Thoughts for the start of 2024 - Part 1: What does it take to become a cyber security expert?

Late last year, a colleague passed on an article that referenced a member of the industry as a "cyber expert" even though their skills had little bearing on the article. The term is thrown around a great deal nowadays, especially when the media wishes to draw attention to a particular article of theirs with the reinforcement of expertise. In this particular instance, the data presented was inaccurate and the conclusions were based on another expert's work. Unfortunately, news articles have only so much time to present facts, and to a broad audience, so conveying the complexities of the domain effectively is often a challenge; and yet anyone can simply classify themselves as an expert.

Before we define experts, how do we define cyber?

A question I used to like asking when cyber was simply information security was "what is cyber?" It became the fastest way to silence a cyber expert. Is it computers, in which case why isn't it called computer security? I've largely come to grips with what our industry battled with a decade ago in defining what we are by simply conveying cyber as

"the intersection between the digital, physical and social domains."

This definition allows us to extend beyond the technological aspects that bewilder many and ensures the enfranchisement of expertise beyond "it's computers", which all too often catches us out. We can encompass the cognitive and social aspects that I believe we overlook as experts (fixated on technology) and ensure we can interoperate across multiple disciplines. In our definition of expertise, this allows us to acknowledge that the domain is beyond computers; however, we are finding that our experts are having to discuss areas of knowledge beyond their own area of expertise, so even sub-definitions are helpful. We do not want to go to a surgeon when we need a dentist, and yet all too often this is precisely what we do.

It's been interesting in my own business. I have defined four lines of expertise that cross-pollinate; however, the expertise and even sub-expertise has allowed each to grow whilst creating their own bodies of knowledge to help clients.

Expertise is important, however the individual is not as valuable as the team.?

Australia's greatest expert & why clarity matters (AKA WUT)

I cannot reference this country's greatest expert; however, court documents identify them as WUT. The individual also compares themselves to a spy novel, which perhaps reinforces their need for secrecy and desire to take legal action any time someone critiques their activities.

WUT has over 20 years' experience, the power to stop 9000 IP addresses, and a penchant for threatening anyone that raises questions.

However, my own experience and that of others has been largely negative. Whilst I won't go into the detail of technical flaws in their activities, my last encounter with WUT was an approach from a domestic violence victim who had been fleeced $40,000 by WUT to investigate the activities of the perpetrator. The outcome was that a spreadsheet cataloguing all of the victim's technology was generated, and that WUT made obnoxious calls to the perpetrator.

Largely left unchallenged, WUT has operated with impunity and left in their wake a loss of trust and confidence in our services. Whilst this is an extreme example, I believe it is important that we call each other out, ideally in a logical and respectful manner.

Addressing the issue of our oversupply of experts

I raised the last story to reinforce why we need a definition of expertise and a professionalisation of the industry. If all it takes to enter this space is a LinkedIn profile with accolades and 40 multiple-choice certifications, or simply paying for a position, we will have an oversupply of expertise.

Engineers Australia, ACS, AISA and ISC2 have all been working towards professionalisation, and ideally sub-domain expertise needs to form part of this professionalisation to ensure we don't hire a cyber security awareness trainer to conduct reverse engineering. We also need to explore a path of building out into expertise over time; it gives us an opportunity to enable a graduated approach to our workforce and an avenue to a rewarding lifelong career, versus an immediate state of expertise.

Andrew H.

Databreach & AI Security / Cyber Uplift / Offensive Security Leader / API Security / Full-Stack / DevSecOps

1 year ago

If we were to go hunting for charlatans, what should we do with our quarry? Without the protection of a cyber guild, the truths we uncover might be so unpalatable that they could ostracize anyone who speaks them.


I think | feel | read | write | speak | talk to myself | talk to people | sing | strum strings | tap keys | tap screens | tap temples | drink | eat | absorb | discard

1 year ago

Good article Edward Farrell

Ryan M.

Cyber Risk Management

1 year ago

I like your definition of cyber, Ed. I'm going to tell people I came up with it.
