Intentional laziness

Identifying a time and then protecting that time is vital.

Over the past year[1], since Covid-19 struck us, one of the things that has been a notable is … well, the lack of notable things. Specifically, we’ve been deprived of many of the occasions that we’d use to mark our year, or to break the day-to-day grind: family holidays, the ability to visit a favourite restaurant, festivals, concerts, sporting events, even popping round to enjoy drinks or a barbecue at a friend’s house. The things we’d look forward to as a way of breaking the monotony of working life – or even of just providing something a bit different to a job we actively enjoy – have been difficult to come by.

This has led to rather odd way of being. It’s easy either to get really, really stuck into work tasks (whether that’s employed work, school work, voluntary work or unpaid work such as childcare or household management), or to find yourself just doing nothing substantive for long stretches of time. You know: just scrolling down your favourite social media feed, playing random games on your phone – all the while feeling guilty that you’re not doing what you should be doing. I’ve certainly found myself doing the latter from time to time when I feel I should be working, and have overcompensated by forcing myself to work longer hours, or to check emails at 10pm when I should get thinking about heading to bed, for instance. So, like many of us, I think, I get stuck into one of two modes:

  1. messing around on mindless tasks, or
  2. working longer and harder than I should be.

The worse thing about the first of these is that I’m not really relaxing when I’m doing them, partly because much of my mind is on things which I feel I ought to be doing.

There are ways to try to fix this, one of which is to be careful about the hours you work or the tasks you perform, if you’re more task-oriented in the role you do, and then to set yourself non-work tasks to fill up the rest of the time. Mowing the lawn, doing the ironing, planting bulbs, doing the shopping, putting the washing out – the tasks that need to get done, but which you might to prefer to put off, or which you just can’t quite find time to do because you’re stuck in the messing/working cycle. This focus on tasks that actually need to be done, but which aren’t work (and divert you from the senseless non-tasks) has a lot to be said for it, and (particularly if you live with other people). It’s likely to provide social benefits as well (you’ll improve the quality of the environment you live in, or you’ll just get shouted at less), but it misses something: it’s not “down-time”.

By down-time, I mean time set aside specifically not to do things. It’s a concept associated with the word “Sabbath”, an Anglicisation of the Hebrew word “shabbat”, which can be translated as “rest” or “cessation”. I particularly like the second translation (though given my lack of understanding of Hebrew, I’m just going to have to accept the Internet’s word for the translation!), as the idea of ceasing what you’re doing, and making a conscious decision to do so, is something I think that it’s easy to miss. That’s true even in normal times, but with fewer markers in our lives for when to slow down and take time for ourselves – a feature of many of our lives in the world of Covid-19 – it’s all too simple just to forget, or to kid ourselves that those endless hours of brainless tapping or scrolling are actually some sort of rest for our minds and souls.

Whether you choose a whole day to rest/cease every week, set aside an hour after the kids have gone to bed, get up an hour early, give yourself half an hour over lunch to walk or cycle or do something else, it doesn’t matter. What I know I need to do (and I think it’s true of others, too), is to practice intentional laziness. This isn’t the same as doing things which you may find relaxing to some degree (I enjoy ironing, I know people who like cleaning the kitchen), but which need to be done: it’s about giving yourself permission not to do something. This can be really, really hard, particularly if you care for other people, have a long commute or a high pressure job, but it’s also really important for our longer-term well-being.

You also need to plan to be lazy. This seems counter-intuitive, at least to me, but if you haven’t set aside time and given yourself permission to relax and cease your other activities, you’ll feel guilty, and then you won’t be relaxing properly. Identifying a time to read a book, watch some low-quality boxsets, ring up a friend for a gossip on the phone or just have a “sneaky nap”, and then protecting that time is worthwhile. No – it’s more than worthwhile: it’s vital.

I’m aware, as I write this, that I’m in the very privileged position of being able to do this fairly easily[2], when for some people, it’s very difficult. Sometimes, we may need to defer these times and to plan a weekend away from the kids, a night out or an evening in front of the television for a week, or even a month or more from now. Planning it gives us something to hold on to, though: a break from the “everyday-ness” which can grind us down. But if we don’t have something to look forward to, a time that we protect, for ourselves, to be intentionally lazy, then our long-term physical, emotional and mental health will suffer.


1 – or two years, or maybe a decade. No-one seems to know.

2 – this doesn’t mean that I do, however.

