Security as a Concern
“A productive way to view security is as a concern … But it’s not uncommon to come across situations where security is described as a set of features. The difference is that even when security features address a specific security problem, your concern about security may not have been met.”
Secure by Design, Dan Bergh Johnsson, Daniel Deogun, Daniel Sawano, 2019
Solving the wrong problem and building the wrong system is inefficient. One needs to:
1. Keep the problem and solution spaces separate.
2. Remember the problem space is defined by the customer's mission or business needs.
3. Realize the engineers define the solution space, driven by the problem space.
Keeping the problem and the solution separate.
The problem is what we want the system to do and the concerns about that (the what). The solution is how. Focusing on the solution can result in losing sight of the problem, solving the wrong problem and building the wrong system.
The problem space is defined by the customer's needs.
Customers will talk to engineers in terms of technology and their notion of solutions rather than in terms of the problem, speaking to a felt need ("I need this widget") rather than the real need. Systems engineers must discover the customer's underlying problem. If the user requirements are not based on the true needs, the resulting system solution is not likely to respond to those needs. This is especially difficult when the customer is thinking "I need to meet compliance".
The systems engineer defines the solution space, driven by the problem space
The expert on solutions is the systems engineer, not the customer; if that were not so, there would be no need for the systems engineer. A stakeholder who insists on intervening in the design process may constrain the solution and limit the flexibility of the systems engineer in developing a system that supports the mission or business goals and meets the requirements.
Ramification
In many sectors, rather than describing the need, stakeholders prescribe the solutions. Too many conversations are about compliance with security prescriptions rather than about security needs and concerns, which are descriptions of problems.
Unless otherwise stated, all views expressed are mine and don’t necessarily reflect those of my employer or MITRE sponsors.