I’ll admit that Bob Cringely’s columns have lost a bit of their punch recently as he has gone off on mortgage and other tangents, but his recent post on the cybersecurity myth redeems him somewhat.

Let’s ignore the overall article, which is pretty bang-on I think, and focus in on the notion of expert.

“(It) depends on your definition of expert,” said expert number one, who works deep in the military-industrial complex. “If you mean someone who can spell ‘cyber’ then sure (there are 1,000). If you mean those who know that ‘cyber’ is short for ‘cybernetics’ and has little to do with computers then probably not.”

Ah. So you mean we have to come up with some sort of common definition of what ‘expert’ means in a given context. Good luck getting that in the testing world where we are split over the very basic definition of testing.

“Define ‘expert,’” said another friend from behind Door Number Three, who comes from the security software business. “(An expert is) a person with a high degree of skill in or knowledge of a certain subject. Great, but the question is all about scope. I may be an expert cook – but can I run a kitchen? Same thing with security: there are tons of experts – in specific areas. I was an expert in AV, IDS, and other areas. But I was not the all-knowing security guru (even though my knowledge base was very broad). This is where we run into unintended actuated consequences. An expert will make a choice and take an action. The end result may not be what they had anticipated because other factors beyond the realm of their expertise caused an unanticipated consequence.”

Well, we addressed the first problem about definition, but we’ve added that annoying wrinkle of scope. Well, there has to be some way of understanding a person’s scope of knowledge.

*LIGHTBULB* We can certify them! Oh wait…

“DoD has established a number of credentials required to be classified as a security specialist like CompTIA Security+, CISSP, etc. None of this stuff has any practical application because it is hardware/software neutral.”

Oh riiiiight. Context matters as does hands-on, practical, real-world experience. Not just some letters behind their name. Good to know my industry isn’t the only one affected by this.