Friday, April 17, 2026

Volunteer management - VM - 4.06 - operations - listening

Volunteer management - VM - 4.06 - operations - listening

I have participated in yet another seminar, supposedly in support of the volunteers.  Once again, the volunteer coordinator has done all the speaking.  Even in the part of the program that was specifically designed to solicit input from the volunteers, the coordinator managed things such that the volunteer contributions were cut short, and the coordinator did most of the talking.

In pretty much any study in regard to listening, when assessing their own capabilities, ninety percent of the population will say that they are above average in terms of listening skills.  The math doesn't add up.

As an early teen, I ran across the Dale Carnegie book "The Awesome Power of the Listening Ear."  It's not a great classic of literature by any means.  It's not even terribly useful in terms of management literature.  But it does, very strongly, make the case that if you learn how to listen to people, it will stand you in very good stead, and give you a massive advantage in all kinds of situations.  Which is quite true.

I tried to practice listening.  It isn't easy.  We have all kinds of social and psychological factors that predispose us to talk, rather than to listen.  Even if we are quiet, very often we simply don't want to communicate, and so we aren't particularly good at listening even then.  But I persevered, over a number of decades, and I think that I can say that I have developed some skills in listening.  And the book, and many other books that talk about listening, are quite right.  Being able to listen to people puts you at a very distinct advantage.  It is certainly a skill that you need to have as a manager, and particularly as a manager of volunteers.

My specialty is information security, and I frequently have to point out that business managers do not understand security.  I don't understand this, since, as I have said before, if you are a manager, at whatever level, in whatever field of endeavor, you manage two things: people and risk.  In security we deal with risk.  But in managing volunteers, of course, you are primarily managing people.  And managing people requires that you listen to them.  You have to know about your people, or you cannot manage them.  If you don't understand your people, you don't understand their motivations.  If you don't understand their motivations, you cannot motivate them.  If you cannot motivate them, you cannot get them to do what you need them to do.

If all of this sounds Machiavellian, then it is.  Machiavelli was right.  He was correct in a lot of the things that he said about how to manage people.  That's why his book is still a classic in management literature.  He does lean a little bit too heavily towards the coercive and deceptive, but the points that he makes are not wrong.  Social engineering involves managing people, and managing people involve social engineering.  And you have to understand people, and you have to, particularly, understand your specific group of people, in order to manage them effectively.  You have to know their motivations, you have to know where their buttons are, and you have to know the buttons that will turn them off, and possibly even drive them away from your volunteer endeavour.  And one of the things that will drive them away faster than any other, is not being listened to.

I have written about listening in a variety of situations, and with respect to a variety of conditions.  I have written about listening with respect to depression. I have written about listening with respect to grief.  I have even written a sermon about listening. And I have written a bit of a test, and practice exercise, for you to try out if you are, in fact, really interested in figuring out something about how much and how well you listen, and how to improve your own listening skills.  So I'll just point to those here, and not copy all of that material here once again.

You will have heard of active listening.  The people who talk about active listening well, ironically, if they're talking about active listening, they are not listening.  There is a lot of nonsense talked about active listening, and there is a lot of well-meaning discussion of active listening which still isn't terribly helpful.  Yes, you should be actively listening.  You should be thinking about what the person is saying.  You should be listening for what the person is *not* saying, as well.  One of the things you should not be doing, if you are actively listening, is actively thinking about what you are going to say in response to what this person is saying.  That is not part of active listening.  That is a disruption and distraction.  If you are thinking about what you are going to say, you are no longer listening.  That is one thing to be aware of in terms of listening.

Active listening is active.  It is work.  If you are not tired at the end of a session of active listening, you are doing it wrong.  Active listening involves listening and trying to understand what the person is saying.  What the person truly means is sometimes not necessarily what they are saying, in terms of the words that they are actually producing.  You have to listen, once again, for things that are not being said, and also for things that are being said badly.  You have to understand that not everyone has the same skill in terms of communication.  Some people do not have a great vocabulary.  Some people misunderstand the vocabulary that they think they have.  And some people just simply do not understand themselves.  Active listening means that you have to be listening for indications for all of these difficulties, at the same time that you are listening to the words that they are saying.

If you are doing all of that, you definitely will not have any time or cognitive capability left over to think about what you are going to say in response.

You have two ears, and one mouth.  That is a pretty good indication of how important listening is.  You should be listening twice as much as you are speaking.  And that is a minimum standard.

And that is particularly true when you have the floor.  In terms of communication, make sure that you keep your own speaking as brief as possible.  Make sure that you think about what you are going to say, and that you say it and as few words, as clearly, but as concisely, as is possible.  Never say with twenty-seven words, what you can say with four.  Prepare what you are going to say, and edit it down to the fewest possible words.  That will leave you more time to let other people speak.

And, even when you are leading the meeting, other people will want to speak.  Other people want to have their say.  Your volunteers will want to have their say.  And they will not be prepared.  They will not be concise.  They will not be conservative in terms of the number of words that they use.  They will want to get everything that they want to say out.  And that is just the reality of the human condition.  They are going to want to talk, and they are going to want to have their say, and if you prevent them from having their say that is going to be demotivating for them.  Yes, very much of what they are going to say will be useless, and wasting not only your time, but the time of other volunteers who have to listen while they are speaking.  Too bad.  This is reality.  You have to keep what you say short, so that they don't have to.  That's just the way life is.

You have to listen.  You have to listen to their complaints, to know what they are upset about, and what about any given situation upsets them.  You have to know when your volunteers are upset, and why.  You have to listen to them on a regular basis just to learn what they like, and what motivates them.  Why are they volunteering for you, and for the organization, in the first place?  What do they like about volunteering?  What do they *not* like about volunteering?  What do they not like about your organization?  You need to listen to all of these things.  And you are not going to get it on demand.  You are going to have to take every opportunity to listen, and listen carefully, to anything that your volunteers say.

Listen carefully to anything that they say that compliments you.  That is going to indicate to you what they like, and therefore what is going to motivate them.

You are going to have to listen to gossip.  You are not necessarily going to have to act on the gossip, and you definitely shouldn't repeat the gossip.  But the gossip is going to tell you of interpersonal frictions between different members of your team.  This is very important, once again.  These kind of frictions, these kind of problems are going to be demotivating.  Sometimes this information will let you know something about individual members of your team, and what they don't like, and what is there for demotivating in terms of their regular activities.  But sometimes it will give you information about larger problems, frictions between members of your team, and possibly, if you pay attention, prevent you from allowing some problem to become deeply entrenched within the organization, which will then take much more work to repair.

Listen.  Listen all the time.  Listen to everyone.  Listen to your volunteers' complaints about your paid staff.  Listen to your paid staff's complaints about your volunteers.  Listen to what your clientele have to say about your volunteers.  Listen to what your volunteers have to say about your clientele.  All of this is vital information.  It may not be given to you in a concise form.  It may be a mountain of verbal ore, which you have to refine into a small amount of actually useful information.  But you have to listen to get that ore in the first place.


Volunteer management - VM - 0 - introduction and table of contents
Posted by at No comments:

Thursday, April 16, 2026

Sermon - TLIS - 2.2.1 - Access Control

Sermon - TLIS - 2.2.1 - Access Control

Micah 2:11
If a liar and deceiver comes and says, 'I will prophesy for you plenty of wine and beer,' that would be just the prophet for this people!

Jeremiah 5:1
Go up and down the streets of Jerusalem, look around and consider, search through her squares. If you can find but one person who deals honestly and seeks the truth, I will forgive this city.

Psalm 12:7
You, Lord, will keep the needy safe and will protect us forever from the wicked

Malachi 2:16
“The man who hates and divorces his wife,” says the Lord, the God of Israel, “does violence to the one he should protect,” says the Lord Almighty. So be on your guard, and do not be unfaithful.

1 Corinthians 13:7
[Love] always protects, always trusts, always hopes, always perseveres.


When I am conducting the information security seminars, I always start with security management first.  As I tell people, I do security management, because, well you can have all kinds of security tools operating, if you are not managing everything, you don't have any security.

