Aug 21 2014
It’s true, we don’t want little things like experience and a broad knowledge of the landscape of technology getting in the way of our policy makers, now do we? Or at least that seems to be the way US White House cybersecurity coordinator, Michael Daniel thinks. Why get lost in an understanding of the big picture when you can make decisions based on the information fed to you by consultants and advisers with their own agendas to push?
In a way, I understand what Mr. Daniel’s point is; it’s very important for someone in his position to be able to understand the in and out of policy, perhaps at least as important as understanding the technology. I wouldn’t want most of the people I see at Defcon or a BSides event making policy decisions; they don’t have the understanding of the long term consequences policy has on the wider world. But by the same thought process, someone who doesn’t understand the deeper aspects of underlying technologies he’s making decisions about can’t understand the long term consequences of his decisions either. How can someone make informed decisions if they don’t understand the difference between a hashing algorithm and an encryption technology?
The cybersecurity coordinator role is a management role and most of us have worked with senior managers and C-level execs responsible for security with little or no security experience. And we know how well that’s worked out. In rare cases, you find a manager who knows how to listen to people and, perhaps more importantly, knows how to tell the difference between a trustworthy adviser and someone pushing their agenda forward without regard to the outcome. Those people can be successful as non-technical managers of technical people. But more often you get non-technical managers who don’t understand the landscape they’re expected to be responsible for, who don’t understand the decisions they’re being asked to make and who are easily led astray by those around them. And having a non-technical manager with the understanding to communicate with the management team above them is nearly unheard of.
Willful ignorance is never a feature to be lauded or boasted about. Being proud of your ignorance is a red flag, one that should be a warning to everyone around the individual that they are not currently mature enough for their position. Better to say, “I’m ignorant, but I’m learning.” to say that you know your limitations but are willing to overcome them than to embrace your limitations and act like they’re really a strength. Yes, your other experience can help you overcome the areas you’re lacking in, but you have to acknowledge the weakness and work to make yourself better.
As the Vox article points out, we’d never have a Surgeon General who didn’t have decades of experience in medicine, we’d never allow an Attorney General who wasn’t a lawyer and had spent years in a courtroom. So why are we allowing a person who couldn’t even qualify for to take the CISSP test to advise the leaders of the United States on how to deal with information security issues? Think about that for a moment: the person who’s advising the White House doesn’t have the experience necessary to apply to for one of the starting rungs on the information security career ladder. Scary.
Update: You might also want to listen to the interview with Micheal Daniel and the subsequent defense of his statement about his own ignorance.