“Noise” in the Cyber Security Community
- Sep 12, 2025
In the past decade, cyber security has become one of the fastest-growing fields. With the expansion of digital services, cloud solutions and reliance on online communication, the demand for expertise has never been greater. Organisations – from small NGOs and SMEs to government institutions – are all seeking solutions to protect their data and infrastructure.
Unfortunately, this growth has also brought a problem that is often left unspoken: “noise” in the cyber security community.
The rise of self-proclaimed experts
Cyber security is “in”. It features in the media, at conferences, and even in political debates. It attracts attention because it carries weight and urgency. For this reason, it is not unusual to see individuals with only partial links to the IT sector presenting themselves as cyber security experts.
Examples are plentiful: a system administrator presenting themselves as a network security specialist, a developer branding themselves as an application security expert, or even an IT project manager offering “consulting services” in cyber security without practical knowledge. It is not uncommon for people from entirely unrelated professions to join in and present themselves as part of the cyber security community, relying more on the popularity of the topic than their own expertise. We do recognise the breadth of themes covered by cyber security – from technical to legal and organisational aspects – but there is still a clear need for basic knowledge and proven expertise in the “core” domains before someone can legitimately be considered a professional.
Good intentions, a road to...
The situation becomes even more problematic when international organisations and foreign donors, in search of local partners, engage these self-proclaimed experts. The motivation is understandable – donors want to act quickly, avoid lengthy verification, and believe they have found “local capacity”. But the result is the opposite of what is intended.
By awarding projects to individuals without real expertise, a form of artificial credibility is created. One engagement leads to another, and then another. In the end, a person with no fundamental understanding of cyber security becomes a “recognised expert” in the eyes of institutions, while the community and end users are left with projects that have little real impact.
Consequences for quality and the community
This practice has several direct consequences:
Poor project outcomes – measured by activities, not results. Instead of building capacity or real protection, projects boil down to workshops without depth and reports without practical application.
Marginalisation of real experts – those with genuine knowledge and experience are often overshadowed by louder voices that thrive on self-promotion.
Loss of trust – institutions and users, after repeated poor experiences, grow sceptical of cyber security itself and the projects associated with it.
Weakening of local capacity – instead of building sustainable expertise, a generation of “paper experts” emerges whose influence rests on project involvement rather than professional competence.
Why this is especially dangerous in cyber security
Cyber security cannot be reduced to theory or PowerPoint slides. It is a field where one wrong decision can mean compromised data, service disruption, or even national security threats. Unlike some other sectors where superficiality may go unnoticed, in cyber security the consequences are immediate and costly.
False expertise is not just an image problem – it is a direct risk to the security of systems and users.
What can be done?
There is no quick fix, but several clear steps are necessary:
Standardisation of education and certification – organisations should demand relevant international certifications (e.g. CISSP, CISM, OSCP) or require education in relevant cyber security topics. While a certificate alone does not guarantee competence, it does represent a minimum baseline.
Transparent evaluation – donors and institutions must invest in verifying the actual skills and experience of those they engage. References should be checked, and previous results must be measurable.
Support for expert communities – instead of hiring individuals on an ad hoc basis, there should be a stronger focus on organisations and centres with a clear mission, infrastructure, and team capacity.
Accountability of donors – international organisations carry responsibility towards local communities to channel resources where they will deliver real impact, not just where engagement is most convenient.
Conclusion
The “noise” in the cyber security community is not a harmless phenomenon. It erodes trust, lowers project quality, and prevents real experts from driving meaningful change.
It is time for us, as a community, to acknowledge the problem, name it openly, and begin to build standards and practices that reward genuine expertise. Only then can cyber security in Bosnia and Herzegovina – and beyond – move beyond a fashionable term and become true protection in the digital domain.




