Book Review: "Black Box Thinking"

Cybersecurity Canon Candidate Book Review: “Black Box Thinking” by Matthew Syed, (published September 8, 2015)

Book Reviewed by: Kaoru Hayashi, Field CSO Japan, Palo Alto Networks, Oct 25, 2019.

Bottom Line: I don't recommend this book for the Cybersecurity Canon Hall of Fame, but if you are interested in the topic, this is a good one to read. 

Review:

Mathew Syed, a British columnist and writer for “The Times” newspaper, writes “Black Box Thinking” about how people and organizations learn from failure. This book covers various studies of individuals and organizations, such as the aviation and medical industries, and how they overcame failure. Similar to cybersecurity, these industries experience some truly advanced attacks that cannot be prevented. However, most security incidents are caused by simple mistakes, such as misconfigurations, using weak passwords or forgetting to apply updates to fix vulnerabilities. We see these common failures or mistakes repeated all over the world. This isn't a cybersecurity book, but it can help guide those who want to build a safer and more high-performance organization.

The key messages of the book are:

1. To succeed and progress you need to learn from failure.
2. Appropriate systems, culture, ways of thinking and methods are necessary for learning.
3. Pay attention to elements of psychology and organizational culture that hinder learning.
4. Share what you learn with the industry.

There are a number of key concepts and topics in “Black Box Thinking,” and here are a few that are important for cybersecurity:

System and Workflow

A single mistake can be fatal to an aircraft, so the aviation industry tries to automatically acquire as much data as possible. If something happens, the procedure is to analyze the data, investigate the cause and take immediate action to prevent the same failure from happening again. The "Black Box" in the title of this book is the flight recorder on the plane. It creates the most important record for investigating the root cause of an aviation accident.

In cybersecurity, it is also important to create a cycle in which records are automatically recorded as much as possible and analyzed in the event of an error.

One interesting point Syed makes in the book is that to learn from failure, you need to consider not only the data you can get but also the data you can't collect. It’s not possible to obtain and retain all necessary data for technical, economic and other reasons, but it is very important to understand the data that you have and the data that you do not have at the time of analysis.  This helps you investigate the causes of an issue and allows you to build more effective response measures moving forward.

Mindset and Culture

In order to succeed, it is necessary to learn through trial and error. As such, successful people have a positive attitude toward failure because they know that they can experience meaningful evolution by facing failure directly and repeatedly trying again. Growth mindset and growth culture help us unlock the potential of individuals and organizations.

There is no complete security. Even if you achieve a certain level of security, it cannot be a permanent solution. Organizations and human behavior cannot be predicted, and what is required of security will change according to the times and circumstances. Security is an iterative process, and organizations need to institute a mindset of improving productivity and security through embracing new challenges, rather than fearing change or failure.

What Prevents Learning from Failure

Syed also explains various human factors that hinder learning from failure.

• Mistakes threatening self-esteem or professionalism.
• Fear of failure and perfectionism.
• Hierarchical relationships that don’t allow individuals to point out mistakes.
• Mindset and culture of placing blame on individuals for failure.
• Fundamental attribution error by the brain, which tends to think of the simplest and most intuitive story.

Since cybersecurity is part of human and organizational activity, it is easy to imagine that some of the factors listed here have caused a drop in security levels. In particular, blame and intolerance can cause serious damage. When a security incident occurs, the person who fell victim or the IT or security team is often accused of being at fault, which doesn't help at all. If the culture of immediately shaming and blaming individuals is rooted in the organization, nothing will be reported, and no one will want to join the IT or security team. As explained in this book, it is important to face failures, identify the cause, make improvements and make the organization safer.

I recommend adding this book to your reading list. Information technology is evolving day by day and is now an important part of the foundation of our lives. Cybersecurity has never been more important to human life, and everyone bears part of the responsibility for following best practices to keep ourselves and our organizations safe. “Black Box Thinking” does not focus on cybersecurity, but it includes many tips that can contribute to more advanced processes and safer digital lives. 

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!