The Carpenter, Not the Hammer, Builds the House
March 8, 2012. Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management, weapons and tactics.
Tags: Chris Mark, cybersecurity, InfoSec, mark consulting group, risk management, security
I was in a discussion yesterday with a friend of mine who happens to be the Editor in Chief of The Counter Terrorist Magazine. Chris and I served together long ago and I always enjoy talking to him, as he is one of the most insightful people I know. He mentioned what he felt was the overreliance on technology in CT operations and how it was causing people to lose sight of the fact that it is the people that matter and not the tools.
I find this particularly relevant in all areas of security but especially in information security. In a past life I operated as a Marine Scout/Sniper. When my civilian friends learn of this, it is not uncommon for me to hear the question: “What is the best rifle to use?” It is an interesting question and my answer is always the same. I ask: “What is the best tool in your toolbox?” Clearly, the definition of the “best tool” depends upon what tool is needed for the particular project AND the ability of the person to use the particular tool.

Whether we are talking about sniper rifles, laser designators, hammers, or firewalls, it is important to remember that technology is a ‘tool’ and nothing more. These tools may help with the job at hand, and some tools may be better for a particular job than others, but tools cannot work without a skilled person using them. Ultimately, the effectiveness of the tool relies upon the skill and training of the person using it.

Using another shooting example, I still go to the rifle range and shoot quite a bit. I always laugh a bit when I see someone at the range with a $5,000 rifle and clearly little skill at shooting. I call these ‘brandy guns’ because these people cannot afford to shoot them but they can pull them out while drinking brandy and show off their expensive rifle. When asked, my recommendation to people is to get a less expensive rifle and invest in ammunition, training, and range time. Again, the point is that it is human nature to want to rely upon technology, but without proper skill and training, the tool cannot be used to maximum effect.

Finally, without constant practice and training, skill will diminish. While I still go to the range and shoot, I am not as accurate as I used to be at long-range shooting. It is simply not possible for me to invest the time needed to be as good as I once was.
The point to be taken is that companies should invest in ‘people’ first and ‘technology’ second. Having a cutting-edge application-layer firewall without the proper people to manage the device will render it ineffective. Human skill and innovation will always rule the day over technology.