“Practical Intelligence” in Infosec

March 3rd, 2009

I recently finished reading Malcolm Gladwell’s latest book, “Outliers”. The book examines the reason why certain people and groups behave and perform in certain ways, or why certain events seem to happen to particular groups in disproportionately large numbers. Great book, fairly simple premise. I won’t dig much into the book’s conclusions, leaving that instead for the erstwhile reader.

One section really grabbed my attention, though. In a discussion of really smart people, namely Chris Langan and Robert Oppenheimer, Gladwell examines why they each ended up where they did. Langan, arguably the smartest man alive, is a nobody: he lives in some rural town on a farm, got no real higher education, and has bounced around doing various jobs his whole life. Oppenheimer, on the other hand, ran the Manhattan Project and is widely considered one of the true geniuses of our time. Both, however, are inherently brilliant by the scales we commonly use (the modern IQ test, for example). Both were also presented with some significant hurdles along their unique paths, and the truth of it is that Oppenheimer had far more serious issues to contend with overall.

However, Oppenheimer prevailed where Langan did not. In reviewing the individual cases, Gladwell points out that Oppenheimer had something Langan did not: “practical intelligence”. To quote from the book:

It is procedural: it is about knowing how to do something without necessarily knowing why you know it or being able to explain it. It is practical in nature: that is, not knowledge for its own sake. It’s knowledge that helps you read situations correctly and get what you want.

In short, Oppenheimer could deal with people. Read body language, interpret situations. Figure out the best story to tell to BS himself out of a jam. It’s more than common sense. It’s a learned ability to interact with people and manipulate situations to benefit us the most. How can we think of this in terms of information security?

I’ve been saying for quite some time now that people skills are inherently more important than pure technical skills for both advancing your career and getting the job of security done day-to-day. It’s time to revisit that. First, people promote people they LIKE. People hire people they LIKE. People also tend to want to surround themselves with people LIKE THEM. Get the point? If you are a total goober, who still thinks your soldering iron is your best friend, then a wake-up call is in order: your days are probably numbered unless you’re just absolutely at the top of your game and your technical skills are in high demand.

Second, getting the job of security accomplished takes some politics. It takes some ego stroking. Some subtle manipulation. That’s really true of all the best business “dealmakers” out there today. I’m not suggesting dishonesty, or a lapse in ethics. Just the reality that you can’t be a bull in a china shop and expect people to give a damn about whatever it is you’re saying. I meet way too many supergeeks in this industry, some with real technical skills, who think that’s going to get them ahead forever. I especially love the geeks who can only feel superior by challenging other geeks publicly and trying to denigrate those with a lesser degree of technical skill. These people are sorely confused about, well, lots of things. And they CERTAINLY don’t have any practical intelligence!

Consider a simple example. Just tonight on one of the SANS GIAC mailing lists I am on, a guy was debating the age old struggle between the paranoid security guy and the user who wants to use Facebook a bit during the day. How do you handle this? Block all Internet? Only block some? This is really a totally open-ended question – the answer is absolutely “It Depends”. But working with business units and other organizational players may require some debate and tact. What if the CIO wants to use Facebook? Do you just stick to your technical guns and hope that works out? Errrr…..no. Probably not.

I am a geek. I love technical skills and topics, and read highly technical material voraciously. I constantly play with new technologies and techniques, convinced that this is important. And I really believe it is. But the skill I cherish the most? And the one I’ll be working on more than ever? You got it – my “practical intelligence”, or “dealing with people” skill. It will help me articulate security issues, explain my reasoning, and try to persuade people to see things my way much better than those obscure Unix commands ever will. 🙂

  1. March 4th, 2009 at 13:58 | #1

    I did read that email discussion thread (SANS GIAC mailing list) and was hoping that someone would make a blog post out of it; glad it was you. I think Practical Intelligence is finally bubbling to the top and 2009 will be the year in which information security professionals across the board will work on refining their non-technical skills.

  2. Ron W
    March 5th, 2009 at 14:18 | #2

    Great post!
    When the head of a University Information Assurance program asked a group of business people what skills should be taught to his students, they replied, “Philosophy, Psychology, Sociology, Marketing, oh yeah and some computers…”

    I spoke on this topic at the 2007 RSA Conference, “Being ‘People’ People for Security Professionals.” I’ve tried to give a repeat the past two years, but have been rejected.
    Oh well, at least RSA is having a Professional Development track this year.

    While extremely valuable, these “soft” skills aren’t as sexy as hacking skills…

  3. March 6th, 2009 at 15:52 | #3

    Dave – brilliant, thanks for putting that to (virtual) paper. There are so many technically brilliant security folks out there who just can’t seem to grasp the sense of it all, why certain things will never be done “right”… and how sometimes failure is acceptable.

    It’s this [un]common sense and that ability to get along with and read people that makes for a great leader specifically in the security field because security is never seen as a front-runner in business. Security is a “necessary evil” at best – and if the security leadership is abrasive we fail as a group… horribly. Manipulation, sadly, is what makes our jobs actually do-able.

    Thanks for the post.