Leaving space, making balance

No substantive article this week.

I had an interesting idea for an article this week (I even took a picture to illustrate it) – but it’s going to have to wait for another time. I’ve got a busy week, and a couple of (non-urgent) medical appointments which have just got in the way a bit. This is one of those times when I’ve decided to set things aside, and not add to my pile of things to do by writing a proper article.

I should be back soon: in the meantime, follow my example and consider dropping a non-critical task and give yourself some breathing space.

Acting (and coding) your age

With seniority comes perks, but it also comes with responsibilities.

I dropped a post on LinkedIn a few days ago:

I’m now 50 years old and writing the most complex code in my career (for Enarx) in a language (Rust) that I only started learning 9 months ago and I’ve just finished the first draft of a book (for Wiley). Not sure what’s going on (and I wouldn’t have believed you if you’d told me this 25 years ago). #codingtips #writing #security #confidentialcomputing #rustlang

I’ve never received such attention. Lots of comments, lots of “likes” and other reactions, lots of people wanting to connect. It was supposed to be a throw-away comment, and I certainly had no intention either to boast or elicit sympathy: I am genuinely surprised by all of the facts mentioned – including my age, given that I feel that I’m somewhere between 23 and 31 (both primes, of course).

I remember in my mid- to late-twenties thinking “this business stuff is pretty simple: why don’t the oldies move aside and let talented youngsters[1] take over, or at least provide them some inspired advice?” Even at the time I realised that this was a little naive, and that there is something to be said for breadth of experience and decades of acquired knowledge, but I’m pretty certain that this set of questions has been asked by pretty much every generation since Ogg looked at the failings in his elders’ flint spear-head knapping technique and later got into a huff when his mum wouldn’t let him lead the mammoth hunt that afternoon.

Why expertise matters

Sadly (for young people), there really are benefits associated with praxis (actually doing things), even if you’ve absorbed all of the theory (and you haven’t, which is one of the things you learn with age). Of course, there’s also the Dunning-Kruger effect, which is a cognitive bias (Trust you? I can’t trust myself.) which leads the inexperienced to overestimate their own ability and experts to underestimate theirs.

Given this, there are some interesting and bizarre myths around about software/coding being a “young man’s game”. Leaving aside the glaring gender bias in that statement[2], this is rather odd. I know some extremely talented over-40 and over-50 software engineers, and I’m sure that you can think of quite a few if you try. There are probably a few factors at play here:

  • the lionisation of the “start-ups in the garage” young (mainly white) coders turning their company into “unicorn” trope;
  • the (over-)association of programming with mathematical ability, where a certain set of mathematicians are considered to have done their best work in their twenties;
  • the relative scarcity of roles (particularly in organisations which aren’t tech-specific) of “individual contributor” career tracks with roles where it’s possible to rise in seniority (and pay) without managing other people;
  • a possible tendency (which I’m positing without much evidence) for a sizeable proportion of senior software folks to take a broader view of the discipline and to move into architectural roles which are required by the industry but are difficult to perform without a good grounding in engineering basics.

In my case, I moved away from writing software maybe 15 years ago, and honestly never thought I’d do any serious coding again, only to discover a gap in the project I’m working on (Enarx) which nobody else had the time to fill, but which I felt merited some attention. That, and a continuous desire to learn new things, which had led me to starting to learn Rust, brought me to some serious programming, which I’ve really enjoyed.

We need old coders: people who have been around the block a few times, have made the mistakes and learned from them. People who can look at competing technologies and make reasoned decisions about which is the best fit for a project, rather than just choosing the newest and “coolest”[3].

Why old people should step aside

Having got all of the above out of my system, I’m now going to put forward an extremely important counter-argument. First, some context. I volunteer for the East of England Ambulance Service Trust as a Community First Responder, a role where I attend patients in (possible) emergency situations and work with ambulance staff, paramedics, etc.. I’ve become very interested in some of the theory around patient safety, which it turns out is currently being strongly influenced by lessons learned over the past few decades from transport safety, particularly aviation safety[5].

I need to do more study around this topic, as there are some really interesting lessons that can be applied to our sector (in fact, some are already be learned from our sector, particularly in how DevOps/WebOps respond to incidents), but there are two points that have really hit home for me this week, and which are relevant to the point at hand. They are specifically discussed with relation to high-intensity, stressful situations, but I think there’s broader applicability.

