“The only real security that a man can have in this world is a reserve of knowledge, experience and ability.“ — Henry Ford I am lucky to have the opportunity to meet with all kinds of people in my job. I met professionals in different fields, mostly IT-related. I am considered one of the IT guys, but with one difference. You may argue that cybersecurity is, no matter what, a computer-related field. To me, cybersecurity is more like security in general than IT. The Infosec guys try to keep a distance from the system team or network team because what we are handling, by default, is a completely distinct “problem.” If you use an engineering mindset to think about the security problem, you would probably make more than solving one. We cannot solve the problem if we use the wrong mindset. An engineering mindset is a constructive, practical, and efficient way of thinking that could apply to all industries to make things work. In contrast, a security mindset is risk-based, contextual, and ultimately ensures nothing happens. An Engineering Mindset — the Problem-Solving Attitude Engineers practice a novel form of thinking based on They see structures that aren’t obvious to us, and they know how to design under limitations, prioritizing them. Adopting an engineering mindset can benefit you in any field. They work with the goal of “How” in different areas. perceiving everything as a system. Thinking in Systems Thinking in systems requires the ability to break down and construct a problem. This turns out to be the best thing for troubleshooting in which an engineer needs to peel down the problem into smaller parts and investigate from the modules. When there is a black-box situation where the processes are unknown, “reverse engineering” is the thinking to reconstruct the processes from inputs and outputs. When looking at things with an engineering mindset, you break them down and put them back together. Visualizing Structures Structured systems-level thinking would acknowledge how the system's elements are connected logically, whether it is separated in time, in sequence, or function, the structure's conditions to work fine. This is the key to why engineers construct models —by that, they can have structured conversations based on reality. Critically, visualizing a structure should have the wisdom of knowing when a structure is worthy or when it isn’t. Limitations and Constraints While the real world is full of limitations and constraints that break or make things, engineers are the ones who make things work. They make design priorities and allocate resources by ferreting out the inadequate goals among stronger ones. Engineers are supposed to create the best desirable results under the given conditions. They need to design to specifications and entail trade-offs. For example, choosing the strongest materials as a laptop case might be too heavy to carry; a beautiful and elegant design may also be too expensive. A Security Mindset — The Guy With The Most Negative Attitude A security mindset, on the other hand, is about thinking everything will fail eventually. Like a mother would always worry about her children, people with a security mindset think for the worst. Take “Zero Trust Architecture” (ZTA) as an example, according to NIST : SP800–207 Zero trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated. This basically tells the system to because everyone is suspicious. ZTA also assumes the defenses in place are already compromised. trust no one It would help if you had someone who can prepare for the worst to work in security as incidents won’t happen every day, or in most cases, won’t happen at all. It would be best if you were particular about the choices or suggestions based on the different contextual information you had. The Best in Cybersecurity = Nothing Happens Let’s talk about what it is like to become a security professional. Ten years ago, when I was studying for my Master of Computer Forensics, the professor once said, It was only a funny sentence at that moment, but it is wisdom when I looked back now. “The best security happens when nothing happens.” If everything is working according to plan, there would be no security outbreak. Security professionals, should not be handling security incidents all day. What is more important should be security planning and design. ideally, That is the process of allocating resources such as time and human resources to maximize visibility. What is the most frightening thing about a human being? You can try to answer it by thinking about scary movies. The one thing in common is the unexpected shock or suddenly appeared ghost/ monster or sudden death of a character. As humans, what we do not know — the unknown is what we truly afraid of. In a security professional’s daily work, our primary goal is not to ensure everything is running as expected but to . When everything is well-considered and properly handled, the IT department should be happy and running as usual —nothing happens. make sure the unexpected or unknown are minimized or mitigated From Paranoid Kid to Cybersecurity Professional My mum is an ordinary housewife with a security mindset. She was very natural with that kind of thinking and taught me to think alike when I was young. That should be what people called . social intelligence She told me to be careful when going out alone. She asked me not to walk straight in the direction of our apartment once leaving the elevator if someone is behind you. I took it all the way, at all times. I would imagine myself in all kinds of troubles and how to get out. I realized that was what I taught the others after formally learned about security concepts. To others, it may be paranoid or negative, but that is what we need in Cybersecurity. It is perhaps the best way of thinking for genuine security professionals. Final Words To enhance the cybersecurity posture, we need the best of both worlds. On the one hand, we must implement security measures in a cost-effective and timely manner; We also need to prepare for the worst situation and the “what if.” As I said before, the one thing that makes you a great cybersecurity professional is . I am not saying which one is better, but knowing the difference could help allocating resources to solve different problems. a security mindset When in practice, we could keep this final goal in mind. As a security engineer: to implement the security solutions properly; to work on assurance testing and fail-over scenarios. As a security consultant: to review and maintain the security landscapes; to understand nothing is fixed permanently, thus requires continuous improvement. As a security architect: to make decisions based on boundaries and constraints; to adopt frameworks such as Zero Trust that assume the worst natively. Thank you for reading. May InfoSec be with you 🖖. Also published at https://medium.com/technology-hits/difference-between-engineering-and-security-mindsets-f1f7ee7ac625

Timely

Interested in Infosec & Biohacking. Security Architect by profession. Love reading and running.

2021 - HackerNoon Contributor of the Year - CULTURE

2022 - HackerNoon Contributor of the Year - Beginners Guide

2022 - HackerNoon Contributor of the Year - Containers

2022 - HackerNoon Contributor of the Year - Cybersecurity

2022 - HackerNoon Contributor of the Year - Data Privacy

2022 - HackerNoon Contributor of the Year - Privacy

2022 - HackerNoon Contributor of the Year - Security

Support Me on Coil

2021 - HackerNoon Contributor of the Year - PERSONAL-DATA

Nominated for 2022 - HackerNoon Contributor of the Year - Cybersecurity

Nominated for 2022 - HackerNoon Contributor of the Year - Security

Nominated for 2022 - HackerNoon Contributor of the Year - Privacy

Nominated for 2022 - HackerNoon Contributor of the Year - Beginners Guide

Nominated for 2022 - HackerNoon Contributor of the Year - Containers

Nominated for 2022 - HackerNoon Contributor of the Year - Data Privacy

Too Long; Didn't Read

A CyberSecurity Mindset  May Involve Being The Guy With The Most Negative Attitude

A CyberSecurity Mindset May Involve Being The Guy With The Most Negative Attitude

Too Long; Didn't Read

Company Mentioned

@z3nch4n

RELATED STORIES