Security

Teach a man to fish


There's an old saying, usually attributed to Confucius, that goes something like "Give a man a fish, and you'll feed him for a day. Teach a man to fish, and you've fed him for a lifetime." There's an important life lesson in that simple statement. Some people translate it conceptually into something like "Education is the most important thing you can give someone to better his circumstances." I'm not sure that's really getting to the heart of the matter, or always accurate for that matter -- though it's probably close enough for government work.

The translation I like goes something like this:

Give a man the answer, and he'll only have a temporary solution. Teach him the principles that led you to that answer, and he will be able to create his own solutions in the future.

It's considerably less catchy, of course, but I think it gets down to brass tacks much better than limiting the meaning of the aphorism to traditional charity. If you go with the education translation, you're talking about nothing but how to elevate the standard of living in third world countries, which is important but hardly the one universal problem of life. In fact, the quote about education doesn't even make full use of the statement within the context of education, because formal education too often consists of nothing more than making children memorize answers, ignoring the importance of teaching them how to get to those answers in the first place.

If, on the other hand, you refer to the difference between temporary solutions and principles for solving problems, you may very well not only improve someone's standard of living, but give that person the tools to improve himself (or herself, naturally). This is a central theme of most of my interactions with others when I discuss IT security.

In IT security, more so than in many other fields of study and practice, it is important to be able to think for yourself, reason through the implications of what you are doing, and employ fundamental principles to come to sound conclusions. In many fields of endeavor, little more is required for success than memorizing some formulaic solutions developed by deep thinkers of the past who pioneered the field. IT security is a far more competitive field than most, however, because the primary concern of the IT security professional is someone trying to circumvent all his efforts.

As a result of this state of affairs, the ability to reason from principles is all-important. Mere robotic imitation of "best practices" is not sufficient for any certainty of success. This is why many of the responsibilities of the IT security professional cannot simply be automated away. Automation decreases the workload, but it cannot effectively eliminate the workload entirely, even though the entire IT field is about automation.

This is why my articles here in the TechRepublic IT Security weblog often focus on principles rather than recipes. Security recipes can be useful, too, of course -- and I have nothing against providing them, even given their necessarily temporary usefulness -- but the most important security writing I can do is to address basic principles. This applies to both what principles I know and how one can and should go about discovering more principles on one's own, even as far as discovering any flaws in the principles I offer.

In my consulting work, and when writing documentation, I try to teach the clients and end users of my work the principles behind what has been done. Simply encouraging rote memorization of steps one should take in the short term is tantamount to encouraging someone's information technology systems to fail in the long term. The same is true of providing systems that attempt to automate away any user interaction without teaching the user about what is going on behind the scenes and why. When you not only fail to teach the principles to the end user, but actively hide the details of how things work, you are very directly setting the end user up for failure -- whether you intend that result or not.

Some unscrupulous people regard such inevitable failure as job security. Some ignorant people regard it as an inaccurate estimate of the state of information technology, believing that somewhere out there someone can actually produce a system that does not require a knowledgeable user to ensure it will not fail spectacularly. While the user does not need to know everything about the system to ensure it continues to work, he or she does need to know enough to be able to check on how well it is working, and also needs to be willing and able to learn more about it as needed when problems arise. Passivity, especially in the realm of IT security, is usually a recipe for failure.

An aphorism that is related to the one about teaching a man to fish, and similarly applicable to far more than just IT security, is one I made up years ago and have used when relevant ever since:

The mark of a true professional is one who works toward the day he or she is obsolete.

If you are an IT security consultant, and you are not helping your clients learn how to get along without your services, you are not really doing your job. Keep that in mind when you consider the ethics of your decisions as an IT professional.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

13 comments
drowningnotwaving
drowningnotwaving

Excellent article Chad. I would suggest that your response needs to be tempered by the circumstances at the time. Aspects such as the urgency of the issue, the relative importance of the issue in the corporate scheme-of-things, the capability / motivation of the person in a muddle, and the need to 'protect' the image of that person in front of others, may all influence the manner in which Chip's educational component of the support is offered. E.G. If the CEO is in the boardroom, trying to make a presentation to a large prospective client, and can't understand why the projector never works without the VGA cable plugged in ... it may not be the appropriate time for a "lesson", per se. Fix, check, run may be the order of the day. Indeed, one may perhaps turn Chip's excellent answer on its head!! The savvy help-desker may see this as an opportunity to suggest that the CEO [i]"call me anytime you are setting up a presentation to make sure this runs smoothly."[/i]. By such trivial examples are many careers made! CEO ignorance - a career opportunity for all ! :)

mark.anthony.spencer
mark.anthony.spencer

"Give a Man a Fish, Feed Him For a Day. Teach a Man to Fish, Feed Him For a Lifetime" is attributed to Lao Tzu just so the correct reference is made. I always say that my job is to become obselete during interviews but in today's high risk Program Management roles, it doesn't get me as many jobs. I cringe at those whose aspiration is to being part of the furniture. I would jump at the opportunity to hire such a person. As to teaching, you have to work out your limits and if contracting, what the goals of them paying you are. I usually give them the choice: do you want me to impart something so you never need me, or fix something and you won't see the immediate problem again.

wozisan
wozisan

Lately I've been leaning toward believing that you can still teach a man to fish, as long as it automatically arrives on their plate breaded, fully cooked and with a side of fries. After being on "Sabbatical" (working part-time retail sales for 14 months between IT contracts), it is nice to get back into a more positive professional groove. Thank you for getting me back on track.

chivaago
chivaago

Now if we could get that mind set into our politicians.

AV .
AV .

Very good article, Chad. I share the philosophy that educating your users or clients is the best way for IT pros to do their job. Sometimes though, end users or clients don't want to know why, they just want you to deal with it. AV

rob.dalzell
rob.dalzell

I'm confused, I thought it was ???Give a man a fish, and you???ll feed him for a day. Teach a man to fish, and he'll sit in a boat and drink beer all day.??? I am a IT security consultant at one of the largest US Banks. I spend my days teaching people how to be safe with email. Despite my efforts to make myself obsolete, everyday I get more people coming to me who need my help. Good post.

david.hunt
david.hunt

I agree wholeheartedly. The funny thing I have always found about working yourself out of a job, is that there's always something new and interesting to do. Technology in IT moves and changes at a prodigious rate. After spending over 30 years in the industry, I'm never short of new and interesting things to do. The point about leaning the principles instead of rote procedures is one i have subscribed to since school days. It makes problem solving, even in unfamiliar technologies, much much easier.

Michael Kassner
Michael Kassner

I really appreciated the post. It reminded me of another reason why people need to "Pay it Forward". Having an inquisitive child is my chance and delight to teach principles instead of momentary solutions. Thanks.

santeewelding
santeewelding

The CEO (me) who knows of this ahead of time. Otherwise, good post.

apotheon
apotheon

Unfortunately, it likely wasn't either Lao Tzu or Confucious who said it. It's more certain that it wasn't Lao Tzu, though, since there is a grand total of one document generally attributed to him (the Tao Te Ching), and it does not make this statement at all. In fact, if I recall correctly, its only reference to fish was comparing the governing of a nation to the cooking of a small fish -- it's easy to do too much (either governing in the case of a nation or cooking in the case of a small fish), ruining the subject.

santeewelding
santeewelding

Could prove invaluable over at Aisle 2, in the Questions forum...guy named Davis.

boxfiddler
boxfiddler

if we could that mindset (back) into the art of citizenship. etu

w2ktechman
w2ktechman

especially around Legal departments....

Editor's Picks