How Problem-Solving Fits into Security
The first step toward solving a problem is identifying what kind of problem it is.
“Problems in security tend to be what are called knowledge bridge problems,” said Wixey. “That means that they require knowledge outside of the problem itself, whether that’s technical knowledge, policy knowledge, experience in a particular thing — whatever it happens to be. And it can also be quite undefined, so they may not have concrete boundaries.”
Because there might not be a clear limit on the problem area, information security professionals need to be able to lean on their past experiences. But they must be careful not to jump to conclusions, Wixey said. Experts tend to identify a problem early on in the process, perhaps before all of the pieces of the puzzle have revealed themselves.
“It can lead people to make assumptions and with some problems, and those assumptions can be quite dangerous,” said Wixey.
It can be a problem for leadership as well, he added.
“Experience bias is something you see quite a lot with decision-makers with management, and it’s relying on past experience to make decisions,” said Wixey. “And whilst that can be useful, it can also lead to assumptions. It can lead to making the wrong decision and not recognizing that the current situation is different from previous situations.”
Wixey said that this is why security professionals should try to cultivate multidisciplinary backgrounds, so that their experience is varied enough to look at problems in different ways.
How to Improve Problem-Solving Skills
There are different strategies when it comes to solving problems and puzzles. One strategy is to use a linear processes of testing different operators to find the one that works. A backward chaining strategy begins with the solution, then tracks backward to figure out how to get there.
But particularly complex problems, like the ones that frequently come up in security, often require an insight strategy. That involves changing the space of the problem itself, something that usually requires a fresh perspective to find.
“So, you have a number of items — a bag of corn, a chicken and a fox — and you have to get them over to the other side of the river in a boat, but you can only take one item across at a time,” said Wixey, offering up an example of such a problem. “And if you leave the corn with the chicken, the chicken eats the corn. If you leave the chicken with the fox, the fox eats the chicken. So, insight with that particular riddle is the realization that as well as taking things from riverbank A to riverbank B, you can also take them back in the opposite direction. And that’s what opens up a solution to that case.”
In security, being able to find those solutions while maintaining a wide-angle lens on the problem is crucial. Information security professionals need to be able to make connections while being aware of their own experiential biases. Maintaining that delicate balance can separate good security officers from great ones.
“Some things you do need to think about consciously are testing assumptions and changing your beliefs, recognizing that you have a particular perspective on the world and that perspective may inhibit solutions rather than yield them,” said Wixey.
“It’s about looking at the bigger picture.”