
I don't disagree with these. However, I would add on compliance being necessary but not sufficient, I would say it is not necessary either. Compliance is a kind of virus that infects organizations. It's a tool to get people aligned certainly, and a set of principles you can use as a foundation for a program, but if the problem you are solving for is how to get people aligned, security is orthogonal to that.

On the skills crisis, it just means that security professionals are both expensive and not worth it. As if they (we) were creating value, nobody would say they were expensive, or say that they didn't have the skills to solve the problem. It's not unlike insurance, where you make sacrifices at the altar of compliance and hope the authorities are kind if calamity hits.

While I appreciate the creative cognitive tools for finding alternatives to perceived limits and principles, this dissolving of binary thinking is also a trend to destabilize concreteness and logical thinking and convert issues into an unstable managed consensus, which is effectively a political struggle. It is a cognitive style with a whole bunch of tactics wrapped up in it that are designed for managing groups and not for making things, fixing things, and getting people things they want. We would benefit from some of this in security, and in fact I have used it and seen it work. However, the entire approach resembles how a mother might tell her children to share something, which assumes the thing already exists and what needs resolution is the rights to it as governed by her, which is certainly appropriate in some organizational contexts and situations, but as a single note cognitive style that includes things like non-violent communication, narrative controls and some other tactics, the method sets off a bunch of alarms. The instinct to subvert and subordinate problems as a means to manage them instead of solving them concretely is a powerful tool, but one that we should acknowledge as critically as we do so-called binary thinking.




I had not considered a link between being against binary thinking and political-style management. Thank you for writing it, because I found it very thought-provoking.

Another way to look at it is that the author isn't attacking concreteness. Instead, the author is taking generalizations and adding context for why that generalization exists. This helps identify when the generalization applies and when it does not.



