I think of an expert as an individual who has attained superior performance in a particular domain. According to Dr. K. Anders Ericsson’s research on the topic, expertise is accomplished by instruction and extended practice, even though experts' performance might look "so effortless and natural that we are tempted to attribute it to special talents."
How can one become an information security or cybersecurity expert? What does it mean to be one? Three types of expertise come to mind…
An Expert in Cybersecurity
A classic way of thinking about an expert involves focusing on the specific area in which the person possesses expertise. Even though the field of cybersecurity is a niche in the larger context of IT or hi-tech jobs in general, security has numerous areas of specialization, including:
- Application security
- Network defense
- Intrusion detection
- Digital forensics and incident response
- Endpoint protection
- Governance, risk and compliance
One way to consider whether someone is a cybersecurity expert is to consider the extent to which the person has attained superior performance in one or more of the security domains.
A Cybersecurity Expert with Business Savvy
Individuals who do not exhibit superior performance in multiple security domains—sometimes called generalists—wouldn't necessarily fall under the definition of an expert proposed in the beginning of this post. However, another category of aa security expert is a person who has extensive understanding of business practices relevant to security.
Since cybersecurity exists in support of organizational goals, rather than an end in itself, security professionals can stand out in their ability to understand the business processes that influence their decisions and actions. This is why some information security professionals have perused an MBA education or are focusing on learning the business of the organization where they work.
"Business" isn't a subset of cybersecurity, but rather the context within which security is conducted, which is why I didn’t list it above among the security domains. Also, note that business savvy is different from the skill of managing people.
An Expert in Combining Cybersecurity Components
Another type of a cybersecurity expert is a person who is able to piece together components from various security domains into a cohesive entity, be it a solution to a particular problem or an overall security program. This type of an expert is sometimes called an architect, as he or she is able to design a greater whole from the individual building blocks.
Security architecture could be listed as one of security domains. Yet, I see it as an overarching skill that typically stems from the experience of succeeding and failing at integrating security controls with each other. In the best case, such expertise is paired with the business savvy I mentioned above.
One perspective on expertise, described by Dr. Ericsson, is that experts “acquire a larger number of more complex patterns and use these new patterns to store knowledge about which actions should be taken in similar situations.” This, in my mind, is the key characteristic of an expert security architect.
It's easy to mistake an expert security architect for a generalist, because such a person might no longer have in-depth expertise in any one of security domains.
Becoming a Cybersecurity Expert
A common path of progressing in an information security career involves mastering one security domain, then possibly another. The person might then find the need to obtain business expertise and also develop architecture skills. Those who achieve superior performance at one or more of these area are considered experts. Yet, like with all generalizations, this is one of many possible paths.
Becoming an expert is usually a matter of spending sufficient time on attaining the expertise. However, time alone isn't enough. Dr. Ericsson points out that:
"Most individuals who start as active professionals or as beginners in a domain change their behavior and increase their performance for a limited time until they reach an acceptable level. Beyond this point, however, further improvements appear to be unpredictable and the number of years of work and leisure experience in a domain is a poor predictor of attained performance."
Then what’s the magic ingredient? In addition to time spent practicing in the relevant field, a critical element is the extent to which the practice is deliberate, focusing on improving specific aspects of the person’s performance. This is where the individual’s education, training and apprenticeship experiences probably come into play.