February 10th, 2004, 12:22 AM
#24
A brief answer to the question is of course you can know computer security without being a hacker.
However I will again re-emphasise that it depends upon your definition of a hacker.
I'm guessing that what is meant here is "Can you be a computer security expert without having the skills to compromise systems?"
And the answer to that is yes, easily.
In order to provide good security for my personal systems and those systems I am responsible for at work I do not require the ability to compromise any of those systems.
By reading AO, keeping the systems up to date, deploying a viable security model, making the most of AV & firewall, keeping security in the minds of IT staff & users, using vulnerability scanners (such as nessus/nmap etc.) and ensuring the internet profile shown offers little help to 'hackers' I am able to provide security to these systems that has so far not been compromised.
I have no idea how to exploit a vulnerable wuftp server, deface a website or other typical 'hacks'.
Now I am not stupid enough to think these systems are totally secure, but on a risk/cost analysis they are (so far) doing the job.
Being an expert at security in a business environment is all about the business case. Keeping the organisation's IT secure at a cost the business can understand and is willing to pay for, explaining to the business what isn't secure and why the costs aren't justified.
On a personal note, a security expert means that your home system hasn't been compromised.
Steve
IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com