Security Architecture Principles – Design Monday


Clack. Clack. Two hands. Hunt and peck typing. Clack. Clack. The beautiful red Valentine typewriter. Clack. Dieter Rams at his desk. This is the opening shot of the Rams documentary. What is he typing? Ten principles for good design.

An entire series of articles could be written applying Dieter Rams’ principles to cybersecurity. This is not that. Instead, let’s look to Rams as an example of creating and living with principles.

What makes a good architecture principle? It makes a statement. “Good design is honest,” Dieter Rams might type out. “Buy not build” is one I often encounter. A good architecture principle has a rationale. “It does not make a product more innovative, powerful or valuable than it really is. It does not attempt to manipulate the consumer with promises that cannot be kept.” For buy not build, our development resources are valuable and must be deployed only in areas where there is a clear advantage and where an existing solution doesn’t satisfy the majority of our needs. Finally, a good principle makes an impact. It has implications for later decisions.

“I like orderly confusion very much. But this is neither orderly nor properly confused,” Dieter Rams says about an hour into the documentary, while evaluating objects against his aesthetic and principles. “Others may like it. I do not.” A set of good architecture principles enables the team to make decisions. These decisions may be very different from other security teams, even other security teams in similar industries and at similar times. The success of a security architecture depends not upon the individual decisions. Rather, success depends on the consistency across decisions, initiatives, and capabilities. Consistency through principles.

Consistency poses a challenge. The same thing means different things to different people. For architecture principles to work, the team must debate implications and applications. An example of this comes in the documentary when Mark Adams walks Dieter Rams through the new Vitsoe headquarters. For background, Adams is the managing director of Vitsoe, the firm which produces Rams’ furniture. “I want it to be completely honest that that is a fire barrier,” Adams explains. But is it honest? And does the honesty balance against the other principles? After a moment of thought, Rams says simply: “It’s a little bit irritating.” After some back and forth, they decide to sand it and blend it in. (In the photo below, you can see the resulting gray fire panels.) The moment captures this discussion of application. Principles live through debate.

Be principled. Develop a small set of architectural principles to guide the technical design. Live with them. Argue them. Disagree and commit. Apply and iterate them. But be principled.

Vitsoe London Headquarters, Photography by Vitsoe.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Pilot with security chaos engineering – Design Monday


No security capability operates as intended. Even with perfect data, perfect planning, and perfect foresight? Small differences between our assumptions and reality quickly add up to unpredictable situations. Security faces the proverbial butterfly flapping its wings in Brazil producing a tornado in the United States.

The butterfly effect was coined by Edward Lorenz, a meteorologist and father of chaos theory. It all started when the limitations of computing led to the limitations in forecasting. It’s a pattern that still plays out today, leading some to point to the need for chaos engineering.

Edward Lorenz was working on one of the first desktop computers: the Royal McBee LGP-30. Desktop in the sense that the computer was, in fact, the size of a desk. It also cost nearly a half billion dollars, in today’s US currency. We’re talking state-of-the-art vacuum tube technology. A teletype machine, the Friden Flexowriter, provided both input and output. It printed at a glacial ten characters per second.

These constraints of his machine inspired Edward Lorenz. But I’m getting ahead of myself.

So there Lorenz was, modeling the weather. To save memory, as he ran the calculations, he printed the results to charts. At ten characters a second this was tedious. To save time, he printed to three decimal points.

The LGP-30 would hum and pop while it calculated a value to six decimal places. The Flexowriter would bang and punch out the result to three decimal places. Calculate 0.573547 and print 0.574. Again and again, line by line, while Lorenz waited.

This shouldn’t have been a big deal. The differences between the calculated results and printed values were quite small. But when Lorenz retyped the numbers and reran the models, he noticed something extraordinary. Weather on the original chart and the new chart would track for a day or two. But pretty soon, they’d differ widely, unexpectedly. What was once a calm day suddenly turned into a tornado. All due to the tiny differences in the source data. Edward Lorenz had discovered chaos theory.

