1. #01: Cross-Pollinating Security


    Forty years ago, Winston W. Royce described what has later been named the waterfall model, pictured to the right. He states that he believed in the concept, but: “the implementation described [..] is risky and invites failure”, because testing occurs very late in the lifecycle and the path from initial requirements to operation is long.


    Twenty years ago, when I was studying software engineering, the waterfall philosophy was still the foundation for how large-scale systems were developed. The results were predictable — a string of failures in development of large-scale software systems in the late eighties and throughout the nineties.

    In the software development world, the backlash to the Big Design Up Front (BDUF) of the waterfall model was to do what Royce really proposed: iterative, incremental and evolutionary development. One of the best known models based on these principles is Barry Boehm’s spiral model, published in 1986.

    In the same year Hirotaka Takeuchi and Ikujiro Nonaka published The New New Product Development Game in Harvard Business Review. Instead of rigid sequential development (the “relay race” approach), they propose an alternative (the “rugby” approach) in which development emerges from multidisciplinary teams working together from start to finish.
    A few years later, this philosophy was adapted to the software development world by Ken Schwaber and Jeff Sutherland in the Scrum framework, officially presented at OOPSLA in 1995. This again led to the agile software development movement, culminating with the publication of the Agile Manifesto in 2001.

    While the software development world has clearly progressed beyond the top-down approach of years past, enterprise security still seems to cling to this approach — based on perceived stakeholder interests, we create entire “information security management systems” (ISMS) in the style of ISO/IEC 27001 in order to solve the enterprise security conundrum.

    The problem is that entities like these are more or less designed to operate as a crudely bolted-on accessory to the enterprise instead of as an organically integrated part of its daily activities. As a result, properly ensuring a reasonable level of security in a modern enterprise is a Sisyphean task, where “security” is always running behind in an effort to catch up with the dynamic complexity of the enterprise.

    In short — we need to learn from developments in other disciplines in order to achieve our goal of both effective and efficient security.

    The next posts on this blog will attempt to explore the implicit and explicit connections between security and related disciplines.

     
  2. #00: Writing to Learn

    Almost exactly ten years ago, I shifted my attention from Unix and system management to working exclusively on various topics within the field of information security. While it’s hard to claim that the overall security standing hasn’t improved in the past decade, it is fair to say that we still have a long way to go in this area.

    I believe that the field of security can benefit from looking at recent developments in surrounding areas, for example:

    Around a decade ago, I read William Zinsser’s inspiring Writing to Learn. In his book, Zinsser promotes the process of writing in order to better understand a topic by forcing oneself to deeper thinking. Expressed in a nutshell by Toby Fulwiler and Art Young:

    Writing to learn is different. We write to ourselves as well as talk with others to objectify our perceptions of reality; the primary function of this “expressive” language is not to communicate, but to order and represent experience to our own understanding. In this sense language provides us with a unique way of knowing and becomes a tool for discovering, for shaping meaning, and for reaching understanding.

    While I may be a slow adopter, this blog is my attempt to use this philosophy to “connect the dots”. I will try to keep the postings within the realm of information security in its widest sense, but it may occasionally delve into wholly unrelated topics.

    Only time will tell if I also remember anything from one of Zinsser’s other books: “On Writing Well”.