Blogger: Eric Maiwald
I was catching up on my reading when I came across a short piece in the IEEE Spectrum magazine by Robert Lucky. In the article, Mr. Lucky describes problems that are so complex that they cannot be fully solved – he calls these problems “wicked problems.” While reading the article I kept coming back to the old joke about security engineering – cheaper, faster, or secure…choose any two.
In this article, Mr. Lucky talks about really hard problems that often have no elegant solution, only different sub-optimal options. “Entanglement” is a word he uses to describe how these problems (and their solutions) influence other things outside of our normal boundaries. He notes that to approach such a problem, we often draw boxes around the parts of the problem we control. That sounds a lot like how some organizations approach IT problems – this is a security problem, or a network problem, or a development problem.
But the problems we deal with are not really that cut and dried. Should I use virtualization in my data center? If you only look at power and space consumption in the data center, the answer is an obvious yes. But what about other concerns like security? Did the virtual environments just circumvent all of the network security controls? What about service-oriented architectures? Good idea? Sure, but what does the use of services mean for the development process and for the implementation of controls? What about WAN optimization? Should I use it? Perhaps, but there are tradeoffs in its use (for example, don’t try to optimize an encrypted stream of data, because it won’t compress!). I could go on, but I think you get the idea and where I’m headed with this.
I’m sure you’ve heard the joke in security – cheaper, faster, or secure…choose any two. While we laugh at this (and mostly at the security person who dares to get in the way of doing things faster and cheaper), the joke illustrates the tradeoffs involved in all large system engineering or architecture projects. Unfortunately, unlike mathematics, where we can easily find the local maximum and therefore the optimal solution to a problem, engineering is a messy process that requires less-than-optimal solutions to these very hard problems.
So where am I going with this? In order to deal with these hard problems, security needs to work with the other IT disciplines. We need to identify the tradeoffs to be made and then choose the most appropriate solution based on the requirements from the business. In the end, many of the tradeoffs cannot be resolved by IT alone, so the business will have to be involved and will need to understand the impact of the decisions.

Hi Eric,
You rightly say that security needs to work with other IT disciplines and to understand the requirements from the business.
As this is lengthy work, and as it is possible to make mistakes in the interpretation of the requirements from the business, I would add that it is very important to be trusted with views of the strategy, both IT strategy and higher-level corporate strategy.
Aligning with a higher-level view is also profitable because it prevents you from aligning with a few persons' views, which could be misleading.
Of course, you still need to speak with other IT people and people from the business in order to understand more granular matters.
In summary, I would say that it's quite obvious that you need to understand global strategy when you work in a transverse field such as security.
BTW, if you're interested in wicked problems, the University of Toronto released a magazine about them last year. You have to order it, but the table of contents is at this address:
https://secure.e-registernow.com/M1260/Winter09_contents.pdf
Posted by: Christophe Pradier | July 21, 2009 at 03:50 AM