One of my favorite memories comes from the mid-1980s at Hanscom AFB, just outside Boston. I was a young junior officer, married to the Love of my Life (TM), with two daughters: a toddler and a newborn. My wife and I lived on the airbase, and she wanted to host our neighbors to celebrate the attainment of a life goal for me: attaining my master’s degree. I was excited and proud of this achievement and my wife baked treats for two days to prepare the celebration.
When friends and neighbors arrived, we set up tables with goodies and snacks, turned on the stereo, and poured drinks. It was a grand time, and I was feeling both happy and relieved to have completed a years-long task of late nights juggling family, work, and school. I was standing among the guests with my wife when a fellow officer who lived next door walked up and casually asked me from which institution I had graduated.
“I received my MBA from Western New England College,” I said with a tinge of pride in my voice.
“Really? WNEC?” he replied with a sneer, deflating my ego pretty quickly. “If I were to get my master’s here, I’d go to Harvard or BU.”
“I suppose those are better schools” I replied. “Where did you decide to go for your master’s?”
“Oh, I don’t have one yet. I am still making up my mind about where to enroll.”
It was all I could do to stifle a chuckle and look serious. So, I just nodded my head and wished him the best of luck in choosing the right institution.
For those three years, I was under the Tyranny of the How.
How was I going to able to attend university full-time, work full-time, and still provide for my young family?
How was I going to sneak in study time at the kids’ sports events?
How was I going to pay for this education while not jeopardizing my family’s current and future welfare?
How was I going to divvy up those precious 24 hours each day to meet my goals?
Answering these “Hows” had become my daily routine for three years. These questions ruled my thoughts.
But before I could succumb to the Tyranny of the How, I had to answer the bigger question: the Why. Why did I want to pursue this goal at this time in my life? Every time I felt overwhelmed by the How, I had to go remind myself of the Why. I was doing this to advance my career and position myself for not only military promotions, but for a better and more profitable professional life after I hung up my uniform for good. There was likely to never be a better time.
Once I has answered that overriding question, I could finally begin to wrestle with the daily Hows.
On one of my recent security consulting engagements, my team and I were constantly being pressured by the Tyranny of the How:
How quickly could we implement new technology to get better reporting from the SOC?
How were we going to document and track application vulnerabilities?
How could we better provide and control privileged access management for critical servers?
But in order to assess the appropriate answers to these Hows, we had to keep returning to the Why.
Why are these investments necessary to provide for the confidentiality, integrity, and availability of this organization’s digital assets?
Only when cast in the light of the Why did the Hows come into focus and provide the necessary guidance and metrics to make weighty financial and personnel decisions. In the security profession, the Why is the science of risk management. It guides and drives the entire process of what we call security. The process is a journey that never ends.
