Anti-patterns and Patterns for Directing Security Projects – Design Monday

Archive for November, 2020

Anti-patterns and Patterns for Directing Security Projects – Design Monday

Posted by

An implementation is like a movie, directed by leadership and produced by project management. Successful security implementation projects start strong, start with style, start like movies. As projects are running, what else can cinema teach us?

I began this series of cyber security design principles with an insight: to see things differently, look at different things. Spend a week with an artist, designer, or director. Find a security lesson. Share what I find. Sometimes my process is easy, sometimes difficult. Yet no one has challenged me more than Federico Fellini.

Federico Fellini. Distinctive, acclaimed, the Italian filmmaker was legendary in the twentieth century. He directed thirty-one films, “was nominated for twelve Academy Awards, and won four in the category of Best Foreign Language Film, the most for any director in the history of the Academy.” You’ve seen a movie scene inspired by (or directly copied from) a Fellini film. It’s guaranteed. Let’s take one example: Fellini’s Casanova. The film follows the titular Casanova on an adventure across Europe, while highlighting what makes Fellini a legendary director and a example for cyber security.  

Anti-patterns in project management from Fellini’s Casanova:

  • Micro-manage your people. “Puppets are happy to be puppets if the puppeteer is good,” Fellini said of his relationship with his actors. Donald Sutherland, who played Casanova, described it as being the worst experience of his filmmaking career. Every action micro-managed and scripted, until nothing of the talented actor remained.
  • Force your people to fit your stereotype of talent. Sutherland is unrecognizable as Casanova. Fellini has him wearing a false chin and nose. He raised Sutherland’s hairline, which then necessitated false eyebrows to even the look out.
  • Over-engineer details that don’t affect the final result. Fellini, unsatisfied with the color and waves from the water, had a plastic simulated lake created for Sutherland to row across. Almost a decade later, furious the color blue wasn’t the right color blue, Fellini would delay production while an entire faux ocean shore was created with plastic sheets for And the Ship Sails On.    

James P. Carse popularized the idea of finite and infinite games. Most games we are familiar with are finite: you play to win, you play to maximize your results at the expense of the other players. Infinite games ongoing: you play to continue others to play. Federico Fellini films were finite games. Sutherland never worked with Fellini again. By contrast, the Golden Age of cinema was an infinite game. (Well, infinite, until it stopped in the 1950s.) Major film studios had in-house production crews and contracted actors. While the roles varied and films came and went, the directors were incentivized to keep the best people playing with them.   

Cyber security in an organization is like the Golden Age of cinema. The leader’s role is encouraging people to want to play with us again and again, implementation after implementation.

Don’t be Fellini. Manage projects with the following patterns:

  • Set the vision and collaborate with people on execution. Listen.
  • Personalize the approach and tasks for the people on the project. Individualize.  
  • Maximize efforts where they matter by minimizing where they don’t. Simplify.

Directing implementation projects is both an art and a game. It is the art of engaging people in an infinite game. Good security projects leave people hungry to play again.

Afterwards

Security is often a story about crime, and criminals often make mistakes even while succeeding. Imagine someone stealing backup tapes to get at stored credit cards, not realizing they were also stealing people’s spreadsheets. In 1975, thieves broke into Technicolor labs and made off with film from 120 Days of Sodom. The heist also swooped up seventy reels of film from Casanova, forcing Fellini to reshoot weeks of material.

A good reminder to classify and protect data according to what criminals value … rather than what a snarky blogger might value.


This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Verizon Taps Cisco, BlackBerry for Internet Security

Posted by

Verizon’s new Business Internet Secure bundle for small businesses taps Cisco and BlackBerry security services to help protect customers’ routers and connected devices. A recent Verizon Business survey found 38% of small businesses moved to remote work because of the COVID-19 pandemic. 

Excerpt from: Verizon Taps Cisco, BlackBerry for Internet Security

To support this transition, Verizon Business Internet Secure protects against threats at two points where attacks typically occur: employee devices with BlackBerry and the internet with Cisco Umbrella.

Even pre-pandemic, small businesses faced the same threats and potential damages from an attack, according to a Cisco security report based on a survey of almost 500 SMBs. The report also found that these companies take security preparedness every bit as seriously as their larger counterparts. And this matters because the security industry has traditionally been biased against SMBs, perpetuating the myth that they don’t prioritize cybersecurity, the report says.

“SMB executives, IT executives, security executives in these businesses have done their best to address the problem,” said Wolfgang Goerlich, advisory CISO at Cisco Duo in an earlier interview. What this means is that SMB IT and security leaders now have to ask themselves what’s next, he added. “Where do I go from here?”

Read the full article: https://www.sdxcentral.com/articles/news/verizon-taps-cisco-blackberry-for-internet-security/2020/11/


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Security Culture needs Security Advocates – Design Monday

Posted by

“Everything is design. Everything.” — Paul Rand (1914–1996)

Paul Rand is behind so many stories this series has covered. The Olivetti Valentine typewriter designed by Ettore Sottsass and used by Dieter Rams in his documentary? Paul Rand did Olivetti’s US advertising. Speaking of Deiter Rams, the Braun shavers that made Rams famous? Paul Rand bought every model. (Though Rand once said he would “buy just for their beauty and then put them in a drawer.”) IDEO, the birthplace of design thinking? Paul Rand did IDEO’s logo. He collaborated on a team with Charles Eames on IBM’s Design Program. I like to think some of that work was in the IBM plaza building that Ludwig Mies van der Rohe designed. The building, by the way, sported the iconic IBM logo which was, you guessed it, designed by Paul Rand.

