The Power of Patterns
Security, Whales, and Methodological Reductionism
Hey there! I’m back after almost a year off from Secure Humans. Life has been a bit much, but it’s getting quieter now, so I’m sorry for the out-of-the-blue spam!
Some of the problems that I help security leaders with are problems of scale and organization. I was watching an episode of the excellent PBS Spacetime on YouTube, a video about the weirdness of the Higgs Boson, and it contained an even weirder statement that brings everything about scale and organization into focus. To paraphrase the video: it would be weird if there were no layers of complexity between the atoms and a whole whale, as if the atoms that make up the whale could just organize themselves into a fully functional whale. That’s just as weird as expecting hundreds of thousands of people to simply know what to do and self-organize into a fully functional business.
Most of us got into security from the bottom and worked our way up - doing security testing or design, working as an individual contributor, and essentially working at the micro-scale of security. Find a vulnerability, fix a vulnerability. As our careers progress, we’re often asked to tackle larger and larger problems, but one obstacle everyone encounters along that path is that our toolboxes tend to break down when problems and tasks get much larger than the micro-scale. Analyzing an application’s architecture for threats is a different skill from analyzing an organization’s SDLC for potential security touch-points. Thankfully, one of the most powerful tools in my operational and strategic toolbox is something very familiar to many professionals and developers at the micro-scale of security: the Pattern.
Humans are pattern-seeking creatures, and we’re lucky that patterns show up so often in the world for us to find. I’m not here to argue whether there is or isn’t some intelligent creator behind the patterns in nature, only that there are ways of organizing building blocks into structures that just seem to work, and we humans are pretty good at recognizing them. One pattern we’ve noticed is a sort of meta-pattern called Methodological Reductionism - the theory that if you understand what’s going on with all the component parts of an object, then you can understand the object itself. Sometimes it’s not just objects that yield to this kind of understanding, but layers and scales that build upon each other as you zoom in or out.
Swimming back to that hypothetical whale: instead of a whole mass of self-directed atoms going out and eating krill, whales do have organizational layers of a sort. If we reduce a whale into its major systems, we can understand how the brain and nervous system direct the muscular system, which is supported by the skeletal system, to put the krill into the digestive system, which breaks food down into nutrients to be transported by the circulatory system, and so on. Understand the major systems and you might have an idea of how whales do whale things, but what if you want to understand its major systems a little better? Break the respiratory system into organs like lungs, windpipes, and blowholes, and study the tissues, cells, and proteins until you understand how breathing helps a whale do whale things. That’s reductionism in play - understand the components to better model and understand the whole.
Like whales or particle physics models, companies also have layers. The major systems of a company can be called Business Units or Divisions; they might be divided by industry vertical, geographical region, or functional role. Within those large divisions there are departments, teams, and individual contributors. When I build an understanding of a security program, I have to understand where it fits in the whole in order to understand how its component parts work together. An organ cut off from the circulatory system cannot operate; a muscle not attached to the skeletal system cannot move its limb. A security team without resources cannot function, and without policy it cannot leverage authority to effect change. That’s one of the powers of patterns - gap assessment. In a gap assessment, one can find missing inputs, dependencies, internal processes, and outputs for a program and recommend a way of closing the gap.
What if a gap assessment isn’t enough? What if you’re looking to secure one development style over another? Patterns don’t just show up in whales and security programs; the fashion industry has its own icon, the sewing pattern. Sewing patterns are 2-dimensional shapes that are transferred to 2-dimensional fabric, which can then be cut and sewn into a 3-dimensional garment. This simplification allows us to create 3D sculpted objects, like a shirt, using 2D drafting tools like pencils, rulers, and paper. Another powerful technique is pattern alteration. If your shirt doesn’t fit because it’s too tight across the back, you can use a pair of scissors to cut the pattern piece apart, spread the pieces out, and fill in the gap with more paper in a way that won’t distort the final 3D shape beyond the intended alteration.
Much like clothing alterations, it’s possible to use standard methods to adjust a training pattern or a secure scanning pattern from a centralized, waterfall approach to a decentralized DevSecOps approach. Carefully separate the policy requirements and objectives from the resources and authority, invest the resources and responsibility in the development teams, provide them with the re-crafted policy statements, and fill in the expansion with training, enablement, and cooperation.
Patterns exist everywhere in organizations. If you want to pull the pattern out of a regulatory compliance framework and adapt it for SSDF, find the essential parts and re-arrange them to work where you are. If you want to deploy a decentralized training capability, study the decentralized pipeline roll-out and follow that path. If your vulnerability management process isn’t working as well as your vulnerability discovery process, check the pattern and see what gaps may exist.
When shifting between layers, it’s important to remember another line from that Spacetime video - “Small Generates Large and Large Stabilizes Small.” The whale ingests krill, and as that krill makes its way through the systems and gets broken down into smaller and smaller parts, it is turned into nutrients and eventually into component proteins and cells. Those atoms, proteins, and cells cluster together into tissues, organs, and systems, and make up the whale. In an organization, the higher levels provide goals, resources, and direction to the lower levels, and the lower levels turn those inputs into fulfilled requirements, work, and value that make the business work. Diagnosing the lack of an input to a lower level often means analyzing the operational or strategic priorities and fixing problems at that level - you can’t expect a champions program to thrive without leadership support, and leadership can’t execute security requirements without developers and security professionals on the ground, doing the work.
And you thought patterns only existed at the software architecture level. The ability to recognize that patterns exist, identify their load-bearing parts, and reshape them to work for new companies, teams, roles, or domains is vital, and it will only grow in importance as your responsibilities expand throughout your career.
There are always more words to spend on a topic like this one, but I’ve hit my budget for now. Stay secure and never forget the humans.