“Complexity. It’s extremely difficult to predict all the outcomes of one seemingly small change.” David Lavezzo of Capital One wrote in the book Security Chaos Engineering. “Measurement is hard.” And even when we have metrics, which we rarely do, these small changes compound and lead us into unforeseen territory.

You can’t just rely on the temperature numbers predicted at the beginning of the week. You have to actually go outside. See if you need a jacket. See if you should be wearing shorts. The same is true of security. We can’t rely on our long-range forecast. We need to check the reality on the ground. Regularly. From there, adapt according to our principles.

We future-proof our security architecture by choosing versatility. We design for adaptability by prioritizing principles over rules-based approaches. But when we get to implementation, we should expect that we’ve missed something. Expect that people and applications and devices and butterflies have behaved in ways that are a few decimal places further than we had considered.

We need some applied chaos to test and harden our implementation. The emerging domain of security chaos engineering is providing some useful techniques. Inject some evidence. Change some settings. Run some exploits. Validate that the security controls continue to operate. Security chaos engineering provides a way to explore the unexpected.

But ultimately, the take-away from Edward Lorenz is one of humility. We simply don’t know what will come. With the data we have, we can’t predict what will happen. Decades of advances in computing since the Royal McBee LGP-30 haven’t changed this equation. When implementing security, pilot with chaos to prepare for the unforeseen.

Royal McBee LGP-30 replica by Jürgen Müller


Change the game – Design Monday


Cyber security can be thought of as a game. Offense and defense. A set of motions and movements to score points, or to prevent the other team from scoring. Red team and blue team. A series of tactics and techniques to break in, or to detect and prevent such action. This thought is a good starting point. But we shouldn’t simply work on being better at the game. We need to change it.

Take basketball. When basketball debuted at the Berlin Summer Olympics in 1936, the game looked much the same as it does today. Sure, there have been subsequent rule changes. But the ball and hoop, well, those are classic.

Except.

During the first fifteen years of basketball, no one thought beyond the basket. Peach basket, to be precise. James Naismith famously nailed a peach basket to a gymnasium wall and thus invented the game. But it was the whole basket. After points were scored, a ladder would be used to fetch the ball. Sometimes, they used a stick to push the ball out. For fifteen years.

Why?

One reason is it’s hard to see beyond things. Functional fixedness. Another reason? We’re hardwired to add rather than subtract. Given the choice between adding a fetching stick and removing the bottom of the basket, we almost always choose the stick.

This human tendency has been studied. (See: People systematically overlook changes). There’s even a book on the topic, Subtract: The Untapped Science of Less. The Subtract book looks at it from practically every domain, science to business to medicine and more. Except cyber security. Perhaps we can make it into a future edition.

Imagine people using IT in the organization. Imagine that’s the game we’re seeking to win. Get a sense of the players and the ball using business impact analysis. Get a sense of the movement and plays using journey mapping. Now imagine ways to secure this.

Your instinct will be to add. Pause. Look around for the peach baskets which can be replaced with hoops. Find something to subtract that improves the security.

Then change the game.

Peach baskets: the basket in basketball.


Good security is like a good coffee pot – Design Monday


Coffee. Coffee fuels hackers, coders and security wonks alike. For hackers of my generation, we tackled many a problem and brewed many a pot with a Braun. And within its hourglass shape lies a lesson for today’s security professionals.

The chief designer at Braun from 1961-1995 was Dieter Rams. He was behind the ubiquitous Braun coffeemaker from the 1980s. (I had a hand-me-down pot in my workshop in the 1990s.) Now you might think the shape was for decoration. Makes sense. One of Dieter Rams’ ten principles for good design is that good design is aesthetic. You’d be wrong.

Attractiveness for the sake of attractiveness isn’t Dieter Rams’ point. His design aesthetic was first solving the problem, and then solving the problem in a beautiful way.

The hourglass coffeemaker’s shape stemmed from a problem with the plastic. Plastic casings were still relatively new at the time. The process wasn’t producing plastic that was strong enough. The fluting provided strength and structure. As Dieter Rams wrote, “what was often misunderstood as some kind of post-modern decorative element had in fact a definite structural function.”

