A couple of days ago at work a few of us were debating whether a person was a "thought leader" or a "security evangelist." It seems to me that most of the time when I hear someone use one of those terms, they are using it to describe someone who has a lot of fans but is not well liked by the person using the term. But the conversation was interesting because we were discussing what makes a person an actual thought leader. I had a few ideas that I'd like to share with the Internet.
I think defining a thought leader is actually pretty easy. Lots of people will say they are thought leaders or will have others call them thought leaders. But in my opinion, you're not a thought leader unless you meet these criteria that I'm going to lay out. First of all, you can't be a thought leader unless you have original ideas. Now I'm not saying that none of the ideas can be derivative, but your conclusions should be your own. If I'm just rewording and repeating everything that Wade Baker says then I'm not a thought leader. So thought leaders have thoughts, and those thoughts are their own. Thought leaders also need to have followers. You can't lead if nobody is following. So when Wade Baker talks about Evidence Based Risk Management and I say "ERMAGERD! He's totally right" then I'm a follower of Baker's. If you get enough followers and enough original thoughts then you're a thought leader. People that meet my criteria to be called thought leaders are rare, but they do exist and should be recognized as such.
Notice that I didn't say anything about the quality or correctness of your thoughts or followers. I don't think that being right is a requirement for thought leadership. You can be a bad thought leader. The fact is, if we're going to have a security ecosystem that produces good work, we need thought leaders saying a variety of things, some of which are destined for failure. This is one of the main points of a book I read recently called "Adapt: Why Success Always Starts with Failure."
Further down the hierarchy we have "security evangelists." For me, the evangelist serves a vital role for the thought leader. It is the job of the security evangelist to bring the ideas of the thought leader to the masses, just like a religious evangelist brings the gospel to remote parts of the world. Security evangelists may have many people that listen to them, or just a few. When you go to the application developers at work and start talking to them about how to integrate security into their development lifecycle, you're being a security evangelist. And in some offices the work is just as dangerous. There are application developers that will kill a security evangelist for coming to their village. Security evangelists are typically evangelizing a message that was created by a thought leader. A thought leader can be his or her own evangelist, but needs to recruit other evangelists to avoid becoming irrelevant and no longer having enough followers to be called a thought leader. So the security evangelist is not usually preaching his own ideas, but a good evangelist will know how to craft the message to the audience. It is fairly common for a security evangelist to be credited as a thought leader.
Now I know that some people loathe the term "security evangelist." There is an article by Bill Brenner where he talks about the gut-wrenching feelings that some people get from the word, in part because information security is not a religion and we shouldn't be using religious terms like evangelist. Kevin Riggins said very nicely that you didn't write any of the Gospels. Kyle Maxwell told me that the term really rubs him the wrong way. I get that, I really do. But I think it's kind of like arguing about the terms "hacker" and "cracker." I know a lot of people really wanted cracker to win out when describing malicious computer users, but it didn't. Everyone uses hacker and we have largely come to accept that. I think that security evangelist is winning the war in terms of which words are being used, and we should just accept that and move on.
Next up we have the security practitioners. These are the people that are just working their job and trying to make things a little better in their organization. They listen to the evangelists and try to decide which ones they're going to pay more attention to. They are going to try out the ideas that the evangelists bring to them and either accept them or reject them. If an evangelist is rejected by too many practitioners then the evangelist may stop evangelizing for that thought leader.
What happens to a thought leader that can't get enough evangelists and followers? Or to thought leaders that lose all of their followers because their ideas didn't work out? Well, they have several choices. A thought leader can continue to hold on to the idea, serving as his own evangelist while fewer and fewer people pay attention to him. At that point he becomes a kook. Or the thought leader can invent a new thought and start recruiting a new group of followers. And of course some of them will just go back to being practitioners or evangelists.
So there you have it, my definitions for thought leader, security evangelist, and practitioner.