To add to your argument...

Most of the infosec people I work with would score exceptionally low on the questions in TFA. That's because to do their job they have to argue with management, get buy-in, etc. Unless there's a gaping hole they're going to go with whatever the product does. They're not going to get involved with key exchange algorithms because the tool abstracts that. They're going to get involved with compliance. That's why we have things like FIPS-140-2, Common Criteria, EAL, CAPS, etc.

Is that a bad thing? Possibly. One would hope that such products do a proper job. The realisation is not always so. We've broken two FIPS-140-2 products in the past 3 years, one of which was used in the Chinese Olympics bid with dangerous results.

Personally I think knowing your boundaries and being able to express them (for example whenever people mention crypto I tell them I'm not the right guy, and if it was transatlantic I'd definitely say tptacek would be someone more worth talking to in that area) is more important than attempting to be a one-stop shop for all things security.