I almost always do access control second.  People ask why I do access control second.  Because access control is kind of the origin of information security.  When people think about information security, if they think about information security at all, they primarily think about confidentiality: keeping documents private.  That's all very well and good, of course.  And it is an example of access control.  We have to control access so that people can't steal our confidential information.

But, of course, there is also the issue of availability.  Access control is a means of ensuring that, while we keep certain information private from certain people, we make it *available* to those who need it.  This is another important part of access control, that of availability.

And then there is the third pillar of security: integrity.  I have already talked about the issue of integrity in another sermon.  Even if you keep information private from the wrong people, and make it available to the right people, sometimes the right people shouldn't be making any modifications to that information.  Sometimes it is important to keep the information from being changed at all.  Sometimes it is important to make sure that the information is not changed in error.  There are a number of reasons, and a number of different technologies, to control and maintain the integrity of information that is important to us.

So, why then am I talking about access control in regard to the Christian life?

Is there any need for confidentiality?  Well, no.  God is not trying to hide anything from us.  If anything, God is trying to reveal the truth to us.  And we aren't paying attention.

God is trying to reveal the truth to us.  He is trying to make it available.  And the availability, and spreading the availability, of the good news is one of the commands he has given us.  Go into all the world and preach the gospel.

But then there is that issue of integrity.  And we have touched on it in a couple of other sermons.  As noted in some of those other sermons, the integrity of information is relatively rarely at risk, but we should possibly have some form of access control in place in regard to the integrity of information and protection against heresy.

Some people have tried to control access to information about God, and the Christian life and faith, as a means of combating heresy.  This hasn't always worked to terribly well.  I mean, naming no names, but there was one particular denomination that, for hundreds of years, forbade people from even reading the Bible by themselves.  They had to have the Bible explained to them by the clergy.  Only the clergy were allowed to read the Bible.  It wasn't made available to the common people, and was, in fact, restricted.

Call me a free speech absolutist, if you will, but I think this was going a tad too far.

But before we start making fun of this particular denomination, let's admit that all of us, possibly to a lesser extent, are guilty of similar things.  For example, what about putting your children into a Christian school?  Isn't one of the reasons that many people cite for doing this that they want the children to learn about Christianity and the Christian life in school?  And, by extension, isn't it also true that a number of people feel that a number of unpleasant or controversial topics will not be encountered in a Christian school?  Christian schools may be seen as less likely to teach about evolution.

And, unfortunately, this means that we are very often doing a disservice to our children.  I have had conversations with children, from Christian homes, who have either been homeschooled or who have attended Christian schools, and who betray an alarming misunderstanding of topics like evolution.  One of these kids asserted, very definitively, that the theory of evolution says that God does not exist.  The theory of evolution doesn't say anything about God.  As a matter of fact, Darwin was a Christian.  The theory of evolution talks about how species develop and diverge in different environments.  It doesn't talk about God.  So, if we are teaching our children, or allowing our children to be taught, that evolution is anti-god and anti-religion, and must be desperately avoided, then we are doing our children a disservice.  We are, in fact, lying to them.

Evolution is not the only topic that we don't want our children to talk about.  And we are probably doing a disservice to them in those areas as well.

When I went to university, there was a professor who was famous for teaching an anti-Christian course.  The course was the philosophy of religion.  The professor was quite open about his own lack of faith.  He had been an Anglican, and had lost his faith.  He had designed the course around a series of proofs for the non-existence of god.

Of course, a great number of Christian students at the university took his course.  They all tried to attack his arguments.  But, unfortunately, instead of attacking his arguments as they were, they simply tried to argue against them by proof texting.  Stating that this person is wrong because the Bible says he is wrong doesn't really prove anything to someone who doesn't believe the Bible is the Word of God anyways.

I took this course.  But, as it would happen, I came from a science background.  I knew about science, and I knew about mathematics, and symbolic logic.  And it was logic that the professor was using to try and disprove he existence of God.  He had been teaching this course for approximately twenty years when I took it. In all that time, of course, a huge number of Christians had tried to attack his arguments.  In fact, there was a group of Christians, all from one particular church, who attended the same class that I did.  They tried the same tired old route of proof texting.  But they hadn't, as I have said, attacked his arguments on the basis with which the arguments were created: that of logic.

I did.  I knew logic.  I knew mathematics.  I knew science.  I attacked his arguments ruthlessly, and without exception.  I attacked all of his proofs.  And I managed to disprove all of them.

An awful lot of people would have expected this professor to be very angry at being bested by a Christian.  The thing was, I didn't attack him as a Christian.  I attacked him as a scientist and philosopher.

And he loved it!

Even though I demolished all his arguments, I demolished them on the basis with which they had been created.  No one had ever done that, not in the twenty years that he had been teaching the course!

And, since I attacked his arguments on the basis of science and logic, he didn't, initially, actually realize that I was a Christian.  In fact, when, in the course of a discussion, I did actually assert that I was a Christian, he didn't believe me.  He burst out, "You *can't* be a Christian!  You *think*!"

I mean it was kind of a fun comment to get at the time, and the fact that he thought that I thought was kind of an ego boost, but it is rather a damning indictment of my fellow Christians.

If we try and protect our children, or even ourselves, from the real world, we may be getting ourselves into a similar situation.  Controlling access to ideas maybe seen as controlling heresies, but it also restricts thought.  And God does not restrict our thought.  God allows us to choose whether we believe in Him or not.  God has not created us as automatons.  God has not created us as robots.  And, since we ate the fruit of the tree of the knowledge of good and evil, we have that knowledge.  That knowledge, by creating our fall into sinful nature, has already created enough trouble.  We might as well use it.

I have mentioned the "Prayer for Truth and Direction," from Kenya.  It seems appropriate to quote it again, here:

From the cowardice
      that dares not face new truth…
From the laziness
     that is content with half-truth…
From the arrogance
     that thinks it knows all truth…
Good Lord…
     deliver me.

               Amen.


cf Sermon - TLIS - 2.1.5 - Citizen Programming
   Sermon - TLIS - 0.2.2  47 - Integrity  Robert Slade is a world renowned speaker


Theological Lessons from Information Security

Sermon - TLIS - 0.1.1 - Security is a hindrance with no benefit

Sermon - TLIS - 0.2 / 47 - Integrity/Robert Slade is a world renowned speaker

Sermon - TLIS - 0.7.3 - Four right answers on CISSP questions

Sermon - TLIS - 1.1.2 - Management Planning: Operational, Tactical, Strategic

Sermon - TLIS - 1.1.3 - Functional and Assurance Requirements

Sermon TLIS - 1.1.5 - "Footprints" and key performance indicators/metrics

Sermon - TLIS - 1.1.7 - Security Frameworks

Sermon - TLIS - 1.2.1 / 34 - Edit, Audit, Prophet

Sermon - TLIS - 1.2.6 - Security awareness, training, education

Sermon - TLIS - 1.5.1 - Manage Everything

Sermon - TLIS - 1.7.1 - Organizational Roles and Body Parts

Sermon - TLIS - 2.1.5 - Citizen Programming

Sermon - TLIS - 9.8.5 / 73 - Muster station, safe and secure

Sermon - TLIS - 10.3.1 - Intellectual Property

Sermon - TLIS - 10.5.1 - Privacy

Sermon TLIS - 10.6.1 / 54 - Liability and Negligence


Posted by at No comments:

Wednesday, April 15, 2026

Sermon - TLIS - 2.1.5 - Citizen Programming

Sermon - TLIS - 2.1.5 - Citizen Programming

2 Kings 19:22
Who is it you have ridiculed and blasphemed? Against whom have you raised your voice and lifted your eyes in pride? Against the Holy One of Israel!

Job 20:6
Though the pride of the godless person reaches to the heavens and his head touches the clouds

Psalm 10:4
In his pride the wicked man does not seek him; in all his thoughts there is no room for God.


It is hard to explain to the uninitiated the very idea of "citizen programming," let alone its dangerous ramifications.  (It is also difficult to explain why it is here in access control rather than in application security later on.)

