If you are a project manager in charge of building your company’s new, strategic, bet-the-business application, you are probably going to look for people exceptionally skilled in designing and building complex architectures. We all know people like this. They have an almost magical ability to conceptualize an idea, lay out a precise roadmap from here to there, and then deliver the most amazing products. The ability to build something from nothing, and to do so with exceptional skill, is a rare gift. It requires a certain mindset which we all have to varying degrees, but that for a very few seems inborn and as natural as breathing. It is an orientation toward synergistic processes. And if you need security, that’s the problem.
Developing a security architecture or finding weaknesses in existing systems requires an orientation toward entropic processes. For the best security architects, this mindset seems inborn and as natural as breathing. While it is possible to have deep skill in both the synergistic and entropic domains, people are primarily in one or the other. It is very similar to right- or left-handedness. Application people are comparable to the right-handed crowd, security people to the left-handers. Each group has varying degrees of dexterity in the non-dominant domain, but true ambidexterity is extremely rare. The difference is that when you are staffing a project you don’t go out of your way to make sure there are a few left-handers on the team. You may go out of your way to hire a security specialist or two, but how do you identify the best candidates? Sure, you look at their track record of successful security work. But do you look for their primary orientation as synergistic or entropic? Now that you know, will you ever not look for that trait in a security specialist again?
My name is T.Rob, and I break stuff.
Hi Rob, Thanks for your efforts, I enjoy following your blog and tweets.
“Why Break Stuff?” makes a valiant effort to interdict the chronic and inherently limiting misperception that security and system architecture/architecting requirements and capabilities are near-mutually exclusive; or that security is simply another subsystem.
“Critical details aside, the [system and security] architect’s greatest concern and leverage are still, and should be, with the system connections and interfaces:
first, because they distinguish a system from its components;
second, because their addition produces unique system-level functions, a primary interest of the systems [and security] architect; and
third, because subsystem specialists are likely to concentrate more on the core, and least on the periphery of their subsystems, viewing the latter as (generally welcomed) external constraints on their internal design.
Their concern for the system as a whole is understandably less than the systems [and security] architect. If not managed well, the system [and security] functions can [will] be in jeopardy.”
The Art of Systems Architecting, Third Edition
Mark W. Maier, Eberhardt Rechtin, CRC Press
Thanks, Dan! I may have a more coherent or meaningful reply after IMPACT. For now I’ll just say that someone I spoke with today told me he hadn’t thought of it this way and had been looking for security track record rather than “handedness”, then asked how to tell how someone is wired. I replied that it’s all in the first reaction and you can almost play word association. If I ask someone to describe triggering, the builder types will focus on the functionality and the breaker types will at least mention the security implications, possibly to the exclusion of the functionality. It’s not always that clear cut and you would need to have a longer conversation and look for the dominant orientation, but eventually you get a feel for which group the candidate is in. Like lefties, the entropic types are the minority, so when you find one, latch on.