This week: Vincent Connare and Comic Sans. Turns out, security controls are a bit like Comic Sans. They have their places. But when not in their place, they’re imminently mockable. Use controls thoughtfully. Principle: Everything is right somewhere. Nothing is right everywhere.
Previously: Ettore Sottsass and the Elea 9003, the inspiration for the HAL 9000. Securing by what we can measure in dollars leads to decisions which are blind to the human factors. When introducing human-centric design to our security programs, we must consider all the ways people determine value. Principle: Remember the subjective. Remember the chairs.
One thing more: “Andrea Granelli – president of Kanso, former chairman of the Olivetti Foundation and CEO of Telecom Italia Labs – talks about the past looking at the future. Inspired by the symbolism of our Olivetti Cafeteria, and next to a P101 – the very first personal computer in history – Granelli’s presentation focus on the connection between design and innovation, and about Olivetti Foundation as a paradigmatic example of that relation.” Watch on YouTube here.
Modularity and reuse are top of mind when we design cybersecurity capabilities. Our design should break down into a number of building blocks. These can be technical, like network segmentation. Building blocks can be architectural, like a DMZ or demilitarized zone networks. At the top-level, we can have solution building blocks which are product-specific, such as VMware NSX micro-segmentation for untrusted networks. From technical to architectural to solution, we move up in specificity. This is great for reuse. But it does pose a problem, for a building block that’s perfectly right in one area can be perfectly wrong in another.
Think about it like a font. In fact, think about it like the world’s most controversial font: Comic Sans. Vincent Connare is a noted type designer who worked with Microsoft in the 1990s. In 1994, Connare drew inspiration from Marvel and DC comics to develop the new Sans font. The original use case was cartoon characters in an ill-fated Microsoft GUI. But the font outlived its original purpose. Why? Because it is kid-friendly, warm, and in direct contrast with most every other font on Windows and Mac. People love the font almost as much as people hate it.
The designer Corey Holms said once told The Guardian that “Comic Sans is proof positive that design works, the public gets it and understands that type means more than just words.”
Comic Sans is perfect for a playful comic. It’s perfectly wrong for warning signs about electrocution. Sure, use Comic Sans on an ice cream truck. Don’t use it on an ambulance. Buzzfeed has an entire listicle of several Comic Sans fails. The point is, the font isn’t wrong. The usage is.
Use building blocks thoughtfully. Everything is right somewhere. Nothing is right everywhere.
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
This week: John A. Macready and Bausch & Lomb. The original Ray-Bans were designed for pilot safety. Then they became cool. In our cybersecurity program, do people experience our controls as safety goggles or as cool sunglasses? Principle: Hand out Ray-Bans not safety goggles
Previously: Bas van Abel and the Fairphone. Design the security program, say with NIST controls, tied to strongly held corporate values. If it can be done with a smartphone, it can be done with a security capability. Reinforce values to gain support, speed implementation, and further adoption. Principle: Frame the initiative: reinforce values
When you look at the FedEx logo, do you see an E and an X? Or do you see an arrow? Let’s look at the cognitive processes that drive what we see. I’ll give two tips on how to get more creative when designing security controls.
A friend of mine tweets he’s up at 1 o’clock watching my videos with his daughter. When you can’t sleep, apparently, my videos do the trick. She had questions. Here are my answers.
Secure360 2020 – Security happens where man meets machine. Or, fails to happen, as we see all too often. Blame the users. They’ll click anything. Blame the developers. Half their code is riddled with vulnerabilities anyways. Blame the IT staff. You’d think they’d at least know better. But perhaps, we’ve been placing the blame on the wrong places. What exactly happens where people and technology meet? At that moment, that very moment, what factors in human psychology and industrial design are at play? And suppose we could pause time for a moment. Suppose we could tease out those factors. Could we design a better experience, design a better outcome, design a better path to the future? This session explores these questions and identifies lessons the cyber security field can learn from industrial design.
A little-known fact: Ray-Bans are safety goggles. You wouldn’t know it today. You can pay a couple hundred to buy these as sunglasses from Luxottica. How Ray-Bans went from practical to luxury is a story with a lesson for developing implementation plans.
Let’s start in 1929. Flying was so new that the US Air Force didn’t even exist yet. Planes were rough, flying was dangerous, and pilots were the heroes. Whether you could see clearly was a matter of life or death. US Army Air Corps Colonel John A. Macready worked with Bausch & Lomb to make a better pair of safety goggles. The resulting Ray-Bans protected against glare and wouldn’t fog up, saving lives, and were quickly adopted by the pilots when they reached production in the 1930s.
