Shostack + Friends Blog

 

Bounce and Range

I want to talk about two books: Bounce, by Matthew Syed and Range, by David Epstein. I want to talk about them together in part because Range is explicitly framed as a response to Bounce. cover of Bounce by Matthew Syed

I want to talk about two books: Bounce, by Matthew Syed and Range, by David Epstein. I want to talk about them together in part because Range is explicitly framed as a response to Bounce. [Update: Bill Gates has selected Range as one of his 5 good books for a lousy year.]

Bounce is focused on the relationship between talent and training. Syed starts with a discussion of ping pong stars, and the belief that they have some special talent or affinity for the game. He points out that most of Britian's Olympic team came from the same town, and how unlikely it is that everyone in that town had some genetic or other inbuilt advantage. It's about training and practice. Not the junk-science of 10,000 hours of practice, but the use of deliberative practice to develop specific skills.

This is resonant because I've spent a long time arguing against the need for an attacker mindset, or 'think like an attacker.' If we require some special, unteachable mindset as a prerequisite to building secure systems, we might as well give up. But, as Bounce teaches us, there's no magic, just practice. (Affinity for a topic, enjoyment of the practice doubtless helps, and early success probably contributes to that enjoyment, and thus practice.)

And that practice needs to be deliberate. That is, it needs to focus in on weaknesses, and address them. The exercises need to be constructed to develop new skills. I took a lot from this book to revising the training I deliver in threat modeling.

Of course, when I say this is resonant, I'm at risk of letting confirmation bias dominate my perception, and so it's good to have Range to critique Bounce. Epstien constructs a powerful argument that much success comes from acting at the intersection of fields or ideas, and that if you specialize early to get to thousands of hours of deliberative practice, you won't have range to draw apon.

This is interesting because in my time in security, we've gone from a field in which no one was trained, degreed or certified to one in which those are essential to starting out. We've struggled through the first attempts to figure out what security is, why it matters to an organization, how to "do security", "measure security" and reward employees for their work. We have answers, and to address demands from executives, IT departments, developers, and others, we've created structures and roles that define how work gets done. We now teach people how to be a SOC operator, a threat hunter, a penetration tester, an IAM manager, etc.

There is strong resistance to these forms, because a little reflection shows that these organizations are neither natural nor effective. There's a move recently to cast aside security's hard-won right to stop shipment. It turns out that being able to stop ship comes with accountability without authority, and so product owners pressure security to sign off, despite having done no work to secure a product. It's a bad situation all around, and the solution, shockingly, is to give up the power to stop a product from shipping, and move to an advisory role.

We have, probably, the same number of people with 'non-standard' origin or training as we did twenty years ago, but the field is far larger, making such difference far less common as a fraction of practitioners. We have fewer conversations about how we set our goals or why we do things, and a lot more about the tasks and how to accomplish them.

I learned important things from Range, and it delivers value. At the same time, I think it critiques an argument that I didn't read in Bounce. That argument is 'specialize early.' That's certainly an argument that's out there. There are regular complaints that people coming out of school don't have the particular technical skills that employers want, and that's frustrating to employers and students. What are they paying for if not to learn? And what they need to learn are not how to use Nessus version 2.2, but how to think critically, how to communicate, and how to learn. They need the range in which to embed their skills.

Below are some highlights that caught my attention in Range. I read Bounce on paper, so adding quotes is harder.

  • No tool is omnicompetent. There is no such thing as a master-key that will unlock all doors. —Arnold Toynbee, A Study of History (Page 4)
  • ...so that jazz musicians could improvise while inside an MRI scanner. Limb saw that brain areas associated with focused attention, inhibition, and self-censoring turned down when the musicians were creating. “It’s almost as if the brain turned off its own ability to criticize itself,” he told National Geographic. While improvising, musicians do pretty much the opposite of consciously identifying errors and stopping to correct them. (Page 69)
  • Improv masters learn like babies: dive in and imitate and improvise first, learn the formal rules later. “At the beginning, your mom didn’t give you a book and say, ‘This is a noun, this is a pronoun, this is a dangling participle,’” Cecchini told me. “You acquired the sound first. And then you acquire the grammar later.” (Page 70)
  • One of those desirable difficulties is known as the “generation effect.” Struggling to generate an answer on your own, even a wrong one, enhances subsequent learning. (Page 79)
  • Mention Kepler if you want to get Northwestern University psychologist Dedre Gentner excited. She gesticulates. Her tortoiseshell glasses bob up and down. She is probably the world’s foremost authority on analogical thinking. Deep analogical thinking is the practice of recognizing conceptual similarities in multiple domains or scenarios that may seem to have little in common on the surface. (Page 94)
  • If you’re asked to predict whether a particular horse will win a race or a particular politician will win an election, the more internal details you learn about any particular scenario—physical qualities of the specific horse, the background and strategy of the particular politician—the more likely you are to say that the scenario you are investigating will occur. Psychologists have shown repeatedly that the more internal details an individual can be made to consider, the more extreme their judgment becomes. For the venture capitalists, they knew more details about their own project, and judged that it would be an extreme success, until they were forced to consider other projects with broad conceptual similarities. (Page 101)
  • Dunbar witnessed important breakthroughs live, and saw that the labs most likely to turn unexpected findings into new knowledge for humanity made a lot of analogies, and made them from a variety of base domains. The labs in which scientists had more diverse professional backgrounds were the ones where more and more varied analogies were offered, and where breakthroughs were more reliably produced when the unexpected arose. (Page 109)
  • They’ve been there, many times, and now have to re-create a well-understood process that they have executed successfully before. The same goes for airline crews. Teams that have experience working together become exceedingly efficient at delegating all of the well-understood tasks required to ensure a smooth flight. When the National Transportation Safety Board analyzed its database of major flight accidents, it found that 73 percent occurred on a flight crew’s first day working together. Like surgeries and putts, the best flight is one in which everything goes according to routines long understood and optimized by everyone involved, with no surprises. (Page 194)
  • Griffin’s research team noticed that serial innovators repeatedly claimed that they themselves would be screened out under their company’s current hiring practices. “A mechanistic approach to hiring, while yielding highly reproducible results, in fact reduces the numbers of high-potential [for innovation] candidates,” they wrote. (Page 196)