SDxCentral posted the top ten stories of 2023. I was surprised and pleased my pre-mortem on Zero Trust came in at number two on the list. I’m not tagging this as news, as I covered the story when it came out here: https://jwgoerlich.com/a-pre-mortem-on-zero-trust/
But! That did remind me. Since the original article came out, the video came out. If you want to see the RSA talk that landed the second spot on SDxCentral’s top ten, you can see it now. Right here. Right now. So much fun.
No security capability operates as intended. Even with perfect data, perfect planning, and perfect foresight? Small differences between our assumptions and reality quickly add up to unpredictable situations. Security faces the proverbial butterfly flapping its wings in Brazil producing tornado in the United States.
The butterfly effect was coined by Edward Lorenz, a meteorologist and father of chaos theory. It all started when the limitations of computing led to the limitations in forecasting. It’s a pattern that still plays out today, leading some to point to the need for chaos engineering.
Edward Lorenz was working on one of the first desktop computers: the Royal McBee LGP-30. Desktop in the sense that the computer was, in fact, the size of a desk. It also cost nearly a half billion dollars, in today’s US currency. We’re talking state-of-the-art vacuum tube technology. A teletype machine, the Friden Flexowriter, provided both input and output. It printed at a glacial ten characters per second.
These constraints of his machine inspired Edward Lorenz. But I’m getting ahead of myself.
So there Lorenz was, modeling the weather. To save memory, as he ran the calculations, he printed the results to charts. At ten characters a second this was tedious. To save time, he printed to three decimal points.
The LGP-30 would hum and pop while it calculated a value to six decimal places. The Flexowriter would bang and punch out the result to three decimal places. Calculate 0.573547 and print 0.574. Again and again, line by line, while Lorenz waited.
This shouldn’t have been a big deal. The differences between the calculated results and printed values were quite small. But when Lorenz retyped the numbers and reran the models, he noticed something extraordinary. Weather on the original chart and the new chart would track for a day or two. But pretty soon, they’d differ widely, unexpectedly. What was once a calm day suddenly turned into a tornado. All due to the tiny differences in the source data. Edward Lorenz had discovered chaos theory.
“Complexity. It’s extremely difficult to predict all the outcomes of one seemingly small change.” David Lavezzo of Capital One wrote in the book Security Chaos Engineering. “Measurement is hard.” And even when we have metrics, which we rarely do, these small changes compound and lead us into unforeseen territory.
You can’t just rely on the temperature numbers predicted at the beginning of the week. You have to actually go outside. See if you need a jacket. See if you should be wearing shorts. The same is true of security. We can’t rely on our long-range forecast. We need to check the reality on the ground. Regularly. From there, adapt according to our principles.
We future-proof our security architecture by choosing versatility. We design for adaptability by prioritizing principles over rules-based approaches. But when we get to implementation, we should expect that we’ve missed something. Expect people and applications and devices and butterflies have behaved in ways that are a few decimal places further than we had considered.
We need some applied chaos to test and harden our implementation. The emerging domain of security chaos engineering is providing some useful techniques. Inject some evidence. Change some settings. Run some exploits. Validate that the security controls continue to operate. Security chaos engineering provides a way to explore the unexpected.
But ultimately, the take-away from Edward Lorenz is one of humility. We simply don’t know what will come. With the data we have, we can’t predict what will happen. Decades of advances in computing since the Royal McBee LGP-30 haven’t changed this equation. When implementing security, pilot with chaos to prepare for the unforeseen.
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
“Billy the bookcase says hello.”
“So does a table whose name is Ingo,” sang Jonathan Coulton in his IKEA song, “and the chair is a ladder-back birch but his friends call him Karl.”
I can’t speak for Karl. But Billy, well, Billy has an interesting backstory.
In the late 1970s, an IKEA advertising man named Billy Liljedahl complained about the state of bookshelves. They were heavy, expensive, and often missed the point by not actually being sized for books.
Gillis Lundgren, head of design at the time, began to sketch. “I drew the first sketches on a napkin,” Lundgren would later recall. “That was often the way we worked. Ideas are perishable and you have to capture the moment as soon as it arrives.”
Billy the bookcase would debut in the IKEA catalog in 1979. By 2009, IKEA had produced and sold more than 41 million bookcases. It remains one of the most popular products to this day.
