Home > Innovation > Security Innovation?

Security Innovation?

I migrated to a new job recently.  My previous job was "Chief Security Strategist."  Sounds linear, logical and pompous.  If you know me at all, the title doesn’t exactly fit me well.  I’m a fuzzy-logic, paint with a broad brush, and a reasonably palatable fellow.

My new title, which I created, is Chief Architect, Security Innovation.  I like this title because it means I think about things in a manner that implies they are going to be built.   It’s also  somewhat of an odd title, because when most people think of security, the last thing they expect to hear is the word "innovation" bolted onto the end of it.

Normally, one might expect to find words and phrases like "speed bump, insurance, pain, slow, firewall, policies, police, annoying, abrasive, and cost-center" associated with security.  But innovation?

Nobody really believes that security can be innovative, do they?  I do.

I like this word, what it stands for and what it means to security and the people who try and make a difference when implementing it with passion, and it is the focus of this post.  I think the reason security isn’t thought of as being innovative is that the people making the decisions don’t let themselves innovate!

Read on.

I’m driven by a fanatic gravitational attraction to change and enjoy being a catalyst for new thought, different ways of thinking and encouraging people to push harder and smarter in order to produce better output for any given input.  I like to solve problems; usually in the simplest way possible.  Often times, the simplest answers are the hardest to come by.  I don’t think it’s a question of "thinking outside the box."  I think it’s more an issue of allowing oneself to pretend there isn’t a box at all.

Some people mistake what I described above as a focus on being more efficient, but to me, efficiency is a by-product of innovation and innovative methods of problem solving.

People approach problem solving in many different ways.  Some like to noodle on a problem space and reason logically over a period of time, considering all empirical elements and paths leading to what may be multiple solutions and then choosing one as the recommended response.

Others like to drive to a solution as quickly as possible, thin-slicing their way to a terminus using instinct, intuition and adjacency to arrive at an answer a priori.

I’ll ask you to think about how you approach problem solving within the scope of your career. Since most of the folks who read this blog are in some manner security focused, think about your last complex security problem set as you read this.  Did you take your time or were you pushed (or push yourself) to snap-to and deliver a solution?

Guy Kawasaki’s blog
turned me on to a really fascinating manifesto by Matthew May titled "Mind of the Innovator: Taming the Traps of Traditional Thinking" and is a really great follow-on to his book titled "The Elegant Solution."Elegantsolution

"Mind of the Innovator…" provides a frank and compelling perspective on how people solve problems, and is illustrated by describing the seven deadly sins people commit when challenged.

The thing that really intrigued me about this piece is that anyone can arrive at a solution.  However, simple, elegant and creative solutions to problems usually don’t arrive easily and without complex thought distilled.  Worse yet, humans are generally horrible creatures of habit and revert to mental muscle memory to arrive at an answer and that’s not good creative problem solving, either.

I do hope Guy forgives me, but rather than try and imitate his summary of these sins, I am going to re-post his version here because, as usual, he’s done a fantastic job in doing so.

From Guy’s blog, here is a summary of Matthew May’s 7 deadly sins of problem solving:

  1. Shortcutting. Leaping to solutions in an
    instinctive way or intuitive way—i.e. the “blink” method of
    problem-solving—seldom leads to an elegant solution because deeper,
    hidden causes don’t get addressed. Watch CSI and House: first they
    collect the evidence, then diagnose, and then solve. It’s never the guy
    or the disease you initially suspect.

  2. Blindspots. Blindspots are the umbrella term
    for assumptions, biases, and mindsets that we cannot see through or
    around. Our brain does a lot of “filling in” for us because it’s a
    pattern maker and recognizer. Ths cn b hrd fr ppl t cmprhnd, hwvr, mst
    cn ndrstntd ths sntnc wth lttl prblm. But clear thinking involves more
    than simply filling in spaces in words.

  3. Not Invented Here (N.I.H.). NIH means that you
    refuse to consider solutions that are from external sources. It means
    “If we didn’t come up with it, it won’t work. It is of no use.” Next
    time you’re waiting for an elevator, watch someone walk up and hit the
    button even though it’s already lit. We often don’t trust others’

  4. Satisficing. Ever wonder why some solutions
    lack inspiration, imagination, and originality? It’s because by nature
    we satisfice—satisfy plus suffice. We glom on to what’s easy and stop
    looking for the optimal solution. What’s the least number of “sticks”
    you need to move to make this Roman numeral equation correct? XI + I =
    X If you answered anything but zero, you satisficed. Look at it upside

  5. Downgrading. Downgrading is the close cousin of
    satisficing but with a twist: a formal revision of the goal or
    situation. Reason? No one likes to fail. Result? We fall short of the
    killer app, so we pick the one that allows us to declare victory. Next
    time you’re playing hockey or football, try winning the game by hitting
    the outside of the post or taking the ball down to the one-yard line.

