From time to time I’ll hear someone refer to information security as an art or a science. This article entitled “CyberGirlz: Middle-school girls learn the art of cybersecurity” is one example. And I’ve had people come right out and ask me if I thought information security was an art or science. I’ve always considered this either/or question a false dichotomy—a question which presumes the answer must be one or the other choice. Because to me, neither answer—art or science—is satisfactory.
I’ll explore both to show you why I think so.
Firstly, and the more problematic of the two options for me, is information security as a science. The definition of a science can be boiled down to “the systematic study of the structure and behavior of the physical and natural world through observation and experiment.” Two obvious sciences jump to mind: physics and medicine. Both of these sciences are based on centuries of curious people making hypotheses, gathering evidence, and conducting experiments to make advances in their fields.
Which makes a good case for why infosec isn’t a science because infosec doesn’t work that way at all. Most infosec practitioners aren’t making hypotheses, gathering evidence, and conducting experiments to do their jobs. Information security isn’t a field where there’s much left to be discovered. Sure, there are always new vulnerabilities that crop up, and we can always get better at the actual practice of protecting information, but that doesn’t make it a science.
Whenever someone refers to information security as a science it sounds to me like they’re trying to make it out to be more than it really is. Massimo Pigliucci says it well in his blog post “Why plumbing ain’t science”:
If plumbing really was a “science” in any interesting sense then it would be baffling that we force wannabe scientists to go through years of college, years of graduate school, and years of postdoc, to do something essentially analogous to fixing your bathroom. Ah, you might object, but the amount of technical knowledge necessary to become a biologist is much higher than that necessary to become a plumber. True, but if you think that all that young scientists learn, especially in graduate school and during their postdoc is more facts, you have never been in a real science lab.
There are plenty of people being paid to practice information security with no more than a high school degree and a strong technical aptitude. Perhaps they’re starting out as a junior information security analyst and they’ll develop the skills and knowledge to become a high-paid information security professional, but that hardly compares to the rigors of college, medical school, and competitive internships required to become a doctor.
Secondly, is the idea that information security is an art. Calling infosec an art sounds pretty far off the mark to me, despite the fact that there’s a book called “Zen and the Art of Information Security.” The definition of art is “the expression or application of human creative skill and imagination… producing works to be appreciated primarily for their beauty or emotional power.” Are we creating art when running security scans, writing security policies, or auditing the compliance of security controls? I don’t think so. We’re really just doing what’s necessary to keep our organization secure.
I’ll accept, though, that there are elements of art and science in information security. Each organization is different and different security managers will use their unique experiences to decide the most appropriate ways to mitigate what they think are the most relevant risks. That’s the “art” part of infosec.
On the other hand, we’re always seeking hard evidence to support our understanding of the organization’s environment. Likewise, we can get a third party evaluation of our security posture based on internationally-recognized standards. That’s the “science” part.
As I said at the beginning, the choice of “art or science” makes it seem like there are only two options to pick from. What about infosec being a philosophy, discipline, or profession? Infosec is definitely not a philosophy (“the study of the fundamental nature of knowledge, reality, and existence”), though. I’d say that information security is both a discipline (as in an “activity, exercise, or a regimen that develops or improves a skill”) and a profession (“a vocation requiring knowledge of some department of learning”). But it’s not simply either an art or science.
Do you agree or disagree? Leave your thoughts in the comments!
Photo credit: Mars P.