Nothing to fear for an engineer!

Agreed, security engineering sucks. But let’s do away with thinking of it as a burden

What kind of engineers do we want to be, after all? What IS an engineering mindset? (Source: The Noun Project)

Security Engineering sucks.

No, seriously, it’s very annoying that we need to do it at all. I mean, who of you has become an engineer in order to do security? Engineers want to build great things, make life easier, better, and more efficient.

Security engineers, however, do not build any cool new features. All they do is trying their best to ensure that the cool features other engineers built do not get screwed. We only need to do Security Engineering because there are total douchebags in the world that want to abuse our very cool engineered features.

So I agree that having to do Security Engineering really sucks, just like having to lock one’s bike sucks.

But can we do away with saying Security Engineering is a burden? Can we stop whining that it is too much to expect of an engineer to do Security Engineering? Can we stop falling for products and services telling us that they take “the burden of security” away from us?

Can we, being engineers, finally start thinking like engineers when it comes to security?

To provide us all with a vivid reminder for what “thinking like an engineer” means, I’ve chosen an archetypal example:

Gyro Gearloose.

Gyro Gearloose (Own photography. Yes, I actually met him.)

I‘m sure no one would disagree that Gyro is a kind of flagship engineer. He might in fact be the internationally most acclaimed and undisputed engineer. He’s even adopted a stage name in numerous countries.

Gyro’s international stage names.

For those among you who happen to not know Gyro, here are some facts that wikis provide so we’re all on the same page.

First, trivia. Gyro is an “anthropomorphic cuckatoo or maybe chicken”. So despite living in Duckburg, he’s definitely not a duck. Have you ever noticed he does not have duck feet like Donald or Scrooge? That’s because “due to some cross-breeding with another species in the distant past, the Gearlooses have human-like feet”.
He’s also much taller than the ducks. In fact, Gyro’s author Carl Barks once said: “If I had known that I would one day make an entire booklet with just Gyro Gearloose stories, I would have made him only about as big as Donald or Scrooge, so he’d have been easier to draw. He was a tall, lanky chicken bird that didn’t fit easily into the pictures with the ducks.”

So much for the kind of bird Gyro is. But more importantly, making him such a good fit as a flagship engineer, he’s also “Duckburg’s most famous inventor”; a “classic example of an eccentric genius” with “outrageous productivity”. He “has invented thousands of world-changing inventions without thinking much of it” and is “humble to the point of blindingness”.

Not surprisingly, Gyro Gearloose is a childhood hero for many engineers I know. Not for me, to be honest, because I never wanted to be an engineer as a child. So I’ve been asking around why Gyro is such an idol for engineers, and this is what I got:

“The archetypal inventor!”

“Always finds a solution to everything.”

“He was kind to everybody and built technological solutions for good reasons.”

“Seemed to be smart without the usual ‘being smart comes at a cost’ narrative…”

So, I figured it would be great if we’d all be a little bit more like Gyro; if we approached security engineering with a Gyro mindset.

But what IS that Gyro mindset, after all?

A Gyro Gearloose Mindset

Luckily for us, there’s a lot of documented material on Gyro’s life, so we can do some behavioral analysis. There’s one great story well-suited to learning something about Gyro’s character, which is called “Picnic” and dates back to 1957. You can read it here.

I’d like to summarize the “Gyro mindset” in three mantras:

1. Nothing to fear for an engineer

The picnic story begins with Gyro going through orders for inventions (yes, orders. Even for a genius, it’s not all sudden brilliant enlightenment) — all of them having to do with making open-air picnicking more pleasant. But Gyro has a problem: He has no clue about picnicking and has never been on a picnic himself. So he doesn’t even know what the problems are that people want fixed.

But Gyro wouldn’t be Gyro if that stopped him. Also, he does not simply invent something and hope it makes people’s picnics more pleasant. Instead, he puts in the effort to identify the real picnic problems:

“I suppose I’d better pack a basket of eatables and go into the woods for a picnic! […] Whenever a problem presents itself, I’ll whip out a quick invention to take care of it!”

So maybe security is your “picnic”. Maybe you don’t know much about it or where the problems are. But with a Gyro Gearloose mindset, you will find out. And you will solve the problems you encounter along the way. Never heard of this thing called picnicking? Nothing to fear for an engineer, as Gyro’s well-known motto goes.

2. This calls for an invention (or two)

Let’s see how the story goes on. As expected, Gyro encounters problems early on, and begins to solve them: There’s waste lying around where he wants to spread his picnic blanket? This calls for an invention — an outdoor carpet sweeper. The lumpy ground causes food to be spilled from the dishes? This calls for an invention — dishes with adjustable legs.

Sitting down, starting to eat, Gyro encounters the next problem: Ants! By now, you know what is going to happen. Same as the last time: Whenever he encounters a problem, he utters his second famous quote: “This calls for an invention!”

There are two observations to make here: First, inventions always follow problems. No invention without a problem. Second: You can do “this calls for an invention!” over and over.

