Technology does not fix process

A number of people outside InfoSec have pointed this out to me and I thought I’d pass it along with a couple of observations.

The first is of course the (ISC)2’s motto “Security Transcends Technology” and the second is Marcus Ranum’s comment:

“If you think that technology can solve your problems then you
don’t understand technology and you don’t understand your

The author of the article has it in for the vendors of CMDBs, as you can see from other postings at that site, but don’t get hung up on that. The principle holds in all of IT.

In this and many other forums I see people asking for technology solutions – specific specialized tools. I may be a Greybeard or maybe it’s that I’ve had to craft my ‘tools’ from first principles in the past, or maybe I find tools like plain text files (rather than RTF or word processing) to create lists and notes; spreadsheets, simple block diagramming tools; wikis and mindmaps and the ability to use them to communicate with other people rather than solipsistically create mind-numbingly elaborate structures that are meaningful only to me and on my PC. It’s amazing what you can do with a group of people and a whiteboard and flip chart. Not only what gets produced but how much of it is retained and applied.

So that’s my reply to people who want specialized tools and ways to ‘avoid work’. Perhaps the avoidance is really a lack of understanding.

Understanding how to build useful things using basic tools requires not only skill but also understanding; understanding not only of the tools, not only of the ‘product’ but also of the principles and processes involved. All too often buying the ‘packed set’ ends up with something that is under-used for one of a variety of reasons, but you can bet that lack of understanding of the principles and underlying processes is key among them.

In the past I’ve applied this argument to the CLI vs GUI argument. All too often the GUI only permits what the GUI designer had in mind, and that can be a very limited subset of what is needed. A complaint often levelled against system and network administrators who have been through a vendor’s “Boot Camp” courses is that they don’t really understand the principles and the underlying processes, and if it isn’t in the GUI they can’t do it. YMMV. That’s not to say the GUI is useless; it’s great for the common tasks, the expected. But if you don’t understand what’s under the hood you’re not going to recognise when to put the GUI aside. The GUI is just another layer of technology.

If what’s underneath is broken, technology can’t and won’t fix it.

About the author

Security Evangelist