Security Innovation?

I migrated to a new job recently.  My previous job was "Chief Security Strategist."  Sounds linear, logical and pompous.  If you know me at all, the title doesn’t exactly fit me well.  I’m a fuzzy-logic, paint with a broad brush, and a reasonably palatable fellow.

My new title, which I created, is Chief Architect, Security Innovation.  I like this title because it means I think about things in a manner that implies they are going to be built.  It’s also somewhat of an odd title, because when most people think of security, the last thing they expect to hear is the word "innovation" bolted onto the end of it.

Normally, one might expect to find words and phrases like "speed bump, insurance, pain, slow, firewall, policies, police, annoying, abrasive, and cost-center" associated with security.  But innovation?

Nobody really believes that security can be innovative, do they?  I do.

I like this word, what it stands for and what it means to security and the people who try and make a difference when implementing it with passion, and it is the focus of this post.  I think the reason security isn’t thought of as being innovative is that the people making the decisions don’t let themselves innovate!

Read on.

I’m driven by a fanatic gravitational attraction to change and enjoy being a catalyst for new thought, different ways of thinking and encouraging people to push harder and smarter in order to produce better output for any given input.  I like to solve problems; usually in the simplest way possible.  Often times, the simplest answers are the hardest to come by.  I don’t think it’s a question of "thinking outside the box."  I think it’s more an issue of allowing oneself to pretend there isn’t a box at all.

Some people mistake what I described above as a focus on being more efficient, but to me, efficiency is a by-product of innovation and innovative methods of problem solving.

People approach problem solving in many different ways.  Some like to noodle on a problem space and reason logically over a period of time, considering all empirical elements and paths leading to what may be multiple solutions and then choosing one as the recommended response.

Others like to drive to a solution as quickly as possible, thin-slicing their way to a terminus using instinct, intuition and adjacency to arrive at an answer a priori.

I’ll ask you to think about how you approach problem solving within the scope of your career. Since most of the folks who read this blog are in some manner security focused, think about your last complex security problem set as you read this.  Did you take your time or were you pushed (or push yourself) to snap-to and deliver a solution?

Guy Kawasaki’s blog turned me on to a really fascinating manifesto by Matthew May titled "Mind of the Innovator: Taming the Traps of Traditional Thinking," which is a really great follow-on to his book titled "The Elegant Solution."

"Mind of the Innovator…" provides a frank and compelling perspective on how people solve problems, and is illustrated by describing the seven deadly sins people commit when challenged.

The thing that really intrigued me about this piece is that anyone can arrive at a solution.  However, simple, elegant and creative solutions to problems usually don’t arrive easily and without complex thought distilled.  Worse yet, humans are generally horrible creatures of habit and revert to mental muscle memory to arrive at an answer and that’s not good creative problem solving, either.

I do hope Guy forgives me, but rather than try and imitate his summary of these sins, I am going to re-post his version here because, as usual, he’s done a fantastic job in doing so.

From Guy’s blog, here is a summary of Matthew May’s 7 deadly sins of problem solving:

  1. Shortcutting. Leaping to solutions in an
    instinctive way or intuitive way—i.e. the “blink” method of
    problem-solving—seldom leads to an elegant solution because deeper,
    hidden causes don’t get addressed. Watch CSI and House: first they
    collect the evidence, then diagnose, and then solve. It’s never the guy
    or the disease you initially suspect.

  2. Blindspots. Blindspots are the umbrella term
    for assumptions, biases, and mindsets that we cannot see through or
    around. Our brain does a lot of “filling in” for us because it’s a
    pattern maker and recognizer. Ths cn b hrd fr ppl t cmprhnd, hwvr, mst
    cn ndrstntd ths sntnc wth lttl prblm. But clear thinking involves more
    than simply filling in spaces in words.

  3. Not Invented Here (N.I.H.). NIH means that you
    refuse to consider solutions that are from external sources. It means
    “If we didn’t come up with it, it won’t work. It is of no use.” Next
    time you’re waiting for an elevator, watch someone walk up and hit the
    button even though it’s already lit. We often don’t trust others’
    solutions!

