rss-bridge 2007-09-29T08:11:27+00:00

The myth of the expert

Something we preach very strongly in our training is the importance of
an understanding of the underlying technology / application / issues,
and being able to dig into the core of an issue, not just try a trick or
two and move on. Sadly, most people don’t see it this way.
It’s also somewhere between sad and frustrating for me that there seems
to be an over-abundance of so-called “experts” in our field. While this
isn’t an issue for those who have a deep understanding, the fact of the
matter is that for many of our customers, their key competence is their
respective industry, and not information security.


Of course, this leads to much snake-oil and other ugliness…and to increased frustration for those of us who actually are trying to help our customers and add value. Let it be said right now that I don’t by any measure regard myself as an expert on all things information security, but I’m more than happy to tell people when something is outside of my field of expertise.

I found an interesting piece in a book I’m currently reading called “Way of the Turtle” by Curtis M Faith – this is in the context of traders and the markets, but is more than applicable to our industry, practically verbatim. The snippet, from a sidebar in the book titled “The Myth of the Expert”, follows.

-snip-

The “don’t optimize” counsel is an effect of what my friends and I like to call the myth of the expert. Unfortunately, in most fields the number of people who really understand what’s going on is very limited. For every true expert, there are scores of pseudo-experts who are able to perform in the field, have assembled loads of knowledge, and in the eyes of those who are not experts are indistinguishable from the true experts. These pseudo-experts can function but do not really understand the area in which they claim expertise.

True experts do not have rigid rules; they understand what’s going on, and so they do not need rigid rules.

Pseudo-experts, however, don’t understand, and so they tend to look at what the experts are doing and copy it. They know what to do but not why it should be done. Therefore, they listen to the true experts and create rigid rules where none were intended.

One sure sign of a pseudo-expert is writing that is unclear and difficult to follow. Unclear writing comes from unclear thinking. A true expert will be able to explain complicated ideas in ways that are clear and easy to understand.

Another common characteristic of pseudo-experts is that they know how to apply complex processes and techniques and have been well trained but do not understand the limits of those techniques.

In trading, a good example would be someone who can perform complex statistical analyses of trades, runs a simulation that generates 1 000 trades, and then assumes that she can draw conclusions from those trades without regard for the fact that they might have been drawn from only two weeks of short-term data. These people can do the math but do not understand that the math does not matter if next week is radically different from the last two weeks.

Don’t confuse experience with expertise or knowledge with wisdom.

-snip-

This rocks…I couldn’t have said it better myself :>

CRM114 Whitelisted by: From nick@sensepost.com

