On Being Right or Being Complete

A Simple Rule for the Committed Person

 

The World is changing. I am sure you know this. Now, how it is changing and where it is going are open questions. Because they are open, because uncertainty reigns, should we abandon all hope and resign ourselves to a life of adaptation to “what is”?

Quite the contrary, for those like me who were formed during the Cold War, the current world is nothing if not completely changed, with a wider and wider horizon of countries rising to the challenge of development, autonomy and prosperity.

In this context, there are people who still think that identify progress with uni-polarity and “Westernisation,” and for whom the term “technology” has only one meaning.

But this world is ending, and this is having large impacts in Business and all the Professions. There is for example, silent change in the Security profession, a trend that ultimately will take her away from decadence, and restore it in its just place.

For in the past few decades, especially since the 1980´s the Security discipline became less and less a profession, and resembled more a salaried job, something we do to make a living, and not something we do in search of excellence. A good symptom that this decadence cannot last, is that it is possible to speak about it, to begin with. It is true, though that some problems can be addressed publicly, while others are discussed in hushed voices in private conversations, if at all.

The truth is that there is a crisis in the Security profession, one that is characterised by the trivialisation of our work, to the point that “being a Security specialist” is a contradiction in terms: you are a “specialist” and then, for example, you are concerned with such a small slice of the Security problematic, that your contributions dissolve in a vast sea of other “specialities” where it becomes irrelevant.

Crisis here means properly “choice,” so a great crisis is just a moment of great alternatives.

And the truth is that we have become like the people criticised by Miguel de Unamuno the Basque philosopher of the early XX Century, who identified the problem:

“For there are many who, while they go about looking out for I know not what  ideal—that is to say, fictitious duties and responsibilities—neglect the duty of putting their whole soul into the immediate and concrete business which furnishes them with a living; and the rest, the immense majority, perform their task perfunctorily, merely for the sake of nominally complying with their duty—para cumplir, a terribly immoral phrase—in order to get themselves out of a difficulty, to get the job done, to qualify for their wages without earning them, whether these wages be pecuniary or otherwise.”  – Miguel de Unamuno, “Tragic Sense of Life,” 1912.

In this incomplete, hidden debate I definitely take the side of those who seek completeness before “rightness,” because you can be right and not complete, like the proverbial clock that strikes the “right” time twice a day.

To be complete, above everything else is a question of method. To illustrate this I always tell my fiends how I realised about 12 years ago, while working for a large software and hardware vendor, that if their complete technology stack were implemented successfully in some client environment, the same would be necessarily flawed in terms of Security. And this would be so not because of some technological challenge or defect, but because the multiple pieces of the “portfolio” simply didn´t cooperate with each other and did not enable integrated monitoring or reporting. To be more precise: there was no way of monitoring user activity from one end to the other of the “architecture.”

What is Security for if it is not for user access control and monitoring? How can be declare a solution complete and “deployed” if it does not change the Assurance level of the organisation but perhaps even deteriorates it further?

For sure, recent trends in Security marketing have left us with increased emphasis on, “Intelligent” and “Adaptive” solutions, but all of these are partial and focused on this or that aspect of the business architecture. And people continue to ignore the fact that out of the whole of Security less that 25% –roughly—has anything to do with technology.

Hear for example the inflated claims of many SaaS-orientated technologies, positioning themselves as “Cloud security” devices, when in reality they hardly cover critical access routes and cloud infrastructure. Marketing defeats Security when we ignore this.

Security is complete or it is not “secure.” By this I don´t mean “absolute” Security, which does not exist. By “complete” I refer to the richness and encompassing power of the Security vision. So for example, a Security “delivery project” focused exclusively on the implementation of some limited mechanism, can hardly be classified as part of a Security vision, unless it covers the four characteristic areas of our activity, those of Direction (Strategy), Selection (Organisation), Protection (Technology) and Verification (Control).

I have proposed four “Perspectives” of Security as a way to re-orient our activities to what they should be. And this approach is characterised by something that can be called “poly-contexturality,” following the theories of two German thinkers Gotthard Günther and Niklas Luhmann.

Polycontextural is the method that aims at the totality of world views in their joint, co-dependent realisation. So for example, Security Monitoring is seen here as essentially correlated with the other three perspectives, those of Direction, Selection and Protection. And any deliverable in the realm of Verification (Monitoring) must be supported in actions and processes in the other three. The following diagram illustrates these points:

diag22

 

Yes, I know that such philosophical approaches are not welcome, or even are despised in our profession, but these are set here not to seek approval, but to challenge the current circumstances.