  6. Complicating. Why do we overthink, complicate,
    and add cost? And why do we ALL do it so intuitively, naturally, and
    (here’s the killer) consistently? Answer: we’re hardwired that way. Our
    brains are designed to drive hoarding, storing, accumulating, and
    collecting-type behavior. We are by nature “do more/add on” types.
    Don’t believe it? Watch the customers at Costco or Sam’s Club buy
    thirty-six rolls of toilet paper.

  7. Stifling. We do naturally do the “Yeah, but..”
    dance in which we stifle, dismiss, and second-guess ideas. It’s
    ideacide, pure and simple. And it’s not just others’ ideas we stifle;
    we often do it to our own and kick ourselves later when someone else
    “steals” our great idea. Remember how Decca Records rejected the
    Beatles? “Guitar bands are on the way out.”

So, the next time you’re asked to solve a problem, don’t fall victim to these traps.

As an overly simple example, perhaps next time you’re faced with a security problem to solve, think different; instead of deploying that $50,000 firewall as an autonomic solution to protect a web-based application because that’s what we’re programmed to do, fix the application’s input validation instead and use an ACL in a router? 

Just a thought.  Think.


Categories: Innovation Tags:
  1. August 11th, 2007 at 18:28 | #1

    What do you mean nobody really believes security can be innovative? Of course we do. Well, some of us does. Probably not a large majority; but a small and vocal minority definitely does.
    We're small, we're loud, we're fuzzy. Or something.

  2. Arthur
    August 13th, 2007 at 17:45 | #2

    I really enjoy Matthew Mays' writing. I completely ate up his manifesto about Toyota and he had me completely hooked on this one until the stupid toothpicks problem. He couldn't come up with a better example? Like turning the whole thing over doesn't count as moving everything? It's yet again an example of why "thinking outside the box" has become a cliche. A training class at a former employer actually made box on the floor using masking tape and then had people stand in it to understand the concept of thinking inside vs outside the box. Just ridiculous.

  3. August 13th, 2007 at 18:42 | #3

    I once had a group of employees duct tape one another to a box full of Doritos and dishwashing detergent.
    I instructed them that within 15 minutes they were to figure out how to wash a load of delicates and prepare a delicious snack featuring finger foods with a Latin twist.
    2.5 hours later I received a call whilst I sipped a Mojito, nibbling on empanadas while having my drycleaning done. It's good to be King.
    The point? Don't listen to some A-Hole that encourages you to perform S&M Corporate bravado to impress someone; solve a business problem…like how to expense the entire boondoggle in the first place.
    I liked the point of my point — don't F it up for everyone else, Art. Sheesh. 😉

  4. August 15th, 2007 at 05:52 | #4

    Rational Security: Security Innovation?

    Some people think that they are the lunatic fringe. Mr Hoff states: Nobody really believes that security can be innovative, do they? I do.
    The next thing well be hearing is that rational security = security innovation or to simplify: Rational …

  5. August 15th, 2007 at 09:52 | #5

    Rational Security: Security Innovation?

    Some people think that they are the lunatic fringe. Mr Hoff states: Nobody really believes that security can be innovative, do they? I do.
    The next thing well be hearing is that rational security = security innovation or to simplify: Rational …

  6. August 16th, 2007 at 06:41 | #6

    Hrm, is that a new pic, or have I just not been looking at your site lately? And is that a full sleeve I see? Hrm, my image of you was all wrong! 🙂 I called you "squirrel" in my journal; but I think I need to change that now…

  7. August 16th, 2007 at 06:43 | #7

    Those 7 sins re-emphasize to me something simple that I like to keep in mind: get shit done. Of course, that means getting it done well…but still, get shit done.

  8. August 16th, 2007 at 07:04 | #8

    1) Yes, that's a new picture. People kept running into me and 1/2 an hour later realized who I was. Now they can avoid me up front since they know what I look like…or target me in the scope more easily.
    2) Yes, that's a full sleeve…amongst others.
    Squirrel!? Oh, great… 😉

  1. No trackbacks yet.