The Importance of Tacit Knowledge in Security by Design
In Security by Design, the most effective security outcomes arise from the skilful interplay between explicit knowledge and tacit knowledge.

However, explicit knowledge alone is rarely enough to build truly resilient systems.
While explicit knowledge tells you what to do, tacit knowledge guides you on how and when to apply it effectively — and, crucially, when to deviate from the rules.
Building simple, secure IT solutions relies heavily on tacit knowledge. This form of knowledge—gained through hands-on experience, contextual awareness, and professional judgement—enables practitioners to interpret requirements, anticipate risks, and make appropriate trade-offs in ways that cannot be fully captured in documentation.
Large Language Models (LLMs), such as ChatGPT, operate primarily on explicit knowledge derived from patterns in data. While they can provide useful general guidance, they lack direct awareness of your organisation’s specific systems, threat landscape, and operational context. As a result, their outputs should not be treated as authoritative or context-complete security advice.
AI tools can support learning and exploration, but they must be used with caution. Security decisions should always be validated by experienced professionals who possess the tacit knowledge necessary to assess real-world implications. Over-reliance on automated suggestions, without critical evaluation, risks introducing gaps that may not be immediately visible.
In practice, Security by Design means combining the broad, accessible insights offered by tools with the deeper, experience-driven understanding held by practitioners.
Why Tacit Knowledge Matters for Security by Design
Relying solely on explicit knowledge creates a dangerous illusion of security. Teams may tick every box on a checklist and meet every compliance requirement, yet still introduce critical vulnerabilities because they lack the contextual awareness and critical thinking that tacit knowledge provides.
Real-world security decisions frequently occur in ambiguous, complex situations where no documented rule perfectly fits. It is tacit knowledge that enables engineers and architects to:
Recognise subtle design flaws that standard threat-modelling templates miss
Anticipate how real users (or attackers) will actually interact with the system
Make pragmatic risk decisions when perfect security conflicts with business needs
Adapt established practices to new technologies and emerging threats
Bridging the Gap: From Tacit to Explicit
The goal is not to eliminate tacit knowledge, but to nurture it and make as much of it as possible accessible to the wider team. Organisations that excel at Security by Design actively invest in converting valuable tacit knowledge into explicit forms, while simultaneously preserving and transmitting what remains inherently personal and experiential.
Effective approaches include:
Mentoring and shadowing programmes
Pair design and collaborative threat modelling sessions
Structured post-incident reviews and “blameless” retrospectives
Communities of practice and regular knowledge-sharing forums
Capturing design rationale (not just the decision, but why it was made)
These practices help surface hidden insights and gradually turn individual expertise into organisational capability.
The Optimal Balance
Robust Security by Design emerges from the synergy of both knowledge types:
Explicit knowledge provides the essential structure, consistency, and scalability.
Tacit knowledge supplies the depth, adaptability, judgement, and creative problem-solving required to deal with evolving and sophisticated threats.
Security leaders who understand this distinction move beyond simply mandating documentation and processes. They deliberately cultivate environments where experience is valued, reflection is encouraged, and knowledge flows naturally between individuals and teams.
