Security design, Ray-Bans, and phones – Recap

Archive for May, 2020

Security design, Ray-Bans, and phones – Recap

Posted by

Security design weekly recap for May 24-30.

This week: John A. Macready and Bausch & Lomb. The original Ray-Bans were designed for pilot safety. Then they became cool. In our cybersecurity program, do people experience our controls as safety goggles or as cool sunglasses? Principle: Hand out Ray-Bans not safety goggles

Previously: Bas van Abel and the Fairphone. Design the security program, say with NIST controls, tied to strongly held corporate values. If it can be done with a smartphone, it can be done with a security capability. Reinforce values to gain support, speed implementation, and further adoption. Principle: Frame the initiative: reinforce values

One thing more: You can listen to Bas van Abel on the TED stage: Changing the Way Products Are Made.

Security Design Strategies for the Age of BYO

Posted by

Secure360 2020 – Security happens where man meets machine. Or, fails to happen, as we see all too often. Blame the users. They’ll click anything. Blame the developers. Half their code is riddled with vulnerabilities anyways. Blame the IT staff. You’d think they’d at least know better. But perhaps, we’ve been placing the blame on the wrong places. What exactly happens where people and technology meet? At that moment, that very moment, what factors in human psychology and industrial design are at play? And suppose we could pause time for a moment. Suppose we could tease out those factors. Could we design a better experience, design a better outcome, design a better path to the future? This session explores these questions and identifies lessons the cyber security field can learn from industrial design.

Watch more videos on my YouTube channel.

Ray-Bans over Safety Goggles – Design Monday

Posted by

A little-known fact: Ray-Bans are safety goggles. You wouldn’t know it today. You can pay a couple hundred to buy these as sunglasses from Luxottica. How Ray-Bans went from practical to luxury is a story with a lesson for developing implementation plans.

Let’s start in 1929. Flying was so new that the US Air Force didn’t even exist yet. Planes were rough, flying was dangerous, and pilots were the heroes. Whether you could see clearly was a matter of life or death. US Army Air Corps Colonel John A. Macready worked with Bausch & Lomb to make a better pair of safety goggles. The resulting Ray-Bans protected against glare and wouldn’t fog up, saving lives, and were quickly adopted by the pilots when they reached production in the 1930s.

That might be the end of the story. But a curious thing happened. Pilots were cool. Pilots wore Ray-Bans. Movie stars wanted to also be the cool hero. Next thing you know? James Dean and Audrey Hepburn are wearing Ray-Bans in movies like Rebel Without a Cause (1955) and Breakfast at Tiffany’s (1961). The glamorous pilot and the glamorous celebrity came together in Top Gun (1986). Ray-Bans had entered the public consciousness as the fashionable look. When the luxury brand Luxottica bought them in 1999, strangely, not a single headline read: “Luxottica Buys Seventy-Year-Old Safety Goggles.”

When we design a security capability, the final step is planning the implementation and migration. Buried in that process is stakeholder management. Dusty and forgotten, stakeholder management doesn’t get a lot of attention. We design the safety goggles and we hand them out. Done. But to do so is to waste a powerful force for adoption. Who are the James Deans and Audrey Hepburns of our organization? Can we reach these influencers? They are crucial to getting our new security capability adopted. Get them on-board is good. Even better and even rarer, get them to use what we’re building as a status symbol.

I’ll leave you with a personal example. This story happened back when I was responsible for security at a money management firm. These were early days. Expensive stock trading applications had two-factor authentication. The vendor would ship a physical 2FA token as part of enrollment. Because it was expensive, only the top traders had accounts with these applications. James and Audrey carrying tokens conveyed their access, privilege, and social status. Sounds strange, but back in the day? 2FA tokens were cool.

Consider your stakeholder management and adoption plan. How involved and excited are James and Audrey? It spells the difference between passing out safety goggles and sharing Ray-Ban Aviators.

Ray-Ban Aviators, Photography by Wikipedia

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

ChannelPro Podcast and SMB Security

Posted by

I was a guest on the ChannelPro Podcast:

“Hips don’t lie, folks. Neither do Matt, Rich, or their guest host this week, MSP extraordinaire and former IT Glue exec Luis Giraldo of Ook Enterprises. Listen in as they discuss Tin Can, Luis’s interesting new cooperative services venture, plus Dell’s latest commercial laptops, stats about ransomware, and ChannelPro’s 2020 Vendors on the Vanguard list. Then keep listening for a timely and insightful conversation with Cisco advisory CISO Wolfgang Goerlich about SMB security and its surprising parallels with enterprise security. We’d be lying if we said Shakira shows up too, but then again she has that effect on people.”

