An ancient proverb: If you want to know what water is, don’t ask a fish.
In other words, the power of the hidden hand of culture is in its hiddenness. “It’s not culture, it’s just common sense/self-evident/the way it is”, we might hear someone say. Is that true? And what’s this got to do with security?
As someone who is both American and British, I can tell you 100% for certain that what people assume is “just the way it is” is not at all the way it is on the other side of the Atlantic. Anaïs Nin put it best: “We don’t see things as they are, we see things as we are.”
And it happens in your business, too. I routinely work with security organizations who will argue that something cannot be done, while their competitors down the street are doing it.
So the hidden hand of culture, which shapes and informs our perception of what is doable, must be challenged. But it must be challenged intentionally and proactively, because, like the fish, we ourselves will not recognize the biases that have been imparted to us by our proverbial fishbowl.
In my experience, security organizations tend to act based on (in order of prevalence):
- The way they’ve approached similar challenges in the past
- Their own understanding (rightly or wrongly) of the technical and regulatory landscape
- The degree to which they understand and are influenced by non-security business objectives (security organizations are notoriously terrible at this), and
- Their organization’s capacity for change.
Three actions to consider:
- Convenient, comfortable architecture patterns/solutions should be viewed as inherently suspicious. Challenge them on purpose, to make sure you really understand the hidden organizational/technical biases behind them.
- Ask experts outside your fishbowl for their take, especially about what they see happening cross-industry, and get curious (vs. defensive) if their input doesn’t align with your plans/expectations.
- Change is never sensible to the people who have a vested interest in keeping things the way they are. It doesn’t mean they’re obstructionists, it usually means they’re experts—experts in how it’s done today. Change is threatening and scary because you must become an amateur again. There is personal and corporate risk associated with this. But it takes an immense amount of energy to escape the gravity of the status quo (bodies at rest tend to stay at rest), and change often violates what seems sensible. If something ambitious is ever going to happen it will need to happen over the objections of the sensible. Be prepared for some people to call you reckless.