I recently read some posts from information security people who seemed to lack confidence in their abilities. Citing imposter syndrome, a feeling that they are not as competent as people think they are, they mused over whether their own skills and experience justified their roles as security professionals. This post is to spell out plainly what makes a good security professional. Are you a fraud? Read on and find out.

There are three essential elements to being a security professional in any field. First, a security professional has a vigilant mindset. Everything is a potential threat to security. Second, a security professional knows and understands his or her organization’s security policies. It is important to know what is allowed and what is not. Third, a security professional maintains situational awareness. To the greatest extent possible, you need to be aware of everything around you.

The Vigilant Mindset

A security professional understands that everything is a potential threat to continued operations. There are three main categories of threats: people make mistakes, things break, and bad people do bad things. Mistakes are by far the highest risk you should worry about. Some people, especially in technical fields, feel like mistakes are bad and can be avoided. Nope. People make mistakes all over the place and all the time. That is part of the human experience and cannot be avoided. A security professional needs to understand that people make mistakes, anticipate those mistakes, and have plans for what to do when people make mistakes.

Things break. Software has bugs. Physical machines fail. Nature lashes out. (Think of wildfires, hurricanes, and earthquakes.) It is the nature of the universe to have things break all around us, all the time. A security professional needs to understand that things break, assess the things most likely to break, and have plans for what to do when they break.

Bad people do bad things. The world is full of people who, for various reasons, like to do things we might call socially unacceptable. Bad things can range from unwise pranks to mass destruction. A security professional understands that adversaries are always out there, always trying to perpetrate mischief. A security professional has plans for what to do when the organization makes contact with the enemy.

A vigilant mindset might border on paranoia. That is okay. The security professional’s job is to be the paranoid one in the organization. If it is any consolation, being the paranoid one allows everyone else to feel normal.

Security Policy

A security professional knows and understands organizational security policies. Do you know what is allowed and what is not allowed? If you do not know whether something is allowed, do you have a way to find out? Sometimes crazy things are allowed, especially when the executives of an organization decide they are willing to tolerate significant risk. If you ever find yourself in the position where your advice on security policy is disregarded, do not lose sleep. So long as you stay vigilant and understand the current policies, you are doing well. (How the executives should evaluate risk is a topic for another day.)

Situational Awareness

A security professional knows what is going on. The security professional needs access to information about the operations and environment, and needs access to and an understanding of the tools used to process that information. This is the part where technology is most relevant. This is the part where a security professional should constantly be learning, adapting to new processes and technologies adopted by the organization.

Are you a good security professional?

To be a good security professional (in any field), you should be vigilant, understand security policy, and maintain situational awareness. In the realm of information security, there seems to be a constant stream of news about this or that new zero-day exploit, along with many people who seem to stress the importance of esoteric details. Don’t panic. Don’t be distracted by details that will draw your attention away from the basics. If you find yourself being stressed by an onslaught of details, then your performance as a security professional will suffer. So long as you stick to the basics, you will be a good security professional.

How to create and maintain good security policy is a different topic entirely. Let me know if you find yourself in the role of having to create and set policy. Alternatively, let me know if nobody at your organization is setting policy.