Something we preach very strongly in our training is the importance of an understanding of the underlying technology / application / issues, and being able to dig into the core of an issue, not just try a trick or two and move on. Sadly, most people don't see it this way.
It's also somewhere between sad and frustrating for me that there seems to be an over-abundance of so-called "experts" in our field. While this isn't an issue for those who have a deep understanding, the fact of the matter is that for many of our customers, their key competence is their respective industry, and not information security.
Of course, this leads to much snake-oil and other uglyness...and to increased frustration for those of us who actually *are* trying to help our customers and add value. Let it be said right now that I don't by any measure regard myself as an expert on all things information security, but I'm more than happy to tell people when something is outside of my field of expertise.
I found an interesting piece in a book I'm currently reading called "Way of the Turtle" by Curtis M Faith - this is in the context of traders and the markets, but is more than applicable to our industry, practically verbatim. The snippet, from a sidebar in the book titles "The Myth of the Expert" follows.
The "don't optimize" counsel is an effect of what my friends and I like to call the myth of the expert. Unfortunately, in most fields the number of people who really understand what's going on is very limited. For every true expert, there are scores of *pseudo-experts* who are able to perform in the field, have assembled loads of loads of knowledge, and in the eyes of those who are not experts are indistinguishable from the true experts. These pseudo-experts can function but do not really *understand* the area in which they claim expertise.
True experts do not have rigid rules; they *understand* what's going on, and so they do not need rigid rules.
Pseudo-experts, however, *don't understand*, and so they tend to look at what the experts are doing and copy it. They know *what to do* but not *why it should be done*. Therefore, they listen to the true experts and create rigid rules where none were intended.
One sure sign of a pseudo-expert is writing that is unclear and difficult to follow. Unclear writing comes from unclear thinking. A true expert will be able to explain complicated ideas in ways that are clear and easy to understand.
Another common characteristic of pseudo-experts is that they know how to apply complex processes and techniques and have been well trained but do not understand the limits of those techniques.
In trading, a good example would be someone who can perform complex statistical analyses of trades, runs a simulation that generates 1 000 trades, and then assumes that she can draw conclusions from those trades without regard for the fact that they might have been drawn from only two weeks of short-term data. These people can do the math but do not understand that the math does not matter if next week is radically different from the last two weeks.
Don't confuse experience with expertise or knowledge with wisdom.
This rocks...I couldn't have said it better myself :>
** CRM114 Whitelisted by: From firstname.lastname@example.org **