Working in security is a commitment to a career of cognitive dissonance. Our work requires (more like demands) healthy skepticism. Yet we somehow find ourselves coming to work each day. We know about all the proverbial skeletons in the closet of services, devices and apps, and all the myriad ways in which they could go wrong, and yet we have committed ourselves to fixing them. A curious, skeptical nature mixed with a bizarre desire to do good will get you very far in security.

It might also be your undoing. The same instinct that makes you good at this job, assuming everything will break, can quietly become the reason you refuse to engage when something new shows up.

Epistemic and defensive skepticism

Skepticism is an interesting concept philosophically. It can present as both a defence mechanism and an epistemic (meaning a means of seeking knowledge) virtue, and working out which brand you have requires self-examination. A fair distinguishing feature between epistemic and defensive skepticism is the direction in which it faces. An epistemic skeptic is equally skeptical of all things, seeks balance between belief and evidence, and withholds or caveats judgement under uncertainty. This framework is applied uniformly to both internal and external ideas or values. A defensive skeptic, by contrast, typically applies this framework only to that which threatens existing beliefs or could introduce emotional risk. This leaves uncomfortable assumptions unexamined and is arguably just a form of intellectualisation rather than a legitimate desire to be more critically minded.

Are you fairly applying your skepticism to AI?

Defensive skepticism in practice

It’s likely you’ve experienced this before; perhaps it’s something you might, upon reflection, notice in yourself. Refusing to evaluate or approve AI tooling because “it represents too great a risk”, yet not choosing to understand it. Being critical of those who use AI as part of their workflow, not because their approach is flawed, but because they have an approach at all. Or perhaps you’ve seen the perpetual sandman. Not reading, not testing, not forming an opinion and treating that absence as a position. These all seem like unique and perhaps understandable responses, but they all produce the same outcome: you’re not in the room when it matters.

The price of being defensive

Absence is not a defence, nor is refusal. AI adoption is something that will happen. LLMs do not need to be correct to be successful. They just need to be close enough. Your developers are going to use AI, your HR staff are going to use AI and your executives are going to push AI. In security we frequently talk about Known Knowns, Known Unknowns and Unknown Unknowns. Usually it’s the unknowns that keep us awake at night. But here’s an unknown worth losing sleep over: in every room you’re absent from, you’ve left an empty chair. That chair was your chance to help make decisions about how AI gets adopted, what guardrails should exist, what data should flow where. Those decisions are getting made right now, by those who show up. You’re on the back foot, responding, not guiding; flailing, not leading.

Philosophy meets practicality

Question. Why do you patch vulnerabilities? There are a lot of answers to this question, and the majority of them are correct. Consider for a moment, if you will, the futility of the practice. Do vulnerabilities ever stop? You don’t refuse to patch a vulnerability simply because there will be more. When we must, we simply do. Yet somehow this logic doesn't survive contact with AI. What you're doing every time you patch is what Camus described. You push the boulder knowing it rolls back. You don't stop because it's futile, you find meaning in the effort. Camus concluded this wasn't despair, it was engagement in spite of the absurdity. "One must imagine Sisyphus happy."

So why is AI the boulder you've decided to sit down in front of?

Being in the room

So where does all this leave us? The answer is clear: you need to be in the room. You need to be an active part of the decision-making process. This does not mean you’re a cheerleader. You don’t have to be “pro-AI”. Rather, you should let the very skepticism that is excluding you become a virtue. This means your solution to AI in your organisation cannot simply be no.
