My focus on IT security began in 1997 with a malware outbreak. To get a sense of how much has changed, I checked out the (ISC)² website as it existed back then. Whoa. It’s ugly. The website and the views on cyber security have drastically improved since the nineties.
These days I regularly get asked, “where do we begin?” Privileged Access Management is supposed to look like this. Zero Trust Architecture is supposed to look like that. We only have a these two things, a paperclip, some duct tape, an overworked staff, and an intern. Where do we even start?
Borrowing from the product design world, take a Minimum Viable Product (MVP) strategy. Take a limited number of security controls. Take a limited scope of people and systems. Design a security capability, implement it, and get feedback on what works and where improvements are needed. Then, rinse and repeat with refined controls and in a new area of the organization.
A concern is that this process may lead to a patchwork of controls assembled from a tangle of point solutions. Valid concern. We’ve all seen such environments. A few of us have been lucky enough to build such mistakes, and learn from them. The way to avoid this is to use a consistent set of architecture patterns and project templates. Each sprint begins with these patterns and plans. Each one ends with updating the architecture and PMO libraries. It’ll be ugly, but with a controlled process, it’ll improve rapidly.
Criminals don’t care that we got the capability perfect. Adversaries aren’t impressed with the beauty of our control framework. So toss out the textbook.
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
“Develop people, develop security.” That was our tagline for the SimWitty team. The order reflected our values and simplified decisions. What to prioritize, developing a skill in a teammate or getting a release out the door? When develop people comes first, the answer is clear.
“Make a loan, change a life.” That’s Kiva’s tagline. Kiva has significantly more impact on broader social issues than SimWitty ever had, and it’s barely a comparison. There is one thing both have in common: values reflected in slogans resulting in decisions.
Kiva had a challenge. While its goal was to change lives through loans to small businesses, most businesses weren’t completing the application. The conversion rate was less than 1 in 5. Kiva looked to make design changes to simplify the application process. Many suggestions were made. One suggestion was particularly counter-intuitive to the point of being controversial: give small businesses a deadline.
“The founder was appalled. By giving customers a deadline, the company would have to deny service to people who missed that deadline. Denying service, the founder argued, was not a part of their company values,” wrote Kristen Berman, founder of Common Cents and Irrational Labs, who championed the design work for Kiva.
Security leaders must bring a degree of clarity to their team. Our values must be clear. Our criteria must be clear. And how we’ll try things and evaluate decisions must be clear. For Kiva, that meant changing lives through access to capital, with the number of people who complete loan applications as one measure. What does it mean for a security team?
Berman’s team went to work and experimented with deadlines. The number of completed applications went up. They experimented with incentives for early completion. Application rates went up further. More small businesses than ever were completing applications, resulting in changing more lives than ever. The decision to move ahead with the approach was clear.
This series has covered security programs reflecting strongly held corporate values. It’s equally important that a security leader have strong personal values, and that these values are reflected within the team. As Kiva’s example illustrates, there are times when options, on the surface, run contrary to our values. The path forward is to have a clear definition of success within those values.
Clarity enables experimentation and innovation while remaining true to what we believe in. Security leaders design capabilities and lead teams that reflect their personal values.
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
I began this series of cyber security design principles with an insight: to see things differently, look at different things. Spend a week with an artist, designer, or director. Find a security lesson. Share what I find. Sometimes my process is easy, sometimes difficult. Yet no one has challenged me more than Federico Fellini.
Federico Fellini. Distinctive, acclaimed, the Italian filmmaker was legendary in the twentieth century. He directed thirty-one films, “was nominated for twelve Academy Awards, and won four in the category of Best Foreign Language Film, the most for any director in the history of the Academy.” You’ve seen a movie scene inspired by (or directly copied from) a Fellini film. It’s guaranteed. Let’s take one example: Fellini’s Casanova. The film follows the titular Casanova on an adventure across Europe, while highlighting what makes Fellini a legendary director and a example for cyber security.
Anti-patterns in project management from Fellini’s Casanova:
Micro-manage your people. “Puppets are happy to be puppets if the puppeteer is good,” Fellini said of his relationship with his actors. Donald Sutherland, who played Casanova, described it as being the worst experience of his filmmaking career. Every action micro-managed and scripted, until nothing of the talented actor remained.
