Saturday, December 15, 2012

Well, it's been another great week in cyberspace.  Yes, I jest.

This week I got a call from an "Expert in Cyber security".   I hung up after 45 seconds since I consider the term "Expert in Cyber security" a double nested contradiction in terms!  (Ok. It wasn't really 45 seconds but it was as quick as I could while being relatively polite.  I was introduced once as an "Expert in Cyber security".  I insisted the introduction be retracted before I started my talk.)

Folks, I don't see many things getting better.  Consultants like to talk about industry best practices.  Speaking from experience, most companies who have been breached thought they were doing industry best practices in cyber defense at the time.  AND THEY STILL GOT BREACHED.  HELLO?

Let's stop fooling around and let's dump the term industry best practice.  Let's call it what it really is: INDUSTRY MOST PREVALENT PRACTICES.  Not best, just prevalent.  Ok?

So we have been talking about paradigms, Thomas Kuhn, scientific reductionist thinking, Descartes, Bacon, and the fact that our current cyber defense model is in crisis.  That model, the current dominant paradigm and what everyone tells their auditors, is that all assets can be and are being equally defended through the use of a common perimeter.  Think about that.

If you are a front line practitioner, you are underfunded and overworked.  You bought the latest tool sets only to find they came complete with unintended consequences.

No wonder you are underfunded.  All funding flows from internal audit, and they are being told the current paradigm of uniform defense through a common perimeter holds.  So why would you need more money?

I really love it when clients tell me how important this all is because they have to brief their board of directors.  Seriously?

In my talks I sometimes use this photograph:

[photograph not preserved]
When it comes to malicious cyber activity, many companies think the bad guys have entered our safe environment.  You might consider that actually we are doing business in their world.  Think about it.

If you could actually defend your assets perfectly, what would you do and what would you do differently?

Stay tuned.


Tuesday, December 4, 2012

Peter Drucker

I read today Peter Drucker taught that senior executives should spend one half of their time alone thinking problems through. Okay.

I was also thinking about mature companies that have withstood the test of time and who are now passing over the top of the "S" curve.  Do any companies immediately come to mind?

Mature companies that have withstood the test of time really don't need great executives and leaders.  However, in many cases they have them anyway.

"Back in the day", large stable companies gave managers the time to properly develop and to properly season.  Obviously that is no longer the case today.

For instance, I just read that the average chief marketing officer is in the job for about two years.  So it's clearly either produce results or get out.

Do you ever wonder where this is all leading?

No wonder cyber security executives really don't have time to think through the issues.

Michael Kohl
678-770-6200

Sunday, December 2, 2012

On Paradigms


Thomas S. Kuhn
American Physicist
Creator of the word "Paradigm"

To understand where cyber security needs to go, let's go a bit deeper into the term paradigm.  Paradigm means the sum totality of what everyone knows to be true.


Rene Descartes

We are currently living during the later stages of the scientific industrial paradigm.  So follow along for a moment.  The scientific industrial paradigm was in part ushered in by Rene Descartes (1596-1650) writing his "Discourse on the Method" in 1637 and introducing our current 3-space X axis, Y axis, Z axis "Cartesian" coordinate system.


Francis Bacon

In the same historical period, Francis Bacon (1561-1626) wrote his "Novum Organum" in 1620.  Combined, these two works contributed profoundly to bringing Europe out of the dark ages and into the age of reason.  Descartes and Bacon provided foundational bases for the Scientific Method, which helped drive us to our current scientific industrial paradigm.

The Scientific Method (which we were all taught as scientists and engineers) features reductionist thinking, under which problems are broken into smaller (supposedly) more easily solvable pieces.  Without dispute, the Scientific Method and reductionist problem solving have contributed greatly to technological progress since the mid-1600s.

Unfortunately, malicious activity in cyberspace by nation states, hacktivists, and cyber criminals is demanding that we quickly and profoundly evaluate our current defensive approach to vital information infrastructures.  Incremental improvement in cyber defense substantially lags behind the acceleration and sophistication of offensive technique.

***************
THOUGHT EXPERIMENT:   Pause for a moment and think of the current dominant paradigm (what no one would ever question) concerning the state of cyber security defense.  Name some cyber security defensive systems, processes and practices that are never questioned by cyber defense practitioners.
***************

In my last post I mentioned that Thomas Kuhn (1922-1996), the American-born, Harvard-educated physicist, first introduced the term "Paradigm" into our vocabulary in his 1962 book, "The Structure of Scientific Revolutions".

In that book Kuhn also gave us the Kuhn Cycle.  The Kuhn Cycle describes the major phases we experience when long-held belief and practice clash with contradictory experience.  Kuhn postulated that Normal Science (and engineering, I might add) proceeds along using the scientific method and reductionist problem solving.  As enough problems have been reduced to smaller and smaller pieces, certain observations and results begin to appear that cause our model to drift from the norm.  When enough of these divergent observations and results have accumulated, we have a model that is termed "in crisis".

With a model in crisis, change in thought and practice becomes acceptable again and we move to a model revolution.  As the revolution matures comes the leap to a paradigm shift and the adoption of a new normal science and engineering.

I believe we are currently experiencing the model crisis phase of the Kuhn Cycle as it relates to cyber security enterprise defense.

In my current role as a senior executive on the AT&T Security Solutions team, I meet with Chief Security Officers of large corporations.  Although I cannot and will not reveal the details of those discussions, I will comment that those discussions are congruent with the above thought trail.

In my next post I will introduce a very strong force that is currently disrupting the linear thinking of the scientific industrial paradigm.  I believe you will quickly connect the dots as to the applicability of that new force in driving a new and better cyber security paradigm.

Friday, November 23, 2012

The purpose in this blog


The purpose of this blog is not to gain agreement nor to stimulate disagreement.  Its true purpose is to encourage pathways and distinctions that allow executives and security practitioners to creatively think differently.

To the best of my ability I am attempting to apply the laws of complex systems that I've learned to our pressing challenges in cyber security.  Many like me, who have been trained in complex systems thinking, are currently working on predicting the weather, the migratory patterns of animal herds, neuroscience, or the mass movement of financial markets.


My major hypothesis is that complex systems thinking is applicable to cyber defense.
You see, "different isn't always better but better is always different."  Agreed?
My hypothesis further includes my belief that in order to change the current offensive and defensive reactionary game being played in cyberspace, we need to subvert the dominant cyber paradigm.

The term paradigm was first introduced into our vocabulary by Thomas Kuhn in his 1962 book "The Structure of Scientific Revolutions".  The book should constitute mandatory reading for all cyber professionals.
Essentially, Thomas Kuhn defines the term paradigm as those beliefs about any subject which will never be questioned as to their truthfulness.  I'm talking here about commonly accepted facts.

In my next entry I'll talk about the nature of the reactive games currently ongoing in cyberspace.