Design anarchy and Unnecessary Inventions

Archive for July, 2020

Balance depth with economy of mechanism – Design Monday

Posted by

We spend far too much time talking about defense in depth and far too little time talking about economy of mechanism.

As a design inspiration, look to Alfred Heineken. Not a designer, Heineken was a brewer and a businessman.  In the 1950s, modernizing the look of the Dutch brewing company, Heineken made two changes to the beer’s logo. He dropped the upper-casing and then, to be playful, he tilted the e until it resembled a smile. Simple.

Defense in depth suggests more controls and more tools are better. However, this complexity comes at a cost. In a study performed by Cisco, the number of vendor tools was directly correlated with the downtime from a security incident. Security teams using one vendor averaged four hours or less of downtime, while teams managing more than 50 averaged more than 17 hours of downtime.

I suspect the downtime is driven by the team’s confusion when responding to incidents. It fits my personal experience, and reminds me of what Donald A. Norman wrote in Living with Complexity. “Modern technology can be complex, but complexity by itself is neither good nor bad: it is confusion that is bad. Forget the complaints against complexity; instead, complain about confusion.”

Economy of mechanism suggests implementing the fewest controls and fewest tools to mount an adequate defense. We have a finite cognitive throughput from people doing the work and people securing the work. We have a finite budget. After we have the requirements and possible tooling options, ask how we can achieve the same results with less. Ask again, and again.

Find the letter e, tilt it a bit, and smile.

Heineken’s smiling e logo, photography by Heineken.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Scale with Philosophy and Methodology – Design Monday

Posted by

Artists create unique piece for a limited audience. Designers create for scale. The tension exists between creating something that works and building something that’s repeatable.

This tension came up in conversation around the article I wrote about Kenji Kawakami and the art of Chindōgu. The principle is employing playful anarchy to bring security controls from useless to un-useless to useful. People were quick to point out that quantifiable, repeatable, scalable security is jeopardized by the ad hoc chaos of creation.

For guidance, look to George Nelson who was the Director of Design for Herman Miller from 1947 to 1972. One of the first designs George Nelson brought forward was a “sculpture-for-use” table by Isamu Noguchi. Sculpture remade as a repeatable product. Nelson also managed designers such as Charles and Ray Eames, Alexander Girard, and Robert Propst. It’s a simple comparison to draw from furniture to technology, from the difficulty of managing people like the Eames to the difficulty of managing today’s cybersecurity talent.

Here is how Nelson did it for twenty-five years:

Philosophy. Reading George Nelson’s introduction to the Herman Miller catalog in light of the intrinsic motivation framework laid out in the book Drive. Autonomy, mastery, purpose. Nelson’s philosophy is finely tuned for getting the best out of innovative people. An unstated undercurrent is that designs must be producible. After all, Herman Miller is a business. The trick was to protect the playful anarchy while harnessing the results for manufacturing at scale. “There is a hint of the craftsman as opposed to the industrialist.”

Methodology. In modern times, George Nelson has been described as a meta-designer. That is, he spent more time designing the furniture design process than he spent designing the actual furniture. While he retired some twenty years before the founding of IDEO, Nelson would have been right at home in the world of design thinking. He pioneered a formal way to go from a series of conversations, to a series of prototypes, to a finished product. Along the way, capturing information and providing feedback to refine not only the design but also the lifecycle itself. Nelson’s approach was showcased in the “The Design Process at Herman Miller” exhibit in 1975.

The challenge in cyber security design is taking a successful proof-of-concept and scaling from prototype to securing the overall organization. How to balance the artist with the designer? The craftsman with the industrialist? Playful anarchy to well-defined operations? Nelson held a philosophy geared to foster those intrinsic motivations of the creative mind. He created a methodology for taking ideas to market. For security leadership, develop then and improve them based on feedback.

Philosophy drives the satisfaction of our people. Methodology drives the success of our initiatives. We need both, and both need continuous improvement.

Sculpture-for-use, Noguchi table, photography by the Isamu Noguchi collection.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Security design, fashion, and lounge chairs – Recap

Posted by

CyberSecurity design weekly recap for July 13-18.

