Recently, I've had an opportunity to ponder these questions and I find that there are obvious answers. But I'm not completely sure they are the right answers. Consider...

Information security is like the expanding universe – it is going to continue to grow in scope and complexity, indefinitely. It has only been recently that we have begun to see credible education programs in information assurance (IA) at the university level. True, there are old and noble programs such as CERIAS at Purdue and a few others, but the notion of IA in higher education is just beginning to gain critical mass.

That means that we are beginning to turn out IA practitioners who have more than the patchy training available from training companies and conferences. However, the bottom line is that we are beginning to see a generation of educated not just trained infosec professionals. Their viewpoints differ. Many have master's degrees. They understand both the technical and the business aspects of IA.

There will continue to be trained technicians, of course. They come from the training companies, community colleges, trade schools and other so-called "hands-on" training environments. But they are technicians or, at best, engineers. Ignoring those who develop the infosec tools we use for now, that leaves us with two very distinct audiences: the technicians/engineers, and the advance practitioners who are the managers, supervisors, architects and consultants. What are their needs, and are they, individually, significant audiences?

Those are hard questions to answer. Starting with the second, I would say that there is a significant, and growing, audience at both ends of the IA spectrum. To the first, I'm not sure. What I do know, however, is that these senior practitioners and many of the more senior and experienced engineers need every tool they can get their hands on. It really doesn't matter whether those tools are theoretical, practical but unpackaged, or slick vendor-supplied and maintained.

The notion of tools that vendors don't find profitable is the driver behind open source efforts. But, more importantly, the IA community faces new and novel threats on a daily basis. Just because a solution to those threats is complicated, theoretical, proof of concept, or any other moniker you wish to hang on it, doesn't mean that it doesn't have value.