But, “halt”, some colleagues will say: How will that help us with this or that project? How do we implement the technologies that the clients have already chosen? Can you say anything about that?

Thanks to my long technical experience in many areas (also outside of Security) I am sure that I could speak quite a lot about “deploying” technologies and the like, but precisely because of this experience is that I am convinced that we are doing harm to our clients when we do not step back and re-consider the following:

Are we called Security professionals because we just “implement” technologies independently of their results? Are we complying with the ethical responsibilities of our company and our multiple affiliations just because we “dutifully” implement technologies that we have not evaluated? Are we recommending a solution even if we would not recommend it if we did the solution analysis and design?

Mind that I am not addressing here my own immediate colleagues but *all* the Security professionals, as we all are in the midst of this “crisis” in the Security profession. It is one that goes across the world and has no particular relationship with this or that company or country. No one is spared. It is a global crisis, and it is not one we can escape by “collective” or “organisational” or “business” measures. No amount of management can solve it, because this is a crisis at the level of the person.

The person is the root and the anchor of all action. It lies beneath the “individual,” as it is evident in modern corporations. These do not know the person and don´t need to know it, because it is outside of their realm. We come to work every day as persons, yes, because of our own motivations, but then we leave our hopes, dreams, desires and even principles outside of the entrance. And we become “individuals.” Organisational people, each one encased in his or her “own” isolation.

That is “normal.” Actually, Corporations could not operate –and much less globally– with persons! So I am not calling for some sort of retrogression to a past that is now lost in the post-national society. Let me emphasise: It is not “corporations” that I am blaming for the current situation. What I pointing to is to the fact that in acting as “individuals” in our business life, we are also draining this space of any ethical energy. You see: isolated, fragmented “individuals” do not have ethical desires, individuals do not strive and do not struggle for higher goals. Individuals do not have purposes but only consensus. Individuals are trend followers and risk-avoiders by definition.

It is the people themselves, under the pressures of current global society, who adopt the “individual” mask and hide their inner truth. Yet there is change, despite the limitations, and there are many who still project their life energy into their professional life, and thereby become examples of action.

My thesis around the Four Security Perspectives is only a tool to help others expand their vision and action. It cannot replace the person´s own impulse of the person´s own theories and beliefs. So, whatever I said about “philosophy can and must be assimilated in different forms. Precisely because of polycontexturality, there are no simple truths to convey to each other!

As there are other ways of saying the same:

“Frame Theory is a method that disavows, from the beginning, what most methods regard as essential: the guarantee of consistent outcome. Such methods are called ‘monothetic’, partly on behalf of this goal. Polythesis deals, however, with an ‘imperfect’ world where single effects can be the product of multiple causes, where single causes have multiple and changing effects, where some effects become causes and vice versa.”

 Donald Kunze,  http://art3idea.psu.edu/locus/frametheory_polythetic.pdf

 

So in Security we need our own Polythetic approach, where each side of the matter fully counts and where incomplete answers are disavowed. This is because, to be complete is to live on the real, on the multiple interactions of stances and points of view, to recognise and act in a multipolar world.

If not Security, then what other information technology discipline should be more sympathetic to this direction? None, because –considering everything we can do in IT– no other discipline demands our full attention to the context, the purpose, the time and the method of our action. Or, as I frequently say to drive a particular point: “Out of all the Security disciplines, Identity management –which is for me essentially Access enablement and control—is the one most affected by organisational concerns, and is also the one that impacts the organisation in the highest degree.”

And all of this can be put in a very simple way, as a rule for the committed person, the one striving for good, for art for art´s sake (as was customary to say years ago). This simple rule is that in choosing between being “right” and being “complete,” the committed person should always follow her or his conscience and choose being complete. Always and infallibly so.

Or, in different words: you can be complete and “right” insomuch as your action and thought are complete, but you cannot be complete and right, if your action  and though are only “right.” For, mind this, the completeness addressed here is the completeness of vision and action, of planning and executing, of sharing and monitoring. Not an abstract completion merely in thought or contemplation.

Already in past generations wise people understood this when they wrote these words: “May my speech be one with my mind, and may my mind be one with my speech.” (*)

This will save the Security profession in a new multipolar world.

 

(*) Aitareya Upanishad – 800 – 500 BCE