Force your people to fit your stereotype of talent. Sutherland is unrecognizable as Casanova. Fellini has him wearing a false chin and nose. He raised Sutherland’s hairline, which then necessitated false eyebrows to even the look out.
Over-engineer details that don’t affect the final result. Fellini, unsatisfied with the color and waves from the water, had a plastic simulated lake created for Sutherland to row across. Almost a decade later, furious the color blue wasn’t the right color blue, Fellini would delay production while an entire faux ocean shore was created with plastic sheets for And the Ship Sails On.
JamesP. Carse popularized the idea of finite and infinite games. Most games we are familiar with are finite: you play to win, you play to maximize your results at the expense of the other players. Infinite games ongoing: you play to continue others to play. Federico Fellini films were finite games. Sutherland never worked with Fellini again. By contrast, the Golden Age of cinema was an infinite game. (Well, infinite, until it stopped in the 1950s.) Major film studios had in-house production crews and contracted actors. While the roles varied and films came and went, the directors were incentivized to keep the best people playing with them.
Cyber security in an organization is like the Golden Age of cinema. The leader’s role is encouraging people to want to play with us again and again, implementation after implementation.
Don’t be Fellini. Manage projects with the following patterns:
Set the vision and collaborate with people on execution. Listen.
Personalize the approach and tasks for the people on the project. Individualize.
Maximize efforts where they matter by minimizing where they don’t. Simplify.
Directing implementation projects is both an art and a game. It is the art of engaging people in an infinite game. Good security projects leave people hungry to play again.
Afterwards
Security is often a story about crime, and criminals often make mistakes even while succeeding. Imagine someone stealing backup tapes to get at stored credit cards, not realizing they were also stealing people’s spreadsheets. In 1975, thieves broke into Technicolor labs and made off with film from 120 Days of Sodom. The heist also swooped up seventy reels of film from Casanova, forcing Fellini to reshoot weeks of material.
A good reminder to classify and protect data according to what criminals value … rather than what a snarky blogger might value.
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
Verizon’s new Business Internet Secure bundle for small businesses taps Cisco and BlackBerry security services to help protect customers’ routers and connected devices. A recent Verizon Business survey found 38% of small businesses moved to remote work because of the COVID-19 pandemic.
To support this transition, Verizon Business Internet Secure protects against threats at two points where attacks typically occur: employee devices with BlackBerry and the internet with Cisco Umbrella.
Even pre-pandemic, small businesses faced the same threats and potential damages from an attack, according to a Cisco security report based on a survey of almost 500 SMBs. The report also found that these companies take security preparedness every bit as seriously as their larger counterparts. And this matters because the security industry has traditionally been biased against SMBs, perpetuating the myth that they don’t prioritize cybersecurity, the report says.
“SMB executives, IT executives, security executives in these businesses have done their best to address the problem,” said Wolfgang Goerlich, advisory CISO at Cisco Duo in an earlier interview. What this means is that SMB IT and security leaders now have to ask themselves what’s next, he added. “Where do I go from here?”
This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category. Do you want to interview Wolf for a similar article? Contact Wolf through his media request form.
Paul Rand is behind so many stories this series has covered. The Olivetti Valentine typewriter designed by Ettore Sottsass and used by Dieter Rams in his documentary? Paul Rand did Olivetti’s US advertising. Speaking of Deiter Rams, the Braun shavers that made Rams famous? Paul Rand bought every model. (Though Rand once said he would “buy just for their beauty and then put them in a drawer.”) IDEO, the birthplace of design thinking? Paul Rand did IDEO’s logo. He collaborated on a team with Charles Eames on IBM’s Design Program. I like to think some of that work was in the IBM plaza building that Ludwig Mies van der Rohe designed. The building, by the way, sported the iconic IBM logo which was, you guessed it, designed by Paul Rand.
Paul Rand was instrumental in creating the culture and discipline of graphic design. He taught the next generation at Yale from 1956 to 1985, with a break in the 1970s. Rand was visiting professor and critic at a number of other institutions. Check out the book Paul Rand: Conversations with Students for a view into that work. “What is design?” Paul would often ask. When he wasn’t creating, Rand was instructing, and through instruction, he was creating culture.
Like Paul Rand fostered designers who brought ideas to wider audiences, security leaders need to foster advocates who will bring security ideas to the wider workforce.
