The Chauffeurs of Cybersecurity


 “After winning the Nobel Prize, Planck toured around Europe giving a speech. Planck’s chauffeur eventually memorized the speech and asked if he could give it for him, pretending to be Planck, and Planck would pretend to be the chauffeur. So while in Munich, Planck let him do the speech and afterwards someone asked a tough question. The real chauffeur said that he couldn’t believe someone in such an advanced city like Munich would ask such an elementary question and as such, he was going to ask his chauffeur (Planck) to reply.

In this world we have two kinds of knowledge. One is Planck knowledge, the people who really know. They’ve paid their dues, they have the aptitude, and they possess the skills. And then we’ve got chauffeur knowledge. They have learned the talk. They may have a nice head of hair, they may have fine temper in the voice, they’ll make a hell of an impression. But in the end, all they have is chauffeur knowledge.”

Source: Charlie Munger – May 13, 2007

It’s unfortunate, but the cybersecurity industry has its share of chauffeurs.  You know the ones.  They tell you they have everything covered.  They say they can find any adversary.  They say they can easily detect your data leaving your enterprise.  They make verbal guarantees with no way to back them up.  What they don’t tell you, because they don’t know, is what’s involved in rooting out an advanced adversary.  They don’t understand the amount of labor that an organization needs to invest before there is some semblance of Data Leak Prevention (DLP) in place.  And the guarantees they offer would actually cost your organization an entire year’s revenue if implemented.  Absolute security (if there is such a thing) is cost prohibitive in almost every situation.

How do you figure out which person is relying on chauffeur knowledge and which one is the real deal?  The answer is relatively simple:

Don’t just ask them what they do, ask them how they do it!

The chauffeurs will bob and weave. They may even act a bit indignant, trying to shift attention away from their ignorance and onto your audacity in asking such a question. The folks who know, though, will be happy to walk you through the process and use a whiteboard to dive deep.

The chauffeurs will perform a demo that shows a bunch of pretty graphs.  The Plancks of cybersecurity will show you the back end.

The chauffeurs will hide behind terms like “intellectual property” and “proprietary information”, while the people who actually know cybersecurity will explain the inner workings of their products or services.

So be careful.  There is some dilution of the knowledge base taking place, and it’s important to recognize the distinction between chauffeur and Planck knowledge.  Your organization’s reputation and brand may well depend on you understanding the difference.

—————————————————————————————-

What are your thoughts?  Do you agree there is a trend where people/companies are getting into the cybersecurity space without adding much value just because they see dollar signs?  Or is there a minority of technology snobs (like me?) who are overstating the problem?

 

Written by Craig Naylor