There is no pleasure in events bearing out the correctness of recommendations unheeded. For it is difficult to comprehend the wisdom, knowledge, and experience that gave rise to a suggested course of action which plies against the prevailing sentiments of bureaucratic management. What may seem obvious to a seasoned practitioner is the result of a complex distillation of accumulated knowledge and experience unique to the individual. Lest we be myopic about our own condition, we must also admit the same holds true for business managers and leadership. Taken to the extreme, technical expertise is separate from business management. Each is a construct of our own making, an alternate reality with different beliefs, motives, and priorities. In neither reality can the real-world problems of cybersecurity be solved by themselves. Cybersecurity is the epitome of an interdisciplinary pursuit. Solving cybersecurity problems requires straddling multiple alternate realities at once while holding the needs and wants of each in constant tension. This is life in the gray zone—the dominion of a multifaceted interdisciplinary Subject Matter Expert (SME).
Cyber threat intelligence around the publication of new vulnerabilities and exploits tends to be a fast-paced endeavor—an iterative collaboration among malware researchers, incident responders, platform experts, and individual contributors. It is a fascinating loosely orchestrated free-flowing affair that can be difficult to follow for the uninitiated. A solid base of knowledge and experience in the subject area combined with a modicum of social media savvy is required for organizing the data points and understanding often cryptic exchanges. It is analogous to the way in which intelligence services develop signals intelligence. Where the collection of raw bits and pieces of information, through a process of translation and analysis, finally coalesces into a coherent report. These expert assessments, or the unclassified versions thereof, are eventually what we might hear about in the news someday. As with signals intelligence, so it is with new vulnerabilities and exploits. Except new developments occur at break-neck speeds. Word of a vulnerability can spread, be researched, confirmed, developed, and with working exploits written in less than a day.
By comparison, bureaus move at a much slower and more deliberate pace. The colloquialism of moving at the speed of molasses in January springs to mind. There are natural reasons why this is the case. The inner workings of bureaus resonate with ancient motives set against a modern day palace courtyard. They are a reflection of our human condition. Of being at once the depth of all our failings and the height of our idealism about everything we aspire to be. This is the base condition of a bureaucratic organization. Should that sound too pessimistic, know that there are good people throughout their ranks willing to join with forthright efforts to move the organization forward. You can see them everywhere. They are the champions possessing the fortitude to have lasted long enough to gain wisdom about their own circumstances and be in a position to exert the right influence at the right time and to a degree necessary to have an impact. These people are the stalwart pillars of a bureaucracy and the levers by which it can be inched forward in the pressing matters of cybersecurity.
At the intersection of these opposite realities, the former of hyper elasticity and the latter of protracted political calculation, are the ranks of unsung heroes able to hear the messenger and act within their spheres of influence. Incremental micro action is the maverick methodology by which the behemoths of bureaucratic government gradually warm to the change of direction needed. Years of observation have led to one inescapable conclusion. New ways of operating are only enshrined in policy and adopted by the bureaucracy at large after the approach has already become the de facto standard championed by leaders in the organization. It is the role of the interdisciplinary SME to be an independent outside standard, to provide insights, and exert influence to benefit the whole. Such a SME must possess the wherewithal to deftly execute planting the seeds of change in fertile ground. What springs forth is a variety of flowering plant that grows larger and sturdier with each iteration until whole fields of support take root. Consistently providing good and timely information is the cybersecurity equivalent of heliotropism. Flowers move to follow the sun and sustain themselves through photosynthesis. Here is the dilemma of cybersecurity. The rates of change in the threat landscape far exceed those we can cultivate within a bureaucratic organization.
There is the hint of a solution to be found in the designs of late model automobiles. We can borrow a page from decades of automotive design evolution. Year after model year, we can observe a clear trend toward increasing simplicity, comfort, and accommodation. The advent of automatic transmissions and power steering lowered the barrier to entry and made driving motor vehicles more accessible to a broader base of consumers. This in turn grew markets and drove the demand for more innovation. Fast-forward decades to today where automobiles are equipped with latest technology. Cameras, sensors, and servo mechanisms are all attractively packaged into what are mobile computerized robotic systems ready to assist their human operators in an increasing number of driving tasks. This arrangement improves motor vehicle travel safety while simultaneously closing the skills gap. Sophisticated technology is being used to bridge between where people are and where they need to be to operate vehicles proficiently at high-speed in an increasingly hectic and distracted world. Upscale automobiles can even park and unpark themselves in tight spaces without driver assistance, and fully autonomous self-driving vehicles are on the horizon. The automation formula works because it requires much less effort to automate common tasks than it does to instill the same awareness, diligence, and skill into every vehicle operator.