Paul Graham’s Design Paradox is that people who have good taste in UIs can tell when other people are designing good UIs, but most CEOs of big companies lack the good taste to tell who else has good taste. And that’s why big companies can’t just hire other people as talented as Steve Jobs to build nice things for them, even though Steve Jobs certainly wasn’t the best possible designer on the planet. Apple existed because of a lucky history where Steve Jobs ended up in charge. There’s no way for Samsung to hire somebody else with equal talents, because Samsung would just end up with some guy in a suit who was good at pretending to be Steve Jobs in front of a CEO who couldn’t tell the difference.
I think this idea originated in Graham’s startup mistakes essay:
http://paulgraham.com/startupmistakes.html
...when I think about what killed most of the startups in the e-commerce business back in the 90s, it was bad programmers. A lot of those companies were started by business guys who thought the way startups worked was that you had some clever idea and then hired programmers to implement it. That’s actually much harder than it sounds—almost impossibly hard in fact—because business guys can’t tell which are the good programmers. They don’t even get a shot at the best ones, because no one really good wants a job implementing the vision of a business guy.
In practice what happens is that the business guys choose people they think are good programmers (it says here on his resume that he’s a Microsoft Certified Developer) but who aren’t. Then they’re mystified to find that their startup lumbers along like a World War II bomber while their competitors scream past like jet fighters. This kind of startup is in the same position as a big company, but without the advantages.
So how do you pick good programmers if you’re not a programmer? I don’t think there’s an answer. I was about to say you’d have to find a good programmer to help you hire people. But if you can’t recognize good programmers, how would you even do that?
If it’s true that this is the bottleneck on friendliness, one way to address this might be to try to make the people who are actually good at security higher status—by running security competitions, for example. (I assume the competitions would have to be organized by high status people for this to work, and you’d have to identify people who actually had security mindset in order to design & judge them.)
I suspect that different fields have different deltas between the people who look impressive to an outsider on paper vs the people who are actually competent. Programming might have been one of the fields with the highest deltas, though I think this delta has been arbitraged away some as the meme that Github profiles are more important than degrees has spread through the public consciousness. Nowadays, I think Triplebyte has accumulated enough status that a business guy has a decent shot at correctly choosing them to choose their first technical employee.
(Didn’t Eliezer claim in a previous essay that he has the ability to differentiate experts from non-experts in fields he’s not personally familiar with? I don’t remember the details of how he says he does this.)
Real-world anecdata on how one big company (medical equipment) got OK at security:
At some time they decided that security was more important now. Their in-house guy (dev → dev management → “congrats, you are now our chief security guy”) got to hire more consultants for their projects, went to trainings and, crucially, went to cons (e.g. DEF CON). He was a pretty nice guy, and after some years he became fluent in hacker culture. In short, he became capable of judging consultants’ work and hiring real security people. And he made some friends on the way. I think this is the best path to acquire institutional knowledge: take a smart person loyal to the company, immerse them in the knowledgeable subculture (spending money on failures on the way), and use the acquired knowledge to hire real professionals (really hire, or hire as consultants for projects, or hire to give trainings).
Different big company (not software related), same thing. After some years their security guys became fed up with their lack of internal political capital, quit and switched career to “real” security.
Note that this approach gets hacked if everyone uses it at once, which means you should never attempt to immerse your experts after hearing another company is doing it, because all the newbies will end up talking to each other (see how things like LinkedIn work for 99% of people as some kind of weird networking simulator).
Why do you think a competition would measure anything meaningful? The best way to hire programmers doesn’t seem to be about hiring those people who do best at programming competitions.
The goal is to discover a way to measure security mindset as accurately as possible, and then make it high status to do well according to the measurement. There’s no reason why your contest would need to look like our current idea of a programming contest. Software companies already have incentives to measure programming ability as accurately as possible—see companies like Triplebyte which are attempting to do this in a data-driven, scientifically validated way. But no one has an incentive to make your score on Triplebyte’s quiz public and give you status based on it.
Another idea is to push for software liabilities, as Bruce Schneier describes in this blog post, in order to create a financial incentive for more developers to have security mindset.