The Science in Ideation
Great ideas are critical for innovation. However, a common pitfall of the ideation process is the lack of systematic analysis of an idea after the initial ideation phase. Because good and productive ideators are often also charismatic in selling their ideas, this critical step is frequently skipped.
A good example from the application security field is a blog post by Mark Curphey in which he suggests a program for making the world more secure by subsidizing software security apprenticeships. Mark is the founder of OWASP, one of the more intriguing information security user communities out there, so we should probably hear what he has to say about a community project to make applications more secure.
Or should we?
Last night I saw Dan Ariely’s wonderful (as usual) TED lecture “Beware: conflicts of interest”. Dan, a professor of psychology and the author of “Predictably Irrational”, reminds us yet again that we seldom base our plans and ideas on sound ground. When ideating, we tend to see only the positive sides of our ideas without examining them as a whole.
Mark’s idea may be the best out there, and many people in the OWASP community agree with him. I cannot claim otherwise, as I have not systematically analyzed it. However, neither did Mark. The key sentence in the post is “I have an idea <full stop>”, and beyond that the post does little to substantiate the idea’s validity.
One issue to note is that the post identifies a problem and suggests a solution, but never stops to analyze the root cause of the problem. It identifies the problem as a lack of application security talent and proposes an apprenticeship program sponsored and mentored by the community. However, establishing whether this is a good solution to the problem requires understanding its root cause. Is it just a lack of training resources? And if so, would this be the most cost-effective way to provide training?
I have my personal (unproven) ideas as to why we lack enough application security professionals. One of them is that, while application security requires very smart people, it is still a less prestigious field than development. Another is that information security is pretty frustrating due to the severe compromises our business environment requires: security is still, after all, secondary to functionality and schedule when releasing software. Each of those issues would require a very different solution from the one Mark suggests.
A second issue with the post is that it tells each participating party what’s in it for them, but not what they stand to lose. For example, interns may receive great mentoring and training, but they are bound to a below-market salary for the 18 months they sign up for in return for participation. There is a reason most people today rely on student loans rather than corporate sponsorship for a college degree.
I do need to apologize to Mark for picking on him. We all do this all the time, and our environment, which rewards ideation over systematic scrutiny, practically requires it. Moreover, ideation may need freedom from detailed analysis in its initial stage. But while commercial ideation can let market pressure decide, allowing only one in many startups to succeed, community investment, whether by governments or NGOs, requires more careful analysis up front.