Yes, Norbert, We Agree!
We continue to encounter CISOs and corporate leaders who believe security remains strictly a technical problem. While we agree that technical issues, challenges, and threats have broken security wide open, the way to fix a technical problem (long term) isn’t always with a technical fix.
As we’ve long said on RTJ, security is a systems issue. It involves technology and people and perspectives and decisions and communication and miscommunication and lifecycles and controls and management and conflicting requirements and the asymmetric evolution of subsystems and . . . on and on. Yet we continue to encounter CISOs and corporate leaders who believe security remains strictly a technical problem, and not just a technical problem but a technical problem whose solution is limited to the domain of a handful of technical certifications. As long as this belief persists, we’ll continue to fight uphill.
In the introduction to his 1948 book Cybernetics, Norbert Wiener offers insight into how overspecialization limits solutions and cross-domain collaboration encourages them. Specifically, he discusses how he pioneered cybernetics along with, among others, Dr. Arturo Rosenblueth, a physiologist. We quote liberally from this section of the book because Dr. Wiener is clearly passionate about the topic, and to simply paraphrase his words would lessen their impact.
For many years Dr. Rosenblueth and I had shared the conviction that the most fruitful areas for the growth of the sciences were those which had been neglected as a no-man’s land between the various established fields. (Wiener, 1948 2)
And how do these neglected areas persist? Specialists stick to their own domains, and specialists frequently fail to talk with other specialists:
[A specialist] will be filled with the jargon of his field, and will know all its literature and all its ramifications, but, more frequently than not, he will regard the next subject as something belonging to his colleague three doors down the corridor . . . (Wiener, 1948 2)
And here’s the heart of the issue: simply substitute physiologist with “pentester” and mathematician with “systems-oriented red teamer.” In this sense, we suspect that to some degree we continue to talk past pentesters, and they continue to talk past us.
If the difficulty of a physiological problem is mathematical in essence, ten physiologists ignorant of mathematics will get precisely so far as one physiologist ignorant of mathematics, and no further. If a physiologist who knows no mathematics works together with a mathematician who knows no physiology, the one will be unable to state his problem in terms that the other can manipulate, and the second will be unable to put the answers in any form that the first can understand. (Wiener, 1948 2)
This, in our opinion, is the equivalent of a call for a cross-domain security red team:
Dr. Rosenblueth has always insisted that a proper exploration of these blank spaces on the map of science could only be made by a team of scientists, each a specialist in his own field but each possessing a thoroughly sound and trained acquaintance with the fields of his neighbors; all in the habit of working together, of knowing one another’s intellectual customs, and of recognizing the significance of a colleague’s new suggestion before it has taken on a full formal expression. (Wiener, 1948 3)
And again . . .
We had dreamed for years of an institution of independent scientists, working together in one of these backwoods of science, not subordinates of some great executive officer, but joined by the desire, indeed by the spiritual necessity, to understand the region as a whole, and to lend one another the strength of that understanding. (Wiener, 1948 3)
We dream of something similar, only not for the purpose of furthering cybernetics (that’s been done) but for the purpose of tackling our current security challenges. Unfortunately, the message we hear again and again is “Dream on!”
Wiener, Norbert. Cybernetics. 1948. Cambridge, MA: The M.I.T. Press.