Citizen programming is the term given to programs written by amateurs without any formal training in programming or application development.  Both the term and the reality of the problem came to fruition with the production of the Lotus 1-2-3 spreadsheet program.  Lotus 1-2-3 provided macros which allowed for those who understood accounting to create complicated formulas and processes in relatively simple forms, without requiring them to actually learn formal programming languages.  This doesn't sound like a problem.  It sounds like a very useful tool, and it is.  However, the functionality provided in Lotus 1-2-3 and subsequent spreadsheet programs allowed people to create enormous utilities, which were very useful, but which, without being formally reviewed for their reliability, came to be very important to the companies in which they were implemented.  Thus, the companies were relying on completely untested software, sometimes for extremely important business processes.

We have come a long way since Lotus 1-2-3.  Most of you do not know what Lotus 1-2-3 is because it was superseded fairly soon after by Microsoft's Excel.  Excel came to be part of the Microsoft Office suite of applications, and all the applications in Microsoft Office started to use a common set of macros.  These macros eventually were so powerful that they were able to create email computer viruses that spread around the world in a matter of minutes.

We have created ever more powerful utilities and handed them to users who do not know how powerful they are.  It was bad enough with spreadsheets, but now we are handing them the power of artificial intelligence. Not just handing them the power, but encouraging them to use it, sometimes even demanding that they use artificial intelligence, for any and all purposes.  Recently, a series of articles in the Manchester Guardian has suggested different things that you can do with artificial intelligence.  All of them were rather profoundly silly.  And we are flooding social media with artificially created AI slop.  As Alan Kay said, "Any medium powerful enough to extend man's reach is powerful enough to topple his world."

We have systems, procedures, and life cycles that truck through the development process.  We have formal and semi-formal methods to make sure that software is secure and reliable.  However, these processes and procedures are only taught in formal classes on programming and application development.  Citizen programmers don't take these courses.  Citizen programmers don't know either the importance of making sure that their software is reliable, nor how to do it.

The line between a citizen programmer and a hacker is a fairly fine one.  Basically, it turns on the level of knowledge.  A citizen programmer and a novice hacker may have about the same level of knowledge.  And the knowledge, in either case, may be just as fragmentary.  In other words, important pieces tend to be missing.

This is not to say that citizen programmers cannot create amazingly useful utilities.  Often they are people who are closer to the actual operations of the business then the IT or development department.  The citizen programmer probably has a much better understanding of what people, at the front line, need to do their job.  They know what information the front line workers have, and they know what information the front line workers may find difficult to obtain.  They also know that permission to access certain information, or certain systems, may be difficult for the front line workers.  In other words, in terms of human factors engineering, the citizen programmer may have it all over the actual developer or programmer.  But the citizen programmer doesn't understand all the ins and outs of all the systems in the entire company, nor how certain misinformation might create a major problem for important databases within the company.

So we give citizen programmers access to amazing computerized and automated tools.  And with these tools, the citizen programmers, working on an ad hoc and as needed basis, sometimes create astoundingly useful programs an applications for the company.  So useful, that often these programs and utilities spread throughout the company, and become a necessary part of the business.  Without ever having been checked to see if they are secure or reliable.

And the first time the company finds out just how important this utility is to them is when somebody uses it and it produces an answer which costs and destroys ten percent of the company's total capitalization.  Nobody is going to be very happy about that.

We are encouraging anyone with a computer and a credit card to use enormously powerful tools to create ... well, anything they want to.  Maybe they will create another Tower of Babel.

You remember what happened at the Tower of Babel, don't you?

Starting to turn to the Christian life, let's look at the Tower of Babel story.  This is a story which many sermons seemed to indicate represents the sin of pride.  Men were proud, and decided that they could build a tower which would reach the heavens.  And God decided to do something about that.

Turning more directly to the Christian life, you probably have some theologians in your church.  They are frequently among the super Christians.  You know, the people who know all the right answers.  When you call out "how are we saved," they immediately reply back "by faith through grace."  When you call out "and how are we not saved" they call back immediately "through works."  And when you call out "why not?"  They call back "lest any man should boast!"

You know the ones.

The thing is, these people are the ones who are particularly useful to you.  They *do* know all the answers.  They have the catechism memorized.  They have the liturgy memorized.  They don't need the hymnbook, unless they are singing parts in the old hymns.

So they are useful.  You can always call upon them for pulpit relief.  You can always call upon them for Sunday school lessons.  You can always call upon them to lead a Bible study.  You can always call upon them to eat a new Christians group.  They will have all the answers.

And they may have a few additional answers.

They have studied the Bible.  They have really delved into it.  Particularly the obscure parts.  For example that passage in the Second Book of Hesitations, that puts a whole new spin on the nature of God.  And, now that they know it, that's what they are teaching in the pulpit relief sermons, while you're away, and in the Bible studies, and in the youth group, and in the new Christians group.

You remember the tower of Babel?  Still thinking of that?  Still keeping it in mind?

Now I have to be careful here because I have, elsewhere, noted that this kind of heresy is fairly rare.  As I have said, these are usually the super Christians.  They know all the answers.  In addition to knowing all the right answers, generally speaking they know all the heresies.  And heresies, contrary to the firm belief of the heretics, are seldom new ideas.  They tend to be the old ones recycled again.  One of the extremely effective ways of dealing with heretics of this type is to study the heresies.  Study them thoroughly.  Know the names.  Know why the church decided against them.  And then when somebody, bubbling with newfound enthusiasm for some idea that they think nobody has ever had before, comes rushing up to you and explains it, you can say oh, yeah, the Marionites.  Yeah, we haven't really heard about them since well about 1700 years ago.  And then casually throw in what the Council of Stratford upon Naples had to say about them, and why they were wrong.  It's possibly a little bit cruel, and you will notice that it tends to deflate the new enthusiast pretty sharply.  But, fortunately, pretty effectively.

You can't argue with a true believer.  You have to, carefully and casually, note that this idea has been raised before, and why the church barred it from orthodoxy.

If that doesn't work, you might try suggesting that this person who has found a new interpretation of scripture hidden in a dark corner, read the Bible.  The whole Bible.  Sometimes you can suggest it under the guise of ensuring that the interpretation that they have found is, in fact, supported by the rest of scripture, rather than being contradicted.  As a matter of fact this is a very good way to approach it, and legitimately so.  If somebody thinks that they have come up with a new idea, this is what you need to do.  Read the whole Bible, the whole of scripture, and carefully maintain a list of scriptures that *support* the new interpretation, and those that *contradict* it, and instead support the orthodoxy.  Having them do it themselves, rather than you hitting them over the head with the Bible verses that you prefer, is much more effective.  When you attack a true believer, they tend to entrench themselves, and just get deeper into their rut.  The rule of holes is, when you find that you are in a hole, stop digging.  So give them an opportunity to stop digging.  Take a look at the Bible, the whole Bible, and see what it actually does say about this matter.

I have mentioned the story of the Tower of Babel.  This story does have to do with pride.  But it also comes down to us in another word in the English language: babble.  This is what God does to confound the builders of the tower.  He confuses their language, and they can't understand each other.  And that's what new heresies tend to be: babble.

But don't forget the pride.  It's important.  CS Lewis points out that it is probably the biggest sin of all.  It is instructive to note the movie "The Devil's Advocate," where Al Pacino, in the character of John Milton, is actually playing the Devil.  And starts and ends the movie by breaking the fourth wall, and telling us, "Vanity, definitely my favorite sin."

As I was writing this sermon, I received a copy of the newsletter from Trinity Lutheran Church in Delta.  It contained "A Prayer for Truth and Direction," a poem from Kenya whose authorship is unfortunately lost.  It seems to be a fitting way to finish up:

From the cowardice
      that dares not face new truth…
From the laziness
     that is content with half-truth…
From the arrogance
     that thinks it knows all truth…
Good Lord…
     deliver me.

               Amen.



