It seems everyone I meet is an expert on security!

What defines a computer security expert?

+3  A: 

You're lucky - make the most of the opportunity to learn from all the experts you meet. And learn how to detect which of the self-proclaimed experts actually are experts and which are just trying to jump on one of the current bandwagons.

Regarding your second question: caution

Security experts seldom take anything at face value. They investigate and check. And they don't proclaim until they're sure.

Jonathan Leffler
I'd add "paranoia", too; the people who are good at security are basically those who can think like an attacker. I'd also agree that few people are actually "experts" in anything; especially something so twisty and fast-paced as security.
Rob
Paranoia is good. I've run a presentation (in lengths from 1 hour to 4 hours - that was more of a tutorial) called "Is Your DBA Paranoid Enough?".
Jonathan Leffler
@Jonathan Leffler do you have this on the web somewhere?
Nitrodist
Using Google with the title as a (quoted) search term gets you to the [IIUG](http://www.iiug.org/kciug/kciug-200410-g08-paranoid-dba.ppt) web site.
Jonathan Leffler
Thanks very much.
Nitrodist
A: 

I guess no one appreciated the joke -_-

In my opinion, a security expert is someone who fully understands the material he/she is talking about.

Someone who keeps up to date with security exploits and vulnerabilities so they are never kept in the dark.

Ozzy
+17  A: 

Really, as someone who's been a computer security researcher for, oh, 25 years, I know exactly what you mean.

Personally, I think someone who claims to be a security expert should be able to at the very least:

  • describe CIA — "confidentiality", "integrity" and "availability" not the other one in Langley.

  • identify basic security concepts like "trust" and "policy"

  • understand threats, threat modeling, and how to build a threat profile

  • understand how cryptography can be used to preserve all three of the CIA triplet.

  • know some of the general protocols, like SSL, Kerberos, and so on

  • know enough to laugh when someone says "I want a completely secure system" or "my system is completely secure"

Surprisingly many of them can't.

Charlie Martin
+2  A: 

I'm not. I gladly defer to anyone who wants to take responsibility for it. (But I don't have much use for assertions made without taking responsibility for the consequences.)

The only people I've met who claimed to be, and whose judgment I trust, were explicitly local. And usually quite humble. A cocky security expert is a non sequitur, IMHO.

le dorfier
+2  A: 

Start -> Control Panel -> Windows Security Centre

:)

Because they don't know what they don't know, and the repercussions of that have not yet hit them.

Because there is always someone else they know who knows less about computer security than they do - by comparison they are an "expert".

Because to be an expert in computer security probably doesn't require that one is an expert on computer security in all domains - one could be an expert in, say database security for MS SQL Server while knowing very little about database security for MySQL.

Because there are so few real computer security experts out there, there are very few people capable of telling the difference.

Jeffrey Kemp
A: 

In my opinion, all programmers should try to become security experts - the one who is writing the code is best positioned to know how that code will behave, and if they have an understanding of the common attacks, they can improve the code from the get-go.

Jeffrey Kemp