How do you define a cyber security professional?

Author: Dan Lohrmann, Chief Strategist and CSO, Security Mentor

Back in 2010, when I was the Michigan Government’s Chief Technology Officer, I wrote a blog for CSO Magazine entitled: Are You A Security Professional?

At the time, I was doing a series of blogs on Why Security Pros Fail – and what you can do about it, and I was getting lots of emails from all over the country asking various questions. Some of these questions included:

  • How do I define security professional?
  • Why did I consider myself a security pro if I was a Chief Technology Officer (at that time I had recently left the Michigan CISO job)?
  • How can someone get into a security career field?
  • Are security certifications and advanced degrees worth it, and/or required to succeed?

Here’s an excerpt of how I answered some of those questions in that blog:

(Who is) a security professional? This may sound too postmodern, but my answer: you get to decide. If you believe you are a security pro, you probably are a security pro. Some hints: do you read security magazines and books, check up on security settings at home and work or attend seminars and topics on security? Yes, it helps to have certain skills, degrees, experience and other credentials. However, your business card is not the only (nor necessarily the best) indicator. If you’re reading this blog you get two points – just kidding.

Don’t get me wrong. I’m not making a judgment on how good a security pro you are, nor denouncing the benefits of more security training. And yet, I’ve met some excellent security experts who are self-taught with non-technical degrees or no degree at all. I’ve also seen people in security organisations (or even agencies like NSA or DHS) who do not refer to themselves as security professionals – even though the magic word is in their agency’s title.

As for me, a few years back I said that I think security is in my blood. No matter what my job title is, I see the Internet world through a strange lens that my teenage kids think is weird. I ask them how long their passwords are. I want to know if they’ve logged out of Gmail or who they’re chatting with online. I check the anti-virus definition dates on their laptops. If you think or act like that, welcome to the club – for better or worse until death do you part.

My daughter once stared at me with a puzzled look and asked: You really care about this security stuff don’t you dad? Security is more than a job to you, isn’t it?

I paused, looked down and smiled. I didn't need to speak. She knew the correct answer.

Fast forward to 2015

Would I answer the question the same way today?

I did some research and found several articles like this one from Michael Cooney over at Network World, who generally supports a more professionalised workforce, but also worries about the barriers it might create.

He says:

“Over time, professionalisation could help build a higher quality work force with a standardised set of specific skills and help employers identify the best candidates to meet their needs.  But this should be weighed against the changing context of cybersecurity that includes both evolving threats and fluid job responsibilities.  Although some measures can help increase awareness and desirability of the profession and increase the number of individuals who consider cybersecurity as a career, they can also create additional barriers to entry that inadvertently screen out suitable candidates, discourage out-of-the-box thinking, and narrow the pipeline of potential workers.”

Today’s question

Why bring this up now? The question came up again very recently in an interesting way. I received a LinkedIn-related comment on my recent Government Technology blog entitled Hacking: When your white hat is really a black hat. Here are the example news headlines from the beginning of that blog:

  • Enormous leak exposes Hacking Team as blackhat organization (in Italy)
  • 23-year-old twins allegedly tried to rip off the State Department and sell a bunch of passport data
  • Cybersecurity intern accused in huge hacking bust
  • Man accused of hacking into college women's accounts, 'sextorting'

The thoughtful comment in the LinkedIn ISSA Discussion Forum argued adamantly against my use of these examples as hacking by black hats, mainly because of my broad definition of cyber security professional. Here’s an excerpt of what he said:

“Hacking Team – An Italian commercial entity that buys 0-days and sells them as a service to ‘legitimate’ regimes and organisations. [Not a cyber security professional]
1 year old twins [editor’s note – referring to the 23 year old twins] - US citizens who allegedly commit credit card fraud and intended identity theft. [Not cyber security professionals]

Cyber security intern - US student and reverse engineer [accused of] writing malware [[If the accusations are true], a youngster with dubious ethics and a need to ‘grow up’ but not a cyber security professional]

Man accused of hacking into college women’s accounts – [Not a cyber security professional]”

I responded that I do believe several of these companies (such as FireEye and Hacking Team) are security companies with cyber security professionals and stated codes of conduct. I also agreed with most of his overall points regarding the good intentions and cyber ethics followed by most security pros in the industry.

But later, I pondered if these distinctions (and definitions) even matter to hacking trends in our society. 

One argument I’ve often heard: Why does it matter if Edward Snowden was NOT a cyber-expert or a security professional? He still was able to get other people’s passwords using social engineering and bypass security controls to get the information he wanted as an insider threat at NSA. The same could be true of these other people mentioned in those articles who allegedly performed illegal acts – even if they are not formally cyber security professionals.

Aren’t these people ‘professionals’ of some sort, being paid to do their jobs?

On the other hand, I think the LinkedIn comment does have some merit, in that cyber security professionals hired by technology or security companies are expected to act in ethical ways. These people are contractually obliged to perform certain security functions and not to engage in other (illegal) acts with their system and data access. Like doctors and lawyers, security professionals have a reputation to uphold and codes of conduct to follow.

Most people believe that these formal definitions do matter (at least somewhat), especially when you are trying to get a first cyber job, build a positive reputation in social media and get promoted. They define ‘security pro’ by whether or not you are getting paid for performing a service.

However, other people dispute even those points, citing respected professional hackers with no degrees, certifications or fancy titles, and other exceptions to the “stated professional definitions.”

Your turn − what’s your view?

I’d really like some feedback from other ‘cyber security professionals’ or anyone else with an opinion. 

How do you define a security or cybersecurity professional?

Do you need to be a cyber-security pro to be a ‘white hat’ or ‘black hat’ hacker?

Do these distinctions even matter in the examples of hacking given in the articles? Why or why not?

This article was brought to you by Enex TestLab, content directors for CSO Australia.
