Aren’t all Security Professionals Evangelists?

Tuesday, May 08, 2012

Andrew Weidenhamer


So after three years of internal debate, I finally decided to join Twitter.

Prior to a couple of months ago, I simply did not see the benefit of joining Twitter and, as such, decided against it (granted much of this had to do with my ignorance).

To me Twitter was just another website I had to worry about collecting my personal information with very little insight as to their Information Security/Privacy Policies and Procedures and Controls.

The main reason I finally gave in is I have since resigned from my previous position and no longer have access to the technical security resources that I once did. Upon my departure, I asked my technical resources where they received most of their information security news and they each responded with “by following others on Twitter”.

So after 23 followers, following 62, and 9 tweets later, I am now part of the Twitter community (@AWeidenhamer).

So where am I going with this and how does any of this have anything to do with the title of this blog? Up to this point I have had mixed feelings about Twitter. Although, it is a very good resource to stay up-to-date on Information Security related topics, it’s also a playground for people to push their own agendas and let everyone else know how sweet and smart they are.

Some of the Security Professionals I follow literally tweet multiple times every half hour. Some of the tweets are simply retweets of the tweets that the person posted a half hour prior (if that makes sense). At times, it feels like spam. It’s difficult and time consuming to actually wade through all the tweets that are useful and those that are not.

Many of the compulsive Information Security tweeters call themselves Security Evangelist and some even hold this as an official title for their respective companies. These people possess quite a bit of information security knowledge and are typically very well ingrained within the Security Community (as I’m guessing is part of what they are paid to do).

I often wonder is Evangelist really the right title for these individuals. Perhaps “Strategic Marketer” or simply “Intelligent Information Security Professional and Educator” would be more appropriate. Most of the companies that actually hire a fulltime FTE to hold the “Security Evangelist” title are doing so for marketing and sales purposes.

In other words, many tweets and conference presentations are based on topics in which the respective company has a solution for (i.e. Mobile Device Management, Server Consolidation, Bandwidth, etc).

I think if you actually research the origin of Evangelism, most would agree this term was used originally to preach the Christian gospel with the main goal being to CONVERT. Considering that the main audience for these quote unquote “Security Evangelists” is to the security community, I’m not entirely sure how much conversion is actually happening as we all understand the importance of security.

To me it would be more evangelistic to tweet and present on Information Security topics to those that do not understand the importance of security. CEO’s, line-of-business managers, human resource personnel would all fall into this category to name a few.

Perhaps it would be more evangelistic to speak at a Forbes CEO Conference as opposed to Defcon or BlackHat. Obviously, the specific conference would have to accept CFP’s based on these sorts of topics.

This blog isn’t meant to offend anyone and especially those that actually hold this title. As already mentioned, many of these individuals possess quite a bit of information security knowledge and many have contributed greatly to the community.

However, it’s very difficult, in my opinion, to be evangelistic if the main audience is of that of your peers and many seem to be pushing a company agenda. I suppose it would be possible to be an ENTER COMPANY NAME HERE Security Evangelist.

If the only qualifying point to be a “Security Evangelist” is to promote Information Security, than all Information Security professionals are evangelists. I am Andrew Weidenhamer, QSA, CISSP, CISA, CIPP, PA-QSA, and Security Evangelist.

- Andrew Weidenhamer 

Possibly Related Articles:
Enterprise Security
Information Security
Twitter Security Awareness Social Media Marketing Information Security Infosec Professional Conferences Security Evangelist
Post Rating I Like this!
Ian Tibble I totally agree Andrew, and this is why we have problems being trusted by our customers (C-levels, service provider customers, other BUs).
"Evangelist" there a long, arduous program of accreditation that one needs to sweat long hours to get through, before one can finally call themselves officially an Evangelist? Is there an official, globally recognized certificate or badge from a reputable accreditation body, that one can wear with the word Evangelist on it somewhere? Nope.
Evangelist is a title that is entirely self-proclaimed by those hoping to market themselves with words, rather than a foundation of acquired knowledge that is valued by businesses.
Most evangelists I came across are offering little more than quoting "best practices" - information their customers can get with a 10 minute Google.

The sooner we improve our accreditation in this sector, the better, for everyone.

Marc Quibell Haha great post! I agree with both of you. And I still don't tweet; thank you for reaffirming my reasoning. I'm also tired of reading IT SEC "news" stories that turn out to be ads for a product. Like this page:

"We did a study, and here is the dire news - we are all doomed. Oh and we also offer a solution."

But it's one thing I really like about this site; keeping one informed.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.