Tuesday, 31 October 2017

What Finnish School Children Can Teach The InfoSec Community

One of the plagues (in my humble opinion) within the InfoSec Community is compartmentalised thinking. We put different areas of our organisations into boxes and turn paradigms into silos. The artificial constructs, certification syllabi and schools of thought we subscribe to structure our thinking and limit our learning and interactions. This is not to say that any [particular] structured learning approach is wrong, but that we need to factor in the impact of these constructs on our thinking, learning and development as practitioners.
Alternative approaches to schooling have always fascinated me and made me somewhat envious of the beneficiaries. Consistently, research points towards the current approach to education as antiquated and at odds with the goals of inspiring learning and effective reasoning. It’s my belief that it’s never too late to fundamentally change your outlook and I’m consistently inspired by the innovative implementations of countries like Finland (and indeed, people I know in industry) to change the way I think, communicate and impart knowledge. This post talks about some of the different approaches to teaching / learning and how a joined-up approach can break damaging compartmentalised thinking.
Phenomenon-based Learning
The first thing I want to discuss is phenomenon-based learning. This approach was popularised by the Finnish schooling system in their National Curriculum Reforms in August 2016. The focus of ‘FBL’ is to improve the ‘authenticity’ of the learning experience, linking ideas to real-world scenarios and working in an interdisciplinary fashion.
The theory behind this approach is termed ‘constructivism’. In constructivism theory “learners are seen as active knowledge builders and information is seen as being constructed as a result of problem-solving, constructed out of ‘little pieces’ into a whole that suits the situation in which it is used at the time.”[1] The approach also focuses on social interactions as a conduit for learning, drawing inspiration from how our understanding of language is developed. Essentially, the idea is to replicate how we learn more naturally as humans by not pigeonholing subjects and concepts.
In Finnish schools, this doesn’t totally replace taught subjects, but it augments some wider ideas and links all sorts of different facets (the common example given is the European Union) to real-world ideas. More information on the specifics of the approach can be found here.
How Are We Getting It Wrong?
Similar to the way in which school subjects neatly put ideas in pigeonholes, Information Security creates paradigms, career paths and exam tracks that shape thinking. This can create narrow fields of view and subscription to pre-conceived ideas related to a particular approach. Put simply, we’re creating worker-bees in an industry that needs to be creative and collaborative, as well as regimented. I’m not saying that any and all frameworks are damaging or have no value, but we should not allow them to narrow our sights. I see these types of structures as useful references to help guide us to make the right decisions, rather than a messianic answer to security. As an example, Agile development is something that has crept into this category and become a lifestyle brand. I think the more niche the area, the higher the chances are that it will become a cult-like framework and subsume a portion of practitioners.
While security audit is a useful tool, and frankly the only reason why a lot of organisations bother doing any security at all, it can create the idea that security and compliance are the same thing. This is destructive thinking and also creates a lot of the issues we see whilst going about our daily business.
In my view, few approaches are as effective in exposing the lack of joined-up thinking and processes as a live fire exercise (such as Red Teaming and attack simulations). Over the years, as I’ve orchestrated and run an array of attack simulation campaigns for organisations of various sizes, a few things have become clear about the players in the game (although not all, it should be said). I use the pronoun ‘we’ as I think we’re all guilty of this sometimes.
  • We don’t talk to each other, especially outside of our business functions.
  • We don’t like to concern ourselves with the roles of people outside our business unit.
  • We label ourselves and define our intellectual sphere based on our job function.
  • We measure ourselves against an arbitrary standard (often certification paths).
  • We think it’s someone else’s job to join the dots and think about the bigger picture.
  • We think it’s not possible to know everything, so it’s better to specialise and know one thing well, sometimes avoiding learning on this basis.

I believe that this type of attitude / thinking is something we learn early on and is not something easily undone. I’d be so bold as to say that those who move outside this mind-set differentiate themselves, as people who’re useful in the security field vs. people who’re not. Moreover, the fundamental problem we have is the lack of quality thinkers who’re capable of creating holistic models and able to solve challenges collaboratively and creatively. I don’t think this issue is unique to security, but it’s certainly prolific and we’ve become a field that has more than its fair share of ill-suited people making up the numbers due to the skills gap. This probably sounds exceptionally harsh, but please let me explain. You could argue that this is real life and there’s always a bell curve within a group of people. However, is this a trend that’s mirrored in other high-end vocational jobs, such as Doctors, Neuroscientists or Chemical Engineers? Is our capability as an industry proportional to the stakes and do we offer good ROI? It’s something to ponder.
The Future is Purple (and other Polychromes)
In scientific research, an interdisciplinary approach has been commonplace since the early 90s. For example, Physics and Computing are combining to create quantum computers, and genetics and neuroscience are unravelling the functionality of the brain. Should a joined-up approach be reserved only for grand scientific challenges? I don’t believe so. Setting this in the context of an organisation that is a high value target, under attack from a capable adversary, we can discuss the changes in approach and how more authentic thought processes can assist.
Phenomena-based adoption can help us re-evaluate our role in the bigger picture and help the coordinators conceptualise things in a more realistic way. We need to approach our challenges holistically and without paradigm bias. We should ask ourselves questions like: how do we know we accurately understand the real threats? If I’m a SOC analyst, do I know what a threat actor is and their MO? If I’m in the DevOps team, should I care about security outside of Availability? If I configure the Internet border technologies, should I care about compromises in user LANs? How does my role fit with the rest of the organisation?
Additionally, we need to consider what information we are getting following an attack and whether we are able to process or even understand it. Often the answer is that it’s overwhelming, and we need outside help. In this case, the most effective approach is to utilise existing expertise and knowledge and combine forces with the ‘attackers’ to understand how they do what they do and how to detect and prevent it. In the security assessment world, this is often referred to as Purple teaming (from the Red Team vs. Blue Team colour mix). This approach gives great learning opportunities for the defenders, in the problem-based style of sociocultural learning. There is also a reciprocal element, as the attacking team gain a greater understanding of how difficult it is to defend. Typically, this doesn’t happen, and it highlights a large issue currently in the professional services world, which is the lack of value given by professional services firms post-engagement. Collaborative phenomena-based learning is the future and purple teaming (or whatever you wish to call the idea) is key in our industry to better prepare to be more secure.
So, What Can Finnish School Children Teach Us as A Community?
I’m a big fan of bullet points and exclamation marks (and interrobangs)…
  • Break out of silos and compartmentalised concepts!
  • Don’t let curricula limit your learning!
  • Think critically about your role and remit within your organisation.
  • Seek learning opportunities outside of your role.
  • Security is an overlay of IT functions and human processes, therefore, it’s an advanced discipline and should be treated as such.
  • Security is everybody’s responsibility!
  • Learn in a style that is more authentic, read around topics.
