Information security (IS) is a very large arena. Currently, most IS professionals are expected to be experts in everything; but that’s like thinking that all engineers are experts in electrical, mechanical, chemical and civil engineering. I am an electrical engineer and know precisely nothing about civil and chemical engineering. Why would I? In the IS world, however, what we have not done effectively as a profession is to clearly segment areas of expertise so that you can be, for example, a ‘network security manager’, where that means something specific like ‘electrical engineer’. There are some elements of this within certain organisations but these are not defined roles and can end up crossing over. Is the network manager in charge of security on our web applications? Just the network bits? Is that the role instead of the application security engineer? Like most things, having something to begin with, even if not perfect, is better than being entirely ad hoc. One problem you see frequently is the lack of formal education or qualifications required to enter the world of digital. Sure, a designer might be able to produce good designs without formal education (even if it would still help) but can we really carry on allowing just anyone to set up a ‘web design company’ writing production systems that are storing user data, processing card transactions and so on? An example encountered recently is that of a system a colleague saw that is still in use at airports and which could be used trivially to dump information onto TV screens such as bomb hoaxes or other inappropriate content. Why is it easy to hack? Because it was written by people who didn’t really know what they were doing. It’s not uncommon for developers to know virtually nothing about web application security. Does training guarantee they would know more? No, but it would certainly put things on the radar for most organisations, since a single person is all it takes to bring something good to the wider team