How do you define a cyber security professional?

Author: Dan Lohrmann, Chief Strategist and CSO, Security Mentor

Back in 2010, when I was the Michigan Government’s Chief Technology Officer, I wrote a blog for CSO Magazine entitled: Are You A Security Professional?

At the time, I was doing a series of blogs on Why Security Pros Fail – and what you can do about it, and I was getting lots of emails from all over the country asking various questions. Some of these questions included:

  • How do I define security professional?
  • Why did I consider myself a security pro if I was a Chief Technology Officer (at that time I had recently left the Michigan CISO job)?
  • How can someone get into a security career field?
  • Are security certifications and advanced degrees worth it, and/or required to succeed?

Here’s an excerpt of how I answered some of those questions in that blog:

(Who is) a security professional? This may sound too postmodern, but my answer: you get to decide. If you believe you are a security pro, you probably are a security pro. Some hints: do you read security magazines and books, check up on security settings at home and work, or attend seminars on security topics? Yes, it helps to have certain skills, degrees, experience and other credentials. However, your business card is not the only (nor necessarily the best) indicator. If you’re reading this blog you get two points – just kidding.

Don’t get me wrong. I’m not making a judgment on how good a security pro you are, nor denouncing the benefits of more security training. And yet, I’ve met some excellent security experts who are self-taught, with non-technical degrees or no degree at all. I’ve also seen people in security organisations (or even agencies like NSA or DHS) who do not refer to themselves as security professionals – even though the magic word is in their agency’s title.

As for me, a few years back I said that I think security is in my blood. No matter what my job title is, I see the Internet world through a strange lens that my teenage kids think is weird. I ask them how long their passwords are. I want to know if they’ve logged out of Gmail or who they’re chatting with online. I check the anti-virus definition dates on their laptops. If you think or act like that, welcome to the club – for better or worse, until death do you part.

My daughter once stared at me with a puzzled look and asked: You really care about this security stuff don’t you dad? Security is more than a job to you, isn’t it?

I paused, looked down and smiled. I didn’t need to speak. She knew the answer.

Fast forward to 2015

Would I answer the question the same way today?

I did some research and found several articles like this one from Michael Cooney over at Network World, who generally supports a more professionalised workforce, but also worries about the barriers it might create.

He says:

“Over time, professionalisation could help build a higher quality work force with a standardised set of specific skills and help employers identify the best candidates to meet their needs.  But this should be weighed against the changing context of cybersecurity that includes both evolving threats and fluid job responsibilities.  Although some measures can help increase awareness and desirability of the profession and increase the number of individuals who consider cybersecurity as a career, they can also create additional barriers to entry that inadvertently screen out suitable candidates, discourage out-of-the-box thinking, and narrow the pipeline of potential workers.”

Today’s question

Why bring this up now? The question came up again very recently in an interesting way. I received a LinkedIn-related comment on my recent Government Technology blog entitled, Hacking: When your white hat is really a black hat. Here are the example news headlines from the beginning of that blog:

Enormous leak exposes Hacking Team as blackhat organization (In Italy)

23-year-old twins allegedly tried to rip off the State Department and sell a bunch of passport data

Cybersecurity intern accused in huge hacking bust

Man accused of hacking into college women's accounts, 'sextorting'

The thoughtful comment in the LinkedIn ISSA Discussion Forum was adamantly arguing against my examples of hacking by black hats, mainly because of my broad definition of cyber security professional. Here’s an excerpt of what he said:

“Hacking Team – An Italian commercial entity that buys 0-days and sells them as a service to ‘legitimate’ regimes and organisations. [Not a cyber security professional]

1 year old twins [editor’s note – referring to the 23-year-old twins] - US citizens who allegedly commit credit card fraud and intended identity theft. [Not cyber security professionals]

Cyber security intern - US student and reverse engineer [accused of] writing malware [[If the accusations are true], a youngster with dubious ethics and a need to ‘grow up’ but not a cyber security professional]

Man accused of hacking into college women’s accounts – [Not a cyber security professional]”

I responded that I do believe several of these companies (such as FireEye and Hacking Team) are security companies with cyber security professionals and stated codes of conduct. I also agreed with most of his overall points regarding the good intentions and cyber ethics followed by most security pros in the industry.

But later, I pondered whether these distinctions (and definitions) even matter to hacking trends in our society.

One argument I’ve often heard: Why does it matter if Edward Snowden was NOT a cyber-expert or a security professional? He still was able to get other people’s passwords using social engineering and bypass security controls to get the information he wanted as an insider threat at NSA. The same could be true of these other people mentioned in those articles who allegedly performed illegal acts – even if they are not formally cyber security professionals.

Aren’t these people ‘professionals’ of some sort, being paid to do their jobs?

On the other hand, I think the LinkedIn comment does have some merit: organisations that hire cyber security professionals, whether at technology companies or security companies, expect them to act in ethical ways. These people are contractually obliged to perform certain security functions and not to engage in other (illegal) acts with their system and data access. Like doctors and lawyers, security professionals have a reputation to uphold and codes of conduct to follow.

Most people believe that these formal definitions do matter (at least somewhat), especially when you are trying to get a first cyber job, build a positive reputation in social media and get promoted. They define ‘security pro’ by whether or not you are getting paid for performing a service.

However, others counter those points with good examples of respected professional hackers who have no degrees, certifications or fancy titles, and with other exceptions to “stated professional definitions.”

Your turn − what’s your view?

I’d really like some feedback from other ‘cyber security professionals’ or anyone else with an opinion.

How do you define a security or cybersecurity professional?

Do you need to be a cyber-security pro to be a ‘white hat’ or ‘black hat’ hacker?

Do these distinctions even matter in the examples of hacking given in the articles? Why or why not?

This article was brought to you by Enex TestLab, content directors for CSO Australia.