That might be the end of the story. But a curious thing happened. Pilots were cool. Pilots wore Ray-Bans. Movie stars wanted to also be the cool hero. Next thing you know? James Dean and Audrey Hepburn are wearing Ray-Bans in movies like Rebel Without a Cause (1955) and Breakfast at Tiffany’s (1961). The glamorous pilot and the glamorous celebrity came together in Top Gun (1986). Ray-Bans had entered the public consciousness as the fashionable look. When the luxury brand Luxottica bought them in 1999, strangely, not a single headline read: “Luxottica Buys Seventy-Year-Old Safety Goggles.”
When we design a security capability, the final step is planning the implementation and migration. Buried in that process is stakeholder management. Dusty and forgotten, stakeholder management doesn’t get a lot of attention. We design the safety goggles and we hand them out. Done. But to do so is to waste a powerful force for adoption. Who are the James Deans and Audrey Hepburns of our organization? Can we reach these influencers? They are crucial to getting our new security capability adopted. Get them on-board is good. Even better and even rarer, get them to use what we’re building as a status symbol.
I’ll leave you with a personal example. This story happened back when I was responsible for security at a money management firm. These were early days. Expensive stock trading applications had two-factor authentication. The vendor would ship a physical 2FA token as part of enrollment. Because it was expensive, only the top traders had accounts with these applications. James and Audrey carrying tokens conveyed their access, privilege, and social status. Sounds strange, but back in the day? 2FA tokens were cool.
Consider your stakeholder management and adoption plan. How involved and excited are James and Audrey? It spells the difference between passing out safety goggles and sharing Ray-Ban Aviators.
Ray-Ban Aviators, Photography by Wikipedia
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
This week: Bart Sights. In cybersecurity, when planning the implementation and ongoing operations, consider how the technology can wear in like jeans. Thoughtful design leads to a security capability which improves with age. Principle: Wear in, not wear out.
Previously: Think of Roberto Giolito who let his design be ugly where it didn’t matter, in order for the design to be Car of the Year where it did matter. Ruthlessly prioritize. Principle: Dare to be ugly.
Denim jeans are magical. Wear after wear, they mold themselves to ourselves. Denim jeans are hazardous. The way we produced these jeans in 1850s is far from eco-friendly. Jeans both document our personal experiences and reflect our societal shift towards environmentalism.
Denim also harbors a lesson for security capabilities. We’ll get back to that in a moment. But first, did you know Levi Strauss has a resident mad scientist?
That would be Bart Sights. Sights leads the Eureka Innovation Lab. When he joined Eureka, it didn’t look good. The techniques to produce and finish a pair of jeans used incredible amounts of water and left behind a bath of chemicals. Neither were concerns back in the 1850s when water was plentiful and production was a fraction of the scale it is today. To address this, Sights and his team kept the outcomes but tossed everything else. Starting with what makes jeans good jeans, the so called four Fs of fiber, fabric, fit and finish. Then working backwards to find different ways to achieve each. Eventually, Sights completely revolutionized the entire manufacturing process. Jeans stayed jeans. But the chemicals were filtered and recycled. And the water? Eureka’s process reduced water by 96%.
Bart Sights brought his love of denim and his need to innovate together, modernizing the means yet preserving the ends. The secret is to never forget where you are coming from. Sights’ earliest memory of denim goes back to getting three pairs of Levis ever school year. “I would watch with amazement as they changed and aged as I wore them every single day for a year, literally becoming a walking history of my experience and expression. To me, that is the magic of denim jeans.”
Patina. The design term for that sort of magic is patina. In jeans, this comes from the indigo dye and how it wears while being worn. Leather also develops a patina as it picks up oils from the skin and scuffs from the environment. The copper awning on your house oxidizing a lovely green? Patina. The counter-intuitive idea is using materials and creating designs which get better with age and use. The object becomes etched, documentation of where it has been, nostalgia manifest. If you’ve wondered why we love such items, now you know.
In cybersecurity, having people love us is a high target. Perhaps even out of reach. Still. When planning the implementation and ongoing operations, consider how the technology can develop a patina. Tuning a SIEM is one example, with each time making the rules and reports more comfortable. Machine learning has a natural patina as exposure to data wears it in and shapes it to reflect our organization. So, ML on email for fraud detection is another IT example. On the process side, slot time into operations to smooth out edges and improve the work. Much like Bart Sights re-envisioning production while keeping true to the outcomes, we too can squeeze a lot of water out of the process. Thoughtful design leads to a security capability which improves with age.
Design to wear in not wear out.
Cybersecurity that fits like a favorite pair of jeans, photography Blake Burkhart
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
