The term cybersecurity expert is overplayed. There is no official or legal definition, and between companies, the meaning of “cybersecurity expert” can vary greatly. When we talk about cyber, we need to understand our audience and trust the “experts” we rely on for information. As we talk to others, what attributes do we use to signal that we are cybersecurity experts? As we interview people for job openings, how do we qualify and differentiate between all of the candidates calling themselves “experts”?
Claiming to be a cybersecurity expert is essentially saying you have expertise in all forms of mathematics. But let’s be honest, no one can be a true expert in all areas of cybersecurity (or math for that matter). Most “experts” specialize within a given field and have general knowledge of surrounding areas. So, this begs the question, how can you measure this expertise? Education is a start but can be outdated as technology is continuously advancing. Your job title also does not work. If you are implementing requirements, it does not necessarily mean you understand them. Instead of these measurements, we suggest the following levels.
Cybersecurity levels based on the Kardashev Scale
We draw our inspiration from the Kardashev Scale, which measures a civilization’s level of technological advancement based on the amount of energy it uses. The main idea is those tech advancements are needed to control and produce larger and larger amounts of energy. Achievements are used to gauge expertise and mastery rather than generic certifications or titles. Since a true expert in cybersecurity does not exist, perhaps a scale like this could clear up how much knowledge so-called experts have. Our proposed cybersecurity levels are:
- Level 1
- Ability to articulate in general terms a given cybersecurity topic
- Able to answer basic questions on a given topic
- Example: Can provide a general overview of RSA and answer general questions about it and its importance.
- Level 2
- Ability to either code or describe mathematically a given cybersecurity topic
- Able to talk about the inner workings of a given topic
- Able to describe the purpose behind a cyber policy or the high-level workflow of a specific cyber protocol
- Example: Understanding the math behind the concept or the purpose of a policy.
- Level 3
- Contributed to the discussion by providing new information that is beyond general knowledge
- Typically, patents begin at this level
- Example: Improved the efficiency of a given algorithm or combined novel ideas to provide a new concept/product that better solves a problem.
- Level 4
- Created a new discussion by introducing new concepts/ideas that revolutionize a given field in cybersecurity
- Typically, this requires either new math or the use of math concepts used in a unique way
- Example: Inventing quantum approaches to cybersecurity
REDCOM and cybersecurity
REDCOM is committed to continuous cybersecurity improvements. Our zero-knowledge authentication capability is built from the tactical edge up, focusing on interoperability and data protection using a “brilliance in the basics” approach. While we don’t consider ourselves cybersecurity experts, we strive to be level three or higher on our zero-trust architecture solution, ZKX. REDCOM’s new disruptive authentication technology, ZKX, offers seamless and frictionless multi-factor authentication designed to embody the foundational principles of zero trust. ZKX is designed atop a foundation of zero-knowledge proofs — longstanding mathematical functions used to prove one’s knowledge of secret information without revealing what that secret information is.
No one individual or organization is an expert in all aspects of cybersecurity. We believe a focus on measurable accomplishments is a better method of judging cybersecurity knowledge than titles or degrees. If you want to understand a person’s cyber competence, ask specific questions to deduce their level of expertise. Ask them what they’ve done in the field, what subfield they are focused on, or how they accomplish certain tasks. Be cautious of individuals or firms that refer to themselves as “cybersecurity experts” and be prepared to ask probing questions to classify them into one of the levels outlined above.