1. With experience comes expectation

While experience is enormously useful – bringing insights and knowledge that others may not have, or will find difficult to synthesise – it can also lead you down paths which are incorrect. If you’ve seen the same thing 99 times, you’re likely to assume that the 100th will be the same: bringing in other voices, including less experienced ones, allows other views to be considered, giving a better chance that the correct conclusion will be met. You increase diversity of opinion and allow alternatives to be brought into the mix. The less experience team members may be wrong, but from time to time, you’ll be wrong, and everyone will benefit from this. By allowing other people a voice, you’re also setting an example that speaking up and offering alternative views is not only acceptable, but valued. You and the team get to learn from each other, whether it’s when you’re wrong, or when you’re right, but you get to discuss with others how you came to your conclusions, and welcome their probing and questions around how you got there.

2. Sometimes you need to step aside to apply yourself elsewhere

Perhaps equally important is that sometimes, tempting as it may be to get your hands dirty and apply your expertise to a particular problem (particularly one which is possibly trivial to you), there are times when it’s best to step aside and let someone less experienced than you do it. Not only because they need the experience themselves, but also because your skills may be better applied at a systems level or dealing with other problems in other contexts (such as funding or resource management). The example sometimes given in healthcare is when a senior clinician arrives on scene at an incident: rather than their taking over the treatment of patients (however skilled the senior clinician may be), their role is to see the larger situation, to prioritise patients for treatment, assess risks to staff on scene, manage transport and the rest. Sometimes they may need to knuckle down and apply their clinical skills directly (much as senior techies may end up coding to meet a demo deadline, for instance), but most of the time, they are best deployed in stepping aside.

Conclusion

With seniority comes perks: getting to do the interesting stuff, taking decisions, having junior folks make the tea and bring the doughnuts in[6]. But it also comes with responsibilities: helping other people learn, seeing the bigger picture, giving less experienced team members the chance to make mistakes, removing barriers imposed by organisational hierarchy and getting the first round in at the pub[7]. Look back at what you were thinking about the beginning of your career, and give your successors (because they will be your successors) the chances that you were so keen for back then. Show them respect, and you (and your organisation) will benefit.


1 – I think that the “like me” is pretty implicit here, yes?

2 – which, sadly, reflects another bias in the market.

3 – there’s an important point here: many of us older folks love new shiny things just as much as the youngsters, and are aware of the problems of the old approaches and languages – but we’re also aware that there are risks and pain points associated with the new, which need to be taken into account[4].

4 – that really made me sound old, didn’t it?

5 – in large part influenced by the work of Martin Bromiley, a civil aviation pilot whose wife Elaine died in a “routine” operation in 2005 and who has worked (and is working) to help the health care sector transition to a no-blame, “just” culture around patient safety.

6 – this is a joke: if you have ever, ever find yourself in an office or team where this is the norm, and hierarchy shows in this sort of way, either get out or change that culture just as soon as you can. It’s toxic.

7 – I’m writing this in the middle of the UK’s second Covid-19 lockdown, and can barely remember what a “pub” or a “round” even is.

The importance of process (and people and rules)

If there is no process, you can throw technology at it as much as you want, but you are still likely to fail.

Those of us in Europe awoke to the news that the US electoral college have voted for Joe Biden as 46th President of the United States of America. Getting to this point has seemed (at least from the outside) to be a rather tortuous route, but from my understanding of how the US Constitution works[1], this is it: the process is complete and Joe Biden will be sworn in a President of the United States on a (probably very chilly) day next month, at the beginning of 2021. I have no intention of weighing the pros and cons of the candidates, nor even of examining the process (sometime labelled “arcane” by journalists”) by which US presidents are elected, but I do want to spend some time on the fact that there is a process, and thinking about how that works, and what supports it.

This is, first and foremost, a blog about IT security (though I have been known to post on a much wider range of issues from time to time), and so I unsurprisingly spend quite a lot of time discussing technology, but on this occasion I want to avoid doing that, as far as possible. If we look at the process for electing a US president, one of the most striking things about it, we might note, is the lack of technology. Yes, there are electronic voting machines to allow votes to be cast, yes, a myriad computers are deployed by psephologists[2] to forecast the results, but the actual process is lacking in much that we would normally think of as technology.

We often fixate on technology, but if there is no process in place to get from point A to point B, then you can throw technology at it as much as you want, but you are still likely to fail. Those points may be getting from having no president-elect to having a new president, completing a transaction to buy a house or a paperclip, hiring a new CEO or sous-chef, moving from a set of requirements to a working software program, or literally getting from a point A on a map to point B – they all require a process.

