Cybersecurity is a wicked learning environment

I recently rediscovered a post on Daily Dave from Halvar Flake. In it, he eloquently describes what some of us in cybersecurity now experience. At one point, we were navigating near-constant learning and change. We thrived on the excitement of what we were doing. As the industry grew, we participated in creating, embracing, and fighting many trends. We built careers in a field that, decades ago, lacked a formal education path and, to some, lacked any form of credibility. In re-reading Halvar's post and reflecting on all of this, I found myself reflecting most on my own learning journey. 

It got me thinking about the nature of learning within our field—a landscape that psychologist Robin Hogarth might describe as a "wicked" environment in contrast to more forgiving "kind" environments.

What I've come to realize is that security is a wicked place to learn.

Learning Environments

Psychologist Robin Hogarth gives us an excellent way to think about why some people spend years in an industry and only gain experience while others develop expertise. 

Expertise involves developing nuanced mental models and honing advanced pattern recognition skills that allow for effective predictions and decisions in complex situations. Experience, by contrast, means having years of exposure without necessarily building the frameworks needed for accurate judgment in complex scenarios.

Kind vs. Wicked Learning Environments

According to Hogarth's model, there are "kind" learning environments and "wicked" ones. In a kind environment, people learn from consistent, recurring patterns. The feedback is immediate and clear, so the process of learning is straightforward over time. 

In a wicked environment, on the other hand, information is obscured or delayed, and feedback can be inaccurate. Sometimes, conditions reward misguided actions, which makes learning much harder. It requires more time, digging deeper and always expecting the unexpected. 

Cybersecurity is, without a doubt, an exceptionally wicked environment.

The Unique Challenge of Cybersecurity

In cybersecurity, we are constantly making decisions to manage risks—risks like theft, compromise, exposure, and so on. These risks may never materialize. And if they do, it might be a long time before they become apparent. Our adversaries are elusive (duh), iterating on ways to evade or deceive, which further complicates our learning feedback loop. 

The tl;dr is cybersecurity offers slow, weak, sometimes misleading feedback.

This wicked learning environment impacts every aspect of the cybersecurity industry, from career growth to business risk management. It especially affects how buyers and sellers navigate the security market ecosystem.

A new lens

I could outline the various ways I believe the wicked environment manifests itself within the security ecosystem. The list would be fun, and possibly controversial (opinions often are :). But instead I want to stop here.

As RSA approaches next week, I hope the concept of wicked vs. kind learning environments offers you a fresh perspective. Whether you're on the show floor, engaging with industry peers, or wanting to reflect during your flight, consider using this new lens to “lift the boats around you”

Cheers!