This week: Yves Saint Laurent and fashion. CyberSecurity can be a bit too much like fashion. Every major event, there’s a new trend. The media buzz will say that new threats appear every day. The buzz is that our ways of defending become dated and ineffective as quickly as they’re implemented. What to do? Do the fundamentals well. Do them consistently. Do them with style. Principle: Frameworks fade but security is eternal.

Previously: Charlotte Perriand and the LC4 Chaise. Principle: Take it one metaphor at a time. Around 1930, Perriand applies the metaphor of the lounging cowboy to the LC4 Chaise Longue. Twenty years later, around 1950, Børge Mogensen applies the metaphor of Perriand’s chair to Morgensen’s Hunting Chair. And twenty years after that, we have lawn furniture inspired by Mogensen and Perriand. Technology advances at the speed in which new metaphors are identified, shared, adopted, and absorbed. Principle: Take it one metaphor at a time.

One thing more: YouTube has a documentary called Charlotte Perriand: Inventing the World. “An opportunity to review Perriand’s life and career from the perspective of her artistic activities as well as her social and political engagement. We talked about her stance on the individual’s role in nature, the position of women in society, a new type of living environment, the way different types of artistic creation relate to each other, and the concept of a synthesis of the arts.”


This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Frameworks fade but security is eternal – Design Monday

Posted by

Frameworks fade but security is eternal. Said with apologies to Yves Saint Laurent.

Yves Saint Laurent was a dominant force in fashion from the 1960s through to end of the century. His strengths stemmed from three areas. First, seeing the underlying fundamentals and being able to re-envision them across genders, across times, and across trends. Second, the ability to cross artforms for inspiration, most notably with Piet Mondrian and geometrical shapes. Finally, the ability to reformulate high fashion at couture for mass production. Yves Saint Laurent was the first to open a ready-to-wear line in Paris. He was a designer who mastered how to take the pieces apart and put them back together for new tastes and new markets. It Yves Saint Laurent who once famously said, “fashion fades but style is eternal.”

Last week, we looked at how the adoption of a control — doing something right but rare — has surprising stopping power against common attacks. But the fast-changing early adoption must be balanced with slow-changing fundamentals.

CyberSecurity can be a bit too much like fashion. Every major event, there’s a new trend. The media buzz will say that new threats appear every day. The buzz is that our ways of defending become dated and ineffective as quickly as they’re implemented. New frameworks cry out that the old ways were wrong.

This last bit is particularly on my mind in 2020. A new version of the CIS Critical Security Controls came out late last year. NIST is releasing a new version of its standard for security and privacy controls (NIST SP 500-53B). And the new PCI DSS (Data Security Standard) for credit card security is due any time now. Each framework will be accompanied by a wave of press on how everything has changed. The last version is so last season, and simply won’t do.

But is it? Is it really?

Like style, fundamentals in security remain the same even while the specifics evolve. We need to know our people and our technology. We need visibility into what’s happening and what’s changing. We need to think in terms of lifecycles and act in terms of incidents. We need to make sure the simple habits that result in defensible positions are done regularly. Finally, we need to understand the adversary’s objectives and tactics. From mainframes to data centers to cloud infrastructures to tomorrow, the fundamentals hold true.

A security architecture is comprised of a series of building blocks. Some building blocks should be innovative and ahead of our peers. Most building blocks should do the fundamentals and broadly cover the frameworks.

Do the fundamentals well. Do them consistently. Do them with style.


This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Security design, the first CRT font, and Ray-Bans – Recap

Posted by

CyberSecurity design weekly recap for July 6-11.

This week: Wim Crouwel and the New Alphabet. The first computer screen font predated the personal computer by a decade. Crouwel saw the possibility of CRTs and glimpsed the future of computers. By accepting the CRTs limitations as creative constraints, Crouwel redesigned the alphabet with straight quick lines. Crouwel released New Alphabet in 1967. It was innovative. It was unreadable. But it made a statement. Principle: Be ahead of the curve and ahead of the criminals.

Previously:  Colonel John A. Macready, Bausch & Lomb, and Ray-Bans. A little-known fact: Ray-Bans are safety goggles. You wouldn’t know it today. You can pay a couple hundred to buy these as sunglasses from Luxottica. How Ray-Bans went from practical to luxury is a story with a lesson for developing implementation plans. Principle: Hand out Ray-Bans not safety goggles.

