There is no shortage of people presenting themselves as security experts. Some of them truly are. The others...

Joshua Goldfarb, Global Solutions Architect — Security

April 10, 2020


The Latin phrase "caveat emptor" has become an English proverb, and for good reason. "Let the buyer beware" is an axiom that nearly all of us are familiar with. Most of us know the phrase in the context of retail purchases. We were taught, or have learned over time, to never take sellers at their word. We must always perform the appropriate research before making a purchase.

In security, unfortunately, we must practice a different type of caveat emptor. In recent years, security has become a hot field. And sadly, where there is budget and focus, there are also frauds and deceivers. There is no shortage of people presenting themselves as security experts. Some of them truly are. The rest of them, however, are keen to take advantage of security professionals who haven't yet learned to filter the real security experts from the fakes.

To help organizations avoid spending time, money, and resources on security frauds, I offer 10 ways to spot one:

  1. Big words: We all like to sound educated and well-read. There is rarely a point in obfuscating our speech with large, overly complex words that make it harder for others to follow what we're saying. But that is exactly what security fraudsters are after. Most of us are afraid of looking stupid, particularly around our peers. If we don't understand something, we may hesitate to ask for clarification. Frauds prey on this and purposely use large words to appear knowledgeable and to confuse us. A general rule of thumb is: If you think you're hearing a large number of complex words in a row that, when assembled together, have no meaning, you're probably right. You're likely listening to someone actively looking to deceive you.

  2. Nothing in writing: Honest, hard-working security professionals have no problem emailing or otherwise putting agreements into writing. It's very common for a meeting to result in a follow-on email with minutes and action items. Security frauds can't risk having anything in writing because they can't actually deliver on their promises. If you find that someone repeatedly speaks or makes promises but never puts them in writing, it's a red flag.

  3. No actions: Most of us attend meetings now and again, but we likely spend most of our workdays doing our jobs. If you are working with someone who can never seem to get anything done or perform any tangible action, you might have fraud on your hands.

  4. Numerous lectures: If your job keeps you busy, you're like most security professionals I know. While we all need to take time to step back and see the bigger picture, we also need to balance that with meeting our deadlines and obligations. If you come across someone who always seems to be lecturing others on what they should be doing, how what they're doing is wrong, and/or how things would work in an ideal world, beware.

  5. Grand plans: Many security organizations have a vision. In addition to that, many members of the security team likely have quarterly, annual, and/or multiyear goals and priorities that they're working toward. It's good to dream, but if all you hear from a certain person are grand plans that are not grounded in reality or connected to the current work environment, they may be a fraud.

  6. Excessive name dropping: Many of us in security are fairly well connected. Over the years, we've worked with people, networked at conferences, and made a name for ourselves. But real professionals let their work speak for them, not the names of others in the field that they know. Someone who can't seem to describe the work they've done but is quite adept at name dropping probably doesn't actually know most of the people whose names they're dropping!

  7. Overly verbose LinkedIn profile or resume: A LinkedIn profile or resume is a great place to showcase your work experiences and your professional skill set. That being said, if someone's profile or resume reads like a short story or novel, it's time to move on.

  8. Amazing coincidences: There are coincidences in life and some of us have had the good fortune to be in the right place at the right time or the bad fortune to be in the wrong place at the wrong time. That being said, the number of times that most of us are involved in a historically notable event is fairly small. If you've come across someone who claims to have been involved in numerous notable events over time, they may be fibbing. Watch out.

  9. Too many stories: We've all met people who seem to have a story or anecdote for every topic of conversation. Some of these people, it seems, spend their days collecting stories and anecdotes, rather than working and building their skills and experience. These types of people aren't who you need for your security team.

  10. Loose lips: There is one particular Taoist quote that aptly describes the security profession: "Those who know do not speak. Those who speak do not know." If someone goes on and on about events that should be kept close, they're either a huge security risk or they weren't really there. Neither are good for the security organization. Stay away.


About the Author(s)

Joshua Goldfarb

Global Solutions Architect — Security, F5

Josh Goldfarb is currently Global Solutions Architect — Security at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.

