In order to be considered an expert in any field, you have to spend a lot of time learning things. In fact, I’d argue that one of the distinguishing traits of someone who is – or could become – an expert is their willingness and enthusiasm to learn, and keep learning. The ability to communicate that knowledge is another of those traits: you can’t really be an expert if you have no way to communicate that knowledge. Though that doesn’t mean that you need to be a great speaker, or even a great writer: by “communicate” I’m thinking of something much broader. In the field of security and IT, that communication may be by architecture diagram, by code writing, by firewall rule instantiation, or by GUI, database or kernel module design, to name just a few examples. These are all ways by which expertise can be communicated, instantiated or realised: the key is that the knowledge that has been gained is not contained, but can be externalised.
There’s another trait that, for me, betrays a true expert, and that’s the ability to say “I don’t know”. And it’s difficult. We enjoy and cultivate our expert status and other’s recognition of it: it’s part of our career progression, and it hits the “esteem” block in Maslow’s Hierarchy of Needs[1]. We like people asking our opinion, and we like being able to enlighten them: we take pride in our expertise, and why wouldn’t we? We’ve earned it, after all, with all that hard graft and studying. What’s more, we’ve all seen what happens when people get asked a question to which they don’t know the answer to something – they can become flustered, embarrassed, and they can be labelled stupid.* Why would we want that for ourselves?
The problem, and very particularly in the security field, is that you’ll always get found out if you fake it. In my experience, you’ll go into a customer meeting, for instance, and there’s either the sandal-wearing grey-beard, the recently-graduated genius or just the subject matter expert who’s been there for fifteen years and knows this specific topic better than … well, possibly anybody else on the planet, but certainly better than you. They may not be there in the first meeting, but you can bet your bottom dollar*** that they’ll be in the second meeting, or the third – and you’ll get busted. And when that happens, everything else you’ve said is called into question. That may not seem fair, but that’s the way it goes. Your credibility is dented, possibly irreparably.
The alternative to faking it is to accept that awkward question and simply to say, “I don’t know”. You may want to give the question a moment’s thought – there have been times when I’ve plunged into an response and then stopped myself to admit that I just can’t give a full or knowledgeable answer, and when I could have saved myself bother by just pausing and considering it for a few seconds. And you may want to follow up that initial acknowledgement of ignorance by saying that you know somebody else who does (if that happens to be true), or “I can find out” (if you think you can) or even “do you have any experts who might be able to help with that?”
This may not impress people who think you should know, but they’re generally either asking because they don’t (in which case they need a real answer) or because they’re trying to trip you up (in which case you don’t want to oblige them). But it will impress those who are experts, because they know that nobody knows everything, and it’s much better to have that level of self-awareness than to dig yourself an enormous hole from which it’s difficult to recover. But they’ll also understand, from your follow-up, that you want to find out: you want to learn. And that is how one expert recognises another.
* it’s always annoyed me when people mock Donald Rumsfeld for pointing out that there are “unknown unknowns”: it’s probably one of the wisest soundbites in recent history**, for my money.
Alice, Eve and Bob - a security blog 
One of the great things about working in a (mostly) meritocratic industry like tech (and by extension security) is the known and recognized inability for anyone to know everything, or at the very least to understand all things in the correct context at all times. Unlike in my previous career in law (why did my eye just start twitching?), where the foundations of the subject matter are based on well-established precepts (such as common law or codifications related to understood themes such as “reasonableness” that go back hundreds of years), there are seemingly no hard and fast “right and wrongs” in our industry – at least up until something is standardized or chosen as a best practice (outcomes based more on business interests and value-generation, and less “being dictated from on high”)
If we can agree that there are no objective rights and wrongs, and no one can possibly know everything, it behooves all in our industry to get really, really good at asking really good questions. I’d push it one step further, Mike – experts are those that say “I don’t know,” and are able to articulate exactly where in their logic/understanding they are lacking.
I love our industry because we are not discouraged from looking silly, or pretending to know all things at all times; asking good questions is the only way we grow, and I think we for the most part encourage that sort of personal and professional discovery.
LikeLike