Breaking Boundaries, Not Accepting Limits


Posted on by Michael Daniel

The theme for the RSA Conference 2024, the Art of the Possible, often connotes a limitation on options or outcomes. In this usage, the “possible” is contrasted with the “ideal” and represents the range of results that seems attainable. Focusing on the “possible” in these situations is usually considered a virtue. The ideal is so rarely obtainable that clinging to it too hard can produce worse outcomes than a compromise.

However, we can also use the Art of the Possible to mean breaking boundaries. In this usage, the phrase means finding an unexpected combination or range of outcomes that makes all the stakeholders better off. Searching for the possible becomes a journey into the unknown or the untried. Practicing the art of the possible in this way means creating opportunities that did not previously exist. It is not necessarily about obtaining an ideal solution, but it does expand the option space beyond what conventional wisdom says is obtainable.  

Unfortunately, cyber defenders often get stuck in the first meaning of the phrase. We talk about the constraints’ defenders face, from legal issues to economic incentives to technical problems. While these limitations are real, if we let them define the “possible” then we will never succeed in improving the security of the digital ecosystem. The constraints are too tight, too confining, for the art of the possible in that sense to generate much in the way of useful outcomes. If we keep searching for solutions with that mindset, we won’t get very far. 

Instead, we need to use the “art of the possible” in its second meaning. We need to search for ways to make the constraints not so binding. What happens if we change the definition of success from “keeping the bad guys out” to “preventing malicious actors from achieving their goals?” In the second formulation, defenders get many more opportunities to disrupt the adversaries’ plans because if we stop them at any point short of their goal, we succeed. The “possible” gets much bigger in this mindset.

What happens if we change the policy rules around how the cybersecurity burden is distributed across the ecosystem? The current distribution that places almost all the burden on the end user is not the result of some immutable law of nature. Rather, it stems from the policy choices we have made. If we change some of those parameters, then the option space expands dramatically.

This year’s RSA Conference provides the opportunity to explore ways to use the Art of the Possible in the second meaning. We have the chance to revisit assumptions, change perspectives, challenge preconceptions, and ask a lot of “what if” questions.  Those “what ifs” frequently lead nowhere and that’s okay. All we need is a few of the “what ifs” to take off and generate new opportunities. so that we can transform the digital ecosystem into one that favors the defenders over the malicious actors.  

Here’s to practicing the art of the possible. See you in San Francisco.  

Contributors
Michael Daniel

President and Chief Executive Officer, Cyber Threat Alliance

Professional Development & Personnel Management

innovation policy management professional development hackers & threats standards & frameworks visualization platform integrity software integrity

View More Blogs

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs