Channel: SecJitsu: The Art of Security » Information Security

It Starts with Us

Andrew Hay recently published a great blog post about shokunin (translation: craftsman or artisans) in the information security profession, or rather the lack thereof. If you haven’t read the post, I encourage you to do so here.

This post isn’t about refuting Andrew’s but about building upon a concept I took from it. Andrew’s argument is that we do not have shokunin in our profession, nor are they allowed to develop, as we require individuals to oscillate between specialization and general breadth. While I believe there is validity to that statement, I argue that it applies to the most literal and narrow of definitions of the shokunin concept, focusing on skill. What is lost in that application is the broader social consciousness and obligation mentioned in the quote in Andrew’s post, which in my opinion is the key for our industry to successfully move forward.

In a book by Dave Lowry, “Moving Toward Stillness: Lessons in Daily Life from the Martial Ways of Japan”, he talks about the distinction between a martial artist and a martial artisan. In his view, the artist is one that is solely absorbed in their own ideas and concepts. In contrast, the artisan is someone who follows a chain of thought and practice, constantly working towards improvement of both. The concept dovetails nicely with the shokunin definition above and the application to our industry.

My opinion is that we have a glut of the former; those in our profession that are often highly technical yet myopic in their views based on their areas of expertise and unique experiences. It is the lack of the latter, those that apply their expertise as part of a broader collective and are continuously open to and developing new thoughts and practice, that is our weakness. I do believe these people exist though, but what we often fail to do is organize, encourage, and develop those individuals and the ideas they bring forward.

A common theme of my blog this year has been the development of our profession to demonstrate better value and enablement, instill greater confidence and influence beyond our peer group, and generate positive cultural and behavioral impact. There have been those who do this well in isolation, but unfortunately they are viewed as exceptions because their organizations are “different” or their budgets are “greater”. Others we label as security philosophers and evangelists, the connotation of the terms drawing a negative reaction from the community because by definition they focus on philosophy and belief rather than application. We rise up collectively to discuss the latest security or privacy incident, with a collective “I told you so” or “They should have known better”. But once the Twitter-fires and blog-pitchforks are put away, we go back to our individual spheres of influence, focusing on our own ideas and concepts while continuing to commiserate about our struggles and our inability to impact the status quo.

That picture is fairly bleak, and I’m sure equal amounts will agree and disagree with its accuracy. In fairness, I’ve even depressed myself writing that last paragraph, but I don’t believe that the situation is without hope. I think of the energy we generate as a community when we’re united, whether in digital response to the latest security gaffe or finding time to sit down with our peers at conferences and industry events. The enthusiasm during those moments is often palpable, and the ideas we exchange flow freely even if they are sometimes dipped in healthy cynicism. But I think in order for us to move forward we have to answer a fundamental question as a profession:

How do we collectively keep that energy and enthusiasm from being just a snapshot in time and collaborate for real change beyond the echo chamber?

I wish I had a clear answer that would resolve that question, but I don’t…yet. What I do have is the desire to move this conversation forward and find like-minded individuals that want to do so as well. If it’s an existing effort, I’ll join and bring coffee. If the effort is not formed, I’ll help start it.

This isn’t about generating a new set of definitions and controls. This isn’t about producing a new “must have” certification. This isn’t about recognition, self-promotion, or financial gain. Just a desire by an individual to fulfill that greater social obligation that some of us feel and finally act on the hope of changing the status quo.

“Everyone thinks of changing the world, but no one thinks of changing himself.” – Tolstoy

It starts with us. Any takers?


