Inspired by the BSides Cheltenham 2025 Infosec Influencers Panel Discussion with Ian Thornton-Trump, Daniel Card and Sophia McCall.
In the cyber security community, there’s a growing tension between those who build genuine expertise through decades of hands-on work and those who’ve mastered the art of algorithmic visibility. As someone who has witnessed this evolution firsthand, particularly highlighted during the recent BSides Cheltenham 2025 panel on infosec influencers, I find myself compelled to address why the label “infosec influencer” fundamentally misrepresents what many of us actually do.
The Substance vs. Surface Problem
The cyber security field faces unique challenges that require depth, experience, and genuine understanding. Unlike lifestyle brands or consumer products, cyber security advice can have profound consequences. When someone follows poor security guidance, they don’t just waste money, they potentially expose themselves, their families, or their organisations to devastating attacks.
This is why the traditional influencer model, built on engagement metrics and aesthetic appeal, feels so fundamentally wrong when applied to information security. We’re not selling lifestyle aspirations or consumer products. We’re sharing knowledge that could prevent the next cyber-attack or data breach, protect critical infrastructure, or help someone recognise a social engineering attack.
The practitioners who have built significant online followings, those with decades of real-world experience, professional qualifications, and tangible contributions to the field, find themselves lumped together with content creators whose primary skill is producing viral content. This false equivalency does a disservice to both the community and those seeking genuine security guidance.
The Authenticity Question
Real cyber security expertise comes from years in the trenches: responding to incidents, building security programs, conducting penetration tests, investigating breaches, and yes, making mistakes and learning from them. It comes from understanding that security is fundamentally about people, not just technology. It emerges from the humbling experience of being wrong, adapting approaches, and continuously learning in a field that evolves daily.
Many of us who share our knowledge online do so because we’ve lived through the consequences of poor security. We’ve seen what happens when organisations cut corners, when employees aren’t properly trained, or when security teams are under-resourced. Our motivation isn’t follower growth or brand partnerships, it’s the genuine desire to prevent others from experiencing the same failures we’ve witnessed or caused.
The “influence” we may have stems from credibility earned through professional achievement, peer recognition, and demonstrated expertise. It’s the difference between someone who has spent years building and implementing security programs versus someone who has mastered the art of creating engaging security-themed content.
Beyond the Algorithm
The most troubling aspect of the “infosec influencer” phenomenon is how it prioritises engagement over accuracy. The social media algorithms that drive visibility favour content that generates quick reactions: outrage, fear, oversimplification, or controversy. These dynamics are antithetical to good security communication, which often requires nuance, context, and acknowledgment of complexity.
Effective security education sometimes means delivering uncomfortable truths: that perfect security doesn’t exist, that trade-offs are inevitable, that the latest security tool won’t solve fundamental organisational problems. These messages don’t typically go viral, but they’re essential for building mature security programs and realistic expectations.
When we allow the influencer model to dominate cyber security discourse, we risk prioritising what’s engaging over what’s educational, what’s shareable over what’s substantial.
The Community We Actually Need
The cyber security community thrives on genuine knowledge sharing, peer collaboration, and collective problem-solving. The best security conferences, like BSides events, succeed because they create environments where experienced practitioners share real insights with those earlier in their careers. This isn’t about building personal brands or follower counts, it’s about advancing the collective security posture of organisations and individuals.
Those of us who write, speak, and share content do so as an extension of this community ethos. We’re not trying to “influence” people to buy products or adopt lifestyle choices. We’re sharing hard-won knowledge, providing practical guidance, and contributing to the professional development of others in the field.
With Platform Comes Responsibility
Anyone who has built a significant platform in cyber security carries the responsibility to use it thoughtfully. This means fact-checking content, acknowledging the limits of our expertise, avoiding sensationalism, and prioritising the security of our audience over engagement metrics.
It means being transparent about professional relationships, avoiding conflicts of interest, and declining opportunities that would compromise our ability to provide honest, unbiased guidance. It means understanding that our “influence” comes with the obligation to earn it continuously through consistent, valuable contributions to the field.
A Different Kind of Impact
Rather than seeking to “influence” in the traditional sense, many of us are focused on education, community building, and knowledge transfer. We measure success not in followers or engagement rates, but in the security professionals we’ve helped develop, the organisations we’ve assisted in improving their security posture, and the contributions we’ve made to advancing the field.
This approach recognises that cyber security is a collaborative discipline where individual expertise contributes to collective security. It’s about building a stronger community of practitioners rather than personal brands.
With Full Disclosure
I must add at this point in this article something that I want to be honest and upfront about. As a journalist (and yes, I have a valid press card) I have written reviews for this blog. Those reviews are on a wide range of subjects, topics and themes, from reviewing restaurants I’ve eaten in, to books I’ve read, to concerts I’ve been to, to items I use such as stationery, journals and gadgets, to software that I use in my day-to-day work.
I have chosen every review that I’ve done myself. If I’ve been approached by an organisation to write a review of a product whether that be a physical product or a digital one, it is not an endorsement of that product by me. I pride myself on being authentic and if the product is not what I expected, I didn’t enjoy it or if it doesn’t work as well as I expected, then that is the review I will write. I’ve written reviews of restaurants that have been below standard, books that I have not enjoyed as much as I thought I would and if a product I review does not work as well as it should or solve the problem it claims to solve, I will write about that warts and all.
So when I’ve been asked to review books in the cyber security space, or been asked to review software or tools, my thoughts can be good or bad depending on how I personally find the book or software. I will NEVER write about something positively just because I’ve been asked to review it. I will always provide my honest thoughts for anything I review.
Moving Forward
The cyber security community needs to maintain the distinction between genuine expertise and algorithmic popularity. We need platforms and recognition systems that reward substance over style, experience over engagement, and community contribution over personal brand building.
For those of us who have built a significant online presence through years of professional work, the goal should be using that platform to elevate the field, not to elevate ourselves. The influence we have should be wielded in service of better security outcomes, not better engagement metrics.
The “infosec influencer” label may be an inevitable product of our social media age, but it doesn’t have to define how we approach sharing knowledge in the cybersecurity community. We can choose to prioritise expertise over algorithms, substance over style, and community benefit over personal brand building.
In the end, our industry needs practitioners who happen to have platforms, not influencers who happen to work in cybersecurity. The distinction matters, for our community, for our profession, and for the organisations and individuals who depend on us to help them stay secure in an increasingly dangerous digital world.
This article was inspired by discussions following the BSides Cheltenham 2025 infosec influencers panel and reflects ongoing conversations within the cyber security community about the role of social media presence in professional practice.