I think of an expert as an individual who has attained superior performance in a particular domain. According to Dr. K. Anders Ericsson’s research on the topic, expertise is accomplished by instruction and extended practice, even though experts’ performance might look “so effortless and natural that we are tempted to attribute it to special talents.”
How can one become an information security expert? What does it mean to be one? Three types of expertise come to mind…
An Expert in an Area of Information Security
A classic way of thinking about an expert involves focusing on the specific area in which the person possesses the expertise. Even though the field of information security is a niche in the larger context of information technology or jobs in general, infosec has numerous areas of specialization, including:
- Application security
- Network defense
- Intrusion detection
- Digital forensics and incident response
- Endpoint protection
- Governance, risk and compliance
Therefore, one way to consider whether someone is an information security expert is to consider the extent to which the person has attained superior performance in one or more of the infosec domains.
An Information Security Expert with Business Savvy
Individuals who do not exhibit superior performance in one of the information security domains—sometimes called generalists—wouldn’t fall under the previous definition of an expert. However, another category of an information security expert is a person who has extensive understanding of business practices relevant to security.
Since information security exists in support of organizational goals, rather than an end in itself, infosec professionals can stand out in their ability to understand the business processes that influence their decisions and actions. This is why some information security professionals have perused an MBA education or are focusing on learning the business of the organization where they work.
“Business” isn’t a subset of information security, but rather a context within which security is conducted, which is why I didn’t list it among the infosec domains in the previous category. Also, note that business savvy is different from the skill of managing people.
An Expert in Combining Information Security Components
Another type of an infosec expert is a person who is able to piece together components from various security domains into a cohesive entity, be it a solution to a particular problem or an overall security program. This type of an expert is sometimes called an architect, as he is able to design a greater whole from the individual building blocks.
Security architecture could be listed as one of infosec domains. Yet, I see it as an overarching skill that typically stems from the experience of succeeding and failing at integrating security controls with each other. In the best case, such expertise is paired with the business savvy I mentioned in the previous scenario.
One perspective on expertise, described by Dr. Ericsson, is that experts “acquire a larger number of more complex patterns and use these new patterns to store knowledge about which actions should be taken in similar situations.” This, in my mind, is the key characteristic of an expert security architect.
It’s easy to mistake an expert security architect for a generalist, because such a person might no longer have in-depth expertise in any one of infosec domains.
Becoming an Information Security Expert
A common path of progressing in an infosec career involves mastering one security domain, then possibly another. The person might then find the need to obtain business expertise and also develop architecture skills. Those who achieve superior performance at one or more of these area are considered experts. Yet, like with all generalizations, this is one of many possible paths.
Becoming an expert is usually a matter of spending sufficient time on attaining the expertise. However, time alone isn’t enough. Dr. Ericsson points out that:
“Most individuals who start as active professionals or as beginners in a domain change their behavior and increase their performance for a limited time until they reach an acceptable level. Beyond this point, however, further improvements appear to be unpredictable and the number of years of work and leisure experience in a domain is a poor predictor of attained performance.”
Then what’s the magic ingredient? In addition to time spent practicing in the relevant field, a critical element is the extent to which the practice was deliberate, focusing on improving specific aspects of the person’s performance. This is where the individual’s education, training and apprenticeship experiences probably come into play.