Applying this to cyber security: first design to meet the security requirements, then redesign using the same elements to provide a good experience.

Braun KF 157 Coffeemaker, Photography via WorthPoint.

Good Design is Aesthetic

I’m nostalgic about the Braun KF 157 coffeemaker. But I’m in love with the Braun KF 20.

The KF 20 was ahead of its time. It looked like science fiction. In the futuristic world of Alien set in 2122, there was the Braun KF 20.

Florian Seiffert designed the coffeemaker in 1972. Following Dieter Rams’ direction and principles, every stylistic element has a functional purpose. The end result is well-designed, well-intentioned beauty.

“It is truly unpleasant and tiring to have to put up with products day in and day out that are confusing, that literally get on your nerves, and that you are unable to relate to.” Dieter Rams spoke of products like coffee pots. But he just as easily could have been describing security controls.

Good security has a design aesthetic that is relatable and understandable.

Braun KF 20 Coffeemaker, Image via Dan Gorman


Add some nice rims – Design Monday


“Simple cars need complex wheels.”

So said automotive designer Lowie Vermeersch about the Pininfarina Nido. When you make something so incredibly simple, a bit extra makes the entire thing pop.

The equivalent of nice rims in a security capability is that one thing we do that goes just a little bit further to make the end-user happy. It’s not something we have to do. We’re going to need wheels anyway. It’s a little extra.

It’s not something that adds much to the cost of the project. A nice set of rims runs around $1,000 with the average price of a car being $40,000. But it’s something the end-user notices and appreciates far above the price tag.

The path for designing a security capability goes from complexity to simplicity, taking those steps with empathy and understanding. As we follow that path, keep an eye open. Find opportunities to spend a fraction of the budget (say 1/40th?) on one detail that pleases people.

Simple security still needs chrome.

Pininfarina Nido EV, Photography courtesy NetCarShow.com


Contrast the status quo with the new vision – Design Monday


“I want to be Batman.” This is the greatest answer I’ve received to the interview question, “where do you see yourself in five years?”

I hired him. Of course.

If only stopping criminals and villains were as simple as hiring superheroes. But we need equipment. We need partners and support. And before we get our batcave and police commissioner Gordon, we first need to reach people.

Leaders excite and engage people to get things done. We use strong clear communication that cuts through debate and doubt, and provides a solution we can agree upon. It takes strong visual and verbal communication.

Superheroes

One more thing about superheroes, what happened to them visually? The Golden Age and Silver Age comic books were full of bright bursts of primary colors. These days, superheroes have been drained of color. DC’s Superman’s original bright blue and bright red are so muted, they look nearly black-and-grey. Marvel has taken a similar approach. Looking at you, WandaVision. The Scarlet Witch isn’t scarlet but a dark burgundy. Modern heroes are a study in dark contrast.

Christopher Nolan’s Batman trilogy takes the blame. The films defined the noir look which has played out across all recent comic book movies. But who inspired Nolan?

Visual Contrast

The answer is Johannes Itten from the Bauhaus. That’s Bauhaus the design school, not Bauhaus the band. Its final form was in Berlin, where Ludwig Mies van der Rohe was the director. Before that, the Bauhaus was in Dessau, getting its start in Weimar in 1919. Many great names, and many great designs, trace back to this time. But in Weimar? In the start? There was Johannes Itten.

Johannes Itten taught art and color at the Bauhaus. Had a blast doing so, from what we can tell. “Play becomes joy, joy becomes work, work becomes play.”

While with the Bauhaus, Itten studied colors, establishing the fundamental categories for contrast: hue, light-dark, cold-warm, complementary, analogous, saturation, and extension. This work, specifically with contrasting seasonal color palettes, inspires painters and artists to this day. And nearly a century later, Christopher Nolan would turn to Itten’s desaturated and muted color palettes when establishing the mood of The Dark Knight Rises.

Contrast is what makes the visual beautiful.

Verbal Contrast

The communications expert Nancy Duarte studied storytelling and presentations. She looked at superhero movies, she looked at boardroom talks. “After all this study, it was a couple of years of study, I drew a shape,” Duarte recounted on the TED stage. “There is this commonplace of the status quo, and you need to contrast that with the loftiness of your idea.”

