Tuesday, December 16, 2014

The Opportunity to Create

We work in a great profession in information security.  Unlike other professions which are bound by the physical world, we work with near limitless scope as infosec's context is not just spread out over the physical world, but also the digital.  In addition, we work in a profession whose challenges are not just static, caused by physical/technical constraints, but also dynamic, caused by the competing interests of different people.  However, that also hinders us in succeeding in our profession.

Information security has always had a combative context.  It's understandable as there is a clear offensive side, a clear defensive side, and rational actors existing on both sides.  We think about solutions in the context of winning the conflict.  This leads us to look for solutions based in force.  Either the force to overcome the other side's defenses or the force to absorb the other side's attacks.

There is another way, though.  Instead of thinking of conflict, we can think of building something that simply transcends the conflict.  The same way a dancer complements their partner's movements rather than forcing their partner to do what they want, we can think of information security as the opportunity to create something that transcends the combat; to create something that makes the combat a suboptimal solution to the goals of those participating in it.

I can't say I know what those solutions are.  I'm sure they are much harder to find than simple us versus them solutions.  However, I think the transcendentals are a good starting place:

  1. Goodness: Is the solution good?  (And not just in the moral relativistic sense that it is good in my own context, but in all stakeholder contexts.)
  2. Truth: Is the solution true?  (Again, not just in the relativistic sense.  It must be true for all stakeholders.)
  3. Beauty: Is the solution beautiful to all stakeholders?

However, the transcendentals are very abstract concepts to apply.  In our day-to-day work, the following tenets may be much easier to test:

  1. If we are thinking of how a solution helps us gain an advantage over someone or beat someone, it is not the right train of thought.
  2. Finding solutions should include thinking about all stakeholders on all sides of the conflict and their needs.
  3. Finding solutions should include thinking about how the capabilities of all stakeholders can be integrated to create something greater than the sum of the parts.
  4. The solutions may not be technical in nature and may require the inclusion of stakeholders with non-technical skills to implement.
  5. We should be prepared to compromise and sacrifice to find the solution.

Hopefully, by considering these tenets as we think of how to solve information security problems, we can find solutions which transcend the daily conflict of information security.  Hopefully we can find solutions which prevent conflict not because the risk of losing is too great, but because there is no incentive to engage in it.

So the next time you are trying to solve an information security problem, test your approach to finding a solution against the tenets above.  If you find that your approach is inconsistent with the tenets, consider what you could do to meet them.  The better a solution meets these tenets, the more likely it is to be a long-lasting solution.