What is a process? Google, courtesy of Oxford Languages, offers the definition: a series of actions or steps taken in order to achieve a particular end. This seems like a useful description, but in the contexts we’re describing, it is the fact that the actions or steps are defined which is important. In the world of computing, we might say that there is an algorithm to be followed to complete the process. This algorithm allows a variety of things, all of which are important:

  1. the writing down and codification of the process;
  2. the allocation of different people to different roles in the process;
  3. norms, rules, regulation and/or legislation to be created to ensure the correct following of the process;
  4. the application of technology to simplify, speed up or automate parts of the process.

I don’t want to talk about point 4 particularly – I spend far too much of my time on that in most of my life – and the ways of achieving point 1 are so diverse as to defy consideration in this context, so let’s briefly discuss points 2 and 3.

Allocating people

If you have a process, you can break that process into steps, you can assign roles and responsibilities to those steps. This is useful in a variety of ways, the first of which is that you can start to scale the process by having different people working on different steps – sometimes in parallel. Imagine having one person having to count all of the votes in the US presidential election, or even having multiple people doing it, but having to do so in series: it might work, but it’s going to take way too long. Another benefit is one on which the Industrial Revolution was built: specialisation. Some people will be good at some parts of the process, and others at other parts of the process. You can increase efficiency by putting those with expertise on the right pieces of the process. A third, unrelated to efficiency, is separation of responsibilities. Sometimes, it’s important that certain people, who are experts or certified to perform a particular role, are the ones who do that. Often, it’s even more important that certain people don’t perform those roles. An example of this would be if one of the candidates in an election was the one to perform the final tally of votes and hand the result to the person making the announcement, or if they made the announcement themselves. This is equally true for other types of process: your bank does not want you to be the person who provides the final approval for your loan, and a company does not want a spouse, partner or family member to be providing sign-off for a hiring decision.

Norms, rules, regulation and legislation

In the UK, we have strong social norms around the process of queuing, and you will be subject to social (and sometimes stronger!) censure if you break them. Rules around other processes may be stronger, and sometimes regulation by an industry body or even legislation at the nation level (or multi-national level such as EU or UN) is required to safeguard the appropriate execution of a process. The ability for courts to intervene where vote-rigging may have taken place is a good example in the US election process, but legislation and regulation around anything from wiring a house to what fertilisers are allowed on particular crops provide additional levels of checking and assurance that processes are following correctly (by including censure or punishment for those who have contravened them) or can be remedied when not (through other processes such as legal review or court cases).

Legislation and regulation can be annoying, but without them (or equivalent rules and norms for other types of process), we cannot be sure of what we are getting into, or whether, if we get into it improperly, that we will ever get out of it. People support and are subject to these checks and balances, and without the combination of all of them (not forgetting the technology as well), processes are next to useless.


1 – I am not a lawyer. Nor a constitutional expert. Nor even a US citizen. Basically, do not take my word for any of this.

2 – I love this word. We should use it more often.

Taking some time

I’m going to practice what I preach, and not write.

I’m going to practice what I preach, this week, and not write a full article. I’ve had a stressful and busy few weeks, including needing to spend some extra time with the family (nothing scary or earth-shattering – we just needed some family time), and I think the best thing for me to do today is not spend time writing an article. Let me point you instead at some I’ve written in the past.

On self-care:

On security:

On trust:

Keep safe, and look after yourself, dear reader!

Silencing my voice

Just links. I didn’t write these: others did.

Just links. I didn’t write these: others did.

(Image by Pexels from Pixabay).

7 tips for managers of new home workers

You will make mistakes. You are subject to the same stresses and strains.

Many organisations and companies are coming to terms with the changes forced on them by Covid-19 (“the coronavirus”), and working out what it means to them, their employees and their work patterns. For many people who were previously in offices, it means working from home.  I wrote an article a few weeks ago called 9 tips for new home workers, and then realised that it wouldn’t just be new home workers who might be struggling, but also their managers.  If you’re reading this, then you’re probably a manager, working with people who don’t normally work from home – which may include you – so here are some tips for you, too.

