Information Security and Network Awareness

Hurricane Labs




Beware The Expert IT Security Culture

I have been in IT a really long time, with an interest in technology that far predates my career (think Commodore and Atari), and every expert I have ever met has had exactly one thing in common: they are all narrow-minded. Sure, most of them are nice enough, and some are even engaging and charming, but their most fatal flaw is that they assume they have mastered everything in their field and have simply stopped learning. This is where it gets dangerous, because that sounds horrible and no self-respecting expert would ever admit to such a thing, but you can recognize them by their tone: “That person is an idiot, it should be done this way,” or “That person isn’t a threat to you, because I would attack your network this way.” They have become completely unable to think outside the magical expert world they have created.

Take the recent retail breach, for example. Every expert on Earth (before any details were out, of course) said it had to be the work of a super complex, advanced ring of international hackers who were far more advanced than our paltry defenses could withstand. Turns out, it was originally reported that a 17-year-old Russian kid had actually written the software. I’m sure there were probably some more involved “criminal” types, but that super advanced piece of malware was written by a 17-year-old. Experts could not fathom a world in which a PCI-compliant, big-time company with all the “right” consultants and all the “right” protections could be breached by a kid. Now the same folks are saying that someone else was indeed involved and that the 17-year-old had not acted alone, so experts get a lot of things wrong too. That, to paraphrase Yoda, is why experts fail.

Expertise is a disease of the mind. It basically reinforces the idea that you can’t move higher or further in your field. It limits you, greatly. It starts innocently enough, with “hey, that guy is really good with computers” or “hey, she’s a pretty talented programmer,” and then progresses to “just ask Steve, he knows everything, he’s an expert.” If you were Steve, would you bother to pick up a book again? Probably not, not if that sort of thing persists. All of this ends up in the attitude that you can’t be wrong, because you’re an expert. Expertise forces you to start accepting your own theories as proof; your word becomes all you need. This is why in academia there is a general rule against citing yourself as a source in a paper: not only is it self-serving, it is very bad form, amounting to “this is true because I say it is true.” Does that sound like someone who would take advice from a novice in the field, even if that novice has a genuinely better idea? No, because few if any experts can recognize a better idea, since that sort of thing doesn’t exist in their bubble.

Of course there are exceptions to every rule, so you can save me the commentary that you’re an expert who doesn’t act like that, because, really, we all do it in some way. Whether in our personal or professional lives, we all have something we feel expert in and have simply stopped trying to get better at. It is a curse that afflicts all of us at one time or another, but in IT, and especially in IT security, if you take nothing into account but your own limited worldview, you will fail, and you will fail big. Basically, this was a very long-winded way of saying: don’t be an expert, strive only to be a student, so that you will always know you don’t know enough just yet.

The post Beware The Expert IT Security Culture appeared first on Hurricane Labs.


Christina O’Neill has been working in the information security field for 3 years. She is a board member for the Northern Ohio InfraGard Members Alliance and a committee member for the Information Security Summit, a conference held once a year for information security and physical security professionals.