Paul Rand was instrumental in creating the culture and discipline of graphic design. He taught the next generation at Yale from 1956 to 1985, with a break in the 1970s. Rand was visiting professor and critic at a number of other institutions. Check out the book Paul Rand: Conversations with Students for a view into that work. “What is design?” Paul would often ask. When he wasn’t creating, Rand was instructing, and through instruction, he was creating culture.

Like Paul Rand fostered designers who brought ideas to wider audiences, security leaders need to foster advocates who will bring security ideas to the wider workforce.

We don’t talk much about advocates. A security advocate is a member of the security team who focuses on getting practices into the hands of the workforce. It’s more common for us to talk about security champions. A security champion is a member of the business itself, who collaborates with the security team on best practices. A fully fleshed out security capability has advocates working with champions to interpret and implement security controls. In a well-run security capability, those controls will be usable and widely adopted, because of the partnership of advocates and champions.

To learn more about cyber security advocates and what they need to succeed, check out the “It’s Scary…It’s Confusing…It’s Dull” research paper. These professionals “advocate for systems and policies that are usable, minimize requisite knowledge, and compensate for the inevitability of user error.”

Here are four practices from Paul Rand that we can apply to designing a security advocacy program:

(1) Coach on tangible work, not abstract principles. Rand’s courses were practical not theoretical, with advice given based on the student’s work. He focused stories, literature, examples, and more through the lens of the work at hand.

(2) Coach one-on-one, avoid one size fits all. Paul Rand worked individually with students, and a session on their work “went on as long as was necessary to set the student on the right track and was laced with stories from Paul’s vast career as they were appropriate to the issue at hand. When he worked with students, he poured his heart and soul into it.”

(3) Use short cycle times. Typically, the criticism on individual work in Rand’s courses came weekly. Feedback was quick, specific, and direct. Compare this to many security programs where manager feedback comes at annual reviews.

(4) Encourage personalization. Rand taught designers to build their own set of techniques, their own visual vocabulary, to solve problems. That’s not for the sake of originality. “Don’t try to be original,” Rand often said, “just try to be good.” It’s to develop a sense of the designer’s personal needs and strengths and how to mesh those with the audience’s instincts and intuitions.

When designing a cyber security program, give thought into how leadership will coach advocates. Give thought to how advocates will cultivate security champions. With a nod to Paul Rand, prompt both with a deceptively simple question. “What is security?”

Abacus Photogram, Photography by Paul Rand

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

A Pilot is Purposeful Play – Design Monday

Posted by

A new technology is a new toy. “Toys are not really as innocent as they look. Toys and games are the prelude to serious ideas.”

So said Charles and Ray Eames. The Eames ran a design studio in California (1943–1988) producing architecture, films, furniture. Arguably their most well-known piece was the Eames Lounge Chair. The chair, produced by Herman Miller, ushered in a new era of materials and is a valuable collector’s item today. It’s impossible to overstate this. It was impossible to make furniture that way before Eames. But this story isn’t about a chair.

This story is about a toy elephant.

A decade before the Eames molded wood for a Herman Miller chair, they were playing with molding processes in toys. The result? The Eames Elephant, a toy intricately crafted from molded plywood. The complexity of the elephant was foretold by dozens of unnamed playful experiments. The elephant itself foreshadowed the lounge chair. Without play, without toys, the Eames would never have mastered the underlying skills that produced the later masterpiece.

Playtime is fertile ground for innovation.

The power and necessity of play is a cross-discipline truth. In music, Miles Davis once said “I’ll play it first and tell you what it is later.” In biology, Alexander Fleming often said “I like to play with microbes.” Physics? Andre Geim stated the “playful attitude has always been the hallmark of my research.” The final word on this human condition goes, appropriately enough, to the psychologist Carl Jung. “The creation of something new is not accomplished by the intellect, but by the play instinct arising from inner necessity. The creative mind plays with the object it loves.”

A pilot is purposeful play. We need to pilot ideas and technologies as we frame up the security capability. To get the best work, people doing the pilot must be dedicated, be engaged, and enjoying themselves. As leaders, we clear calendars and make space. We also need to clear bureaucracy and other hinderance to fun. As implementers, we need to clear our heads and reach a state of flow. The purpose of a pilot is to improve our understanding of how things work, and to build underlying skills for what we’ll build next.

See Scale with Philosophy and Methodology for insights on managing the chaos. In the article, I compared Charles and Ray Eames to hackers. I easily imagine them at home in hackerspaces or hacker cons. The Eames embodied the hacker ethic years before “hacker” was even a term. Hands-on. Learning by doing. A strong sense that work, be it design or be it computing, changes the world when we love what we are doing.

The elephant in the room is the best pilot projects won’t look anything like work.

Eames Elephant, Charles and Ray Eames, 1945

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.