Duarte details her contrast model and shape in her presentation, The secret structure of great talks, and in her Resonate book.

It was a pattern I followed when establishing the vision for my monitoring program. I explained the status quo of audits and manual efforts. I painted the picture of automation and visibility. I showed where we were weak, and pitched how my team could be stronger. I leaned into the contrast. In the end? I obtained the funding for the SIEM and equipped my team’s Batman.

Contrast is what makes the verbal actionable.

Sell the Vision

“The objective laws of form and color help strengthen a person’s powers and to expand his creative gifts,” Johannes Itten once said. Duarte’s research shows similar laws of form and content strengthen a person’s persuasive powers.

Explain your vision by contrasting what is and what will be. Use this approach to gain buy-in, support, and budget. That’s how we hire the Batman, and that’s how we get those wonderful toys.

A noir color study in contrast.


Lateral thinking inspired by the Nintendo Game & Watch – Design Monday


Lack of sufficient budget and inadequate staffing: those are among the top challenges CISOs report when surveyed.

Oddly enough? No one ever asks CISOs what they have too much of.

With that one question, Gunpei Yokoi created the handheld video game console market. The Nintendo game designer was behind the Game & Watch and Game Boy. He called his combination of disciplined focus on play and radical use of legacy components “lateral thinking with withered technology.”

It’s a philosophy with repercussions for security leaders.

Withered Technology

When Yokoi spoke of withered technology, he meant technology which had matured to the point where it was plentiful, affordable, and well-understood.

The Nintendo Game & Watch series was built on an advantage in the market which Sharp and Casio’s competition created. These two companies emphasized leading edge technology. The result was that older black-and-white LCD calculator screens were readily available at a very low cost. Yokoi embossed the screen to compensate for manufacturing imperfections. To get color? Yokoi had colored lines printed on the embossed screen. This also reduced the need for lighting up the entire display, saving battery and extending game play.

The first way to apply Game & Watch thinking is finding similarly seasoned technology in our security stack. We might not have budget for an advanced user behavior analytics platform with machine learning. But we do have a logging platform. How far can we take what we have? Find the correlation-and-alerting equivalent of embossed-and-painted calculator screens.

A deeper way to apply Yokoi’s philosophy returns to the question: what do we have in abundance? I once collaborated with an organization that had built out an access review and certification process in IT service management. Why? Well, they had extra ServiceNow licenses. Abundance isn’t only technology, however; it can also be relationships. I know another organization with strong relationships with marketing and corporate communications, who used this to great effect, producing a slick internal campaign which drove adoption of password vaulting.

In one context, it is withered. In another context, it is ripe. The trick is to see a new context.

Lateral Thinking

As a discipline, lateral thinking offers several methods for seeing things differently. One that comes to mind when studying Yokoi is the provocation and movement technique.

The first step is stating a provocation. This statement can negate the status quo, change the logical order of things, or exaggerate an aspect of the strategy. If our current security model depends upon network visibility, for example, one provocation would be “our defense doesn’t require anything from the network.”

The second step is determining how we move from our current thinking towards a context which satisfies the provocation. The general path is to extract a principle, focus on the difference between the contexts, and imagine a movement to close the gap. Using the above example, that may be “we shift monitoring from the network to the endpoint.”

The Game & Watch version of Donkey Kong offers a perfect example of provocation and movement. The arcade version of Donkey Kong required a joystick. The variable resistance joysticks used in arcades required bulky potentiometers. The provocation is an exaggerated arcade joystick taped onto a Game & Watch. The underlying principle is up/down and left/right movement.

The resulting move was to create the plus-shaped cross control pad. These controls require only four buttons, fit the Game & Watch, cost a thousandth of an arcade joystick, and became Yokoi’s most widely copied innovation.

Ripening on the Vine

Yokoi’s “lateral thinking with withered technology” principle culminated in the Nintendo Game Boy. Released in 1989, it had a cross control pad and a black-and-white LCD. The processor was from the 1970s. Specifically, Sharp’s response to the Intel 8080 and Zilog Z80. In every way, the Game Boy was under-powered compared to the competition.

