I’m on a break here in Orlando and made the mistake of checking my work email. A coworker from another team is pushing a prediction around data security that, depending on how you interpret it, is either:

  1. Already in multiple commercial products
  2. No harder to break than existing technologies

I won’t name names or even the specific proposal, but now we’re in a big internal debate since I’m fighting publication of a prediction that I think could embarrass us among security professionals. Unfortunately this person’s team is backing him/her and is really excited about this new security concept, without really understanding security.

We see this all the time in any complex field of study or practice. Someone from the outside, either left field or a related field, gets a really cool idea that they think is paradigm shifting. This person believes their outside view is “clearer” than that of those stuck in the tradition of their area of expertise.

On very rare occasion such genius exists. But it isn’t you.

When I was younger I made the same mistake myself; all of us egotistical analytical or academic types are prone to errors of youth or inexperience.

Some fields are more prone to what I’ll call “exploding lightbulbs” than others. Physicists, cryptographers, and doctors battle this on a sometimes daily basis.

The truth is we have experts for a reason. I’ve read that true expertise can take 10 years of experience in a field under most circumstances. It takes that long to learn the basic skills and history, and gain the necessary practical experience. You can be really good or smart in a field, but expertise takes a lot longer.

We see it all the time in security. Someone out of networking, development, or wherever reads a book or takes a course and considers themselves an expert. Really, they’re just starting down the path. In some cases they might be an expert in some small area, but it doesn’t translate to the entire field. I was a paramedic. I’m not a doctor, even if I might catch some doctor’s mistakes on occasion. But when I think I know more than the doctor, and I’m wrong, I become very dangerous. It’s the same in security and many other fields. I was good at security fairly early on, but it took many years to become an expert. And even then, my expertise is only really deep in a couple of areas and some general principles.

We have experts for a reason, and not every practitioner is an expert. Expertise takes time, study, experience, and hard work.

In security if you think:

  1. You’ve invented a new, unbreakable encryption algorithm
  2. You just created a new, unbreakable defense against 0day attacks
  3. You perfected any single tool, at any layer, that can stop any attack, of any kind
  4. You built something to eliminate the insider threat
  5. You can take a couple classes and defend a large enterprise
  6. You have designed unbreakable DRM

You’re wrong.

If it’s really important to you, go immerse yourself and become an expert. And I’m not talking about some 5 day CISSP class. Take the time, become an expert, or work with experts to convert your theoretical idea to reality.

Very rarely that bright bulb won’t explode. But most of the time we’re left with ugly shards of glass that just hurt everyone standing nearby.