1 – Communicate

Does that meeting need to be at 9am?  Do you need to have the meeting today – could it be tomorrow?  As managers, we’re used to being (or at pretending to be) the most important person in our team’s lives during the working day.  For many, that will have changed, and we become a distant second, third or fourth. Family and friends may need help and support, kids may need setting up with schoolwork, or a million other issues may come up which mean that expecting attention at the times that we expect it is just not plausible.  Investigate the best medium (or media) for communicating with each separate member of your team, whether that’s synchronous or asynchronous IM, email, phone, or a daily open video conference call, where anybody can turn up and just be present.  Be aware of your team’s needs – which you just can’t do without communicating with them – and also be aware that those needs may change over the coming weeks.

2 – Flex deadlines

Whether we like it or not, there are things more important than work deadlines at the moment, and although you may find that some people produce work as normal, others will be managing at best only “bursty” periods of work, at abnormal times (for some, the weekend may work best, for others the evenings after the kids have gone to bed).  Be flexible about deadlines, and ask your team what they think they can manage.  This may go up and down over time, and may even increase as people get used to new styles of working.  But adhering to hard deadlines isn’t going to help anybody in the long run – and we need to be ready for the long run.

3 – Gossip

This may seem like an odd one, but gossip is good for human relationships.  When you start a call, set aside some time to chat about what’s going on where the other participants are, in their homes and beyond.  This will help your team feel that you care, but also allow you to become aware of some issues before they arise. A word of caution, however: there may be times when it becomes clear in your discussions that a team-member is struggling.  In this case, you have two options. If the issue seems to be urgent, you may well choose to abandon the call (be sensitive about how you do this if it’s a multi-person call) and to spend time working with the person who is struggling, or signposting them directly to some other help.  If the issue doesn’t seem to be urgent, but threatens to take over the call, then ask the person whether they would be happy to follow up later. In the latter case, you must absolutely do that: once you have recognised an issue, you have a responsibility to help, whether that help comes directly from you or with support from somebody else.  

4 -Accommodate

Frankly, this builds on our other points: you need to be able to accommodate your team’s needs, and to recognise that they may change over time, but will also almost certainly be different from yours.  Whether it’s the setting for meetings, pets and children[1], poor bandwidth, strange work patterns, sudden unavailability or other changes, accommodating your team’s needs will make them more likely to commit to the work they are expected to do, not to mention make them feel valued, and consider you as more of a support than a hindrance to their (often drastically altered) new working lives.

5 – Forgive

Sometimes, your team may do things which feel that they’ve crossed the line – the line in “normal” times.  They may fail to deliver to a previously agreed deadline, turn up for an important meeting appearing dishevelled, or speak out of turn, maybe.  This probably isn’t their normal behaviour (if it is, then you have different challenges), and it’s almost certainly caused by their abnormal circumstances.  You may find that you are more stressed, and more likely to react negatively to failings (or perceived failings). Take a step back. Breathe. Finish the call early, if you have to, but try to understand why the behaviour that upset you did upset you, and then forgive it.  That doesn’t mean that there won’t need to be some quiet discussion later on to address it, but if you go into interactions with the expectation of openness, kindness and forgiveness, then that is likely to be reciprocated: and we all need that. 

6 – Forgive yourself

You will make mistakes.  You are subject to the same stresses and strains as your team, with the added burden of supporting them.  You need to find space for yourself, and to forgive yourself when you do make a mistake. That doesn’t mean abrogating responsibility for things you have done wrong, and neither is it an excuse not to apologise for inappropriate behaviour, but constantly berating yourself will add to your stresses and strains, and is likely to exacerbate the problem, rather than relieve it.  You have a responsibility to look after yourself so that you can look after your team: not beating yourself up about every little thing needs to be part of that.

7 – Prepare

Nobody knows how long we’ll be doing this, but what are you going to do when things start going back to normal?  One thing that will come up is the ability of at least some of your team to continue working from home or remotely.  If they have managed to do so given all the complications and stresses of lockdown, kids and family members under their feet, they will start asking “well, how about doing this the rest of the time?” – and you should be asking exactly the same question.  Some people will want to return to the office, and some will need to – at least for some of the time. But increased flexibility will become a hallmark of the organisations that don’t just survive this crisis, but actually thrive after it. You, as a leader, need to consider what comes next, and how your team can benefit from the lessons that you – collectively – have learned. 

1 – or partners/spouses: I caused something of a stir on a video conference that my wife was on today when I came into her office to light her wood-burning stove!

Your job is unimportant (keep doing it anyway)

Keep going, but do so with a sense of perspective.