Theological Lessons from Information Security

Sermon - TLIS - 0.1.1 - Security is a hindrance with no benefit

Sermon - TLIS - 0.2 / 47 - Integrity/Robert Slade is a world renowned speaker

Sermon - TLIS - 0.7.3 - Four right answers on CISSP questions

Sermon - TLIS - 1.1.2 - Management Planning: Operational, Tactical, Strategic

Sermon - TLIS - 1.1.3 - Functional and Assurance Requirements

Sermon TLIS - 1.1.5 - "Footprints" and key performance indicators/metrics

Sermon - TLIS - 1.1.7 - Security Frameworks

Sermon - TLIS - 1.2.1 / 34 - Edit, Audit, Prophet

Sermon - TLIS - 1.2.6 - Security awareness, training, education

Sermon - TLIS - 1.5.1 - Manage Everything

Sermon - TLIS - 1.7.1 - Organizational Roles and Body Parts


Sermon - TLIS - 9.8.5 / 73 - Muster station, safe and secure

Sermon - TLIS - 10.3.1 - Intellectual Property

Sermon - TLIS - 10.5.1 - Privacy

Sermon TLIS - 10.6.1 / 54 - Liability and Negligence



Posted by at No comments:

Tuesday, April 14, 2026

Sermon - TLIS - 1.1.2 - Management Planning: Operational, Tactical, Strategic

Sermon - TLIS - 1.1.2 - Management Planning: Operational, Tactical, Strategic

Luke 14:28-30
Suppose one of you wants to build a tower. Won’t you first sit down and estimate the cost to see if you have enough money to complete it?  For if you lay the foundation and are not able to finish it, everyone who sees it will ridicule you, saying, ‘This person began to build and wasn’t able to finish.’

Matthew 13:44
The kingdom of heaven is like treasure hidden in a field. When a man found it, he hid it again, and then in his joy went and sold all he had and bought that field.

Proverbs 19:21
Many are the plans in a person’s heart, but it is the Lord’s purpose that prevails.

James 4:13-15
Now listen, you who say, “Today or tomorrow we will go to this or that city, spend a year there, carry on business and make money.”  Why, you do not even know what will happen tomorrow. What is your life? You are a mist that appears for a little while and then vanishes.  Instead, you ought to say, “If it is the Lord’s will, we will live and do this or that.”


Not only in information security but in general business management we have the structure of planning divided into operational, tactical, and strategic levels.  This comes to us primarily from the military, as the tactical and strategic designations may imply.

It is often difficult to say where the divisions between the three planning levels lie.  Operational planning involves day to day operations.  It's hard to say that there is any planning involved.  The planning tends to be of the "this is the way that we've always done it" variety.  Operational planning involves looking at what is done on a day to day, and possibly even hour to hour, basis.  It is the province of the line worker and the hourly employee.  The time frame of the planning aspect might be to complete this particular task, or finish this particular product, depending upon the actual tasks to be accomplished.  the time frame, in terms of the planning horizon, tends to be the dividing line between the short term operational, medium term tactical, and long term strategic.

Even the division in terms of the time frame and horizon might be dependent upon the actual task being accomplished.  For example, in a game of chess, the operational planning may be in terms of seconds, generally less than a minute.  The tactical time frame might be minutes, up to perhaps fifteen minutes.  The strategic planning involved in such a game might involve a time frame of perhaps two hours.  And, depending on what your opponent does, all of this could change quite suddenly.

In a business environment, operational planning might involve the current day, tactical planning might involve up to the coming quarter, and strategic planning may involve years.  Long range strategic planning of upwards of one hundred years is not unknown certain cultures.

Once again, I am sure that you are going to ask what this has to do with the Christian life.  There are several issues with regard to planning.  After all, man plans and God laughs.  Planning is something that we do for our life, but do we have to do it in such a structured fashion?

There is the fact that we are not only planning for the short term, that is, our lifetime, but also for eternity.  Is the operational, tactical, and strategic breakdown of planning at all relevant to the Christian life?

Whether or not it is directly relevant, it is always a good idea to look at these kinds of concepts and see whether and to what extent they apply to our Christian life.

First of all, let's look at the issue of whether or not to plan anything at all.  After all, it is God who will decide whether or not we're going to do something.  As Gamaliel pointed out to the Sanhedrin in Acts, if we take too strong an action without consulting and determining whether it is actually God's will, we may find that we are, ourselves, working against God.  We don't necessarily want to be on His bad side.

But let's look at one of the passages in scripture that seems to indicate that we shouldn't be planning.  There's James, where he says that we shouldn't say we are going to go someplace and conduct business and make money, but then he goes on to say that if the Lord wills, we should go there and do this.  That is an important first step.  James is not saying that we shouldn't plan, but rather that we should plan with the expectation that our plans may have to be modified or discarded altogether if it becomes clear that this is not God's will for us.  If God shows us what his will is, then whatever planning we have done, we should be ready to discard it and start planning what it is that God actually wants.  He is not saying that planning is wrong, just that planning, without regard to what God wants, is incorrect.

And, yes, there is some potential value in following the very structured planning horizons.  When we pray, we are to pray for our daily bread.  Give us this day our daily bread.  That is the operational level of planning.  We are asking God's help with the operations of our life.  We aren't, at that point, asking for the operational aspects to be given to us in perpetuity.  This day we need it.  Therefore, we will ask for this day what we need for this day.

And the other levels of planning have value as well.  Let's look at our strategy.  We may not have a detailed strategy, but we should have an objective.  Our objective should be to get into heaven, or to get into eternity, or to get into the Kingdom, or to live forever with God, or however you want to put that.  That is our objective, and our strategy should bend towards, and be formulated by, that objective.

And then there are the medium-term goals.  What shall we plan for a career?  Shall we get married?  Shall we have a family, or are we dedicating our life solely to God's work?  What kind of work should we dedicate our lives to, or at least this portion of it?  Possibly we wish, on a strategic level, for our lives to revolve around service to others.  What kind of service in the near and medium term?  Of the various projects that we could undertake or participate in, which is most suitable, both in terms of our skills and in terms of God's leading, direction, and ultimate plan for us?

In terms of the long-term strategy, those of you who have followed my sermons or know my life story will not be surprised that I don't have an awful lot to say about planning your life out completely in advance.  One of the mistakes that young people make is to think that their entire life must be planned out, and that their operational lives, right now, and their tactical plans for the medium term must all be at the service of this long-term strategy.  I don't believe that.  I think that we do young people a disservice by suggesting that this is even possible.  Yes, in terms of making a success of your life, worldly standards of success may require you to have this level of a plan for your life, but that is not always possible.  It may not even be desirable, and it certainly is going to be unusual that God will have such a straightforward plan for you to follow, and wish you to pursue a specific path that can be defined easily in advance.

I was thirty-three years old before I got married.  That's kind of late in life.  What I didn't know was that I had to wait until the woman that God had in mind for me was ready.  It was in the same year that we got married that I also found my career, as the world would see it.  I started, first as a rather idle interest, and then pursued with more vigour, the area of information security.  That became such a major part of my life that I am now writing a series of sermons based on the ideas and concepts of information security itself.

I would not have known earlier in my life anything about this field.  It really didn't exist, and if I had followed earlier inclinations and pursued a strict adherence to a different path, I would have missed the books that I have now written, the course that I have prepared and delivered, and even the background for these sermons.

And you will have perhaps noted that I have, a couple of times, mentioned, "as the world sees," that the world sees planning as a good thing.  God may wish us to plan in that depth, but it seems that God wishes us to be a little bit more flexible than a strict adherence to a career path might allow us to be.

Perhaps I am mistaken in this thinking, and possibly God has specifically required me to be more flexible in my career and life.  I don't know for sure.  But it does seem that the indications from Scripture are that a rigid adherence to a predetermined plan is more worldly than required by God.

It may be that planning is, like fire, a good servant but a poor master.  Planning, in the immediate situation, and the near term, and in the longer term, can help us, and also assist us with fulfilling what we find that God requires of us.  But we must always be ready, if we find that what we are planning, and even doing, conflicts with what God would have of us. Be ready to completely abandon our plans and do what it is that God actually wants.

As they say about holes, when you find you are in one, the first step to take is to stop digging.




