Think 10,000 hours makes you an expert ? It doesn’t.

Mark Cutting Analysis, Licensing, Management, Mentoring, Strategy, Technology, Training 4 Comments

One thing I’ve seen a lot of lately is the “expert” myth being touted on LinkedIn and Twitter. Originating from psychologist K. Anders Ericsson who studied the way people become experts in their fields, and then discussed by Malcolm Gladwell in the book, “Outliers“, “to become an expert it takes 10,000 hours (or approximately 10 years) of deliberate practice”.

This paradigm (if you can indeed call it that) has been adopted by several so called “experts” – mostly those within the Information Security and GDPR fields. This article isn’t about GDPR (for once), but mostly those who consider themselves “experts” by virtue of the acronym. Nobody should proclaim themselves a GDPR “expert”. You cannot be an expert in something that isn’t actually legally binding until May 25 2018, nor can you have sufficient time invested to be an expert since inception in my view. Nobody knows how many iterations and changes there will be once this new regulation goes live (and I’m guessing there will be a few where the policy just isn’t enforceable for a variety of reasons that have been overlooked in the original mandate).

Consultant ? Possibly, yes. Expert ? No.

The associated sales campaign isn’t much better, and can be aligned to the children’s book “Chicken Licken”.

For those unfamiliar with this concept, here is a walkthrough. I’m sure you’ll understand why I choose a children’s story in this case, as it seems to fit the bill very well. What I’ve seen over the last 12 months had been nothing short of amazing – but not in the sense of outstanding. I could align GDPR here to the PPI claims furore – for anyone unfamiliar with what this “uprising” is, here’s a synopsis.

The “expert” fallacy

Payment Protection Insurance (PPI) is the insurance sold alongside credit cards, loans and other finance agreements to ensure payments are made if the borrower is unable to make them due to sickness or unemployment. The PPI scandal has its roots set back as far as 1998, although compensatory payments did not officially start until 2011 once the review and court appeal process was completed. Since the deadline for PPI claims has been announced as August 2019, the campaign has become intensively aggressive, with, it would seem, thousands of PPI “experts”. Again, I would question the authenticity of such a title. It seems that everyone is doing it, therefore, it must be easy to attain (a bit like the CISSP then, which I get into here and here).

I witnessed the same shark pool of so called “experts” before, back in the day when Y2K was the latest buzzword on everyone’s lips. Years of aggressive selling campaigns and similarly, years of FUD (Fear, Uncertainty, Doubt – more effectively known as complete bulls…) caused an unprecedented spike that allowed companies and consultants (several of whom had never been heard of before) to suddenly appear out of the woodwork and assume the identity of “experts” in this field. In reality, it’s not possible to be a subject matter expert in a particular field or niche market unless you have extensive experience. If you compare a weapons expert to a GDPR “expert”, you’ll see just how weak this paradigm actually is. A weapons expert will have years of knowledge in a field, and could probably tell you which gun discharged a bullet just by looking at the expended shell casing. I very much doubt a self styled GDPR expert can tell you what will happen in the event of an unknown scenario around the framework and the specific legal rights (in terms of the individual who the data belongs to) and implications for the institution affected. How can they when nobody has even been exposed to such a scenario before ? This makes a GDPR expert in my view about as plausible as a Brexit expert specialising in Article 50.

What defines an expert ?

The focal point here is in the comparison. A weapons expert can be given a gun and a sample of shell casings, then asked to determine if the suspected weapon actually fired the supplied ammunition or not. Using a process of proven identification techniques, the expert can then determine if the gun provided is indeed the origin. This information is derived by using established identity techniques from the indentations and markings in the shell casing created by the gun barrel from which the bullet was expelled, velocity, angle, and speed measurements obtained from firing the weapon. The impact of the bullet and exit damage is also analysed to determine a match based on material and critical evidence. Given the knowledge and experience level required to produce such results, how long do you think it took to reach this unrivalled plateau ?

