Geer, Thieme: Specialization and Institutionalization Have Transformed Security

Two elders of information security came to Source Boston 2013 on Wednesday morning to encourage the next generation to take the torch from them, and to warn of the costs of diving too deeply into specialization.

Heavy thinkers Dan Geer and Richard Thieme said that the industry is closing in on the end of an era in which practitioners came to security from a variety of backgrounds, bringing with them lessons learned in other disciplines.

“We’re close to a transitional end because people can get degrees and certifications, and security is becoming institutionalized,” said Thieme, a former clergyman who has a literature background.

Geer, who has a biomedical background, says he thinks about security in terms of disease models, much as a civil engineer would apply knowledge of bridge construction to security, or a physician would think in terms of triage.

“Any background that requires you to think [applies to security],” Geer said. “That’s what makes this field fascinating. This is truly a renaissance field. While you can, I think you should steal this mind-view from us. Steal from us before we are replaced by a leading expert on one cubic inch of the security manual.”

Geer and Thieme are historians and observers of technology and security, and both are still making an impact. Geer is CISO of In-Q-Tel, a venture capital firm that operates on behalf of the intelligence community, looking for innovative security technologies to bankroll. Thieme continues to contribute articles to the community and is a frequent speaker at industry events; he has spoken at every DefCon since 1996, for example. As moderator Josh Gorman put it, Geer and Thieme represent the left brain and right brain of the industry: Geer its scientist and mathematician, Thieme the hacker culture’s conscience and source of ethics.

Geer’s fascination with metrics and measuring security outcomes has made his reputation. As an indicator of the beginning of the end of the security generalist, he shared details of a project in which he plotted, over a 21-year period, the number of academic articles in the computer security literature and the number of times those works were cited. Defining an article’s half-life as the time it took to be cited a 50th time, he plotted that half-life against publication year and concluded that while the number of authors is rising, the average half-life of an article is falling.

“I think that’s an unarguable marker for specialization,” Geer said. “I can’t recommend anyone to be a generalist. Be a serial specialist, but I don’t think it’s possible to start from scratch and be a broad-spectrum generalist.”

Thieme said the same dynamic holds for citations in the medical field, and that it erodes institutional knowledge.

“Masters of their domains are not familiar with their history,” Thieme said. “They are specialized to the point where true dialog between people is difficult because common points of reference are not there.”

Richard Thieme image via Jason Scott
