CrankySec

You're not five

In 1983, percussion enthusiast and Nobel Prize laureate physicist Richard P. Feynman gave an interview to the BBC about some random science shit. During that interview, Feynman is asked the question: "Fucking Magnets, How Do They Work?", and buddies... he's not having it.

"I can't explain that attraction in terms of anything else that's familiar to you. For example, if I said the magnets attract like as if they were connected by rubber bands, I would be cheating you. Because they're not connected by rubber bands … and if you were curious enough, you'd ask me why rubber bands tend to pull back together again, and I would end up explaining that in terms of electrical forces, which are the very things that I'm trying to use the rubber bands to explain, so I have cheated very badly, you see."

What the man is saying here is this: you can't understand C without going through the motions of understanding A and B first. If we try to skip that, we're simplifying things to the point where we're glossing over the details, and, as we all know, that's where the devil is.

The very worst thing one can possibly do is to try and simplify things that cannot be simplified any further, and that's why this whole "explain it to me like I'm five" is dumb. Dumb and dangerous, which is possibly the one combo you want to avoid.

The infantilization of people who are otherwise calling the shots doesn't help anyone. You shouldn't go to your vCISO/board and ELI5 complex shit because a) they are not five, and b) it is in their best interest to understand the threats they're facing so they can do their fucking job of allocating resources properly and prioritizing things. When you ELI5, you fail to convey the critical information needed, and that's a known problem. Explaining things as if your interlocutor is a five-year-old works very well when they are indeed five, or when the thing you're explaining is inconsequential in the grand scheme of things. Saying that your bread dough rises because the yeast "eats sugar and farts CO2" is close enough. No one is going to die or lose millions of dollars because they did not fully grasp the intricacies of this particular metabolic pathway of fungi.

Your vCISO/CIO/CTO/CEO, on the other hand... they are not five, and they should fucking know what's going on, gory details and all, because there are consequences for them not understanding exactly what's up. Every time some LinkedIn moron says something like "vCISOs don't need to be technical!" or "You need to learn how to speak bUsInNesS", I need to remind myself that these people are too far gone to even comprehend my outrage, so why bother? That's why every technical issue you bring to a non-technical decision maker has a tendency to become several different meta-issues involving t-shirt sizes, RACI matrices, OKRs, SWOTs, and every other bit of project management bullshit:

"I don't know anything about the metabolism of yeast, but I understand eating and farting, so let's go with that instead!" Brayden O'Douche, PMP

People cannot make good decisions without the relevant information, and dumbing shit down removes the relevant information. It's really that straightforward.

"But Scar, you can't possibly expect the Pantheon of Gods we call the C-Suite to know everything there is to know about cybersecurity!"

And I don't. You gotta meet me halfway here, though. I'll simplify things as much as humanly possible, but you also need to do your part. It's not all cocaine and prostitutes and RSAC and Black Hat: you need at least some functional understanding of the things the people you oversee do every day. Luckily, there's a cheat code. It's called "trusting the people who know what they're doing", but that's a rarely used strategy because accepting that some underling might possibly know more about something than you is not a great way to look good. Instead, the people in charge would rather run their fucking mouths, talk nonsense, and ask for a Kanban board and a Confluence page.

And that's very different from them asking questions in good faith. Questions asked in good faith come from a place of intellectual curiosity and empathy, and we know that's not in high supply. It's not a matter of "all we've got are hammers", but a matter of "we definitely have a whole toolbox here full of things that are not hammers, so why the fuck do you keep asking me to put things in terms of nails when hammers have got nothing to do with the matter at hand?"

Next time some 10-ply asks you to "put this in a way that I can understand", pull a Feynman and reply "I can't explain that in terms of anything else that's familiar to you." The man won a Nobel Prize in Physics, so you know that's good advice!