"The infosec market has changed dramatically over the past decade. Changes in regulations, such as SOX, PCI DSS and Data Protection, and increased threats from online criminals have raised the profile of information security. At the moment, infosec in many regions is an industry with little or no unemployment and the market itself is predicted to grow to about $120.1 billion by 2017, double than the $63.7 billion size in 2011," says Brian Honan, infosec consultant and head of Ireland's CSIRT.
With the growing competition, it's only natural for some infosec professionals to be more vocal than others. They actively participate on social networks, write books, lecture at conferences, and work hard on creating a personal brand. Peers call them rockstars. But while some mean it as a compliment, others clearly don't.
"Like all markets in which the demand surpasses the supply, the infosec one attracts a number of individuals who claim expertise that they clearly do not have. They can be spotted and recognized by how they comment on topics on Twitter which they have no expertise in, hype up issues to create FUD, write blog posts that are inaccurate or present bad talks at conferences," observes Honan.
While some of these pundits are hailed as visionaries whose critical thinking urges hundreds to queue for event keynotes, others are regarded as self-proclaimed gurus whose main objective is to present themselves in the best possible light in order to score the next high profile job - without actually doing much of security work in the process.
Companies adore both types. But while only one type engages the community, both impress clients with their credentials and help score high profile jobs. You know the old saying: "It's not what you know, it's who you know".
Marketing is king
Marketing and corporate identity really are everything, even in this field.
Only on rare occasions can I talk to a rockstar on the record and not go through their PR person. Occasionally they have an entourage of four or more people sitting in the meeting with them, making sure the celebrity doesn't say something they might view as inappropriate, even when we're not even talking company news.
I often wonder if the goal of these people is to make the interviewee look more important. I know for a fact that for some journalists this approach works like a charm and they end up being impressed.
"If companies select their 'experts' based on the number of their Twitter followers or web page view hits to their blog, then perhaps we need to ask whether this is a fault of the market, the 'expert' in question, or the company hiring that person," says Honan.
Will the real professional please stand up!
So, what makes a good information security professional? Is it a long list of certification credentials? Never-ending passion? A large Twitter following? A dedicated PR army?
Security advisor Per Thorsheim believes that you are not a security professional until other security professionals start to refer to you as being one. I couldn't agree more. You can buy Twitter followers or pay to present at conferences, but getting the demanding security community to recognize you for your work is not a simple task.
What about those with a strong academic background in research?
"An academically employed security researcher may be considered a security professional as well, but really should be connected to real world challenges, not just hypothesize. Personally I like to differentiate between security professionals and security researchers. In some cases their projects might overlap, in others they are doing completely different types of work," comments Thorsheim.
First-rate formal education can only help, but nothing works like innate curiosity. Wim Remes, Managing Consultant at IOActive, agrees: "It’s not necessarily a matter of formal education but more about a trait the Italians call 'grinta' - a persistence to chase something relentlessly, educating oneself on the way to perfection."
Let's not forget that IT security work implies a great deal of responsibility and trustworthiness, traits that can't be acquired with a certification exam.
"The ideal security professional, one that I would look to hire, has a wealth of knowledge across disciplines yet continues to pursue knowledge and aims to become a better professional every day," concludes Remes.
I'm always interested in meeting information security professionals, so get in touch if you're at RSA Conference 2013 and let's have a chat. If your PR entourage needs to attend as well, so be it.
You can also follow me on Twitter.