Embracing Humility – Enlightened Information Security

Too often in IT, ego drives one to be rigid and stubborn. This results in a myopic and distorted perspective of technology that can limit one’s ability to gain an enlightened view of dynamic and highly volatile environments. This defect is especially true of information security professionals, who tend towards ego-driven dispositions that create obstacles to agility. Agility is one of the key foundational tenets of achieving an enlightened perspective on information security; humility enables one to become agile. Humility, which is far different from humiliation, is the wisdom to realize one’s own ignorance, insignificance, and limitations of intellect, without which one cannot see the truth.

The 19th-century philosopher Herbert Spencer captured this sentiment in an oft-cited quote: “There is a principle which is a bar against all information, which is proof against all arguments and which cannot fail to keep a man in everlasting ignorance – that principle is contempt prior to investigation.”

The security blogging community is one manifestation of the information security profession, and based upon it one could argue that security professionals lack humility and generally show contempt for an idea prior to investigation. I will relate my own experience to highlight this concept.

Humility and the Jericho Forum
I was one of the traditionalists who were vehemently opposed to the ideas, or at least my understanding of the ideas, put forth by the Jericho Forum. In essence all I heard was “de-perimeterization”, “Firewalls are dead and you do not need them”, and “Perfect security is achieved through the end-point” – I lacked the humility required to properly investigate their position and debated against their ideas blinded by ego and contempt. Reviewing the recent spate of blog postings related to the Jericho Forum, I take solace in knowing that I was not alone in my lack of humility. The reality is that there is a tremendous amount of wisdom in realizing that the traditional methods of network security need to be adjusted to account for a growing mobile workforce, coupled with a dramatic increase in contractors, service providers and non-payrolled actors, all of which demand access to organizational assets, be it individuals, information or infrastructure. In the case of the Jericho Forum’s ideas I lacked humility, and it limited my ability to truly understand their position, which in turn limits my ability to broaden my perspectives on information security.

The concepts about which I have established an opinion, or for which I have had contempt prior to investigation, are too numerous to list. Recognizing this does not make me more or less able to gauge market conditions, forecast evolving trends or identify strategic initiatives that will drive my organization to achieve higher levels of success – but it does allow me to be humble, and in my humility I move closer to achieving an enlightened sense of information security. Does your ego limit your ability to be agile, to be humble, to see beyond your own perceptions? Does it lead you to become needlessly fearful or overly confident in the face of increasing demands on IT professionals?

8 thoughts on “Embracing Humility – Enlightened Information Security”

  1. I don’t want to get into a whole philosophical debate here, but do a quick Google for anti-statist+marxism and review the material (which would by definition include Marx, Lenin, and Engels). As for Chomsky – have you read his stuff? Completely anti-statist.

  2. We probably have different definitions of what a statist is. Maybe we will have a chance to discuss that some time. I would argue that Chomsky’s syndicalism is a form of statism, i.e. anti-individualist more or less and against the natural order of humanity.

  3. Hi, Amrit!

    I believe you mix up “ego” with “vision”. “Ego” is a self-natural attribute of every single person in the world. But “vision” is something that comes from your experience; many people don’t have it. And, as your experience can’t be universal, your vision is always limited. In this concrete case, your limited vision just strikes against that of Jetico’s people, nothing more.

    Also, it is really important to understand that the human mind and vision slow down with age and, thus, many security “experts” who really were experts 10 years ago are right now out of date in their vision, as this world changes quicker from day to day, much quicker than their vision.

    From my point of view, defense needs to be layered; it means that network-level security (it is not dead, but mighty compromised) needs to be supplemented with host-based ones.
