After a decade of participating in certification workshops (and similar events like program and solution development), I have witnessed an interesting trend emerge: ask ten professionals to define a term or concept and get twelve answers. Rarely are these answers tied to a standard framework or definition; instead, they tend to be based on the experience of the expert being asked (or offering their opinion anyway). In my experience, the resulting workshops muddle the opinions together to produce a result people claim pride in (because they have their own opinion incorporated), but rather than building on the wheel we already have, they often reinvent it.
Note: this can be easily tested. With the new awareness of the trend, look for it during a meeting, workshop or even in the stream of answers given on a mailing list of professionals. In most cases there will be a flood of answers that *seem* correct, but lack references or links. While this is not always a bad thing, it often leads to confusion and complication.
While this may not happen to all groups, it certainly happens to a lot of them. Why else do we have so many frameworks to assess risk? When you really dig into them, they all advocate essentially the same thing, but with a variety of tools and ways to do it. Most “security” professionals feel that none of them is complete and continue to search for the holy grail (which means they decide to build it better).
This is an inherent challenge, and benefit, of working with a team of experienced, dedicated and passionate professionals: each has tremendous value to contribute based on their experience. The problem lies in distilling the various experiences into a useful solution instead of muddling them together into something that looks like the wheel we already have, but only slightly different (and not necessarily better).
In order to prevent the unnecessary reinvention of what already exists, and use time and resources to get better results, it is important to first understand the three main reasons this happens (tomorrow, we explore what to do about it):
1 – “Truthiness” Strikes Again!
If you have not (yet) watched The Colbert Report, “truthiness” is the term Stephen Colbert coined, defined as:
“things that a person claims to know intuitively or ‘from the gut’ without regard to evidence, logic, intellectual examination, or facts.” [http://en.wikipedia.org/wiki/Truthiness — this is entirely worth the quick read and consideration]
There is too much “truthiness” in security today, inherent in the myriad of certifications, frameworks and solutions, and in the industry overall. I suspect it is a result of asserting professional opinions combined with a [perceived] lack of time to back them up with references. This is, quite possibly, the single biggest challenge the industry faces right now: put enough experts in the room and everyone has an opinion that is a shade different from the others.
The paradox is that these different opinions are precisely what must be distilled to reach the core essence of an effective solution. These opinions need to be captured, tied back to references and distilled for their important elements. However, in a group setting of experts, each person has an innate desire to share valuable information and insights; everyone wants to be “right.” Just because someone “claims it so” doesn’t make it true (even if it is written on the Internet).
Truthiness brings an unintended consequence: personal emotional involvement. It is easy to make a statement of “fact”, but more difficult (albeit necessary) to back it up with references and data that support the point. Call it ego, passion or whatever you want. Whether relying on a priori or a posteriori knowledge (I had to look it up, too: http://en.wikipedia.org/wiki/A_priori_and_a_posteriori_%28philosophy%29 – hat tip: Lori Mac Vittie), individual emotion and reputation become entangled in the result; this introduces unnecessary complication that muddies the end result.
(Pick the Brain recently ran a great post about this: Is Truthiness Holding Back Your Blog? — if you’re not reading this regularly, you should consider it)
2 – Failure to Focus on Fundamentals
The value of pulling together a team of professionals lies in their collective experience. These experiences inform opinions that are important when used to explore or contrast fundamental concepts. The challenge is ensuring the opinions are couched properly and tied back to the appropriate fundamental concepts. All too often, fundamentals, which take time to review, distill and cite, are left by the wayside. People accept “close enough” as being “good enough,” when, in fact, it is not (well, except for horseshoes and hand grenades).
Over time, a tight grasp on fundamental concepts is loosened. As experience colors fundamental understanding, individuals accept “close enough” and rely on truthiness (after all, it works in their professional lives). Failing to focus on fundamentals (or at least reference sources) leads to confusion of language, resulting in wasted time and effort. This extends beyond the current session to future sessions, where the specifics of the discussion have long since been forgotten. By failing to establish anchors to accepted standards, definitions, resources or other fundamentals, the essence is lost. As a result, it is difficult, if not impossible, to make meaningful progress.
Using language to reach a truly common understanding requires constant and skillful negotiation. Success comes when those involved work together to build a common set of anchors. Without a similar frame or grounding to the same perspective, it becomes increasingly difficult to reach the same conclusion.
3 – Groupthink Prevails
“Groupthink is a type of thought exhibited by group members who try to minimize conflict and reach consensus without critically testing, analyzing, and evaluating ideas. During groupthink, members of the group avoid promoting viewpoints outside the comfort zone of consensus thinking. A variety of motives for this may exist such as a desire to avoid being seen as foolish, or a desire to avoid embarrassing or angering other members of the group. Groupthink may cause groups to make hasty, irrational decisions, where individual doubts are set aside, for fear of upsetting the group’s balance.” [http://en.wikipedia.org/wiki/Groupthink]
Here is where this applies: most of these groups have few arguments. The few challenges that exist tend to be heated and passionate discussions centered on two different positions, both relying on truthiness. The sad reality is that most people have forgotten (or never learned) how to challenge and argue effectively.
This lack of practice in arguing is further hampered by personal emotion. When the argument centers on a person's idea instead of on a fundamental concept and how it is applied, it feels like a personal attack to the person who suggested it. And sometimes, it probably _is_ a personal attack. Regardless, it does not represent a constructive approach toward real results.
Realizing the conflicts are unproductive (and sometimes uncomfortable), groupthink kicks in. It is further compounded by those less certain of the facts, who decide to remain quiet lest they be branded as unworthy of participation. The natural instinct is to presume the other person knows more and to avoid the embarrassment of being wrong. So instead of vigorous and productive conversation, the group is met with tacit approval (and sometimes whispers in the corners).
Passion expressed as truthiness that is not anchored to references gives way to groupthink. The resulting product often resembles a reinvented wheel, instead of a solution that takes advantage of the good wheels already developed.
Your New Wheel (wait, did you want a new wheel?)
What about personal pride and taking ownership of the solution?
While “ownership” is believed to lead to better results (the whole concept of responsibility addressed in Into the Breach), few people want to own the efforts of someone else. Personal investment clashes with the fashionable approach of rejecting solutions “not made here” (which would take another series to explore). Basically, everyone wants to build their own, better solution (for various reasons). Unfortunately, as the process unfolds, the three elements outlined above combine to create an end result that the very professionals involved often distance themselves from. Personal pride turns to hurt emotions and bitter feelings. And the search for a new solution kicks back in.
How to overcome these challenges and build a successful framework/solution will be tackled in the next segment.