This week: Vincent Connare and Comic Sans. Turns out, security controls are a bit like Comic Sans. They have their places. But when not in their place, they’re eminently mockable. Use controls thoughtfully. Principle: Everything is right somewhere. Nothing is right everywhere.
Previously: Ettore Sottsass and the Elea 9003, the inspiration for the HAL 9000. Securing by what we can measure in dollars leads to decisions which are blind to the human factors. When introducing human-centric design to our security programs, we must consider all the ways people determine value. Principle: Remember the subjective. Remember the chairs.
One thing more: “Andrea Granelli – president of Kanso, former chairman of the Olivetti Foundation and CEO of Telecom Italia Labs – talks about the past looking at the future. Inspired by the symbolism of our Olivetti Cafeteria, and next to a P101 – the very first personal computer in history – Granelli’s presentation focuses on the connection between design and innovation, and on the Olivetti Foundation as a paradigmatic example of that relation.” Watch on YouTube here.
Modularity and reuse are top of mind when we design cybersecurity capabilities. Our design should break down into a number of building blocks. These can be technical, like network segmentation. Building blocks can be architectural, like a DMZ (demilitarized zone) network. At the top level, we can have solution building blocks which are product-specific, such as VMware NSX micro-segmentation for untrusted networks. From technical to architectural to solution, we move up in specificity. This is great for reuse. But it does pose a problem, for a building block that’s perfectly right in one area can be perfectly wrong in another.
Think about it like a font. In fact, think about it like the world’s most controversial font: Comic Sans. Vincent Connare is a noted type designer who worked with Microsoft in the 1990s. In 1994, Connare drew inspiration from Marvel and DC comics to develop the new font. The original use case was cartoon characters in an ill-fated Microsoft GUI. But the font outlived its original purpose. Why? Because it is kid-friendly, warm, and in direct contrast with almost every other font on Windows and Mac. People love the font almost as much as people hate it.
The designer Corey Holms once told The Guardian that “Comic Sans is proof positive that design works, the public gets it and understands that type means more than just words.”
Comic Sans is perfect for a playful comic. It’s perfectly wrong for warning signs about electrocution. Sure, use Comic Sans on an ice cream truck. Don’t use it on an ambulance. Buzzfeed has an entire listicle of Comic Sans fails. The point is, the font isn’t wrong. The usage is.
Use building blocks thoughtfully. Everything is right somewhere. Nothing is right everywhere.
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
This week: John A. Macready and Bausch & Lomb. The original Ray-Bans were designed for pilot safety. Then they became cool. In our cybersecurity program, do people experience our controls as safety goggles or as cool sunglasses? Principle: Hand out Ray-Bans, not safety goggles.
Previously: Bas van Abel and the Fairphone. Design the security program, say with NIST controls, tied to strongly held corporate values. If it can be done with a smartphone, it can be done with a security capability. Reinforce values to gain support, speed implementation, and further adoption. Principle: Frame the initiative: reinforce values.
When you look at the FedEx logo, do you see an E and an X? Or do you see an arrow? Let’s look at the cognitive processes that drive what we see. I’ll give two tips on how to get more creative when designing security controls.
A friend of mine tweets he’s up at 1 o’clock watching my videos with his daughter. When you can’t sleep, apparently, my videos do the trick. She had questions. Here are my answers.
Secure360 2020 – Security happens where man meets machine. Or fails to happen, as we see all too often. Blame the users. They’ll click anything. Blame the developers. Half their code is riddled with vulnerabilities anyway. Blame the IT staff. You’d think they’d at least know better. But perhaps we’ve been placing the blame in the wrong places. What exactly happens where people and technology meet? At that moment, that very moment, what factors in human psychology and industrial design are at play? And suppose we could pause time for a moment. Suppose we could tease out those factors. Could we design a better experience, design a better outcome, design a better path to the future? This session explores these questions and identifies lessons the cyber security field can learn from industrial design.
A little-known fact: Ray-Bans are safety goggles. You wouldn’t know it today. You can pay a couple hundred to buy these as sunglasses from Luxottica. How Ray-Bans went from practical to luxury is a story with a lesson for developing implementation plans.