Why? Regardless of Billy Liljedahl’s complaint, there were other shelves. IKEA had previously produced the Tiga. An early competitor inspired the Tiga: the Lundkvist shelf or Lundkvisthyllan. Not to mention the countless options we have today for shelving, storage, and more.
The reason is modularity, scalability, and extensibility. If there’s a room, if there’s a style, if there’s a need, there is a Billy configuration. The result has been pages on pages of Billy hacks. (Here are 45 ideas to get you started. Ironically, many without books. Sorry, Billy Liljedahl.) We’re seeing the power of architectural patterns playing out over 41 million use cases.
When IT security leaders envision future security capabilities, we must ground them in repeatable patterns. A thousand apps individually implementing controls can quickly lead to sprawl, gaps, and waste. Equip these same teams with a pattern, say for authentication or fraud detection, and we can standardize the building blocks. Even if each app is different. Even if it looks as different as a standalone bookcase in a young person’s first apartment, or a built-in bookcase in an adult’s work-from-home study.
“Books should talk but the bookshelf should be silent.” This is the motto of the Lundkvist shelf. They never said hello. Perhaps that’s why Billy won the market.
And there’s a lesson for IT security. Products should talk but security shouldn’t be silent. Architectural patterns speak softly long after security has left the room.
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
The device changed our homes. It changed our perspective of time. In a way, it’s a story of miniaturization. They used to take up entire rooms, and suddenly could fit on a desk. It’s also the story of economics. They once were so costly only corporations could own them. With falling prices and shrinking sizes, it wasn’t long before every house had one.
The personal computer revolution? No. The sewing machine.
Our story begins a hundred years into the revolution. For most of those years, Singer dominated with black cast iron machines. Our design hero is Marcello Nizzoli, an Italian who refused to commit to any one discipline. He worked as a draughtsman, designed clothing and accessories, made advertisement posters, started magazines. Nizzoli’s collaboration with Olivetti was so successful, it set the standard for how Olivetti created teams of artists and engineers, paving the way for Ettore Sottsass to create the Valentine typewriter. When Necchi approached Marcello Nizzoli in the 1950s, Nizzoli had deep skills in precision machines and an instinctive understanding of those who stitch and sew.
The resulting Necchi Mirella Sewing Machine arrived in 1956. Nizzoli’s machine was light and beautiful. It features brightly colored enameled aluminum with a finely crafted metal drive mechanism. The Mirella won a number of awards and, today, is on permanent display at the New York Museum of Modern Art (MoMA). From contemporary accounts to modern documentaries, the consistent theme about the Necchi Mirella is this: user-friendly, ergonomic, and simplicity.
It was simple. We see this theme frequently when reading about good design. I return to the theme regularly in this series. Make it appealing, and keep it simple.
But simple is hard. That’s the problem.
Many CIOs and CISOs bicker like an old couple in a bad marriage. We make points, not progress. I wish we could watch pairs of executives argue it out and find what works. It’s too bad there isn’t an IT equivalent of what John Gottman and Julie Gottman have done with couples in the Love Lab. How can leaders have the tough conversations which lead to agreement?
Peter Coleman, inspired by Gottman, founded Difficult Conversations Lab to explore this question. What Coleman found is shocking: the root of the problem is our desire to simplify.
Our goal gets in the way of reaching our goal.
Coleman’s advice: get complicated. In conversation after conversation studied, complexity provided the space to reach agreement. When researchers framed the issue in black-and-white and primed the people with a similar simplified issue, the conversation became intractable. Often times, it was a short jump from intractable to “destructive spirals of enmity.”
The more we oversimplify requirements before speaking with peers and stakeholders, the less likely we are to come to an agreement. When we oversimplify early on, we fail to get buy-in. The resulting security controls won’t fit what the workforce needs.
Take the example of an identity. Let’s suppose we have people who change roles, going from contractor to employee. Suppose some people have multiple roles, say customer and employee. Start the conversation with the black-and-white control of all access and data being removed when a person is terminated. Watch how fast we get shutdown. An oversimplified approach leaves no middle ground for negotiating how identity gets defined and protected.
The lesson from Coleman, Gottman, and Nizzoli: Explore the complexity of the problem with the stakeholder, from their perspective.
Don’t explore the complexity with them from our perspective. If we want to enforce multi-factor authentication, we shouldn’t start by explaining complicated protocols and standards which enable MFA. But we should listen to the complex ways people work. Marcello Nizzoli’s success came from understanding how people sewed, not from explaining machinery to customers.
