document, you name it. And the titles, some were straight out of the marketing department.

We have some tools to separate the cybersecurity wheat from the chaff. There are respected certifications; looking for specifics on resumes, like tools, helps; publications and presentations certainly help. But it is tricky. Anyone that has been in the field for a while has had the unpleasant experience of interviewing someone for a job that sounded great and, after onboarding, couldn't even find the bathroom. I thank the Lord the first one of those I experienced happened three weeks after I took on a management role; I have been gun-shy ever since. I have also found some of the MSSP sales presentations to be jaw-droppers. This is another case of being lucky over smart: one of my friends was director of operations for one of the first MSSPs. They would literally take people off the street (with aptitude), give them three weeks of training and shop them as experts.

To summarize: not everyone in cybersecurity that claims to be an expert actually is, but hey, you already knew that. You also know one or more people in the field that have expertise (at least in some aspect of security). Hang on to those connections and stay in touch; once or twice a year is plenty. Then, when you need information, use a validated source. You are going to pay either way, might as well get something useful for your money.


  1. "Packet ninja", huh? That is a new one on me. There certainly are a lot more than there were in 1989, but I take your point.


  2. What bugs me is when I meet someone new that works in "IT Security" and we talk some more and I learn they actually work in sales.

  3. Good article, thanks for sharing your insight.