Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Tony the (Paper) Tiger.

Okay, I just can’t take it any more.

If I hear anyone else billed (or worse, billing himself) as “one of the top security professionals in the country,” I’m going to do something drastic.  I don’t know what it is yet, but you have been warned.

I know several of the “top security professionals in the country,” or at least read them on a regular basis, and almost without exception, none of them bills him/herself as a “top” anything.  They describe what they’re really interested in, what areas they focus on.  Their net.presence shows a lot of passion for what they do.  But they don’t lay claim to any titles, unlike the poor schlub who thinks virtualization security is all about the hypervisor, and only speaks at conferences where his company pays for the slot.

Here are some signs that you’re dealing with a “paper tiger”:

- His CISSP is up front and center on everything that lists his name.  I’m sorry, but a CISSP is like a bachelor’s degree:  if you have to brag about having one, you probably have nothing else going for you.

- His LinkedIn profile describes him as an “expert.” 

- None of the real deals has ever heard of him.

- He talks about everything in terms of compliance.  (Ouch!)

- He can’t get passionate about any given security topic because he doesn’t know it well enough. 

- If he’s published at all, he focuses on writing Security 101 articles for “management.”

- If there’s anything remotely technical to be discussed, he lets his staff or other managers do the talking.

- He’s billed as being great in security because he once worked for a “financial institution.”  Really, as if that were the defining gold standard in security or something.  Besides, do you know how many hundreds of thousands of security professionals work for some kind of bank?

- The definition of “worked for a financial institution” turns out to be “was put on a team that consulted to a financial institution.”

- He treats his name as if it were a personal brand and puts it on everything, as if it were more important than the actual topic.

(Oh, and he doesn’t have to abuse the word “cyber,” but it helps.)

What other telltale signs have you seen of bogosity?

Posted by shrdlu on Friday, March 06, 2009
(7) CommentsPermalink blogmarks Favicon del.icio.us Favicon Digg Favicon Fark Favicon Furl Favicon Google Bookmarks Favicon StumbleUpon Favicon Technorati Favicon TailRank Favicon
Page 1 of 1 pages