Prominent security evangelists say their credibility rests on sharing technical expertise, not marketing hype

The changing role of the enterprise security evangelist in a post-Covid era

Security evangelist. It’s a phrase often batted around the cybersecurity industry, but what does it actually mean?

You may have come across it by another name – security advocate or awareness educator to name a couple – but the role is largely similar regardless of the job title.

The Daily Swig spoke to professionals within the infosec industry to dig deeper into exactly what the job entails.

What is a security evangelist?

A security evangelist is employed by cybersecurity vendors and other industry organizations to promote awareness of their products and ethos to users, the general public, and the wider infosec community.

You’ll often see them popping up at conferences or on webinars, something they have had to do virtually since the coronavirus pandemic halted in-person events.

It’s often bigger companies with more generous budgets that can afford to employ a security evangelist – a position that can easily command a $70k+ salary.

Their role is varied, but the responsibilities are broadly part spokesperson for the company, part educator for the infosec community and wider public.

Javvad Malik, security awareness advocate at KnowBe4, told The Daily Swig: “The job of a security evangelist (or advocate as I like to refer to my job as), is one that precariously walks the tightrope of sharing security knowledge in the PR department while avoiding falling into the bottomless void of marketing.

“In simpler terms, it’s primarily an external-facing role which involves educating and sharing ideas on security matters.

“This can be offering insight to journalists, delivering presentations, webinars, writing blogs, or engaging in discussions across other channels.

“The ultimate goal is to rely on industry experience and ongoing research and share high quality content that helps and informs, which as a result builds trust in our brand.”

The popularity of said role has expanded in recent years, mainly due to the growth of the industry as a whole.

Marketing misconceptions

While these security advocates almost always have experience working in security teams, they are sometimes mistaken for marketing bods with little to no technical know-how.

“Within a business setting, misconceptions are usually if the expectation is for me to simply state a marketing message without having any real depth of experience,” Tim Mackey, principal security strategist at Synopsys CyRC, told The Daily Swig.

“It’s not uncommon for me to state in such situations that I’ll go as deep or as broad as they require,” adds Mackey, who gained extensive experience in software engineering before becoming a security evangelist.

Convincing IT staff, whether it’s developers or AppSec engineers, to take advice from someone who isn’t working on products themselves can often be challenging.

Augusto Barros, vice president of solutions at Securonix and former industry analyst at Gartner, said that having a technical background is paramount when it comes to engaging with security teams.

He told The Daily Swig: “Being able to properly communicate with such an audience also requires technology skills, but even more important, it requires experience in the field.

“Techies tend to listen to those that have gone through the same things they are experiencing.

“They will test you in your technical abilities before they decide to trust you and listen to what you have to say.”

For Mackey, sharing ideas and knowledge is the only way to stay one step ahead of cybercriminals.

This is true for both the workplace and the wider public, he said.

“Fundamentally attackers get to define the rules of their attack,” he said. “It’s through security awareness and sharing of experiences that we can remove some pieces from the game.”

Coronavirus curbs ‘hallway conversations’

Speaking face to face with peers is often the best way to build trust and make contacts.

A major part of the role of a security advocate involves networking with people across the globe at conferences and other events.

But since the Covid-19 outbreak has shifted the way we work, socialize, and travel, the industry’s biggest conferences have been either cancelled or moved online.

Mackey, Malik, and Barros all agree that the pandemic has adversely affected their day-to-day lives.

Malik said he is “greatly missing out on all the networking and learning experiences that come from live events. There is so much more to a live event than the presentations, and I’m feeling that the most.”

Mackey said: “In recent years I’ve become a fixture at a variety of events. With travel restrictions, having the hallway conversations with peers is now that much harder.

“This has the unfortunate impact of reducing the volume of information coming my way meaning that keeping abreast of the latest shifts in the industry is a bit harder than it was in February.”

Looking ahead

With social distancing a likely fixture for the foreseeable future, Zoom meetings and virtual conferences could become an industry norm.

This year has seen Black Hat USA, DEF CON, and Black Hat Asia held online, Black Hat Europe going virtual in December, and a host of smaller cons migrating to video conferencing – if they weren’t cancelled, that is.

Looking ahead to 2021, it’s unclear when and if our working lives will ever be the same again.

For Barros, the thrill of networking in person couldn’t ever be fully replicated by online web sessions – and won’t have to be.

He said: “From the point of view of the interaction between vendors, researchers, and customers, I believe we’ll eventually return to how things were.

“Maybe we’ll see more virtual events as now more people feel confident they can find the information and insights they need through that format.

“But the ‘hallway track’ is hard to replace, so the regular conferences will be back for sure.”

Mackey, however, thinks the migration to online working could spell positive change for the industry as a whole.

“With businesses learning how to support distributed workforces, we could see a world where top security talent can live and work from anywhere instead of being required to move to tech hubs,” he explained.

“Over time, this should help reduce some of the skills gaps we’ve seen in recent years.”