We don’t talk much about advocates. A security advocate is a member of the security team who focuses on getting practices into the hands of the workforce. It’s more common for us to talk about security champions. A security champion is a member of the business itself, who collaborates with the security team on best practices. A fully fleshed out security capability has advocates working with champions to interpret and implement security controls. In a well-run security capability, those controls will be usable and widely adopted, because of the partnership of advocates and champions.
To learn more about cyber security advocates and what they need to succeed, check out the “It’s Scary…It’s Confusing…It’s Dull” research paper. These professionals “advocate for systems and policies that are usable, minimize requisite knowledge, and compensate for the inevitability of user error.”
Here are four practices from Paul Rand that we can apply to designing a security advocacy program:
(1) Coach on tangible work, not abstract principles. Rand’s courses were practical not theoretical, with advice given based on the student’s work. He focused stories, literature, examples, and more through the lens of the work at hand.
(2) Coach one-on-one, avoid one size fits all. Paul Rand worked individually with students, and a session on their work “went on as long as was necessary to set the student on the right track and was laced with stories from Paul’s vast career as they were appropriate to the issue at hand. When he worked with students, he poured his heart and soul into it.”
(3) Use short cycle times. Typically, the criticism on individual work in Rand’s courses came weekly. Feedback was quick, specific, and direct. Compare this to many security programs where manager feedback comes at annual reviews.
(4) Encourage personalization. Rand taught designers to build their own set of techniques, their own visual vocabulary, to solve problems. That’s not for the sake of originality. “Don’t try to be original,” Rand often said, “just try to be good.” It’s to develop a sense of the designer’s personal needs and strengths and how to mesh those with the audience’s instincts and intuitions.
When designing a cyber security program, give thought into how leadership will coach advocates. Give thought to how advocates will cultivate security champions. With a nod to Paul Rand, prompt both with a deceptively simple question. “What is security?”
Abacus Photogram, Photography by Paul Rand
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
A new technology is a new toy. “Toys are not really as innocent as they look. Toys and games are the prelude to serious ideas.”
So said Charles and Ray Eames. The Eames ran a design studio in California (1943–1988) producing architecture, films, furniture. Arguably their most well-known piece was the Eames Lounge Chair. The chair, produced by Herman Miller, ushered in a new era of materials and is a valuable collector’s item today. It’s impossible to overstate this. It was impossible to make furniture that way before Eames. But this story isn’t about a chair.
This story is about a toy elephant.
A decade before the Eames molded wood for a Herman Miller chair, they were playing with molding processes in toys. The result? The Eames Elephant, a toy intricately crafted from molded plywood. The complexity of the elephant was foretold by dozens of unnamed playful experiments. The elephant itself foreshadowed the lounge chair. Without play, without toys, the Eames would never have mastered the underlying skills that produced the later masterpiece.
Playtime is fertile ground for innovation.
The power and necessity of play is a cross-discipline truth. In music, Miles Davis once said “I’ll play it first and tell you what it is later.” In biology, Alexander Fleming often said “I like to play with microbes.” Physics? Andre Geim stated the “playful attitude has always been the hallmark of my research.” The final word on this human condition goes, appropriately enough, to the psychologist Carl Jung. “The creation of something new is not accomplished by the intellect, but by the play instinct arising from inner necessity. The creative mind plays with the object it loves.”
A pilot is purposeful play. We need to pilot ideas and technologies as we frame up the security capability. To get the best work, people doing the pilot must be dedicated, be engaged, and enjoying themselves. As leaders, we clear calendars and make space. We also need to clear bureaucracy and other hinderance to fun. As implementers, we need to clear our heads and reach a state of flow. The purpose of a pilot is to improve our understanding of how things work, and to build underlying skills for what we’ll build next.
See Scale with Philosophy and Methodology for insights on managing the chaos. In the article, I compared Charles and Ray Eames to hackers. I easily imagine them at home in hackerspaces or hacker cons. The Eames embodied the hacker ethic years before “hacker” was even a term. Hands-on. Learning by doing. A strong sense that work, be it design or be it computing, changes the world when we love what we are doing.
The elephant in the room is the best pilot projects won’t look anything like work.
Eames Elephant, Charles and Ray Eames, 1945
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
