Spot the security expert

Guy Goma became an instantly forgotten star of television and the Internet when he was mistakenly interviewed on air by the BBC in place of an IT expert after a mix-up. The fact of the matter is that he just about managed to pull it off (you can watch it here), which begs the question of how you are supposed to recognise whether somebody really is an expert.

The reason I ask is that there’s been a lot of chat within some of the LinkedIn Groups about why more IT Security folk aren’t also experts on physical security or experts on application security. But define expert. My off-the-cuff and slightly cynical definition is that somebody becomes an expert because they can talk with authority on a subject in a language their audience understands, and know who and where to go to in order to get the information they need. That is nowhere near the same thing as having “expert knowledge”, but then information security covers such a broad scope that it would be impossible to be “expert” across all domains.

Subjects such as application security and physical security are disciplines on their own. We shouldn’t be too quick to dismiss those – most – within the industry who don’t know everything about every security domain. Almost, but not quite, the same as expecting a cardiac surgeon to know how to operate on a brain.

Recently I was in a discussion as to what rates I should be charging for the occasional piece of consultancy work, presentation and the like. On suggesting a figure sufficient to keep the bills paid at the country pad, the horses groomed, and the private jet fuelled, the response was “oh, that’s far too low. Nobody will expect to pay that little for an expert. You’ll need to charge more…”