Gyro’s inventions are sometimes… less than ideal. Sometimes inventions for problems just create new problems, or, in the wikis’ words:

His inventions don’t always work the way he wants them to…

His inventions often lack an important feature.

Unfortunately for Gyro, his ideas sometimes work too well…

That’s part of the process. It just means that the new problem calls for another invention.

3. Know what your brain needs for engineering thinking

Apart from the picnic story, there’s one last thing in the Gyro world we should not overlook. He knows what he needs in order to think clearly. And he knows that he needs something in order to think clearly.

Gyro is often accompanied by his Little Helper, a small anthropomorphic robot with a light bulb for a head. Little Helper often takes care of the small, trivial things so Gyro does not have to bother about them. In our picnic example, you might have noticed this little detail: When Gyro packs his picnic basket, Little Helper adds batteries Gyro would otherwise have forgotten.

So that’s for the small problems. Besides Little Helper, Gyro also has a Thinking Cap, a hat shaped like a combination of a roof-top and a nest, with three black birds living inside it. Gyro wears this thinking cap when he has to figure out particularly difficult problems.

And Gyro knows that without his thinking cap, he’s not nearly as good. There’s no shame in needing tools that help you think clearly when doing security engineering. However, they’re not to be confused with tools that claim to do the thinking for you.
So that’s the third part of the Gyro Gearloose mindset: Make use of whatever helps your brain work best. You may not have a thinking cap, but you may have other tools that help your brain think.

When have we ditched our Gyro Gearloose mindset when it comes to security engineering?

For security engineering, we engineers do not think like Gyro Gearloose yet — or anymore. Nothing to fear for an engineer? For security engineering, we do fear.

We tell ourselves — and we get told — that we need to fear. You may have come across these statements, so common they’ve almost become platitudes.

  • “Security is too complicated!”
  • “OT engineers cannot do security on top!”
  • “Security is different from normal engineering. Engineers don’t speak the security language.”
  • “There is no 100% security, so why even begin?”
  • “You’ll be breached anyway, so just focus on response”
  • “It’s not a matter of if, but a matter of when”
  • “There’s no silver bullet for security”

It’s very comfortable to believe all this, to lean into the idea that security needs to be someone else’s job, that someone else will tell us how to do security.
But here’s the thing: In the end, security will be our problem anyway. What do you think will be affected by security measures? Correct: Our systems, our daily routines, our range of acceptable design choices. Wouldn’t it be better if these decisions were in our realm?

You, we, us engineers have not taken the responsibility for security. We’re lamenting security is not done “the engineering way”. It’s a myth that “the engineering way” does not work for security. We engineers simply haven’t cared about security enough to build models and methods for security that “feel engineery enough”.

Let’s take the first three statements:

  • “Security is too complicated!”
  • “OT engineers cannot do security on top!”
  • “Security is different from normal engineering. Engineers don’t speak the security language.”

What would Gyro say?
You don’t know how to do security? I bet you do not know how to face other engineering problems when first confronted with them, just like Gyro does not know how to fix picnics to begin with. But he has the tools to find out.
You might not know yet how to fix security. But you can find out because you have all the tools. If you know your systems, you know almost everything that you need for security engineering. Don’t let anyone tell you otherwise.

The second three statements:

  • “There is no 100% security, so why even begin?”
  • “You’ll be breached anyway, so just focus on response”
  • “It’s not a matter of if, but a matter of when”

You constantly run into new problems when doing security? You have the feeling you can never possibly be done with security?
What would Gyro say? By now, you know that problems call for inventions, and new problems call for new inventions. Your first solutions for your security problems may not be enough. They may even introduce new security problems. Practice “this calls for an invention” until it doesn’t anymore. Repeatedly — it’s part of the process.

You might have noticed we left out the last of the seven statements:

  • “There’s no silver bullet for security.”

Well, this is correct, with one exception. Here’s your one and only silver bullet:

Meet the one and only silver bullet for security engineering: Your brain.

Your brain.

That’s good news. And even better news is it does not have to do all the work alone. It’s okay to build thinking caps and to need little helpers. I assume you already have your brains with you, and I’m bringing some thinking caps and little helpers to the party*, so we should be well-equipped for Gyro Gearloose-worthy security engineering.

And when there’s the slightest hint of you feeling fearstruck looking at your security duties, this little Gyro will hopefully mumble “nothing to fear for an engineer!” and get you back on track. You have what it takes!

*Note: This is the transcript of the intro for a keynote held at Swedish SCADA Säkerhet Conference on November 16, 2020. In the original, what followed was an introduction to “little helpers” and “thinking caps”, smaller and larger remarks, tips and tricks; basics useful for engineers diving into security engineering. I’ll continue to publish some of these on this blog.

Friction generates heat — true for writing and engineering. Fluchsfriction generates writings on security engineering. Heated debates welcome! CTO@admeritia