As we move from exploring the problem towards exploring possible solutions, we move from complexity towards simplicity. When defining the security capability, starting simple with an ugly prototype and iterating from there. When determining security controls, selecting the minimum requirements. Complexity as a starting point mustn’t be prolonged.
“Premature optimization is the root of all evil in programming,” Donald Knuth once famously said. If you spent effort optimizing things before they are fully developed, you end up creating unnecessary work.
While the Necchi Mirella is praised for simplicity, Marcello Nizzoli arrived at the machine’s design only after spending years absorbing the complexity directly from those working in the clothing industry. Complexity, next empathy, then understanding, and finally simplicity. That’s good design, good programming, and that’s good security work.
Premature simplification is the root of bad security.
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
My focus on IT security began in 1997 with a malware outbreak. To get a sense of how much has changed, I checked out the (ISC)² website as it existed back then. Whoa. It’s ugly. The website and the views on cyber security have drastically improved since the nineties.
These days I regularly get asked, “where do we begin?” Privileged Access Management is supposed to look like this. Zero Trust Architecture is supposed to look like that. We only have a these two things, a paperclip, some duct tape, an overworked staff, and an intern. Where do we even start?
Borrowing from the product design world, take a Minimum Viable Product (MVP) strategy. Take a limited number of security controls. Take a limited scope of people and systems. Design a security capability, implement it, and get feedback on what works and where improvements are needed. Then, rinse and repeat with refined controls and in a new area of the organization.
A concern is that this process may lead to a patchwork of controls assembled from a tangle of point solutions. Valid concern. We’ve all seen such environments. A few of us have been lucky enough to build such mistakes, and learn from them. The way to avoid this is to use a consistent set of architecture patterns and project templates. Each sprint begins with these patterns and plans. Each one ends with updating the architecture and PMO libraries. It’ll be ugly, but with a controlled process, it’ll improve rapidly.
Criminals don’t care that we got the capability perfect. Adversaries aren’t impressed with the beauty of our control framework. So toss out the textbook.
Start where you are. Dare to be ugly. Iterate and improve.
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
It has been said San Francisco is forty-nine square miles surrounded by reality. Fleeing Michigan snows for a week in San Francisco leads to feeling the otherworldliness. One flight and everything changes.
In San Francisco, underneath a series of hills reminiscent of Hobbit holes, is the California Academy of Sciences. The hills reflect the structures below, such as the planetarium. The overall field forms a living roof which keeps “interior temperatures about 10 degrees cooler than a standard roof and reducing low frequency noise by 40 decibels. It also decreases the urban heat island effect, staying about 40 degrees cooler than a standard roof.” This according to the California Academy of Sciences press release from 2007.
Renzo Piano designed building. His starting point was a question that’s delightful in his lateral thinking: “what if we were to lift up a piece of the park and put a building underneath?” In the California Academy of Sciences building and throughout Piano’s work, he returns again and again to themes of culture and change.
“The world keeps changing,” Renzo Piano said on the TED stage. “Changes are difficult to swallow by people. And architecture is a mirror of those changes. Architecture is the built expression of those changes. Those changes create adventure. They create adventure, and architecture is adventure.”
There’s a tension when designing a security architecture. The architecture must meet and mirror culture of the organization. The design can’t run contrary to how the organization works. But at the same time, the new controls must facilitate a cultural change towards a more secure way of being. The architecture mirrors while it modifies.
There’s another tension when designing a security architecture. Ongoing change will impact how people perceive and experience security. But at the same time, the security principles and posture must remain unchanged in the face of far ranging organizational change. “Architects give a shape to the change,” Piano once said. The architecture is flexible but stable.
My last trip in the US, before the pandemic, was to San Francisco. Within a month, everything had changed. We are experiencing the greatest migration in human history. A migration from the office to the home, certainly. More significantly, a migration from the physical to the digital. We now live in 1440 square pixels surrounded by reality.
Security architects must meet the wave of this change while holding steadfast to our security principles.
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
“Here are the materials, ideas, and forces at work in our world. These are the tools with which the World of Tomorrow must be made.” With that, the pamphlet announced the 1939 New York World’s Fair.
