If you have ever sat through an orchestral concert, you would hear the first chair oboe playing a single note for the rest of the fellow orchestral players to latch onto and begin the process of fine tuning.
At first, it is a single A440 resonating on stage, followed section by section, strings, brass, percussion, until a cacophony of sound begins to reverberate from all players. They do this because they can. They do this because the lack of tonal harmony would result in a less than spectacular performance and likely some very unhappy customers and critics of music performance.
The great ears, harmony, and tone weren’t always like that for the players. Listening to young adults learning and playing will likely produce some serious intonation challenges.
Over the years, young learners and blooming musicians learn the ropes, they get to do things better each time they play and perhaps make it to Carnegie Hall, or become spectacular musicians in other venues.
It takes time. I recall sitting for hours in front of a tuning oscillator trying to get my A440 consistent every time I played the note. It was extremely difficult work. Certainly up front. Over time, it became easier.
Your desired Cybersecurity practice can be your A440. Machines, people, policy, technology could be considered some of sectionals that tune around the desired practice for your business. If you have a perfectly tuned orchestra, you get overtones. If you have a well tuned Cybersecurity practice then it could be the perfect intersection of Confidentiality, Integrity & Availability.
So, why all this? Cybersecurity, A440, orchestras, musicians, blah, blah, blah. Cybersecurity is not a perfect thing and it never will be. Just like perfect harmony is achieved not granted.
I suppose we all know it is about balance. The other day I was having a decent conversation with a gentleman over coffee who has been a developer all his life, now in charge of the entire development organization.
It dawned on me to change my way of speaking about vulnerabilities. I have since dropped the word “vulnerability” from my vocabulary when conversing with non-Cybersecurity folks. A normal reaction you might get from outside your constituency of Cybersecurity colleagues is a “roll-of-the-eyes” or a sigh of “ugh another one.”
I changed my thinking, at least for the moment. I called a “critical vulnerability” a “critical defect” instead. The reaction was nothing short of amazing. There was a sudden interest in changing said defect, fixing it or removing it completely.
With one word, I got a different reaction. It got me thinking about A440. It seems to me that we were on different tonal frequencies. His head was hearing A439 (defects), and mine was talking A440 (perfect security).
For me there was a relationship between the two. I’m enthusiastic regarding what I see as a fundamental change in my approach to building blocks of the technology stack since then. I’m trying to see if I can insert this idea of “frequency” or “desired state” into the process at the earliest possible stages.
Of course I will need to collaborate with some highly talented people and contribute however I can. Some might call this “DevSecOps,” “Software Defined Security,” “Embedding security in the build.” Call it what you want. The frequency needs to change to keep up. It isn’t vulnerabilities, its defect detection. It needs to be faster, integrated and automated. It also has to be balanced, aligned, and most important – it needs to resonate with the people that you work with.