I’ve always considered myself a pragmatist. Perhaps not surprisingly, I have also always been a big fan of pragmatism. I guess one goes along with the other. A pragmatist is defined as “a person who is oriented toward the success or failure of a particular line of action, thought, etc.; a practical person.” Aside from being a useful worldview, I would argue that being a pragmatist is the only way to improve the security posture of an organization. How can I make such a statement? Allow me to explain.
Before diving into this topic, perhaps it makes sense to begin by examining the portion of the definition that reads “oriented toward the success or failure of a particular line of action”. To put it another way, a pragmatist is someone who focuses primarily on successfully achieving a desired goal or a desired outcome. As many of us are aware, this almost always involves working collaboratively with others, making compromises, hard choices, difficult decisions, and perhaps most importantly, not being an ideologue. Achieving gains in any field involves stepping away from ideology, and security is no exception. The focus shifts from one of doing things a certain way to one of achieving a successful outcome, even if it necessitates reasonable concessions that may feel a bit uncomfortable initially.
I’d like to help illustrate this concept through an example. Recently, I observed a discussion on security improvements to a publicly facing portal between several different people from various different places around the security community. The person responsible for the security improvements decided to share some details around steps that were taken to improve authentication to the portal, as well as its overall security. The details shared also included issues and challenges that were encountered, along with how they were addressed. To my surprise, what was shared was met with a chorus of complaints and criticisms, rather than praise, from many in the group.
Actually, now that I think about it a bit more, I don’t know why I was surprised at all by this reaction. Not because I agree with the reaction, but rather, because I should know better by now. Sometimes it seems like the security field is dominated by ideologues, even though I know that the silent majority of practitioners is out there listening. Perhaps it was naive of me to expect a room full of ideologues to understand the business side of things that the brave practitioner needed to grapple with. It is true that those of us that make real-world decisions also have to make real-world compromises. But, in our defense, we are focused on the end goal of improving security. We can’t always control every detail of how that gets done in the end, and we can’t always have everything exactly the way we want it. I don’t see this as a negative, but instead, as a big positive.
To understand this a bit better, let’s return to the example of the publicly facing portal discussed above. In this specific case, the company running the portal is, understandably so, extremely sensitive to the customer experience. In highly competitive industries, companies strive to find creative ways to beat out the competition. Ease of use for a customer is just one of the many different points that companies compete on. Given the pressure on the business, the revenue from which funds security, it’s easy to see how being an ideologue just won’t work here. Perfect security on the portal is never going to happen. So, let’s boil it down to its essence. The security professional faces two choices:
1. Be a pragmatist, work collaboratively with the business to understand constraints and priorities, and focus on how security can be improved within that framework, or...
2. Be an ideologue, don’t seek to understand the constraints and priorities of the business, and demand changes that will not fit within the framework that the business is operating in.
Which approach do you think will land better results?
Whether we’re working on securing an enterprise, looking to gain visibility and response capability during a move to the cloud, trying to make software more secure, improving the security of web applications, building a security operations and incident response program, or any of the other important undertakings in the security field, we need to work as a partner and an advisor to the business. Time and time again, this has shown itself to be the only proven way to make progress toward the end goal of improving the organization’s security posture.
The modern security practitioner needs to be a pragmatist that works with the business to improve security without negatively impacting the business. Now, more than ever before. Or, to put things a bit differently: What has two or three decades of ideology gotten us? Has it motivated the majority of organizations to proactively identify vulnerabilities and close those holes? No. Has it motivated the majority of organizations to continuously monitor for intrusions and prepare to investigate and respond to them? No. Has it reduced the number of breaches and put a stop to the theft of sensitive, confidential, and proprietary information? No.
We’ve been so busy with ideology that we’ve forgotten to focus on what’s important -- our end goals and the outcomes we desire. Most business people understand risk mitigation quite well. You’d be surprised what happens when you work collaboratively with the business. Educating the business about the risks and threats they face and constructively helping them to work towards mitigating those risks and threats has been repeatedly proven to improve security in practice. Despite this, we seem to have become the profession of no, mocking all those who make difficult choices and work collaboratively with the business. That has to change if we’re going to have any long-term impact and success.