Think carefully and you may recall hearing allusions to The Two Cultures – a lecture given by British scientist and writer C.P. Snow in 1959, and later published as The Two Cultures and the Scientific Revolution.
It’s really worth a full read, but to help get you more quickly to my point for this blog, I’ve outlined some of Snow’s key points:
- I believe the whole of western society is increasingly being split into two polar groups
- Literary intellectuals at one pole
- At the other scientists
- Between the two a gulf of mutual incomprehension
- Sometimes (particularly among the young) hostility and dislike
- But most of all lack of understanding
- Their attitudes are so different that, even on the level of emotion, they can’t find much common ground
- Those in the two cultures can’t talk to each other
- This polarization is sheer loss to us all
- To us as people, and to our society
- The degree of incomprehension on both sides is the kind of joke which has gone sour
- [of scientists] Remember, these are very intelligent men
- Their culture is in many ways an exacting and admirable one
- Verbal exchange, insistent argument
- [of intellectuals] Most non-scientists have no conception of [science] at all
- Even if they want to have it, they can’t
- This tone-deafness doesn’t come by nature, but by training, or rather the absence of training
- They dismiss [scientists] as ignorant specialists
- Yet their own ignorance and their own specialization is just as startling
Here’s the point: substitute “security practitioners” for “scientists”, and “business leaders” for “intellectuals”, and Snow’s comments are shockingly spot-on more than 50 years later.
I’ve written about this cultural divide many times – see Watch Your Language: How Security Professionals Miscommunicate About Risk (10 March 2014) and The Information Security Servant-Leader (5 October 2012), among several others. But this week I was part of an email exchange that illustrates just how deep the divide can be.
The exact context doesn’t really matter, and I’m keeping the identities private – the point is, just look at how the sentiments being expressed below echo the “scientist / security practitioner” side of the two cultures phenomenon:
- It is nothing but a myth that someone can take an IT Security management job without experiencing “how IT works” and the key tools of the trade. When it comes to IT security, indeed the devil is in the packets and bytes.
- For a CISO job, lately it needs a ground-up technical understanding! It is no longer an armchair management job as there are too many Snowdens out there and the numbers of Snowdens are growing.
- Get all the business people you like together and see how well they can implement the defenses and controls outlined by the policies. At the end of the day, the paper a policy is written on is only a piece of paper. You still need someone who understands security and is capable at a technical level to implement the technical aspects that actually DO protect the business.
- [Organization X] was extremely unhappy because they still weren’t getting people who could actually implement something or actually perform the necessary security functions.
- Risk management policy does not have IT Security teeth until it is implemented with appropriate technical countermeasures.
- Management has long needed a better understanding of the technical nature of IT.
In sharp contrast, just last week I witnessed several dozen heads nodding in earnest agreement when a well-known CIO gave them this advice in a keynote: “Don’t let the technical geeks run the conversation.”
My own take on the matter is pretty simple.
First, it’s essential and urgent that we do bridge this divide between the generally more technical security practitioners and the generally less technical business leaders. If we can’t figure out how to do this, the bad guys will continue to win … our governments will continue to “help” by expanding regulatory compliance … and all of us as consumers and users and society as a whole will continue to pay the price.
Second, the “scientist / security practitioner” side needs to stop complaining about not being understood or appreciated, and learn to communicate in a language that the business leaders can more easily understand and act upon. In no way does this diminish the importance of technical competence – on the contrary, it’s an “and” not an “or”. But simply waiting for the other side to change is not the answer. We need to make a move in the right direction.
Personally I really try – to the best of my abilities – to contribute to building this bridge, both in my work as researcher and analyst at Aberdeen Group, and in my role teaching graduate courses at Brandeis University.
Some days I just realize how painfully long it is taking us to get there.