“The only real security that a man can have in this world is a reserve of knowledge, experience and ability.”
— Henry Ford
I am lucky to have the opportunity to meet with all kinds of people in my job. I have met professionals in different fields, mostly IT-related. I am considered one of the IT guys, but with one difference. You may argue that cybersecurity is, no matter what, a computer-related field. To me, cybersecurity is more like security in general than IT.
The Infosec guys try to keep a distance from the system team or network team because what we handle is, by default, a completely distinct “problem.” If you use an engineering mindset to think about a security problem, you would probably create more problems than you solve.
We cannot solve the problem if we use the wrong mindset. An engineering mindset is a constructive, practical, and efficient way of thinking that can be applied in any industry to make things work. In contrast, a security mindset is risk-based and contextual, and its ultimate aim is to ensure that nothing happens.
Engineers practice a distinctive form of thinking based on perceiving everything as a system. They see structures that are not obvious to the rest of us, and they know how to design under limitations by prioritizing among them. Adopting an engineering mindset can benefit you in any field. Whatever the area, engineers work toward the question of “how.”
Thinking in systems requires the ability to break a problem down and build it back up. This turns out to be the best approach to troubleshooting, in which an engineer needs to peel the problem apart into smaller parts and investigate module by module.
When there is a black-box situation in which the processes are unknown, “reverse engineering” is the way of thinking that reconstructs those processes from their inputs and outputs. Looking at things with an engineering mindset means breaking them down and putting them back together.
Structured, systems-level thinking recognizes how a system's elements are logically connected, whether they are separated in time, in sequence, or by function, and under what conditions the structure works properly.
This is the key to why engineers construct models: with a model, they can have structured conversations grounded in reality. Critically, anyone visualizing a structure should also have the wisdom to know when that structure is worthwhile and when it is not.
While the real world is full of limitations and constraints that make or break things, engineers are the ones who make things work. They set design priorities and allocate resources by weeding out the weaker goals in favour of the stronger ones.
Engineers are expected to produce the most desirable results under the given conditions. They design to specifications, which entails trade-offs. For example, the strongest material for a laptop case might be too heavy to carry, and a beautiful, elegant design might be too expensive.
A security mindset, on the other hand, is about assuming that everything will fail eventually. Like a mother who always worries about her children, people with a security mindset plan for the worst.
Take “Zero Trust Architecture” (ZTA) as an example. According to NIST SP 800-207:
Zero trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.
This basically tells the system to trust no one, because everyone is suspect. ZTA also assumes that the defenses in place are already compromised.
Security work needs people who can prepare for the worst, because incidents do not happen every day, and in most cases do not happen at all. It also needs people who are deliberate about their choices and recommendations, based on the contextual information available to them.
Let’s talk about what it is like to become a security professional. Ten years ago, when I was studying for my Master of Computer Forensics, the professor once said, “The best security happens when nothing happens.” It was only a funny sentence at that moment, but looking back now, it was wisdom.
If everything is working according to plan, there will be no security incident. Security professionals, ideally, should not be handling security incidents all day. What matters more is security planning and design: the process of allocating resources, such as time and people, to maximize visibility.
One way to see why the unknown matters is to think about scary movies. What they have in common is the unexpected: a shock, a ghost or monster that appears out of nowhere, or the sudden death of a character. As humans, what we do not know, the unknown, is what we are truly afraid of.
In a security professional’s daily work, our primary goal is not to ensure that everything is running as expected, but to make sure that the unexpected and the unknown are minimized or mitigated. When everything is well considered and properly handled, the IT department is happy and running as usual, and nothing happens.
My mum is an ordinary housewife with a security mindset. She was very natural with that kind of thinking and taught me to think alike when I was young. That should be what people call social intelligence.
She told me to be careful when going out alone. She asked me not to walk straight in the direction of our apartment after leaving the elevator if someone was behind me. I took it all the way, at all times. I would imagine myself in all kinds of trouble and how to get out of it.
After I formally learned about security concepts, I realized that this was what I was teaching others. To others, it may seem paranoid or negative, but that is what we need in cybersecurity. It is perhaps the best way of thinking for genuine security professionals.
To enhance our cybersecurity posture, we need the best of both worlds. On the one hand, we must implement security measures in a cost-effective and timely manner; on the other, we need to prepare for the worst situation and the “what if.”
As I said before, the one thing that makes you a great cybersecurity professional is a security mindset. I am not saying which mindset is better, but knowing the difference can help you allocate resources to solve different problems.
In practice, we can keep this final goal in mind.
As a security engineer:
As a security consultant:
As a security architect:
Thank you for reading. May InfoSec be with you 🖖.
Also published at https://medium.com/technology-hits/difference-between-engineering-and-security-mindsets-f1f7ee7ac625