Aug 12 2020

Black Hat 2020: How to Boost Security Problem-Solving

Cybersecurity can present complex challenges, but IT can use principles of puzzling to help overcome them.

A great deal of IT is problem-solving. Technologists put broad solutions in place to solve problems for the business while also solving acute help desk problems for employees on a daily basis. Strong IT professionals have skills that are built on a foundation of sound, creative problem-solving.

But problem-solving isn’t necessarily a trait you’re born with. At Black Hat USA 2020, Matt Wixey, research lead at PwC U.K., said that it’s something that can be trained.

“Problem-solving ability is often considered an innate skill,” said Wixey. “It’s [considered] something that you either have or you don’t — you can’t teach it. Research suggests that actually, that isn’t true. Everyone can get better at problem-solving. Everyone has the ability to problem-solve and to improve.”

Nowhere in IT are the problems more complex or the stakes higher than in security. Information security professionals have to be able to move quickly to patch vulnerabilities and build lasting defenses as issues are discovered. Problem-solving is therefore a crucial job skill.

“There are various ways you can measure someone’s problem-solving ability,” said Wixey. “You can measure it by the time it takes them to solve certain problems; probably most compellingly, their approach to problem-solving; and also their comfort level with ambiguity, with uncertain situations, with unpredictability.”

How Problem-Solving Fits into Security

The first step toward solving a problem is identifying what kind of problem it is.

“Problems in security tend to be what are called knowledge bridge problems,” said Wixey. “That means that they require knowledge outside of the problem itself, whether that’s technical knowledge, policy knowledge, experience in a particular thing — whatever it happens to be. And it can also be quite undefined, so they may not have concrete boundaries.”

Because there might not be a clear limit on the problem area, information security professionals need to be able to lean on their past experiences. But they must be careful not to jump to conclusions, Wixey said. Experts tend to identify a problem early on in the process, perhaps before all of the pieces of the puzzle have revealed themselves.

“It can lead people to make assumptions, and with some problems, those assumptions can be quite dangerous,” said Wixey.

It can be a problem for leadership as well, he added.

“Experience bias is something you see quite a lot with decision-makers with management, and it’s relying on past experience to make decisions,” said Wixey. “And whilst that can be useful, it can also lead to assumptions. It can lead to making the wrong decision and not recognizing that the current situation is different from previous situations.”

Wixey said that this is why security professionals should try to cultivate multidisciplinary backgrounds, so that their experience is varied enough to look at problems in different ways.

How to Improve Problem-Solving Skills

There are different strategies when it comes to solving problems and puzzles. One strategy is to use a linear process of testing different operators to find the one that works. A backward chaining strategy begins with the solution, then tracks backward to figure out how to get there.

But particularly complex problems, like the ones that frequently come up in security, often require an insight strategy. That involves changing the space of the problem itself, something that usually requires a fresh perspective to find.

“So, you have a number of items — a bag of corn, a chicken and a fox — and you have to get them over to the other side of the river in a boat, but you can only take one item across at a time,” said Wixey, offering up an example of such a problem. “And if you leave the corn with the chicken, the chicken eats the corn. If you leave the chicken with the fox, the fox eats the chicken. So, insight with that particular riddle is the realization that as well as taking things from riverbank A to riverbank B, you can also take them back in the opposite direction. And that’s what opens up a solution to that case.”

In security, being able to find those solutions while maintaining a wide-angle lens on the problem is crucial. Information security professionals need to be able to make connections while being aware of their own experiential biases. Maintaining that delicate balance can separate good security officers from great ones.

“Some things you do need to think about consciously are testing assumptions and changing your beliefs, recognizing that you have a particular perspective on the world and that perspective may inhibit solutions rather than yield them,” said Wixey.

“It’s about looking at the bigger picture.”