The Game Boy went on to take the market, and to sell 119 million units. It remained Nintendo’s highest selling game system for nearly two decades. Nintendo DS finally overtook the Game Boy in 2016. And withered technology? Withered won.

Gunpei Yokoi began at Nintendo as a maintenance man working the assembly line. He once said, “I don’t have any particular specialist skills. I have a sort of vague knowledge of everything.” His strength was finding strengths in areas others overlooked, then strategically applying them to great advantage.

When determining how best to protect the organization, think like Yokoi, and look for areas of abundance ripening on the vine. Calculator screens, surplus processors, existing technology, working processes, strong relationships. Identify strengths. Be provocative.

Nintendo Game & Watch: Donkey Kong. Photo courtesy WikimediaImages from Pixabay.


IKEA’s Billy the bookcase and modularity in IT security – Design Monday


“Billy the bookcase says hello.”

“So does a table whose name is Ingo,” sang Jonathan Coulton in his IKEA song, “and the chair is a ladder-back birch but his friends call him Karl.”

I can’t speak for Karl. But Billy, well, Billy has an interesting backstory.

In the late 1970s, an IKEA advertising man named Billy Liljedahl complained about the state of bookshelves. They were heavy, expensive, and often missed the point by not actually being sized for books.

Gillis Lundgren, head of design at the time, began to sketch. “I drew the first sketches on a napkin,” Lundgren would later recall. “That was often the way we worked. Ideas are perishable and you have to capture the moment as soon as it arrives.”

Billy the bookcase would debut in the IKEA catalog in 1979. By 2009, IKEA had produced and sold more than 41 million bookcases. It remains one of the most popular products to this day.

Why? Regardless of Billy Liljedahl’s complaint, there were other shelves. IKEA had previously produced the Tiga. An early competitor inspired the Tiga: the Lundkvist shelf or Lundkvisthyllan. Not to mention the countless options we have today for shelving, storage, and more.

The reason is modularity, scalability, and extensibility. If there’s a room, if there’s a style, if there’s a need, there is a Billy configuration. The result has been pages on pages of Billy hacks. (Here are 45 ideas to get you started. Ironically, many without books. Sorry, Billy Liljedahl.) We’re seeing the power of architectural patterns playing out over 41 million use cases.

When IT security leaders envision future security capabilities, we must ground them in repeatable patterns. A thousand apps individually implementing controls can quickly lead to sprawl, gaps, and waste. Equip these same teams with a pattern, say for authentication or fraud detection, and we can standardize the building blocks. Even if each app is different. Even if it looks as different as a standalone bookcase in a young person’s first apartment, or a built-in bookcase in an adult’s work-from-home study.

“Books should talk but the bookshelf should be silent.” This is the motto of the Lundkvist shelf. They never said hello. Perhaps that’s why Billy won the market.

And there’s a lesson for IT security. Products should talk but security shouldn’t be silent. Architectural patterns speak softly long after security has left the room.

IKEA Billy bookcase hack, via Willow Style Co.


Telephones and the staying power of ideas – Design Monday


Early hacker history is intrinsically tied to the telephone. Early hacker movies, too. Sneakers, WarGames, Hackers, Matrix: all have phones central to the plot. Yet before there was hacker history, there was phone history.

The form factor of the telephone, at the dawn of the twentieth century, was the candlestick. That’s where the mouthpiece is on top of the stand, and the earphone is a cup you hold to your ear. This was the way a telephone looked for nearly forty years. The first phone to break free of this form? Came from the Bauhaus.

Richard Schadewell and Marcel Breuer designed the first cradle telephone in the late 1920s. Created for the Fuld Corporation and used in 1929 for the Frankfurt housing program, the phone is often called the Fuld or Frankfurt phone. Regardless of what you call it, Schadewell and Breuer’s design re-imagined the telephone. But it didn’t get much reach beyond Frankfurt.