Let’s start in 1929. Flying was so new that the US Air Force didn’t even exist yet. Planes were rough, flying was dangerous, and pilots were the heroes. Whether you could see clearly was a matter of life or death. US Army Air Corps Colonel John A. Macready worked with Bausch & Lomb to make a better pair of safety goggles. The resulting Ray-Bans protected against glare and wouldn’t fog up, saving lives, and were quickly adopted by the pilots when they reached production in the 1930s.
That might be the end of the story. But a curious thing happened. Pilots were cool. Pilots wore Ray-Bans. Movie stars wanted to be the cool hero too. Next thing you know? James Dean and Audrey Hepburn are wearing Ray-Bans in movies like Rebel Without a Cause (1955) and Breakfast at Tiffany’s (1961). The glamorous pilot and the glamorous celebrity came together in Top Gun (1986). Ray-Bans had entered the public consciousness as the fashionable look. When the luxury brand Luxottica bought them in 1999, strangely, not a single headline read: “Luxottica Buys Seventy-Year-Old Safety Goggles.”
When we design a security capability, the final step is planning the implementation and migration. Buried in that process is stakeholder management. Dusty and forgotten, stakeholder management doesn’t get a lot of attention. We design the safety goggles and we hand them out. Done. But to do so is to waste a powerful force for adoption. Who are the James Deans and Audrey Hepburns of our organization? Can we reach these influencers? They are crucial to getting our new security capability adopted. Getting them on board is good. Even better, and even rarer, is getting them to use what we’re building as a status symbol.
I’ll leave you with a personal example. This story happened back when I was responsible for security at a money management firm. These were early days. Expensive stock trading applications had two-factor authentication. The vendor would ship a physical 2FA token as part of enrollment. Because it was expensive, only the top traders had accounts with these applications. James and Audrey carrying tokens conveyed their access, privilege, and social status. Sounds strange, but back in the day? 2FA tokens were cool.
Consider your stakeholder management and adoption plan. How involved and excited are James and Audrey? It spells the difference between passing out safety goggles and sharing Ray-Ban Aviators.
Ray-Ban Aviators, Photography by Wikipedia
“Hips don’t lie, folks. Neither do Matt, Rich, or their guest host this week, MSP extraordinaire and former IT Glue exec Luis Giraldo of Ook Enterprises. Listen in as they discuss Tin Can, Luis’s interesting new cooperative services venture, plus Dell’s latest commercial laptops, stats about ransomware, and ChannelPro’s 2020 Vendors on the Vanguard list. Then keep listening for a timely and insightful conversation with Cisco advisory CISO Wolfgang Goerlich about SMB security and its surprising parallels with enterprise security. We’d be lying if we said Shakira shows up too, but then again she has that effect on people.”
This week: Bart Sights. In cybersecurity, when planning the implementation and ongoing operations, consider how the technology can wear in like jeans. Thoughtful design leads to a security capability which improves with age. Principle: Wear in, not wear out.
Previously: Think of Roberto Giolito who let his design be ugly where it didn’t matter, in order for the design to be Car of the Year where it did matter. Ruthlessly prioritize. Principle: Dare to be ugly.
At a time when public health departments have been stretched thin by the coronavirus pandemic, telehealth solutions have helped ease the strain by connecting doctors remotely to patients. That has been especially useful during a time when everyone has been advised to maintain social distancing to help reduce the spread of the virus.
Part of the issue involves making sure the professionals who are operating the telehealth tools “have good visibility into who is compliant and who is not,” says Wolf Goerlich, advisory CISO at Cisco’s Duo Security. “A good deal of time and attention is spent on that.”
The actual appointment itself presents challenges, Wolf notes, because doctors and patients may all have different devices, different network settings and conditions, and varying bandwidth constraints.
Throughout this process, there are a number of security systems at work, says Goerlich. There is a need to confirm the clinician is who they say they are. The clinician and patient devices need to be certified as healthy: free of malware, and not calling back to a command-and-control site.
“From a technical perspective, it comes down to really good authentication, access controls, adaptive access policies, device health and the integrations that happen along the way,” Goerlich says.
This post is an excerpt from a press article.