Alfonso Iannelli was right at home in the World of Tomorrow. Having gotten his start designing posters for vaudeville, Iannelli was also right at home with hype. Sunbeam Products was showcasing two of Iannelli’s designs: a toaster and a coffee pot, or the T-9 Toastmaster and C-20 Coffeemaster. These hardly seem innovative to today’s audience. But toasters were still an emerging tech in the 1930s. And the C-20 pioneered the vacuum coffee process which even today connoisseurs consider the superior way to make coffee.
Most importantly, the C-20 and T-9 brought the Streamline Moderne style to life. The push towards modernism was a recurring theme in Iannelli’s work. And there it was, at the World’s Fair, courtesy of Sunbeam.
Unified in style and updated in technology, these appliances have parallels in security capabilities. We’re often updating existing capabilities along with designing and implementing new ones. For example, suppose we have an existing workforce identity and access management program. Suppose we also have customer identities within the ecommerce website. A common challenge is to bring these two programs up-to-date and centralize the way identity is secured.
When developing a vision for the future, we naturally look for ways to implement the latest technology. It is equally important that we look for ways to standardize and unify the design for the experience.
Find the Streamline Moderne of identity and access management. First, find your vision.
After acclaim at the New York World’s Fair, Sunbeam put the coffee maker and toaster into production. The Coffeemaster would stay on the market nearly thirty years, wrapping up its run in 1964. Meanwhile? The Toastmaster was immortalized in a slice of Americana. On the cover of the Saturday Evening Post in 1948, central to the Norman Rockwell painting, there sat Alfonso Iannelli’s toaster. Moderne had arrived.
The starting point was the World of Tomorrow. Likewise, with your vision, the starting point is showcasing a pilot. Develop a proof-of-concept. Tie it to something larger. Hype it with all the gusto of a vaudeville poster.
Showcase your vision. Take this moment to gain early support and feedback.
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
On a winter evening in 2014, Nikki Sylianteng got a parking ticket. It wasn’t a surprise. This was in LA where the city collects around $140 million from tickets annually. Sylianteng’s $95 parking ticket wasn’t significant and it wasn’t a surprise. But what happened next was.
When designing security capabilities, we have two aspects to consider:
• The paths people take to complete work – number of steps, familiarity, and friction of each step
• The choices people make during work – number of choices, predictability, and cognitive load
I argue that security can improve people’s work. Make it easier. Make it faster. I often get pushback on this argument, and for good reason. A very real problem is that security teams don’t have good visibility into the path and the choices. Even more worrisome, we don’t get good feedback when things are difficult or when security controls are making them worse.
Millions live in LA. Hundreds of thousands get tickets in LA. One person gave feedback with a solution.
Why? It is the same reason the workforce tolerates bad security controls: habituation. People get used it. They become blind to the annoyances along the path they have to take to complete their workflow. Listen for these tell-tale phrases:
• That’s just the way the world works
• We’ve always done it this way
• Things could be worse
That’s an indication of a workflow security may be to improve while increasing security. There lies habituation. There lies unnecessary steps or choices. There lies an opportunity to improve the path. But we need a partner on the inside, someone who can see beyond the habituation, someone who has what’s called beginner’s mind.
This is what drew me to the story of Sylianteng and her parking ticket. (Listen to Nikki Sylianteng tell her story herself here.) She didn’t accept the ticket. She couldn’t accept the way the parking signs were. She launched To Park or Not to Park and radically redesigned the parking signs. She has since created tools that anyone can use to create their own simplified parking signs.
Imagine our security goal is parking enforcement. Our control, the parking sign. Four million people in LA see the signs. Some follow them. Others don’t. Only one person actually says this is a problem, and takes it on themself to correct the problem. Do we embrace this person? Well. We should. According to Nikki Sylianteng, her new approach “has shown a 60% improvement in compliance and has pilots in 9 cities worldwide.”
Find those with a unique combination of beginner’s mind and desire to make a change. Embrace them. They are your security champions, and by working together, leaps in adoption and compliance are possible.
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
Seeing is Forgetting the Name of the Thing One Sees. A fantastic title, right? I was having a coffee meeting with a new product designer a few months back. As can happen, I was pretty wound up, going on about the need for usability and human-centric design in cybersecurity. She told me, “you need to read Seeing is Forgetting the Name of the Thing One Sees.”
