Same Actions, Different Results. Insanity or Genius?

This post is going to be somewhat abstract, somewhat “soapboxy”. And I don’t expect anyone to read it. Well, hopefully, at least one person will. I can’t help but comment on the trend to go down a path without a clear goal or strategy in mind. Actually, it’s not a trend within cyber security or even IT as a whole. It’s a trend within humanity (cue soapbox!). Somewhere along the line, planning became a sign of weakness and the verb agile became a proper noun.

http://www.perzactly.com/wiki/images/Einstein-fish.jpg

Einstein (it wasn’t him), Mark Twain, Ben Franklin or some other historical figure once said something along the lines of, “Insanity is doing something over and over again expecting a different result.” Ok, I always got a kick out of that simple, but profound truth. I’ve heard that statement before, during and after meetings time and time again. In fact, it is so commonly quoted that you would think “insanity” is a workplace epidemic that has been fully cured! Everyone, and I mean everyone, knows the definition. Yet, the quote is inappropriately called upon day in and day out. Something isn’t adding up…

Now that we have a clear definition of insanity, does the inverse equate to certain genius? Let’s try it… “Genius is doing something differently and expecting a different result.” Not so much. I don’t think we have a definition of genius just yet.

Let’s apply these two statements to Cyber Security and see what we learn. Stay with me!

“Insanity is doing something over and over again expecting a different result.”

Although this statement may be profoundly true in cases where 2+2 always equals 4, a day in the life of a cyber security analyst, CISO, or engineer just isn’t this simple. In fact, in many cases the same action does result in different results. Let me give you two examples, one technical and one human.

The first example is in regard to testing an exploit in an effort to determine whether your system is vulnerable. Anyone who has ever done this knows that sometimes you have to execute an exploit 3, 4 or more times before it is successful. Because of the many factors involved in executing a successful exploit, you have to try it multiple times before it works. A simple privilege escalation exploit in a simple capture the flag (CTF) contest taught me that. Would attempt 3 qualify someone as insane? Hopefully not, since it could take more than 3 attempts before your results differ! No flag for you!

My second example is more about the human element in regard to moving a security program forward. In my career I have both observed others and had to personally advocate for policies, initiatives and security controls not once, twice but dozens of times before successful results were achieved. Human thought processes change. Culture changes. Threats change. Sometimes what we really need is to stay the course even though the previous results were unfavorable. Granted, there is definitely a hair-thin line between resilience and insanity.

“Genius is doing something differently and expecting a different result.”

Well, I think we can all agree that this does not sound like “genius” behavior. I could argue that it’s common sense at best. Really, though, at its core this statement is altogether a fallacy. In fact, we all know that sometimes you can make a change and have the exact same results. That is as true when it comes to cyber security as it is for our choice of food intake. Do you want an example? Ok, then. How about that time Gartner told the world that IDS is dead? Or maybe when we were told that Antivirus is dead? Do you have a Next Generation Firewall (NGFW) yet? Let’s not forget that time I tried the cabbage soup diet. I’m being somewhat belligerent here, but the point is that new and different does not always differ the results. Incidents are on the rise despite the industry’s best efforts to “think differently.” Probably because the bad guys think different…er and sometimes what we categorize as different is really not so different after all. And I’m STILL looking for a way to lose weight without eating right or exercising.

So where does this leave us? We don’t know what insanity is or what genius is anymore! Now we’re totally lost souls! Ok, let me try to come up with one of my own timeless quotes to be misquoted for generation upon generation. Ahem…here I goes…

“Insanity is doing something over and over again, without taking note of the results. Genius is knowing what your desired result is in advance and whether or not change will get you there faster. Mediocrity is believing you’re one or the other.”

Goodnight everybody.

Thanks for reading and don’t forget to subscribe.