I firmly believe that there is no substitute for operational experience. I try to make it a daily practice to read blogs, articles, and other posts from around the information security community. This allows me to keep up with the latest news and developments, as well as to understand and learn from the views of others. I find it rather interesting that I can usually tell the difference between authors who have operational experience in the security field and those who do not. I often check my assessment via LinkedIn, Google, and other means, and I am usually correct. I’ve always wondered why there is such a clear delineation between the writings of those with operational experience and the writings of those without.
As the Albert Einstein quote reminds us, “In theory, theory and practice are the same. In practice, they are not.” This is a salient point. There is no shortage of ideas, theories, and suggestions for improving the state of security, but how many of them are rational, practical, and realistic? Operational experience causes people to see the world from a different perspective. It causes people to identify practical suggestions that can be implemented and operationalized in a realistic timeframe and without an unrealistic amount of resources. Further, operational experience causes people to place more weight on the ratio of the resulting impact to the effort required to produce that impact, rather than other potential decision-making metrics. In my experience, operational experience enables better decision making and produces a better result, whatever the undertaking. This is particularly true in the security community, where resources are quite limited and expectations are quite high.
So, perhaps it is important to think about key personnel and decision makers within your security organization, at your vendors, and at your consultancies. What is their level of operational experience and familiarity with the issues you face? Have they spent time in the trenches? Are they making decisions and offering advice based on a solid foundation of formal training and on-the-job experience? In my experience, these are important questions to consider when hiring, selecting vendors, and retaining consultants. There is really no substitute for operational experience.