Who are your experts?

I noticed an ad recently for a diet book by Peter Greenberg. Greenberg is a travel journalist, and he is dieting. Apparently that qualifies him to be a travel diet expert -- or at least enough of an expert for his book publisher's purposes.

It's interesting but irrelevant that according to Greenberg, he started out 60 pounds overweight and is now 20 pounds overweight -- after all, the hard part of a diet is keeping the weight off, not losing it. Keep that total -- 40 pounds -- in mind as we look at the logistics of publishing a book.

My current book, Spies Among Us, was 90 percent complete when my publisher took the book on as a rush project, and it still took 6 months to get it released. My Computerworld.com editor's most recent book, a svelte 96-pager written for kids about using instant messaging, took nearly nine months from planning to print. Even tomes from technical publishers, which often handle very tight turnarounds, tend to take three to four months to hustle through the publishing practice.

Meanwhile, a sound diet can result in a weight loss of 2 pounds a week. The 40 pounds that it took Greenberg to lose should have therefore taken him 20 weeks, or 4.5 months. If you assume that Greenberg started with the idea that he wanted to lose weight and then wrote his book, it should have taken him nine months to get to the point at which the book was released. That means that he might have lost one pound a week on the diet if he started to write the book as he was losing the weight.

It's still not a bad weight loss, but going by the time frames I've given you, Greenberg may well have started writing as an expert on the subject long before he was an expert on the subject. Now think of the "experts" covering security issues. For instance, one of my pet peeves is when I see newspaper articles talking about "secure" Internet transactions. Inevitably they advise readers to "look for the lock on the Web browser, which means you are dealing with a secure server." It's a widely quoted "fact" that happens to be untrue. The "lock" means that you are using the SSL protocol, which specifically means that the data is encrypted in transmission. That has nothing to do with the security of the server; you could in fact be securely sending your credit card number to a phishing site. It's an expert-sounding factoid that's just not accurate.

We have seen data theft from servers described as "secure." I suspect there are a lot of people who are learning about security from people perceived to be experts -- including the technology editors at the newspapers that publish "facts" like those, whether in a ham-handed effort to simplify tech for the general population or because they simply don't have their facts right. There's a funhouse-mirror effect in place too, since many computer generalists get their information on subjects like computer security from articles written by other generalists, who researched their articles by looking at other articles by generalists. In that situation, not only do errors propagate indefinitely, but good information is often drowned out by the consensus of bad info.

Making the matter even worse is that the generalists believe that they have to dumb down the material for the laypeople. Clearly the information needs to be understandable, and anyone who's tried to explain security issues to a nontechnical friend or relative knows how low the bar has to be set sometimes. However, since (again) bad info often drowns out good info, many of these consumer computer experts are dumbing down previously dumbed-down information. Inaccuracies creep in, and the reader is left with bad information ... which, often, they still don't understand!

Newspaper reporters are not the only example of bad "experts." I've seen computer consultants whose security knowledge is even worse -- and maybe more dangerous. I once had a friend call me in tears, saying that she had a virus on her computer that deleted years' worth of digital photos. I told her to get antivirus software and recommended a data recovery service. She told me that she had a local consultant come in and that he'd used a piece of software to disinfect that virus, so she didn't need to buy antivirus software. The consultant told her he was saving her money by doing this.

I told her that since her primary concern was retrieving the pictures, she should not touch the computer and should send the drive out to the data recovery service before she wrote anything else to the disk. She told me that the "cost-effective" consultant had already reloaded the operating system.

While there was a chance that her data wasn't overwritten, an expert should have known that writing to the drive might overwrite otherwise recoverable data. He obviously didn't have a clue that he'd just disinfected the system but hadn't stopped future infections -- after all, a freshly reloaded operating system with no antimalware protection is just as big a target. Cost-effectiveness is nice, but it's no substitute for competence.

So, who are your experts? Questionable advice is very much out there. Generalists are selling themselves as experts on very specific topics, such as security. I saw one IT services firm that started reissuing business cards that changed people's titles from "systems analyst" to "security analyst". The people had received no special training and had never done any security work before. That was irrelevant -- a quick title change, and their consulting rates went up.

With press coverage, be wary if you are reading a column about security one week that was about the latest digital cameras the week before. (Some reporters are security-fluent, but too many are subject to pressure from editors wanting coverage on whatever topic is hot in the news. Security, particularly in the data-breach era, fits the bill.) With consultants, what sort of resumes are the "experts" bringing to the table? Business cards are irrelevant; you want to know what the consultants were doing on their last few assignments.

Security is now a front-page topic. That means that a lot of people are jumping on the security bandwagon, and some of them believe that they have been "security experts" for years because they've added a number or some mixed-case letters to a few passwords. In Spies Among Us, I detail the case of Alexey Ivanov, a key figure in a Russian cybergang. He would break into Web sites and then attempt to extort money from the companies to fix the problems. Every so often, one of his victims would hire a "security consultant" to lock Ivanov out instead of paying him off. None of the consultants was ever able to accomplish that lockout.

Ivanov says that he never did anything brilliant, but the consultants never did the basic security measure of reloading the systems from scratch to remove backdoors. The one thing that Ivanov is most mad about regarding his convictions is that he has to reimburse the companies for the cost of the "experts" who were never able to keep him out!

Hopefully you know that a travel writer on a diet is not by default a travel diet expert. Likewise, I hope that you know that a computer consultant who simply uses 133t-speak in passwords is not a security expert. In a highly technical field such as security, talk and titles are both less significant than experience and deep knowledge. Bad advice can mean you lose a lot more than a few extra pounds.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about HIS

Show Comments