Cyber Security

Luke Hally

Security Engineering

September 1, 2021
The start of a new course this week – Intro to Security Engineering, where we look at applying engineering principles to security. Although cyber security is a budding discipline, we can learn from older ones. By applying engineering principles, we can have security designed into systems, products and businesses from the outset, so that we are proactive and prepared for attacks, rather than reactive and constantly chasing our tails.

Engineers do things like: measure things; stay skeptical until evidence is provided; test and review their work; value openness and transparency; treat errors as an opportunity to learn; use standards (which openness and transparency help to establish); display professionalism; and iterate.

Engineering principles

These are the four engineering principles that stand out to me:

Measurement

Measurement informs decisions: on whether we need a solution at all, on what problem we are actually trying to solve, and on what to build and how to build it. It supports skepticism, and it informs the testing and review of what we have done.

Openness

Openness allows us to learn from others, which in turn leads to standards. In a dynamic field such as cyber security this is critical. The asymmetry of attack means that one of our best defences is herd immunity – knowing what works, as well as which vulnerabilities exist, so that we can mitigate them.

Treatment of Errors

An engineer’s response to an error is not to hide it or ignore it, but to examine it and learn from it. This draws on measurement – to understand the error – as well as on openness and transparency – in sharing both the error and the solution.

Professionalism

Professionalism means that engineers are dedicated to doing good, not just for themselves or their employer, but for their profession and, by extension, society. This drives an engineer to uphold their principles, even in the face of pressure and conflicting interests.

Reflection

By applying engineering principles, we can help to deliver results that are scalable and repeatable to a standard. We are no longer fighting attackers on our own, but as part of a community, learning from each other’s mistakes and successes. This gives us a form of herd immunity against attackers.

The professional point resonated with me – a duty that sits above your employer, to your profession and by extension to the good of society. This is extremely empowering, especially when faced with the naive response to breaches and vulnerabilities, which is to cover them up.
