Seeing What Isn't There

May 1, 2004 12:00 PM, By Richard Thieme


Listening to dozens of information and computer security experts — who collectively have more than a thousand years of experience — one is struck by how many critical insights emerge.

But the insights of the masters do not translate into rules. As Hubert and Stewart Dreyfus wrote in 1988 in Mind Over Machine, human experts reach a level of expertise that enables them to respond intuitively to whatever comes at them. That's why so-called expert computer systems do not work for areas of expertise requiring intuition. Experts routinely break the rules that beginners need. As beginners implement rules over time, they internalize them and discover when to break them. Knowing when it's OK to break the rules opens the door to what might be called the meta-rules.

Breaking rules feels like chaos to beginners, so it is best for beginners never to break rules. If you don't know when to break the rules, don't break them. When you do know, however, break the rules whenever security requires it.

Students of security must self-direct — in a holistic way — a process of lifelong education. They have to already know the Big Picture of what they need to learn.

It isn't enough just to know. You have to build in criteria for accountability for yourself so your actions are aligned with what you know. Otherwise, you will believe the map in your head instead of the one traced in the network by your unconscious behaviors. What you build as the architecture of the system will generate security, not what you believe you have done.

There is a big difference between belief and awareness. There is a trend, according to Sol Tzvi, senior security and privacy architect for Microsoft Israel, to buy black box appliances to embed in networks. Those appliances hide their operations from administrators. This means, she points out, that the feeling of being secure is increasingly substituted for an awareness of what constitutes security and the knowledge that it has been implemented. The modularization of network appliances results in administrators who believe in the security of their networks inversely in proportion to how much they know about it.

How can you tell the difference between belief and reality? According to science fiction writer Philip K. Dick: “Reality is that which, when you stop believing in it, does not go away.”

Often security practitioners lack this level of holistic thinking. The necessity for seeing the Big Picture as well as the granular details is highlighted repeatedly by Peter Neumann, principal scientist at the Computer Science Laboratory in Menlo Park, Calif. Neumann quoted Charles Munch, conductor of the Boston Symphony — who said, “The right hand draws, the left hand colors” — as a way to say that mastery of security requires integration of the left brain and its linear logical rationality with the right brain and its intuitive and imaginative powers.

That means resisting the default position — doing the granular task at the expense of seeing its impact on the entire system.

However much we know about a specialized field, unless we discipline ourselves to know what we don't know and then to learn it in order to see the Big Picture, we will be groping in the dark.

About the author

Richard Thieme (rthieme@thiemeworks.com) speaks, writes and consults about the human dimension of technology, management of change in the workplace and organizational effectiveness.

© 2012 Penton Media Inc.