First-timers and one-timers

When I was going over the parallels between the numeric-control vs record-playback (NC vs RP) machine tools, there was a significant point of dissimilarity that was glossed over: machine tool inputs are known. The variable there is what you want to make with the material, the genius of the trained master being in how best to get from untouched stock to finished product. In IT, and especially in sifting through environmental data (config files, network traffic, what have you) trying to make sense of something you have seen or found, this is not the case: the input is not predictable. The special genius of the trained professional, here, is the finely honed ability to spot patterns in unfamiliar terrain.

Human pattern matching skill is truly phenomenal. Reading the sections on mushroom gathering in Michael Pollan's The Omnivore's Dilemma, one gains a real appreciation for just how quickly and thoroughly the human mind can, when presented with a new terrain, learn to spot the choice bits that mean something. These are skills that reach way back into humanity's evolutionary past, and are just as applicable to tracking rogue systems or misbehaving users through system logs as to tracking wild boars through a forest. Ideally, technologies will work with, support, and even enhance those skills. The skills are most critically important in the first-time scenario, where an administrator or engineer or security analyst first figures out what constitutes a meaningful track through the data underbrush. Like the making of a master die for a new machine part, this is a critical prerequisite for later automation of detection, logging, and (as needed) countermeasures. Unlike the design of a die via NC tools, where the part is exhaustively specified in the design phase to enable programming of a robot to cut the part, it is not possible to describe new attacks or misbehaviors in advance. They are unpredictable and so require a different approach.

Related to the first-time scenario is the one-time scenario, wherein an extensive effort is put in to identify something only to discover that, for whatever reason, it won't be reusable -- the quarry was chimerical, the seeming trail a series of coincidences. In this case, the expert has learned more about pattern matching, and lost nothing but a bit of time. The master die cutter has gotten a bit more practice. There is no loss except time, and some return on that time, even if no copies of the part are ever made. In an NC world, by contrast, the same (and much more significant) amount of effort goes into the specification of a part that will be cut only once as into a part that will be cut ten thousand times.

In either case, how well the masters' available tools support the efficient focus of that skilled mind on the material to be searched and understood can make a significant difference to how long it takes to determine whether the search is one-time or first-time.
