
Sat, 29 Sep 2007

The myth of the expert

Something we preach very strongly in our training is the importance of an understanding of the underlying technology / application / issues, and being able to dig into the core of an issue, not just try a trick or two and move on. Sadly, most people don't see it this way.

It's also somewhere between sad and frustrating for me that there seems to be an over-abundance of so-called "experts" in our field. While this isn't an issue for those who have a deep understanding, the fact of the matter is that for many of our customers, their key competence is their respective industry, and not information security.

Of course, this leads to much snake-oil and other ugliness...and to increased frustration for those of us who actually *are* trying to help our customers and add value. Let it be said right now that I don't by any measure regard myself as an expert on all things information security, but I'm more than happy to tell people when something is outside of my field of expertise.

I found an interesting piece in a book I'm currently reading called "Way of the Turtle" by Curtis M Faith - this is in the context of traders and the markets, but is more than applicable to our industry, practically verbatim. The snippet, from a sidebar in the book titled "The Myth of the Expert", follows.

-snip-

The "don't optimize" counsel is an effect of what my friends and I like to call the myth of the expert. Unfortunately, in most fields the number of people who really understand what's going on is very limited. For every true expert, there are scores of *pseudo-experts* who are able to perform in the field, have assembled loads and loads of knowledge, and in the eyes of those who are not experts are indistinguishable from the true experts. These pseudo-experts can function but do not really *understand* the area in which they claim expertise.

True experts do not have rigid rules; they *understand* what's going on, and so they do not need rigid rules.

Pseudo-experts, however, *don't understand*, and so they tend to look at what the experts are doing and copy it. They know *what to do* but not *why it should be done*. Therefore, they listen to the true experts and create rigid rules where none were intended.

One sure sign of a pseudo-expert is writing that is unclear and difficult to follow. Unclear writing comes from unclear thinking. A true expert will be able to explain complicated ideas in ways that are clear and easy to understand.

Another common characteristic of pseudo-experts is that they know how to apply complex processes and techniques and have been well trained but do not understand the limits of those techniques.

In trading, a good example would be someone who can perform complex statistical analyses of trades, runs a simulation that generates 1 000 trades, and then assumes that she can draw conclusions from those trades without regard for the fact that they might have been drawn from only two weeks of short-term data. These people can do the math but do not understand that the math does not matter if next week is radically different from the last two weeks.

Don't confuse experience with expertise or knowledge with wisdom.

-snip-

This rocks...I couldn't have said it better myself :>