Theological Lessons from Information Security

Sermon - TLIS - 0.1.1 - Security is a hindrance with no benefit

Sermon - TLIS - 0.2 / 47 - Integrity/Robert Slade is a world renowned speaker

Sermon - TLIS - 0.7.3 - Four right answers on CISSP questions

Sermon - TLIS - 1.1.3 - Functional and Assurance Requirements

Sermon TLIS - 1.1.5 - "Footprints" and key performance indicators/metrics

Sermon - TLIS - 1.1.7 - Security Frameworks

Sermon - TLIS - 1.2.1 / 34 - Edit, Audit, Prophet

Sermon - TLIS - 1.2.6 - Security awareness, training, education

Sermon - TLIS - 1.5.1 - Manage Everything

Sermon - TLIS - 1.7.1 - Organizational Roles and Body Parts



Sermon - TLIS - 9.8.5 / 73 - Muster station, safe and secure

Sermon - TLIS - 10.3.1 - Intellectual Property

Sermon - TLIS - 10.5.1 - Privacy

Sermon TLIS - 10.6.1 / 54 - Liability and Negligence



Posted by at No comments:

Monday, April 13, 2026

Sermon - TLIS - 1.2.6 - Security awareness, training, education

Sermon - TLIS - 1.2.6 - Security awareness, training, education

Deuteronomy 5:1
Moses summoned all Israel and said: Hear, Israel, the decrees and laws I declare in your hearing today. Learn them and be sure to follow them.

Job 34:4
Let us discern for ourselves what is right; let us learn together what is good.

Ecclesiastes 1:17
Then I applied myself to the understanding of wisdom, and also of madness and folly, but I learned that this, too, is a chasing after the wind.

Acts 26:24
At this point Festus interrupted Paul’s defense. “You are out of your mind, Paul!” he shouted. “Your great learning is driving you insane.”


I have come to a concept in information security on awareness, training, and education.  It is vitally important in security, and also in business in general.  As a teacher, it is personally very important to me.  I have the feeling that it's very important to the Christian life as well, but I must admit I am having trouble clarifying precisely how in my own mind.

I must admit that my colleagues in the field of information security do not all share my enthusiasm for security awareness training.  In the same way that GK Chesterton said "The Christian ideal has not been tried and found wanting; rather, it has been found difficult and left untried," so too, security awareness has not been tried and found wanting, but rather it has been assumed to be found wanting and has not been tried.

In security, we consider awareness to be what everyone needs to know.  All workers need to be aware of common attacks on the enterprise or themselves, the importance of security to the enterprise and to themselves, and the fact that security is everybody's business.  Specialists, who are responsible for particular applications, databases, or pieces of equipment, need to have particular and targeted training in regard to those responsibilities.  Then there are the professionals, who need to have a broader understanding of the entire field of security, and the management and planning for its implementation and structure.

Awareness is broad and not terribly deep or specialized.  The common attacks mentioned might include frauds and scams conducted against individuals; spear fishing, specifically targeting an organization through acquiring detailed knowledge of the internal structures; things like computer viruses and malware which attack in a scatter-shot type of operation; and specific attacks that might be mounted against this particular enterprise.  Awareness is conducted in terms that are possibly most appropriate to advertising.  Using cute and memorable phrases to bring certain types of attacks and protections to mind.  Handing out trinkets with reminders of specific protections and concepts.  Repetitions of the same messages over and over again.  It is important that the repetitive material be modified, on a regular basis, to say the same things but in a new, and possibly more memorable, way.

Training is, as I say, for specialists.  Specialists who own certain databases, or are responsible for particular applications that are crucial to our enterprise, or particular devices that provide resources for us.  There will be specialty training on the operations of these entities, but there will also be specific training on the importance of particular types of security for these special resources.

The professionals and managers of information security have a broader responsibility.  At the same time, they probably are going to have specialties of their own, possibly acquired as they rose through the ranks of the enterprise and the field of security itself.  However, it is important that these professionals have a very broad overview of security and the sum total of all the domains and fields that it contains.  They must be able to talk with specialists, not so much to ensure that they fully understand the specialty, but at least to the point where they can communicate with the specialists and obtain the greatest benefit out of a specialist contractor's knowledge.

I am trying to consider whether there is an appropriate mirror in the Christian life.  My initial reaction is that there is.  For example, is there an area of knowledge that all believers, and by extension all people to whom we are supposed to be delivering the Good News, need to know.  Then is there a separate level of training that needs to be directed at, for example, ministers, pastors, para-church leaders, and those among the laity who wish to improve their own understanding of the Christian life?  And then, of course, there is the education level that would be the province of theologians and possibly the faculty of seminaries and colleges.

But immediately I run into a bit of a problem.  Is the awareness of the Christian message to be for believers only, or is it to be spread, as the Great Commission would have it, to all nations?  And how far does the content of the message of the Gospel, itself, extend?  Are we content to tell of the instruction to love God, love your neighbor, and spread the message?  Do we go slightly further and have as a curriculum the contents of the little booklet about the four spiritual laws?  Given that the Bible is the most widely available book in the world, is that the curriculum?  (Even though nobody reads it any more.)  What about individual Bible reading?  What about individual prayer time?  What about small groups, either for prayer or for Bible study?  Should we encourage, in terms of the awareness of the original Biblical languages, at least some kind of teaching about the alphabets, if not the actual languages themselves?

Also, in regard to awareness level education, is it good enough that we focus on simplistic repetition of cant phrases, and the provision of trinkets?

Should Christian education be a one size fits all endeavor?  Should questions of Christian life, experience, and even theology, be suitable for everyone?

Regent College, on the campus of the University of British Columbia, is a theological college and institution of international renown.  A number of people consider it to be a type of seminary.  However, even from its beginnings as an institution, Regent College has had a specific distinctive of providing theological education for the laity itself.  Anyone who is interested can come and take Advanced Theological Courses of Study.  I highly respect Regent College, but in this situation it is causing me a bit of trouble.  Does it belong to the awareness level of education for the laity, along with Bible colleges that provide a much lower level of education, or does it belong in the training section for specialists, or those involved in the ministry?  Or, given the status of the faculty, is it an institution of professionals?

In regard to the question of whether the Christian message should be only for believers, or spread to others, non-believers, to all nations: 

In terms of the provision of awareness training, in information security, to the general employees and workers of a company, I have frequently proposed an expansion of this endeavour.  I hold that, particularly with regard to issues such as scams, frauds, and malware, that provision of training to the general public, outside of the company or enterprise, does, in fact, benefit the enterprise.

In regard to the attack by a single attacker on an enterprise, the warning and suggestion of protections to the general public may be seen as having no benefit.  After all, if the attacker is attacking an outside individual, he is not able to concentrate on attacking the enterprise.  However, in the case of malware, and particularly computer viruses, the infection of a machine outside the enterprise actually increases the risk to the enterprise.  A machine that is infected will be firing out copies of the virus, not particularly directed, and spread in a shotgun spread, but some of those infections are likely to hit machines and accounts related to the enterprise.  Therefore, this increases the risk to the enterprise.  By extension therefore, mentioning or providing security training to the public, even at a cost to the enterprise, is a benefit to the enterprise by reducing the total threat environment that can be attacking the enterprise at any given time.

Can we extend this to the Christian life?  Is there a benefit in conducting evangelical campaigns, to the local church?  Yes, evangelical campaigns are what we are instructed to conduct, but is there a benefit to us as the local church?  Certainly, if the campaign is successful, and we obtain additional Church members, this does help the church.  But, by extension of the idea of companies and enterprises conducting public security awareness training, simply as a public good, and thereby obtaining a benefit from it, by the same token, it would appear that there is some benefit to the church, of conducting evangelistic campaigns, regardless of whether or not individual results from that campaign result in additional members to the specific local church.

Before we move on to the next level, that of training of specialists, you may be somewhat perturbed at my mention, earlier, in regard to security awareness training, of the importance of repetition.  You may think that the simple jingles and constantly repeated catchphrases of advertising are inappropriate in regard to the education of the general laity and members of the church.  If so, I would remind you of the main delivery method for basic Christian education: that of the sermon.  Think of the number of sermons that you hear over the course of months or even a year.  How often are the same essential points repeated again and again and again.  And again.  How often do our hymns or praise songs repeat the same words over and over again?  And I think that, if you are fair, you will note that Christians do have their own catchphrases, just the same as does advertising.  Can I get an "Amen"?
 