I work in IT – like many of the readers of this blog. Also like many of the readers of this blog, I’m now working from home (which is actually normal for me), but with all travel pretty much banned for the foreseeable future (which isn’t). My children’s school is still open (unlike many other governments, the UK has yet to order them closed), but when the time does come for them to be at home, my kids are old enough that they will be able to look after themselves without constant input from me. I work for Red Hat, a global company with resources to support its staff and keep its business running during the time of Covid-19 crisis. In many ways, I’m very lucky.

My wife left the house at 0630 this morning to go into London. She works for a medium-sized charity which provides a variety of types of care for adults and children. Some of the adults for whom they provide services, in particular, are extremely vulnerable – both in terms of their day-to-day lives, but also to the possible effects of serious illness. She is planning the charity’s responses, coordinating with worried staff and working out how they’re going to weather the storm. Charities and organisations like this across the world are working to manage their staff and service users and try to continue provision at levels that will keep their service users safe and alive in a context where it’s likely that the availability of back-up help from other quarters – agency staff, other charities, public or private health services or government departments – will be severely limited in scope, or totally lacking.

In comparison to what my wife is doing, the impact of my job on society seems minimal, and my daily work irrelevant. Many of my readers may be in a similar situation, whether it is spouses, family members or other people in the community who are doing the obviously important – often life-preserving – work, and with us sitting at home, appearing on video conferences, writing documents, cutting code, doing things which don’t seem to have much impact.

I think it’s important, sometimes, to look at what we do with a different eye, and this is one of those times. However, I’m going to continue working, and here are some of the reasons:

  • I expect to continue to bring in a salary, which is going to be difficult for many people in the coming months. I hope to be able to spend some of that salary in local businesses, keeping them afloat or easing their transition back into normality in the future;
  • it’s my turn to keep the household running: my wife has often had to keep things going while I’ve been abroad, and I’m grateful for the opportunity to look after the children, shop for groceries and do more cooking;
  • while I’m not sick, there are going to be ways in which I can help our local community, with food deliveries, checks on elderly neighbours and the like.

Finally, the work that I – and the readers of this blog – do, is, while obviously less important and critical than that of my wife and others on the front line of this crisis, still relevant. My wife spent several hours at work creating an online survey to help work out which of her charity’s staff and volunteers could be deployed to what services. Without the staff who run that service, she would be without that capability. Online banking will continue to be important. Critical national infrastructure like power and water need to be kept going; logistics services for food delivery are vital; messaging and conferencing services will provide important means for communication; gaming, broadcast and online entertainment services will keep those who are in isolation occupied; and, at the very least, we need to keep businesses going so that when things recover, we can get the economy going again. That, and there are going to be lots of charities, businesses and schools who need the services that we provide right now.

So, my message today is: keep going, but do so with a sense of perspective. And be ready to use your skills to help out. Keep safe.

“Unlawful, void, and of no effect”

The news from the UK is amazing today: the Supreme Court has ruled that the Prime Minister has failed to “prorogue” Parliament – the in other words, that the members of the House of Commons and the House of Lords are still in session. The words in the title come from the judgment that they have just handed down.

I’m travelling this week, and wasn’t expecting to write a post today, but this triggered a thought in me: what provisions are in place in your organisation to cope with abuses of power and possible illegal actions by managers and executives?

Having a whistle-blowing policy and an independent appeals process is vital. This is true for all employees, but having specific rules in place for employees who are involved in such areas as compliance and implementations involving regulatory requirements is vital. Robust procedures protect not only an employee who finds themself in a difficult position, but, in the long view, the organisation itself. They a can also act as a deterrent to managers and executives considering actions which might, in the absence of such procedures, likely go unreported.

Such procedures are not enough on their own – they fall into the category of “necessary, but not sufficient” – and a culture of ethical probity also needs to be encouraged. But without such a set of procedures, your organisation is at real risk.

How to be a no-shame generalist

There is no shame in being a generalist, and knowing when you need to consult a specialist.

There comes a time in any person’s life[1] when they realise that they’re not going to be able to do all the things they might like to do to a high level of expertise.  I used to kid myself that I could do anything if I tried hard enough and practised enough, but then I tried juggling.  It turns out that I’m never going to be able to juggle.  Not just juggle expertly.  I mean juggle at all.  My trying to juggle – with only one ball, let alone more than one – is so amusing that my family realised years ago that it was a great party trick.  “Daddy,” they’ll say, “show everyone your juggling.  It’s really funny.”  “But I can’t juggle,” I retort.  “Yes,” they respond, “that’s what’s funny[2].”

