
Spot the security expert

Guy Goma became an instantly forgotten star of television and the Internet when he was mistakenly interviewed on air by the BBC in place of an IT expert after a mix-up. Fact of the matter is that he just about managed to pull it off (you can watch it here), which begs the question of how you are supposed to recognise whether somebody really is an expert.

Reason I ask is because there's been a lot of chat within some of the LinkedIn Groups about why more IT Security folk aren't also experts on physical security or experts on application security. But define expert. My off-the-cuff and slightly cynical definition is that somebody becomes an expert because they can talk with authority on a subject in a language their audience understands, and know who and where to go to in order to get the information they need. That is nowhere near the same thing as having "expert knowledge", but then information security covers such a broad scope that it would be impossible to be "expert" across all domains.

Subjects such as application security and physical security are disciplines on their own. We shouldn't be too quick to dismiss those - most - within the industry who don't know everything about every security domain. Almost, but not quite, the same as expecting a cardiac surgeon to know how to operate on a brain.

Recently I was in a discussion as to what rates I should be charging for the occasional piece of consultancy work, presentation and the like. On suggesting a figure sufficient to keep the bills paid at the country pad, the horses groomed, and the private jet fuelled, the response was "oh, that's far too low. Nobody will expect to pay that little for an expert. You'll need to charge more..."

 


Comments (2)

On the subject of application security, there will be many "experts" and people with "expert knowledge" at the Open Web Application Security Project (OWASP) Summit EU 2008 in Portugal next month:

http://www.owasp.org/index.php/OWASP_EU_Summit_2008

Come along, share and learn. Faro is the nearest airport for any private jets.

Stuart King:

Wish I could make it - I went to the very first one in NYC some years ago. OWASP has the best guidance and documentation around on application security. I recommend it to anyone involved in development.


About

This page contains a single entry from the blog posted on October 15, 2008 2:30 PM.
