The Right Raga

Sitar, Indian (MET, 1994.63)

Definitions from Oxford Languages

ra·ga
/ˈräɡə/
noun
  1. (in Indian music) a pattern of notes having characteristic intervals, rhythms, and embellishments, used as a basis for improvisation.
    • a piece using a particular raga.

A musicologist I once knew told me the following story:

I taught music theory on a faculty that included an Indian professor who was not all that impressed with Western music. Imagine my surprise when, one day, I heard Mozart coming from his office. When I asked him about it, he said, "Mozart is different; he always finds the right raga!"

So it is with technology in general and cybersecurity in particular: the key to success is finding the right raga, no matter the genre. This is not as simple as it sounds, because being a Luddite or a newness-worshipping Neophile both work, sort of. What's the alternative? The alternative toward which we must strive is Karmic Balance. We must weigh risk against reward, cost against benefit, the present against the future.

Being a Luddite sort of works because sufficiently out-of-date technology is a niche, which means that few opponents are focusing on it. For example, I happen to drive a 22-year-old car; a security expert of my acquaintance was very impressed when we walked to our cars after a meeting. "I don't drive computerized cars either; too easy to hack!" he said. This is true, but not why I happen to drive this particular car. To me, the benefit of being safe from having my car hacked is low, since I flatter myself that no one is trying to murder me. But being out-of-date often means that your technology does not even offer the services that the current army of malicious hackers seek to exploit. A straight-up DOS machine is impervious to remote attack, and it is similarly very limited in its usefulness. Being a Luddite only sort of works because you risk failing to provide all the services you could safely provide, or relying on technology with flaws or attributes easily exploitable by the first expert who comes along. This is "security by obscurity," and it is brittle, by which we mean that it is solid until it shatters. I call the cyber defenders who survive this way "Dr No" because they say "no" to just about everything new, thereby reducing their professional lives to a problem they have solved before. Working with them is frustrating in the extreme.

Being a Neophile sort of works because getting on the latest-and-greatest treadmill sometimes allows you to outrun problems, at least for a while. For example, I have worked with more than one development team that endlessly repeated itself, essentially rewriting its code every few years using whatever tools were then shiny and new. Being on the bleeding edge often means that hackers haven't had a chance to catch up yet, and that mediocre cybersecurity won't cost you until they do. Being a Neophile only sort of works because you risk serious flaws in immature technology, news of which happens to spread like wildfire through the hacker community. And then your goose is cooked. (There are other issues not related directly to cybersecurity, such as lost productivity and high development costs, but I shall leave those to managers.) I call the Neophiles the Cult of Newness: Is it new? Let's try it! Does it work? Who cares, there is a new New Thing to try! Working with them is exhausting.

Entropy is a relentless foe, and in cybersecurity Entropy gets an assist from Evil. Achieving Karmic Balance in cybersecurity is both difficult and never-ending. At the lower end of the org chart, cybersecurity requires an equally relentless dedication to procedure and policing. At the higher end of the org chart, cybersecurity requires constant balancing of resource allocation against priorities.

Striking this balance every day is hard. We can help.