I’m thinking (maybe wrongly) that we, in #InfoSec, are still largely attached to the language of “People, process and technology” in how we design security practices.
I don’t think that’s the best lens through which to look at the sociotechnical systems we wish to influence. Here’s why:
🧵
“People, process and technology” has built into it a mechanistic decomposition of what a security practice entails. It amounts to an analytical approach, in that we “tear it apart, study its parts and then build it back up”.
There’s nothing inherently wrong with analysis, but
Processes of analysis, by decomposing, promote a focus on the properties of the parts and then derive, or simply assume, that those are the properties of the whole.
However, we now know that’s not how Complex Adaptive Systems behave. The whole has (emergent) properties which are absent in its parts.
The whole (the system) is defined by its interactions and not by its components.
But is there a different lens through which we could assess or evaluate security practices?
Yes, there is: Elizabeth Shove’s ‘Social Practice Theory’, or #SPT.
What’s that, you ask?
In #SPT we assess practices through the combination and interaction of three elements: “meanings” (symbolic meanings, ideas and aspirations), competences (skill, know-how and technique) and materials (tech, objects, artefacts).
I argue that this language is better suited to processes of synthesis.
Synthesis is the basic building block of systems thinking. Synthesis is about understanding the purpose of the whole and the function of its parts, along with the relationships and connections that affect the dynamics of the whole.
With #SPT we no longer need to think of security processes in isolation, as a separate element bolted onto the whole. We can first focus on the meaning of operational practices, as understood and narrated by the practitioners themselves, and work to integrate security outcomes into those existing practices.
We then complement that by addressing the competences and materials required to increase the likelihood that the systems our organisations run are delivered and operated securely.
I do believe this is yet another instance where holding on to “old language” is also holding us back.
We can’t keep using mechanistic and linear-causality language and expect systemic integration of security practices. Systems don’t operate like that.
To finish: the first step to making sustainable change (particularly where security has a bad rep) is moving away from the language of old ways of working, if we’re to have a fighting chance to do better and be better.
</slight rant>
And if you want to know more about #SPT, and particularly how it can be combined with @swardley mapping, you should check out the @MaturityMapping website 🙂