As AI takes over the routine recall that once signaled domain expertise, the experts who stand out are the generalists who understand the business and the architects who integrate the pieces. Those strengths come from deliberate practice, not years on the job alone.
I think of an expert as an individual who has attained superior performance in a particular domain. According to Dr. K. Anders Ericsson’s research on the topic, expertise is accomplished by instruction and extended practice, even though experts’ performance might look “so effortless and natural that we are tempted to attribute it to special talents.”
How can one become a cybersecurity expert? What does it mean to be one? Three types of expertise come to mind.
An Expert in Cybersecurity
A classic way of thinking about an expert involves focusing on the specific area in which the person possesses expertise. Even though the field of cybersecurity is a niche in the larger context of IT or hi-tech jobs in general, security has numerous areas of specialization, including:
- Application security
- Network defense
- Detection engineering
- Digital forensics and incident response
- Offensive security
- Cloud security
- Identity and access management
- Governance, risk and compliance
One way to consider whether someone is a cybersecurity expert is to consider the extent to which the person has attained superior performance in one or more of the security domains.
A Cybersecurity Expert with Business Savvy
Individuals who do not exhibit superior performance in multiple security domains—sometimes called generalists—wouldn’t necessarily fall under the definition of an expert proposed in the beginning of this post. However, another category of a security expert is a person who has extensive understanding of business practices relevant to security.
Since cybersecurity exists in support of organizational goals, rather than an end in itself, security professionals can stand out in their ability to understand the business processes that influence their decisions and actions. This is why some information security professionals have pursued an MBA education or are focusing on learning the business of the organization where they work.
“Business” isn’t a subset of cybersecurity, but rather the context within which security is conducted, which is why I didn’t list it above among the security domains. Also, note that business savvy is different from the skill of managing people.
An Expert in Combining Cybersecurity Components
Another type of a cybersecurity expert is a person who is able to piece together components from various security domains into a cohesive entity, be it a solution to a particular problem or an overall security program. This type of an expert is sometimes called an architect, as they are able to design a greater whole from the individual building blocks.
Security architecture could be listed as one of security domains. Yet, I see it as an overarching skill that typically stems from the experience of succeeding and failing at integrating security controls with each other. In the best case, such expertise is paired with the business savvy I mentioned above.
One perspective on expertise, described by Dr. Ericsson, is that experts “acquire a larger number of more complex patterns and use these new patterns to store knowledge about which actions should be taken in similar situations.” This, in my mind, is the key characteristic of an expert security architect. It’s easy to mistake an expert security architect for a generalist, because such a person might no longer have in-depth expertise in any one of security domains.
These distinctions matter more when AI tools handle a growing share of routine security work. When an AI assistant can recall reference details and draft a working configuration on demand, knowing the facts of a single domain stands out less than it used to. The business savvy and the architect’s skill at integrating components are harder to automate, because they depend on judgment about a specific organization rather than knowledge anyone can look up.
Becoming a Cybersecurity Expert
A common path of progressing in an information security career involves mastering one security domain, then possibly another. The person might then find the need to obtain business expertise and also develop architecture skills. Those who achieve superior performance at one or more of these area are considered experts. Yet, like with all generalizations, this is one of many possible paths. Becoming an expert is usually a matter of spending sufficient time on attaining the expertise. However, time alone isn’t enough. Dr. Ericsson points out that:
“Most individuals who start as active professionals or as beginners in a domain change their behavior and increase their performance for a limited time until they reach an acceptable level. Beyond this point, however, further improvements appear to be unpredictable and the number of years of work and leisure experience in a domain is a poor predictor of attained performance.”
Then what’s the magic ingredient? In addition to time spent practicing in the relevant field, a critical element is the extent to which the practice is deliberate, focusing on improving specific aspects of the person’s performance. This is where the individual’s education, training and apprenticeship experiences probably come into play.