At the training or specialist level, one would normally think of seminaries, and those institutions that prepare one for Christian leadership positions.  This kind of training would include both Biblical and systematic theology, probably at least one of the two biblical languages, training in pastoral care, and training in some form of public speaking.  I have, perhaps cavalierly, skipped over pastoral care without providing much detail.  Probably candidates for the ministry should be subjected to pastoral care themselves.  Some courses in psychology and psychological counseling would probably not go amiss.  This does seem to be an area where ministers seem to have a bit of a weakness.  I have noticed over the years that ministers in a great many churches are chosen on the basis of their performance capabilities rather than their ability to counsel the individual.

There is an immediate problem in considering the training level in the Christian life, particularly in regard to ministerial or clerical training.  A factor which does not normally arise in the business or security world is that, in the Christian world, it is considered important and even vital that there be a "calling" to the position of minister, supported by spiritual gifts.  This does not mean that education does not play a role in the Christian life, even in clerical training.  Spiritual gifts are important, and a calling is vital.  The calling and gifts can be supported, shaped, and possibly even augmented by mere human training.

And we come to the professional level of the Christian life.  Even putting it that way, with that wording, sends shivers down my spine.  Normally, one would think that this is the province of seminary faculty, the bishops and archbishops of the major denominations, the writers in theology and philosophy, but it also has to contain people like televangelists, whose primary skill often seems to be that of self-promotion.  For seminary faculty, of course, it is easy to see that we should require studies of all forms of theology and philosophy as well, as well as working knowledge of higher criticism and a fairly substantial command of the language, even beyond Hebrew and Greek.  (I have, myself, a slightly more than working knowledge of higher criticism, given that I have studied stylistic and linguistic forensics as a background to software forensics.)  But then we come to the leadership in denominational structures, where management, and particularly business management, would take some precedence.  As previously noted, there are a number of people who are attached to, and even important to, the Christian life, who we sometimes wish were not.  Televangelists and certain authors may significantly contribute to the Christian life, overall.  But very often these people do not have much in the way of professional qualifications at all. They don't have specialized knowledge, and sometimes, it has to be admitted, they are simply in it for themselves.

Do we need to expand our view of Christian education at the awareness level?  Do we, as Christians, need to pursue more deeply education and training related to the Christian message and life?  Are we too timid in our view that, if we know the four spiritual laws, we have enough basic knowledge?  Have we taken to heart too much the idea that we must come as little children, and so not question and not learn and not pursue education with respect to the Christian life?  Is it possible that we are putting too much emphasis on revelation and spiritual gifts, and not enough on our, admittedly fallible, efforts at education in this fallen world?

Regent college, and the Laing family, provide the Laing lectures as a series of public lectures.  These lectures bring celebrated philosophical and theological leaders to present their ideas to the general public.  The lectures are available without charge to any who wish to attend.  In addition the lectures are now available online, to any who wish to attend online.  I recently attended this year's Laing lectures, and was somewhat disturbed to notice the fact that, while there were a large number of people in attendance at the college itself, there were definitely empty seats.  I also noted that I was one of thirty people waiting on line for the online version of the lectures to start.  Given the eminence of those who are chosen to present the Laing lectures, it seems that this is a disturbingly small population who take the opportunity to learn extremely interesting topics related to Christianity and the Christian life.  I doubt that this is a failure on the part of Regent to advertise and promote the lecture series.  Rather, it demonstrates a disturbing lack of interest in further Christian education on the part of my fellow Christians.


Theological Lessons from Information Security

Sermon - TLIS - 0.1.1 - Security is a hindrance with no benefit

Sermon - TLIS - 0.2 / 47 - Integrity/Robert Slade is a world renowned speaker

Sermon - TLIS - 0.7.3 - Four right answers on CISSP questions

Sermon - TLIS - 1.1.2 - Management Planning: Operational, Tactical, Strategic

Sermon - TLIS - 1.1.3 - Functional and Assurance Requirements

Sermon TLIS - 1.1.5 - "Footprints" and key performance indicators/metrics

Sermon - TLIS - 1.1.7 - Security Frameworks

Sermon - TLIS - 1.2.1 / 34 - Edit, Audit, Prophet

Sermon - TLIS - 1.5.1 - Manage Everything

Sermon - TLIS - 1.7.1 - Organizational Roles and Body Parts


Sermon - TLIS - 9.8.5 / 73 - Muster station, safe and secure

Sermon - TLIS - 10.3.1 - Intellectual Property

Sermon - TLIS - 10.5.1 - Privacy

Sermon TLIS - 10.6.1 / 54 - Liability and Negligence



Posted by at No comments:

Sunday, April 12, 2026

Sermon - TLIS - 0.7.3 - Four right answers on CISSP questions

Sermon - TLIS - 0.7.3 - Four right answers on CISSP questions

Ecclesiastes 3:22
So I saw that there is nothing better for a person than to enjoy their work, because that is their lot. For who can bring them to see what will happen after them?

Ecclesiastes 6:12
For who knows what is good for a person in life, during the few and meaningless days they pass through like a shadow? Who can tell them what will happen under the sun after they are gone?

John 18:38
"What is truth?" retorted Pilate.

Proverbs 16:9
In their hearts humans plan their course, but the Lord establishes their steps.


For a quarter of a century, I have facilitated seminars for those seeking their certification as professionals in the field of information security.  The particular exam that I have conducted seminars for is the CISSP, or Certified Information Systems Security Professional.  The exam is probably the hardest exam that you will ever encounter.

That isn't just my assessment.  In one of the seminars, one of the candidates came up to me towards the end of the seminar and said that if he was ever recruiting, for any job, regardless of what it was, and one of the candidates had passed the certification exam, he would hire that person.  He figured anybody who could get through this exam could get through anything.

The exam used to consist of 250 questions.  That was back when it was paper-based.  These days, there are computer-based exams, and candidates can get through in as few as 100 questions.

The exam is multiple-choice.  When I say that, most people think that means it's an easy exam.  That is definitely not the case.  Over the years, preparing testing instruments for a wide variety of courses, the multiple choice exam has come to be my testing instrument of choice. It's much harder to write, for the instructor, but if you do it properly, it is the most reliable.  I, and a number of the other exam instructors, spend a considerable time getting students prepared for the style of the questions that they will see.  Each question has the question, maybe with a bit of background, and then four options to choose from.

Again, most people think that a multiple-choice exam is going to be easy.  Far from it.  Sometimes you are presented with four correct answers.  You have to choose the answer that is most correct out of those four correct options.  Sometimes you are presented with a question that gives you four wrong answers as possibilities.  You have to select the answer that is the least wrong among the four wrong options.  One of the other instructors characterises these questions as "which answer stinks the least".

The kind of questions that give you four correct answers, or four incorrect answers, can be extremely challenging.  Candidates will agonise over the choices.  All four answers are correct.  Which answer is the *most* correct?  How do you even determine an answer to the question, "most correct?"

Most correct tends to mean that it is the answer that will provide the most benefit, if the question calls for a benefit, in the most situations, to most companies and most individuals trying to protect those companies.

So, I hear you ask, "What has this to do with the Christian life?"  Once again, it has a lot to do with the Christian life.  A lot of times, in life, we are presented with multiple options.  Sometimes we are presented with a number of seemingly equally correct and valid options to follow.  Which one do we choose?  Sometimes we are presented with a huge range of wrong or impossible options.  Which do we choose?  Which is the lesser of two, or a great many, evils?

In dealing with the question of the exam, we do tend to tell the students that you should not overthink the question.  Do not agonize too long over the answer.  Do not think, and rethink, and second guess yourself to the point where you are paralyzed by indecision.  One of the things that we tend to tell the candidates is that, if you have any chance of getting through the exam at all, very often your first response to the question is, in fact, the correct one.

It is the same with the Christian life.  Do not beat yourself up over the options.  Maybe the options are all correct, but you ask yourself, which path is the path that God wants me to follow?  Again, sometimes all of the paths before you, all of the options, appear to be wrong, but you have to do something.  What do you do?  Which do you choose, among a range of bad options?