  4. Satisficing. Ever wonder why some solutions
    lack inspiration, imagination, and originality? It’s because by nature
    we satisfice—satisfy plus suffice. We glom on to what’s easy and stop
    looking for the optimal solution. What’s the least number of “sticks”
    you need to move to make this Roman numeral equation correct? XI + I =
    X. If you answered anything but zero, you satisficed. Look at it upside
    down.

  5. Downgrading. Downgrading is the close cousin of
    satisficing but with a twist: a formal revision of the goal or
    situation. Reason? No one likes to fail. Result? We fall short of the
    killer app, so we pick the one that allows us to declare victory. Next
    time you’re playing hockey or football, try winning the game by hitting
    the outside of the post or taking the ball down to the one-yard line.

  6. Complicating. Why do we overthink, complicate,
    and add cost? And why do we ALL do it so intuitively, naturally, and
    (here’s the killer) consistently? Answer: we’re hardwired that way. Our
    brains are designed to drive hoarding, storing, accumulating, and
    collecting-type behavior. We are by nature “do more/add on” types.
    Don’t believe it? Watch the customers at Costco or Sam’s Club buy
    thirty-six rolls of toilet paper.

  7. Stifling. We do naturally do the “Yeah, but..”
    dance in which we stifle, dismiss, and second-guess ideas. It’s
    ideacide, pure and simple. And it’s not just others’ ideas we stifle;
    we often do it to our own and kick ourselves later when someone else
    “steals” our great idea. Remember how Decca Records rejected the
    Beatles? “Guitar bands are on the way out.”

So, the next time you’re asked to solve a problem, don’t fall victim to these traps.

As an overly simple example, perhaps next time you’re faced with a security problem to solve, think different; instead of deploying that $50,000 firewall as an autonomic solution to protect a web-based application because that’s what we’re programmed to do, fix the application’s input validation instead and use an ACL in a router? 

Just a thought.  Think.

/Hoff

  1. August 11th, 2007 at 18:28 | #1

    What do you mean nobody really believes security can be innovative? Of course we do. Well, some of us does. Probably not a large majority; but a small and vocal minority definitely does.
    We're small, we're loud, we're fuzzy. Or something.

  2. Arthur
    August 13th, 2007 at 17:45 | #2

    I really enjoy Matthew May's writing. I completely ate up his manifesto about Toyota and he had me completely hooked on this one until the stupid toothpicks problem. He couldn't come up with a better example? Like turning the whole thing over doesn't count as moving everything? It's yet again an example of why "thinking outside the box" has become a cliche. A training class at a former employer actually made a box on the floor using masking tape and then had people stand in it to understand the concept of thinking inside vs outside the box. Just ridiculous.

  3. August 13th, 2007 at 18:42 | #3

    I once had a group of employees duct tape one another to a box full of Doritos and dishwashing detergent.
    I instructed them that within 15 minutes they were to figure out how to wash a load of delicates and prepare a delicious snack featuring finger foods with a Latin twist.
    2.5 hours later I received a call whilst I sipped a Mojito, nibbling on empanadas while having my drycleaning done. It's good to be King.
    The point? Don't listen to some A-Hole that encourages you to perform S&M Corporate bravado to impress someone; solve a business problem…like how to expense the entire boondoggle in the first place.
    I liked the point of my point — don't F it up for everyone else, Art. Sheesh. 😉
    /Hoff

  4. August 15th, 2007 at 05:52 | #4

    Rational Security: Security Innovation?

    Some people think that they are the lunatic fringe. Mr Hoff states: Nobody really believes that security can be innovative, do they? I do.
    The next thing we'll be hearing is that rational security = security innovation or to simplify: Rational …

  6. August 16th, 2007 at 06:41 | #6

    Grats!
    Hrm, is that a new pic, or have I just not been looking at your site lately? And is that a full sleeve I see? Hrm, my image of you was all wrong! 🙂 I called you "squirrel" in my journal; but I think I need to change that now…

  7. August 16th, 2007 at 06:43 | #7

    Those 7 sins re-emphasize to me something simple that I like to keep in mind: get shit done. Of course, that means getting it done well…but still, get shit done.

  8. August 16th, 2007 at 07:04 | #8

    @LV:
    1) Yes, that's a new picture. People kept running into me and 1/2 an hour later realized who I was. Now they can avoid me up front since they know what I look like…or target me in the scope more easily.
    2) Yes, that's a full sleeve…amongst others.
    Squirrel!? Oh, great… 😉