One thing more: There’s a YouTube video on How Ray Ban Became the King of Sunglasses that’s worth checking out. One thing I didn’t mention in the Ray-Bans article was how the invention of a technique that makes lenses from molten glass which were impact-resistant made the sunglasses possible in the first place. It was a technical leap forward.


This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Ahead of the Curve – Design Monday

Posted by

The first computer screen font predated the personal computer by a decade.

The tech wasn’t about to cooperate. For those who weren’t around during the CRT (Cathode-ray tube) screen days, here’s the thing. CRTs, in the sixties, refreshed slowly, updated even slower, couldn’t draw curves, and could barely draw a pixel. Any sane person would stay away from them.

Enter Wim Crouwel. Crouwel saw the possibility of CRTs and glimpsed the future of computers. By accepting the CRTs limitations as creative constraints, Crouwel redesigned the alphabet with straight quick lines. The resulting font, New Alphabet, displayed clearly on the limited screens. Crouwel released New Alphabet in 1967. It was innovative. It was unreadable. But it made a statement. New Alphabet informed the designers of the personal computers. It took a decade. But when the Apple II, Commodore PET, and TRS-80 hit in 1977, each computer featured a CRT screen and a fully readable font. The possibility Crouwel saw had come true.

With all the talk about cyber security constantly changing, we’re surprising slow at adopting new and innovative controls. We give the same excuses Wim Crouwel would have heard from his peers: the technology isn’t ready, it’s too hard, it’s too new. I recall running into this when deploying firewalls in the early 2000s. An excellent control was egress filtering. Most thought about firewalls protecting traffic coming in. But by looking at traffic going out, we could stop malware and attackers from calling home. Most engineers didn’t want to do this because it was too hard. We did. And until most defenders adopted egress filtering, attackers didn’t bother working around it, so the simple control caught many a bad guy.

Early adoption of a control — doing something right but rare — is super effective against casual attackers and commodity attacks. It may be easily bypassed by advanced attackers or sophisticated tools, but the majority of the time organizations face more common threats. The control continues to be effective until many have adopted it. Consider:

Example 1) Mac OS X computers were more secure on the Intel platform from Windows when released in 2006. Macs had 8% of the market share by 2014 and little malware. By 2019, the share of the desktop market running Macs climbed to 17%. That same year, Windows had 5.8 malware detections per computer per year. Macs had nearly double, 11 malware detections per computer. Macs had great stopping power for thirteen years.

Example 2) Windows 10’s market share reached 25% by 2017. Windows 10 had a feature that auto-played image files like ISO. This was a great new feature for phishers because most spam filters blocked executables like EXE. In May 2017, criminals started repackaging their malicious EXEs in ISO files and sending them on through. Sure, some organizations were filtering ISOs. But most weren’t, at least, until 2019. When spam filters finally caught up, April 2019, criminals simply switched from ISO to IMG image files. But for nearly two years, a simple ISO filter had stopping power.

Example 3) One last example that’s near to my heart. When Microsoft Office 365 email launched in 2011, the early adopters quickly rolled out multi-factor authentication (MFA). Attacks reusing stolen credentials were easily blocked, stopping phishing for passwords. By 2019, MFA adoption on Office 365 email exceeded 20%. The criminals began to switch from trying to steal passwords to trying to steal the authentication tokens, thereby bypassing MFA altogether. Eight years. While MFA still has stopping power, the threats are beginning to adapt.

Wim Crouwel was a decade ahead of his time and his font never saw wide adoption. Though it did have a resurgence in popular culture in 1988, when Peter Saville and Brett Wickens used New Alphabet for Joy Division’s Substance album cover. Wide adoption wasn’t the point. Showing others the possibility of the new medium was, and at that, Crouwel succeeded.

When designing and implementing cyber security controls, Crouwel is an inspiration. The tech will not cooperate. The result won’t look normal. But doing something right but rare, adopting a security control ahead of the pack, has demonstrated stopping power. Because it’s right, it stops the common attacks. Because it’s rare, criminals aren’t incentivized to work around it. The early adopter strategy can give our organizations and advantage that lasts years.

Being ahead of the adoption curve is being ahead of the criminals.

New Alphabet font designed by Wim Crouwel

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.