An expert isn’t solely based on knowledge. It’s not solely based on experience either. In fact, it’s a deep mixture of both. Deep in the sense of the subject matter comprehension, and how to execute that same understanding along with real life experience to obtain the optimum result. Here’s an example  

An information technology expert should be able to

  • Identify and eliminate potential bottlenecks
  • Address security concerns,
  • Design high availability
  • Factor in extensible scalability
  • Consider risk to adjacent and disparate technology and conduct analysis
  • Ensure that any design proposal meets both the current criteria and beyond
  • Understand the business need for technology and be able to support it

If I leveraged external consultancy for a project, I’d expect all of the above and probably more from anyone who labels themselves as an expert – or for that fact, an architect. Sadly, I’ve been disappointed on numerous occasions throughout my career where it became evident very quickly that the so called expert (who I hasten to add is earning more an hour than I do in a day in most cases) hired for his “expertise and superior knowledge” in fact appears to know far less than I do about the same topic.

How long does it really take to become an expert ?

I’ve been in the information technology and security field since I was 16. I’m now 44, meaning 28 years experience (well, 27 as this year isn’t over yet). If you consider that experience is acquired during an 8 hour day, and used the following equation to determine the amount of years needed to reach 10,000 hours

10000 / 8 / 365 = 3.4246575342 – for the sake of simple mathematics, let’s say 3.5 years.

However, in the initial calculation, it’s 10 years (using the basis of 90 minutes invested per day) – making the expert title when aligned to GDPR even more unrealistic. As the directive was adopted on the 27 April 2016, the elapsed time period isn’t even enough to carry the first figure cited at 3.5 years, irrespective of the second. The reality here is that no amount of time invested in anything is going to make your an expert if you do not possess the prerequisite skills and a thorough understanding based on previous events in order to supplement and bolster the initial investment. I could spend 10,000 practicing a particular sport – yet effectively suck at it because my body (If you’ve met me, you’d know why) isn’t designed for the activity I’m requesting it to perform. Just because I’ve spent 10,000 hours reading about something doesn’t make me an expert by any stretch of the imagination.

If I calculated the hours spanned over my career, I would arrive at the below. I’m basing this on an 8 hour day when in reality, most of my days are in fact much longer.

27 x 365 x 8 = 78,840 hours

Even when factoring in vacation based on 4 weeks per year (subject to variation, but I’ve gone for the mean average),

27 x 28 X 8 = 6,048 hours to subtract

This is only fair as you are not (supposed to be) working when on holiday. Even with this subtraction, the total is still 72,792 hours. Does my investment make me an expert ? I think so, yes – based on the fact that 27 years dedicated to one area would indicate a high level of experience and professional standard – both of which I constantly strive to maintain.

Still think 10,000 hours invested makes you an expert ? You decide ! What are your views around this ?

About the Author
Mark Cutting

Mark Cutting

Facebook Twitter Google+

Mark Cutting is the founder of and He is a network, security and infrastructure expert with more than 27 years service in the Information Technology sector. Mark has a significant eye for detail, coupled with an extensive skill set. Having worked in numerous industries including trading, finance, hedge funds, marketing, manufacturing and distribution, he has been exposed to a wide variety of environments and technologies alike.

Leave a Reply

2 Comment threads
2 Thread replies
Most reacted comment
Hottest comment thread
3 Comment authors
Sally TurnerMark CuttingSara Recent comment authors
newest oldest most voted
Notify of

You have worked 365 days a year for the last 27 years? Impressive! Why not also claim you work 24 hours a day then?

33 hours/week (London average) x 48 week/year * 27 years: Is about 43k hours not about 72k hours.

Is this how your clients are billed?

Sally Turner
Sally Turner

Absolutely brilliant article that really does explain away this constant myth :d It just goes to show that those who really consider themselves “experts”are alone in their thoughts. Very well written , concise, and certainly to the point.
@Sara – if you read the article properly, you’ll see that the formula used did indeed take into account vacation time, and was based on an 8 hour day ?

“Even when factoring in vacation based on 4 weeks per year (subject to variation, but I’ve gone for the mean average), 27 x 28 X 8 = 6,048 hours to subtract”