The thing is, you have to answer.  You have to choose.  You have to make a choice and make a decision, and sometimes there is actually no perfect decision to make.  We live in a fallen world.  Do not try to find the perfect answer.  If the perfect answer is not one of the options before you, then you cannot pick the perfect answer.  This often happens in the exam as well.  Students who try and force one of the available options to be the "perfect" answer are the ones who make mistakes.

In terms of the exam, we tell students that if you really cannot figure out how to answer the question, then just guess.  If you just guess, you have a twenty-five percent chance of getting the right answer and the points that you would get for that answer.  If you do nothing, if you do not choose, then you get nothing.  You get zero.  In a sense, it is the same in life.  If you do nothing, then you get nothing.  If you do not choose, then you choose nothing.  There is a similarity here to the parable of the servant who, given a certain amount of money, wraps it in a cloth and buries it, thinking that it will be safe.  Of course, he is told that he has done wrong because he could have invested the money with the bankers, and then at least there would be a bit of interest.

In the same way, in the Christian life, if we do not have a perfect solution before us, it is because we live in a fallen and sinful world.  We have to pick the best option available to us, and then go on.  Don't do nothing.  Never let what you can't do prevent you from doing what you can do.  As Voltaire tells us, "the best is the enemy of the good."  And James as well: James 4:17 “If anyone knows the good they ought to do and doesn’t do it, it is sin.”

I have, elsewhere, mentioned that, following Gloria's death, in trying to determine what I should do in terms of rebuilding my life, someone mentioned the passage in Philippians about whatever is pure, think on these things.  I took this as an indication that I should de-emphasise my work in information security.  Later, certain events seem to indicate that this was, in fact, the wrong choice.  That I should be continuing with my information security work, but possibly in a different way.

At the moment, I am writing sermons based on specific lessons out of my seminar materials for the study of information security.  I am going through my curriculum for information security, with all of its frauds, scams, attacks, and adversaries, and using those concepts to create and write sermons, one of which is this one.  Did I make the wrong choice?  Did I make the right choice?  Only God can answer that question.  I certainly don't know for sure, but it certainly seems that the advice, and my interpretation of it, was holding me back from what God might be now directing me to.  It might be that I needed a delay in order to do this, and that God provided that delay.  Once again, I don't know, but what I can say is that, presented with any range of options, in our fallen, sinful world, all that we can do is to pick the path which, in our current state of fragmentary knowledge and understanding of God's will, does look like the best.  Even if it's the best among a range of bad options, or a range of good options, of which we can take only one.

I spent the day recently with a young man who is trying to consider how best to live and structure his life.  He is a thoughtful young man, and although he does not have a vast range of experience, he is considering his whole life: should he marry?  What kind of business should he be involved in?  Should he be pursuing business primarily, or charitable endeavours?  He is faced with many options.  A number of them are good, but he can only pick one.  There is only one that he can concentrate all his energies on.  Which one should it be?

You don't have to be young to face this kind of paralyzing indecision.  After Gloria died, a friend told me that now I had the chance to reinvent myself.  I knew what he meant, since he himself had lost two wives and a son in the course of his life.  My first reaction was, "Thanks, but I'll pass on the opportunity."  That ship had sailed.  That wasn't an option.

Now, what do I do with my life?  I am writing the words to sermons that nobody hears.  I am writing seminars, and materials for them, that no one ever attends.  I am working with volunteer organizations which are falling apart for lack of volunteers and lack of funding.

At one point, many years ago, I was working in a place where I could ride my bike to work.  One time Gloria needed to come and pick me up after work.  As we headed home, we reached a point on Boundary Road in Vancouver where you could see pretty much my entire bicycling route stretched out ahead of me, terminating at a point high in the North Shore Mountains.  She burst out, "How do you possibly keep going when you know that you have to drive all of that?"  I replied, "You don't drive all of that.  You look at the road twenty feet ahead of you, and you drive that."

Often, our paralyzing indecision comes from the consideration of "all of that."  Our entire life stretches out before us, and we think that the choice that we make now will determine what we do for our entire future.  That is seldom the case.  I take issue with the career planners who say that you need to plan, very early, in great detail, how your life is going to work.  If you do not, you will not be a success.  I never wanted to be a teacher because my parents weren't particularly good at it, and certainly didn't love it.  When I was forced into it, I loved it.  I thought my life was over when I got fired from teaching. The fact that I got fired from teaching resulted in me teaching on six continents.  All my life I seem to have been forced into situations, and often jobs, that I would not have chosen.  Looking back, it is astonishing to consider how perfectly chosen all of them were.

It's almost as if somebody else knew the right answer.


Theological Lessons from Information Security

Sermon - TLIS - 0.1.1 - Security is a hindrance with no benefit

Sermon - TLIS - 0.2 / 47 - Integrity/Robert Slade is a world renowned speaker

Sermon - TLIS - 1.1.2 - Management Planning: Operational, Tactical, Strategic

Sermon - TLIS - 1.1.3 - Functional and Assurance Requirements

Sermon TLIS - 1.1.5 - "Footprints" and key performance indicators/metrics

Sermon - TLIS - 1.1.7 - Security Frameworks

Sermon - TLIS - 1.2.1 / 34 - Edit, Audit, Prophet

Sermon - TLIS - 1.2.6 - Security awareness, training, education

Sermon - TLIS - 1.5.1 - Manage Everything

Sermon - TLIS - 1.7.1 - Organizational Roles and Body Parts



Sermon - TLIS - 9.8.5 / 73 - Muster station, safe and secure

Sermon - TLIS - 10.3.1 - Intellectual Property

Sermon - TLIS - 10.5.1 - Privacy

Sermon TLIS - 10.6.1 / 54 - Liability and Negligence



Posted by at No comments:

Saturday, April 11, 2026

Sermon - TLIS - 0.1.1 - Security is a hindrance with no benefit

Sermon - TLIS - 0.1.1 - Security is a hindrance with no benefit

Leviticus 18:5
Keep my decrees and laws, for the person who obeys them will live by them. I am the Lord.

Deuteronomy 4:8
And what other nation is so great as to have such righteous decrees and laws as this body of laws I am setting before you today?

Joshua 1:7
Be strong and very courageous. Be careful to obey all the law my servant Moses gave you; do not turn from it to the right or to the left, that you may be successful wherever you go.

Joshua 24:15
But if serving the Lord seems undesirable to you, then choose for yourselves this day whom you will serve, whether the gods your ancestors served beyond the Euphrates, or the gods of the Amorites, in whose land you are living. But as for me and my household, we will serve the Lord.

Matthew 22:37-40
Jesus replied: “‘Love the Lord your God with all your heart and with all your soul and with all your mind.’  This is the first and greatest commandment.  And the second is like it: ‘Love your neighbor as yourself.’  All the Law and the Prophets hang on these two commandments.”


Business men do not understand security.  As I have mentioned elsewhere, frequently, I do not understand this lack of understanding on their part.  Managers in a business, whatever they manage, whatever level they manage, manage two things: one is risk and the other is people.  They may possibly manage some other things, but they have to manage these.  We, in security, manage risk.  We are doing half of the job of management.  Why is it that business people so signally fail to understand security?

One of the major areas of misunderstanding is that business people, and employees and workers in the business as well, see security only as impeding the business in some way.  Workers tend to see security as setting up requirements that only hinder them in the performance of their jobs.  Employees, generally speaking, want to do their jobs and do their jobs correctly.  They see the requirements that we, in the security field, set up, as being a hindrance and impedance and drag on their ability to perform their job.

Given this perception, it is no wonder that nobody likes security.  The problem is, the perception is wrong.

Security is not just an impedance or hindrance with no benefit.  Security is there, in fact, to ensure that the workers and employees can continue to do their jobs.  We, in the security field, set up policies, procedures, login requirements, and other aspects of security so that someone from the outside of the company, who may be intent on stealing resources or information from the company, or trying to create trouble for our company, is not able to do so.

When we ask a normal worker to use the assigned login credential and to choose a strong password that they can remember, we are trying to ensure that nobody from outside will be able to use that login credential, guess the worker's password, and then use that credential in order to steal resources, delete information, corrupt information, or do various kinds of damage to our systems and information bases.  We are trying to protect the company, and we are trying to protect not only the worker's job, but their ability to perform their job.