The book covers conversations Lawrence Weschler, the author, had over three time periods with Robert Irwin. It gets to the heard of Irwin’s philosophy and approach. Irwin began abstract in the 1960s. He painted lines. He painted dots. But when displaying his work, Irwin noticed the way the art was experienced was influenced by factors outside of his paintings. Any of us who have seen optical illusions with colors and lines understand this instinctively and likely think nothing of it. But to Irwin, who was obsessed with the experience to the point of banning photography, this simply wouldn’t do. Irwin took to replastering and repainting walls, sometimes whole studios, where his art was displayed.
Robert Irwin insisted on controlling the entire experience and this led to the realization that the surroundings were just as important as the artwork itself.
We’ve been slow at coming to a similar realization in cybersecurity. Consider the Web application. A thousand things have to go right for it to work, and a thousand things can go wrong from a security perspective. OWASP framed these issues up into a top 10 list. This simplified the work of developing a secure Web app. However, OWASP initially focused solely on the app itself. Of the six releases since 2003, only the last two releases included the walls and studios, the vulnerable server components, on the OWASP top 10. We’re slow to recognize the importance of the surroundings.
Robert Irwin’s obsession with the surroundings transformed the artist from painter to landscaper. He has gone on to produce more than fifty large scale projects since 1975.
From the perspective of a designer, we must consider how the new capability fits into the existing cybersecurity portfolio and, more broadly, into the organization. We have to replaster the walls. We must make sure it fits in the studio. From the defensive perspective, this makes a lot of sense. A criminal faced with a strong control will look at the environment for other weaknesses and take advantage of gaps. From the usability perspective, Robert Irwin reminds us that how something is seen is as much about the thing as it is about the overall experience.
Security is not the control itself. Security is the surroundings.
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
The building came into view. My vantage point was on the Chicago River. It was Valentine’s Day. Now Chicago natives had warned us about the cold February winds. But there my wife and I were, on a river tour of Chicago’s architecture. Frozen to the ship’s deck, we looked up as the IBM Plaza came into view.
Ludwig Mies van der Rohe designed the building in the 1960s. Mies came from the famed Bauhaus school, another of my favorite sources of inspiration. In fact, Mies was the last director of Bauhaus. He moved from Berlin to Chicago in 1937 to head the architecture department of Illinois Institute of Technology. There’s a direct line from Bauhaus to Second Chicago School of architecture. Specifically, in minimizing ornamentation in favor of emphasizing building materials themselves.
It was this modernism which drew IBM to Mies van der Rohe. But there was a problem. Many, in fact, with the building IBM wanted. Computing technology of that age was notoriously hot and power-hungry. Moreover, computer engineers were at a premium, which meant a large workforce with little patience for waiting on elevators. Every minute counted. Moving to the ground, the lot was an oddly shaped. Triangular. It sat partially atop of a train line which restricts the foundation needed for a skyscraper. And to top it off, the site had an agreement to provide storage for the Sun-Times. That’s a lot.
“Less is more” was popularized by Mies van der Rohe. Boil down architectural requirements to the essentials. In cybersecurity, we’ve embraced less is more. You see it in concepts like least privilege, least trust (aka Zero Trust), economy of mechanism, and limited security blast radius. You see it in my security principles; like when I discuss building Roombas not Rosies. Less is more is a reminder to take a minimalist approach.
Even from the Chicago River, you can feel the minimalism of the IBM Plaza. The exposed vertical beams, the glass and steel materials on full display. Less is more. But it’s more than it seems. The building has more than double the elevators of a comparable building. The cooling system is similarly over-powered. Designed by C.F. Murphy, the HVAC is tuned for 1970s era computing. Mies also made several floors to be taller to support raised flooring, and reinforced to support the weight. The building is subtly shifted back to make use of the lot, with weight shifted back onto a strong foundation. This feature explains the open pillars in front and allowed Meis to neatly avoid the question of the railway. Less is more? If anything, much of the IBM building is overdone.
Less is more is not a call for doing less. It is a reminder to save our energies to do more where it counts. It is a reminder to pour the savings into solutions for the problem at hand. When we save resources for priorities, less isn’t loss.
IBM moved into IBM Plaza in 1971. For more than three decades, the building was the Chicago office of the tech giant. “The building was declared a Chicago Landmark on February 6, 2008 and added to the National Register of Historic Places on March 26, 2010.” Today, the building at 330 North Wabash is known as the AMA Plaza. It stands as a testament to Ludwig Mies van der Rohe’s ability to balance less and more.
The design lesson: More of what matters is more.
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.