There is no one more dangerous in the sky than a pilot with a hundred hours of flying time.
Just enough experience to think they are a master of the skies, but not enough experience to know they are barely an apprentice.
We see this in all domains of expertise, and this rule holds true in cybersecurity as well.
Perhaps even more so in cybersecurity because the field is so new. Everyone has read an article about hackers and is now an automatic expert on cybersecurity, amirite?
This is fun times if you’re an armchair quarterback or down at the pub, but if you let such people run an enterprise security program then that’s a recipe for a Cessna nosedive into the pavement.
Real pilots just do their job.
So how do you know who is an expert and who is not?
Ah, but there is the rub. Cybersecurity is such a new field that there are no universally agreed-upon standards of expertise. In law, lawyers typically take a law degree and then must pass the bar exam to practice. In medicine, doctors likewise must undergo rigorous training. And even then those qualifications are no guarantee of a good lawyer or a good doctor—but this process of qualification derisks selecting a professional to rely on.
In cybersecurity, we rely little on degrees, only somewhat on certifications, and quite a bit on industry reputation. But good security practitioners recognize each other by their security mindset.
For security practitioners, it is immediately obvious whether or not someone possesses an adversarial security mindset. From there, establishing technical competence is a trivial matter of asking the right questions.
So if you want to know if someone is really a security expert or not, what do you do? What does due diligence look like when hiring a CISO, or evaluating an external security partner?
Ask them smart questions, but since you may not yourself be a security expert, you need to rely on other members of the security tribe to evaluate competence. I myself am not competent to evaluate the merits of, say, a cranial surgeon. Are they good? Are they bad? No idea. I have to rely on other cranial surgeons, or even surgeons who operate in adjacent fields, in order to have a reasonable approximation of an opinion.
Bottom line: A lot of people think they are security experts. They are not. It takes years of work and study to become proficient in the field.
If you trust your life to a pilot with a hundred hours of flying time, you are going to get rekt.