Back when I was doing a lot of national and international standards work (ah…those heady days when REST vs. SOAP and SOA were all the rage), one of the most fascinating discoveries I made was the single reason the Web as we know it exists today:
Dangly bits.
Or, in this case, dangling links.
You see, up until Sir Tim invented the Web in 1991, hypertext systems (which is what the Web really is) were limited because they were “closed world.” What “closed world” really means is that everything somehow needed to be connected to everything else—without any broken paths.
In fact, broken paths were expressly forbidden by the existing rules of hypertext systems.
So, along came Sir Tim and said, what if we change that fundamental assumption? What if we eliminate the “closed world” constraint? What might be possible?
And so he did.
Sure, the mechanics weren’t formalized until Roy Fielding and Henrik Frystyk joined the party and published RFC 1945, including for the first time machine-readable response codes to augment the free-form, hypertext errors of Tim’s original. But the point is:
Dangling links are what make the Web possible.
However…it’s not just the dangling link itself.
It’s the ability of the system to predictably handle them that really makes the Web what it is.
What people tend to forget is that whatever we do to the endpoints, the Web is an always-changing system of systems, but it’s still a system in and of itself. And as a system, it has to have rules.
And the reality is: the organizations we need to protect are already looking more like the Web itself than we really care to admit.
But have we changed?
Now, funnily enough, one of the conversations I joined on LinkedIn yesterday was one of those broken security records we keep playing:
“Here it is again: another example of a breach due to some organization not doing the basics.”
And do you know the thing that differentiates a broken record from Hip-Hop?
It’s boring.
There are no catchy lyrics in between the samples. There’s no bass line. There are no drum riffs.
It’s just the same.
Over and over.
And one of the handy evolutionary traits we humans have developed is that if it’s repetitive enough, we can damn well tune just about anything out—at least for a while.
So one of those “basics” we often get our knickers in a twist about is the state of our asset inventory. After all…we’ve gotta have it, right? It’s #1 and #2 on the CIS Critical Security Controls.
How can we do anything if we can’t even figure out how to do the first two on the list??!!!??
So here’s a question:
What kind of thinking is behind CSC-1 and CSC-2 that requires us to exhaustively enumerate all of our authorized and unauthorized devices and software?
Right. It’s unquestionably a “closed world” mindset.
It’s an assumption that there’s a magical box we can draw around the world that defines the boundary of “things”…and within that box, we have some mechanism of reliably identifying those things so we can sort them into naughty and nice—just like Santa Claus at Christmas.
The two fundamental assumptions:
- there’s a finite, static world, and
- there’s a fixed, reliable way to identify what’s in it
might have worked in 1983 when there were 2 million computers in the US and most of them weren’t connected to each other…
…but that kind of thinking sure as hell won’t work today with over 4 billion Internet users and when everything from your toaster to your teapot is technically “a computer” and connected to each other all the time.
Sure, you’ve heard the mantra “there is no edge” – now also a broken record – but do we really believe it?
The power isn’t in the answer. The power is in bothering to ask the question.
If we don’t ask questions – and are prepared to really listen to the answer instead of just waiting our turn to grind the other person’s argument into the dirt with our “superior intellect” and “expert knowledge” – we’re never really going to get anywhere.
And we’ll keep wondering why our security programs aren’t effective…
And we’ll keep wondering why our security budgets don’t get approved…
And we’ll keep killing ourselves chasing down every single threat and trying to inventory every single device that might interact with the world we’re trying to protect.
“Closed world” thinking works about as well today as having a closed mind.
So, if you really want to do a better job protecting your organization’s revenue, data and reputation, it’s time to think about the way you’re thinking about the problems you have…
…and it’s time to start asking better questions—and actually listening to the answers…
ESPECIALLY when we don’t immediately agree or believe them.
But it’s not easy.
I know. I still have my own blind spots too, and the tunnel vision just gets worse the more stress and pressure you’re under.
However…
There’s something that can help: an outside perspective.
And that’s exactly what I do my best to provide to each and every one of my coaching and consulting clients.
And I can do my best to help you too—but only if you let me.
Until 11:59pm US/Eastern on the 5th of July, you have the chance to get 3 months of 1 on 1 access to me as part of the Effective Security Leadership Coaching Program.
You’ll even save almost $7,000 off what it will cost for the same access after that…
But only if you head on over to this non-dangling link and set up your call with me before the deadline:
https://securityleadershipcoaching.com.
And let’s start working on problems we can actually solve…instead of trying to tilt at windmills that no longer exist.
Cheers,
ast
—
Andrew S. Townley
Archistry Chief Executive