But, business people, business owners, managers, and even employees and workers see security as a hindrance to the smooth operations of the business.  Not only that, particularly in regard to the managers, they see security as a cost centre.  It is an expense and does not return any value.  There is no revenue generated by having people do their jobs in a secure manner.  At least that's the way most managers see it.  The fact that, if security does not protect the systems and then somebody does attack the systems, nobody is going to make any revenue at all, doesn't seem to enter their consideration.

We probably don't do ourselves any favour, in the security field, by saying, when management comes to us and says that they want absolute 100% guaranteed security for their systems, that this is impossible.  We, in the field, know that 100% perfection simply isn't achievable.  The closer you want to get to that impossible standard, the more expensive it becomes.

Part of our job is to do cost-benefit analysis.  We have established security protection to a certain level, and it costs a certain amount of money or resources.  We then have to consider: if we increase the security, how much is that going to cost the company?  How much benefit will the extra protection bring to the company?

Once again, you are going to be asking yourself, and me, "What does this have to do with Christianity?"  Well, most people see Christianity as a hindrance as well.  Christianity, and religion in general, are seen as a "no fun" state of mind.  This is a philosophy which says that anything that is fun is bad.  Religion, overall, is seen as a whole series of "thou shalt nots".  That's the way that we are perceived.

And, of course, this attitude is also incorrect.

God has not laid down the law so that we can have no fun.  God has provided his law and direction to us so that we can have the most fun that there is: in a relationship with Him.

Let's take some of the aspects of modern life that people consider to be antithetical to the Christian way of doing things, or that the Christian way of doing things is antithetical to modern life.  Allow me to use one particular example: alcohol.

I don't drink.  In my case, it's not so much that my family didn't drink, although they didn't, but the fact that, by the time I got into university and was going to parties where drinking was available, I had already taken organic chemistry.  When I was offered various alcoholic drinks, all that I could taste was industrial solvent.  I couldn't really see the point in trying to develop a taste for the stuff, and so I didn't.

But, of course, most people do, and most people don't see anything wrong with drinking.  And, indeed, there isn't necessarily anything wrong with drinking.  Drinking to excess does create problems, but alcohol, in and of itself, is not necessarily a bad thing.  Yes, wine is certainly consumed in the Bible, and anyone who says that all of the mentions of wine in the Bible are actually just references to grape juice are definitely fooling themselves.  There isn't really anything wrong with alcohol per se.

My dad was a teacher, and then a principal.  He, as a principal, was responsible for staff parties, to a certain extent.  He hosted a couple every year.  My family did not drink alcohol, so these parties were dry parties.  There were no alcoholic beverages served at these parties, particularly when they were at my parents' house.

I taught in another school, with a different principal.  That principal made his own wine, and his wine was fairly famous among the school staff for being particularly strong in terms of its alcoholic content.  It was also considered to be rather raw on the throat, but I'll have to take somebody else's word for that, because of course I never drank any of the stuff.

The point is simply that here are two situations, with two people in the same job, creating two very different types of parties.  My dad's parties were dry.  The other principal's parties were definitely alcohol-soaked.

My parents recounted that, among the staff members, there were comments to the effect that they really appreciated the fact that the parties were dry.  There was no trouble at the parties, nobody ever got drunk, and there were no unpleasant incidents at these parties.  I don't want to say that having alcohol at a party inevitably leads to unpleasant consequences, but there is certainly a great deal of evidence that suggests that it does happen on occasion.  If there is no alcohol, these types of consequences can't arise.

So people at my parents' parties tended to have more fun.  Without unpleasant aftereffects.

When I worked in logging camps, there was a lot of drinking that went on.  Even when the camp was supposedly a dry camp, alcohol got smuggled in on a regular basis and was definitely consumed.  The loggers would show up in my office in the morning stating that they got a bottle of alcohol and had a wonderful time last night!  That statement would be followed up by one of two options explaining why they had a wonderful time last night.  Option A was that I'm sick as a dog this morning.  Option B was that I can't remember what I did last night.

I never understood the logic behind those two justifications proving that they had a wonderful time the night before.

I'm not sure that I picked the right rule when I picked on alcohol.  After all, there isn't any actual commandment against drinking.  (Not unless you consider Proverbs 31:4 it is not for Kings; Lemuel it is not for Kings to drink wine not for rulers to crave beer.)  It isn't a major problem for an awful lot of people.  It's a problem for society overall, and it's a terrible problem for some people.  But it isn't exactly universal.

Pride.  Possibly I should have picked on pride.  But that's a lot more complex.

In any case, there are all kinds of things that we could pick on.  The point is not any specific sin or commandment.  Any specific issue even.  The point that I want to make is that what God tells us to do is, as I have noted in a different sermon, for our own good.  God's directions to us are not a heavy-handed person yelling at us to keep off his lawn, but a parent, giving us advice that will help us in life.

There is another point to be made here with respect to the issues and approach of security.  I have mentioned that a lot of people ask us to give them 100% guaranteed protection, and have mentioned that there is no such thing.  In the same way, there is no such thing as 100% righteousness.  Well, there is, for God, of course.  But not for us.  And that presents us with a little bit of a problem in terms of people saying, "Well, if we cannot be righteous, then why even try?"  The answer is that we should always strive for perfection, even though we are pretty sure we are never going to meet it.

And, of course, there is more benefit to Christianity.  In the same way that there is more benefit to a business in having security then simply the protection of assets.  Security, by forcing you to study what is and isn't important in your business, and what are and aren't important assets, forces you to understand more about your business, and therefore make better business decisions.

In the same way, there are more benefits to Christianity.  There is the relationship with God, to begin with.  There is support and provision from God.  Not that it doesn't come to those who don't believe in him, it just has to come a little bit more indirectly.

There are somewhat intangible and ineffable benefits.  I really enjoy CS Lewis's Narnia chronicles, the series that is most identified by the book "The Lion the Witch and the Wardrobe."  Those who love the series probably have a favorite scene in it.  My own favorite scene is one from one of the lesser known books, and even within that book it is probably a scene that is passed over in many times.  In it, the characters have been captured, and an evil witch is attempting to gaslight them, and convince them that there is no Narnia, there is no overworld (they are being held underground).  A character, deliberately injuring himself in order to clear his mind, makes an absolutely impassioned and beautiful speech about how if the sun and sky and Narnia and other aspects of believing in Narnia (which stands in for a belief in Christianity in the books) are all such false childish imaginings, then it's rather odd that their fictional imaginings are so much better and more substantial than the world they see around him them.

God is not anti-fun.  God loves us.  God wants us to be happy and has made all kinds of provisions for us to make us happy.  God's directions are not to stop us from having fun, but to ensure that we can continue to enjoy all the wonderful things he has provided for us.


See also: Sermon 45 - The Difficulties of Law


Theological Lessons from Information Security

Sermon - TLIS - 0.2 / 47 - Integrity/Robert Slade is a world renowned speaker

Sermon - TLIS - 0.7.3 - Four right answers on CISSP questions

Sermon - TLIS - 1.1.2 - Management Planning: Operational, Tactical, Strategic

Sermon - TLIS - 1.1.3 - Functional and Assurance Requirements

Sermon TLIS - 1.1.5 - "Footprints" and key performance indicators/metrics

Sermon - TLIS - 1.1.7 - Security Frameworks

Sermon - TLIS - 1.2.1 / 34 - Edit, Audit, Prophet

Sermon - TLIS - 1.2.6 - Security awareness, training, education

Sermon - TLIS - 1.5.1 - Manage Everything

Sermon - TLIS - 1.7.1 - Organizational Roles and Body Parts



Sermon - TLIS - 9.8.5 / 73 - Muster station, safe and secure

Sermon - TLIS - 10.3.1 - Intellectual Property

Sermon - TLIS - 10.5.1 - Privacy

Sermon TLIS - 10.6.1 / 54 - Liability and Negligence



Posted by at No comments:
Subscribe to: Comments (Atom)