I’m also never going to be able to draw or do any art with any competence.

Or play any racquet sport with any level of skill.

Or do any gardening, painting or DIY-based household jobs with any degree of expertise[3].

Some people will retort that any old fool can be taught to do x activity (usually, it’s juggling, actually), but not only do I not believe this, but also, to be honest, there just isn’t enough time in the day to learn all the things I’d kind of like to try.

What has all this to do with security?

Specialism and education

Well, I’ve posted before that I’m a systems person, and the core of thinking about systems is that you need to look at the big picture.  In order to do that, you need to be a generalist.  There’s a phrase[5] in English: “Jack of all trades, master of none”, which is often used to condemn those who know a little about many things and are seen to dabble in them without a full understanding of any of them.  Interestingly, this version may be an abbreviation of the original, more positive:

Jack of all trades, master of none,
though oftentimes better than master of one.

The core inference, though, is that generalists aren’t as useful as specialists.  I don’t believe this.

In many educational systems, there’s a tendency to push students towards narrower and narrower fields of study.  For some, this is just what is needed, but for others – “systems people”, “synthesists” and “generalists” – this isn’t the best way to harness their talents, at least in the long term.  We need people who can see the big picture, who can take a wider view, and look beyond a single blocking issue to realise that the answer to a problem may not be a better implementation of an authentication library, but a change in the authorisation mechanism being used at the component level, for instance.

There are dangers to following this approach too far, however:

  1. it can lead to disparagement of specialists and their skills, even to a distrust of experts;
  2. it can lead to arrogance on the part of generalists.

We see the first in desperately concerning trends such as politicians thinking they know more than economists or climate scientists, anti-vaxxers ignoring the benefits of vaccination, and idiocy around chem-trails, flat-earth beliefs and moon landing conspiracies.  It happens in the world of work, as well, I’m sad to say.  There is a particular type of MBA recipient, for instance, who believes that the completion of the course and award of the degree confers on them some sort of superhuman ability to know what is is best for all organisations in all circumstances[6].

Specialise first

To come back to the world of security, my recommendation is that even if you know that your skills and interests are leading you to a career as a generalist, then you need to become a specialist first, in at least area.  You may not become an expert in that field, but you need to know it well.  Better still, strive for at least a level of competence in several fields – an ability to converse knowledgeably with true experts and to understand at least why they are making the choices and recommendations that they are.

And that leads us to the key point here: if you become a generalist, you need to acknowledge lack of expertise: it must become your modus operandi, your métier, your way of working.  You need to recognise that your strength is not in your knowing many things, but in knowing what you don’t know, and when it is time to call in the specialists.

I’m not a cryptographer, but I know enough about cryptography to realise when it’s time to call in an expert.  I’m not an expert on legal issues around cryptography, either, but know when to call on a lawyer.  Nor am I an expert on block storage, blockchain consensus, quantum key exchange protocols, CPU scheduling or compression algorithms.  The same will go for many areas which I may be called on to touch as part of my job.  I hope to have enough training and expertise within related fields – or the ability to gain it – to be able to ask sensible questions, but sometimes even that won’t be true, and the best (and most productive) interaction will be to say “I don’t know about this: please explain it to me, or at least tell me what the options are.”  This seems to me to be particularly important for security folks: there are so many overlapping disciplines, and getting one piece wrong means that your defence in depth strategy just got a whole lot shallower.

Being too lazy to look things up, too arrogant to listen to others or too short-sighted to realise that there are areas in which we are not expert are things of which we should be ashamed.

But there is no shame in being a generalist, and knowing when you need to consult a specialist.


1 – I’m extrapolating horribly here, but it’s true for me so I’m assuming it’s a universal truth.

2 – apparently the look on my face, and the things I do with my tongue, are a sight to behold.

3 – I’m constantly trying to convince my wife of these, and although she’s sceptical about some, we’re now agreed that I shouldn’t be allowed access to any power tools again if we want avoid further trips to the Accident and Emergency department at the hospital[4].

4 – it’s not only power tools.  I once nearly removed my foot with a wallpaper stripper.  I still have the scar nearly 25 years later.

5 – somewhat gendered, for which I apologise.

6 – disclaimer – I have an MBA, and met many talented and humble people on my course (and have met many since) who don’t suffer from this predicament.