How to be a security expert
There are two ways to be a security expert.
First, the bad way:
Publish articles saying "you should do things like I say, because I'm a security expert, and this is how you secure computers".
Then, the good way:
Answer questions that people throw at you with other questions. Here are some example questions you might try:
- What's the risk you're trying to protect against?
- Is the risk likely / realistic?
- What's the benefit of protecting against the risk?
- What damage could be caused if you don't protect against the risk? [Can the CEO go to jail? Maybe that's a risk worth taking!]
- How many different ways can we protect against the risk?
- What is the cost of protection?
- What are the side-effects of protection? [Technically, side-effects are often 'costs', but can be benefits in themselves.]
You can refine these questions further: for instance, consider potential risks and damage in terms of compliance regulations and sanctions, business costs, public relations, technical effort, etc.
In the information security field, we often get so wound up in our own technological solutions that we lose sight of the problem we were trying to solve, or of its magnitude.