Have a listen here:

To see listen to other podcast interviews, click to view the Podcasts page or the Podcasts category.

Security design, denim jeans, and ugly cars – Recap

Posted by

Security design weekly recap for May 17-23.

This week: Bart Sights. In cybersecurity, when planning the implementation and ongoing operations, consider how the technology can wear in like jeans. Thoughtful design leads to a security capability which improves with age. Principle: Wear in, not wear out.

Previously: Think of Roberto Giolito who let his design be ugly where it didn’t matter, in order for the design to be Car of the Year where it did matter. Ruthlessly prioritize. Principle: Dare to be ugly.

One thing more: To learn more about Bart Sights, and more about denim jeans, check out The World According to Jeff Goldblum, episode 104, Denim.

StateTech: Ensuring telehealth solutions are HIPAA-compliant remains critical, even amid relaxed rules

Posted by

At a time when public health departments have been stretched thin by the coronavirus pandemic, telehealth solutions have helped ease the strain by connecting doctors remotely to patients. That has been especially useful during a time when everyone has been advised to maintain social distancing to help reduce the spread of the virus.

Excerpt from: How States Can Secure Public Health Telehealth Deployments

Part of the issue involves making sure the professionals who are operating the telehealth tools “have good visibility into who is compliant and who is not,” says Wolf Goerlich, advisory CISO at Cisco’s Duo Security. “A good deal of time and attention is spent on that.”

The actual appointment itself presents challenges, Wolf notes, because doctors and patients may all have different devices, different network settings and conditions, and varying bandwidth constraints.

Throughout this process, there are a number of security systems at work, says Goerlich. There is a need to confirm the clinician is who they say they are. The clinician and patient devices need to be certified as healthy and free of malware or are not going back to a command-and-control site.

“From a technical perspective, it comes down to really good authentication, access controls, adaptive access policies, device health and the integrations that happen along the way,” Goerlich says.

Read the full article here:

This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category. Do you want to interview Wolf for a similar article? Contact Wolf through his media request form.

Security Which Fits Like a Favorite Pair of Jeans – Design Monday

Posted by

Denim jeans are magical. Wear after wear, they mold themselves to ourselves. Denim jeans are hazardous. The way we produced these jeans in 1850s is far from eco-friendly. Jeans both document our personal experiences and reflect our societal shift towards environmentalism.

Denim also harbors a lesson for security capabilities. We’ll get back to that in a moment. But first, did you know Levi Strauss has a resident mad scientist?

That would be Bart Sights. Sights leads the Eureka Innovation Lab. When he joined Eureka, it didn’t look good. The techniques to produce and finish a pair of jeans used incredible amounts of water and left behind a bath of chemicals. Neither were concerns back in the 1850s when water was plentiful and production was a fraction of the scale it is today. To address this, Sights and his team kept the outcomes but tossed everything else. Starting with what makes jeans good jeans, the so called four Fs of fiber, fabric, fit and finish. Then working backwards to find different ways to achieve each. Eventually, Sights completely revolutionized the entire manufacturing process. Jeans stayed jeans. But the chemicals were filtered and recycled. And the water? Eureka’s process reduced water by 96%.

Bart Sights brought his love of denim and his need to innovate together, modernizing the means yet preserving the ends. The secret is to never forget where you are coming from. Sights’ earliest memory of denim goes back to getting three pairs of Levis ever school year. “I would watch with amazement as they changed and aged as I wore them every single day for a year, literally becoming a walking history of my experience and expression. To me, that is the magic of denim jeans.”

Patina. The design term for that sort of magic is patina. In jeans, this comes from the indigo dye and how it wears while being worn. Leather also develops a patina as it picks up oils from the skin and scuffs from the environment. The copper awning on your house oxidizing a lovely green? Patina. The counter-intuitive idea is using materials and creating designs which get better with age and use. The object becomes etched, documentation of where it has been, nostalgia manifest. If you’ve wondered why we love such items, now you know.

In cybersecurity, having people love us is a high target. Perhaps even out of reach. Still. When planning the implementation and ongoing operations, consider how the technology can develop a patina. Tuning a SIEM is one example, with each time making the rules and reports more comfortable. Machine learning has a natural patina as exposure to data wears it in and shapes it to reflect our organization. So, ML on email for fraud detection is another IT example. On the process side, slot time into operations to smooth out edges and improve the work. Much like Bart Sights re-envisioning production while keeping true to the outcomes, we too can squeeze a lot of water out of the process. Thoughtful design leads to a security capability which improves with age.

Design to wear in not wear out.

Cybersecurity that fits like a favorite pair of jeans, photography Blake Burkhart

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.