Who are your experts?
With press coverage, be wary if you are reading a column about security one week that was about the latest digital cameras the week before. (Some reporters are security-fluent, but too many are subject to pressure from editors wanting coverage on whatever topic is hot in the news. Security, particularly in the data-breach era, fits the bill.) With consultants, what sort of resumes are the "experts" bringing to the table? Business cards are irrelevant; you want to know what the consultants were doing on their last few assignments.

Security is now a front-page topic. That means that a lot of people are jumping on the security bandwagon, and some of them believe that they have been "security experts" for years because they've added a number or some mixed-case letters to a few passwords. In Spies Among Us, I detail the case of Alexey Ivanov, a key figure in a Russian cybergang. He would break into Web sites and then attempt to extort money from the companies to fix the problems. Every so often, one of his victims would hire a "security consultant" to lock Ivanov out instead of paying him off. None of the consultants was ever able to accomplish that lockout.

Ivanov says that he never did anything brilliant, but the consultants never did the basic security measure of reloading the systems from scratch to remove backdoors. The one thing that Ivanov is most mad about regarding his convictions is that he has to reimburse the companies for the cost of the "experts" who were never able to keep him out!

Hopefully you know that a travel writer on a diet is not by default a travel diet expert. Likewise, I hope that you know that a computer consultant who simply uses 133t-speak in passwords is not a security expert. In a highly technical field such as security, talk and titles are both less significant than experience and deep knowledge. Bad advice can mean you lose a lot more than a few extra pounds.