Safety and Security, Part I
Originally posted at Reciprocal Strategies. The safety world has learned over time that complex socio-technical systems resist simple, linear models and rational, reductive fixes. For the most part, we believe the security world has yet to learn this lesson. In a series of future posts, we plan to explore the following questions:
What are complex systems, and how do they fail?
What can we do to understand complex systems better?
How do safety professionals approach complex systems, and to what degree can we adapt their approaches to security?
Before going there, it's worth raising the question of why so many security professionals continue to overlook the full implications of the complex, socio-technical systems they're tasked to secure. The proximate answer is that they're simply too busy running from one "fire" to the next. A deeper answer probably involves some mix of the following:
human cognitive limitations (bounded rationality);
a lack of relevant training;
constantly moving targets;
rapidly evolving threats;
static, linear compliance and auditing requirements; and
a preference for strictly technical frameworks and solutions.
Of course, nothing quite inhibits the growth of a new concept like the curse of "success." Does anyone know an out-of-work sysadmin? How about an underemployed pentester? Industry's throwing a lot of money at security professionals these days. That's both good and bad--good because work gets done, bad because it feeds the all-too-common young-gun swagger. After all, if the current approach sells, it must work; why rethink the paradigm?
Here's why: complexity bites back. We're playing a game that shifts faster than we can react, yet we persist in viewing the problem through our certification-throttled lenses. Maybe we do have something to learn, and maybe our safety colleagues can teach it to us.
Watch for more soon, and be sure to check out our current services and training courses over at Reciprocal Strategies.