Technology / #TEISS15: ‘The Myth of Magic Boxes’
#TEISS15: ‘The Myth of Magic Boxes’
4 November 2014
Ahead of The European Information Security Summit 2015, Rowenna Fielding, information governance manager at the Alzheimer’s Society, talks about IT's 'goblins', 'wizards', and their dark arts.
“Any sufficiently advanced technology is indistinguishable from magic”
Arthur C. Clarke in the essay “Hazards of Prophecy: The Failure of Imagination”, in Profiles of the Future (1962).
If you simply demand “a magic box”, don’t be surprised if you end up with the wrong magic and the wrong box.
The lure of technology and magic is similar – both are perceived to offer a short cut to results with a reduction in effort. Despite – or perhaps as a result of – the marketing of technology as tools to make life “easier”, people without a technical education who have only encountered technology head-on in the workplace or as a domestic consumer may well come to perceive technology as ‘magic’ – random and incomprehensible, requiring specialist skills and arcane knowledge. Even the certified geek will be heard occasionally to blame “goblins” for glitches in service or unintended consequences.
There is a central theme of powerlessness in this language, a feeling that we are the mercy of unknowable elements with alien motivations. In the drive to improve ease of use, we have introduced the twin misperceptions that a) no effort is required at any stage of technology employment at all and b) therefore any effort must be a wasted cost as the whole point of technology is to eliminate effort. That the lack of effort in planning, choosing, testing and verifying inevitably leads to failure has produced a sense of apathy and fatalism, on the part of the end user and the business owner; computers might as well be powered by imps and ley lines for all the control the average person has over them.
Unfortunately, those same hapless individuals often bring this passive attitude into the workplace, with predictable results, a conversation like this:
Person requesting: “Give me a <magic box>”
Supplier: “What <magic> do you want it to do?”
The requestor lists various features which their desired magic box must be capable of performing.
The supplier orders a magic box which includes the desired features.
The requester discovers that their shiny magic box doesn’t actually allow them to achieve the outcome they were hoping for.
Essentially the requester is assuming that lacking the detailed technical understanding of how any given solution may work lets them off the hook for actually knowing what they are asking for. They have neglected to specify the desired outcome of the magic spell which their magic box is casting and will usually be disappointed by the results.
With an active attitude and a clear picture of the desired outcome, the process looks rather different:
The purpose of the magic is established…….
Requester: “We want a magic box which tells us when Bad Things Happen so we can respond to them and stop them getting worse.”
Supplier: “What kind of Bad Things are you looking to detect? What do they look like when they happen? What information do you need the magic box to give you? When will you need it? How should it be delivered?”
Requester answers the Supplier’s questions, the Supplier uses these criteria to search for solutions that meet these needs.
Magic boxes are tested until the closest match to the criteria is found.
In scenario 1, the requester is passive and the feedback loop is negative – the technology doesn’t deliver the required results, this leads the person who needed the result to believe that they are an innocent victim of supernatural conditions and that the problem must lie with rubbish wizards (IT department) or the mischievous goblins which power the magic box.
In the second scenario, the business need drives the thinking and human action, the magic technology is only a passive tool and the features are an attribute of the tool, not the purpose of the magic itself. Option 2 undoubtedly requires more effort to implement and sustain but is far more likely to achieve useful results.
Faced with the competitive and complex world of IT security, it can be tempted for decision-makers to select tools in a reactive way, shiny marketing and lists of features seem like a good measure of how successful the purchase will be. However, technology experts, vendors and consultants must push back against this approach, or we collectively risk damaging decision-makers’ faith in technology. Unless we combat the myth that “technology is provided by magic boxes that do all of your thinking for you” with the reality-check “although technology might appear magical, it doesn’t actually have psychic powers.” we will continue to struggle to deliver IT security projects which provide satisfactory results.
See Rowenna Fielding speak alongside other industry experts at The European Information Security Summit 2015 at the Queen Elizabeth II Conference Centre in London