I’m thinking (maybe wrongly) that we, in #InfoSec, are still largely attached to the language of “People, process and technology” in how we design security practices.

I don’t think that’s the best lens to look at the Sociotechnical systems we wish to influence. Here’s why:

🧵
“People, process and technology” has built into it a mechanistic decomposition of what a security practice entails. It transpires as an analytical approach, in that we “tear it apart, study its parts and then build it back up”.

There’s nothing inherently wrong with analysis, but processes of analysis, by their decomposition, promote a focus on properties of the parts and derive or assume those are the properties of the whole.

However, we now know that’s not how Complex Adaptive Systems behave. The whole has properties which are absent in its parts.
The whole (the system) is defined by its interactions and not by its components.

But, is there a different lens through which we could assess or evaluate security practices?

Yes, there is. Through Elizabeth Shove’s ‘Social Practice Theory’ or #SPT.

What’s that, you ask?
In #SPT we assess practices through the combination & interaction of “meanings” (symbolic meanings, ideas and aspirations), competences (skill, know-how and technique) and materials (tech, objects, artefacts).

I argue that this language is better suited for processes of synthesis.
Synthesis is the basic building block of systemic thinking. Synthesis is about understanding the purpose of the whole and function of its parts along with the relationships and connections that affect the dynamic of the whole.
With #SPT we no longer need to think of security processes in isolation and as a required element of the whole. We can first focus on the meaning of operational practices, as understood and narrated by practitioners, and work to integrate security outcomes in their existing ones.
Complementing that with a focus on addressing any competence requirements and materials required to increase the likelihood of security delivery and operation of the systems our organisations operate.
I do believe this is yet another instance where holding on to “old language” is also holding us back.

We can’t keep using mechanistic and linear-causality language and expect systemic integration of security practices. Systems don’t operate like that.
To finalise, the first step to making sustainable change (particularly where security has a bad rep) is moving away from language associated with old ways of working, if we’re to have a fighting chance to make better and be better.

</slight rant>
And if you want to know more about #SPT and particularly how it can be combined with @swardley mapping, you should check the @MaturityMapping website 🙂
