I was one of those kids in school. I got the right answer, but I couldn’t be bothered to show my work. Why did it matter anyway? I got the right answer. Who cares if I didn’t write out the 11 steps it took to get there?
Well, as I got older I learned that, more and more often, the way you got the answer was just as important as actually getting the right answer — and in some cases more important.
Here’s why this applies to right now in your career.
There is a right way to eat a Reese’s
I’m not trying to sound edgy here — I mean it. In cybersecurity we don’t have clear-cut “right answers” when it comes to what we do. There are what feel like obvious “right answers,” but that’s wishful thinking at best. Everything is a trade-off between performance, security, usability, and functionality. Every risk calculation you do in your head, and every decision you make on the fly, has to be accounted for. That is the part that matters.
When you’re called to testify in court on why you applied a stringent policy of restricting outbound traffic from network segment A but not from network segment B, the people asking the questions will try to paint you as having chosen the “wrong” answer. In fact, you may have made the best decision possible at the time, with the information you had available to you.
This is why every regulation that’s worth its paper tells you in broad terms what you need to accomplish, not how you need to accomplish it. There are times when applying the appropriate control would halt or severely degrade business capabilities to a degree that exceeds the risk tolerance level — so the security control gets shelved, and the lesser risk of going without it is recorded as accepted.
Show your work — it matters more
The reason you’re being asked to justify your decision, to show your work, is that people want to know why you made that decision. Why the server that was compromised did not get the latest Patch Tuesday patch, but a temporary work-around instead. Yes, you were compromised because a compensating control was put in place and a risk was recorded as accepted. Yes, you were compromised. And yes, you can show why that risk was taken, what the decision criteria were, and who was involved.
That’s what we want to see, after all. Those of us who have been doing this long enough know there will always be the next compromise and the next breach. We’re over the faux outrage and the pretending that “this could have been prevented if only…”. We want to know that someone thought things through, carefully, and came to a conclusion. Even if we don’t like the conclusion, and even if it led to a bad outcome, we just want to know what factors were considered and why the decisions were made.
So you see, kids, the next time you’re taking an algebra test or a physics exam, show your work. Maybe you’ll get the wrong answer because you added 2 plus 4 wrong in the heat of an important test — but if you show how you got there, you’ll demonstrate understanding of the mechanics and the decision-making. That should get you most of the credit, because at some point the computers will do the math for us, but they likely won’t have the gray matter to make the difficult, squishy, gut-based decisions that we can.