Johan Christian Bjerknes and Jean Heiberg took the Fuld phone further with Ericsson’s Bakelite telephone. Ericsson began producing the phone in 1932, and it became popular across Europe. But the design did have problems. The handset was heavy, a problem when holding for an entire conversation. As time went on, repair and maintenance also became a growing concern.

Henry Dreyfuss began working the problem for Bell Telephone Laboratories. Dreyfuss studied the Ericsson and Bauhaus phones. He did field research with telephone repairmen. Dreyfuss studied how people used the phone, held the phone, moved with the phone. Dreyfuss then spent over two thousand hours prototyping, testing, and refining for usability and maintainability. The resulting telephone — Western Electric Model 302 — went into production in 1937. Dreyfuss designed the successor, Model 500, a decade later. The form factor of the 302 and 500 was the dominant phone design well into the 1990s.

Arguably, for fifty years after the 302, the only innovation on the American stock telephone was changing from rotary to push-button dialing with the Model 2500. Ask any hacker who was a kid in the 1970s or 1980s, and they’ll have a story about how they messed with the ubiquitous and cheap 2500 phone. Mine involves playing spy as a kid, “wiretapping” the phone. When Windows 95 and 98 arrived on the scene, the icon for telephony? The iconic Western Electric telephone.

Steve Jobs announced the first iPhone in 2007. He did so with an icon which traced back in time to the Bauhaus school. Our collective understanding of how a phone looks runs from Dreyfuss, to Bjerknes and Heiberg, back to Schadewell and Breuer.

The telephone offers many lessons. Adoption can make or break an innovation. Thinking about the end-user can lead to devices better tuned to their needs, even something as simple as the swoop of plastic that makes a handset comfortably rest on the shoulder. The customers are more than the end-users. Considering how the device will be serviced and maintained over its lifetime leads to sustainable designs. The backwards compatibility, too, provided by telephones is admirable. But when it comes to determining security controls, there’s a more powerful lesson.

The choices we make today will shape how the organization thinks for years to come. Ideas have staying power which outlives any given technology. Choose wisely.

Bauhaus Fuld telephone, Ericsson Bakelite telephone, Western Electric Model 302, Model 2500, Windows 95 telephony icon, iPhone 1 phone icon


Premature simplification is the root of bad security – Design Monday


The device changed our homes. It changed our perspective of time. In a way, it’s a story of miniaturization. They used to take up entire rooms, and suddenly could fit on a desk. It’s also the story of economics. They once were so costly only corporations could own them. With falling prices and shrinking sizes, it wasn’t long before every house had one.

The personal computer revolution? No. The sewing machine.

Our story begins a hundred years into the revolution. For most of those years, Singer dominated with black cast iron machines. Our design hero is Marcello Nizzoli, an Italian who refused to commit to any one discipline. He worked as a draughtsman, designed clothing and accessories, made advertisement posters, started magazines. Nizzoli’s collaboration with Olivetti was so successful, it set the standard for how Olivetti created teams of artists and engineers, paving the way for Ettore Sottsass to create the Valentine typewriter. When Necchi approached Marcello Nizzoli in the 1950s, Nizzoli had deep skills in precision machines and an instinctive understanding of those who stitch and sew.

The resulting Necchi Mirella Sewing Machine arrived in 1956. Nizzoli’s machine was light and beautiful. It features brightly colored enameled aluminum with a finely crafted metal drive mechanism. The Mirella won a number of awards and, today, is on permanent display at the New York Museum of Modern Art (MoMA). From contemporary accounts to modern documentaries, the consistent theme about the Necchi Mirella is this: user-friendly, ergonomic, and simple.

It was simple. We see this theme frequently when reading about good design. I return to the theme regularly in this series. Make it appealing, and keep it simple.

But simple is hard. That’s the problem.

Agreeing to Protect the Organization

Many CIOs and CISOs bicker like an old couple in a bad marriage. We make points, not progress. I wish we could watch pairs of executives argue it out and find what works. It’s too bad there isn’t an IT equivalent of what John Gottman and Julie Gottman have done with couples in the Love Lab. How can leaders have the tough conversations which lead to agreement?

Peter Coleman, inspired by Gottman, founded Difficult Conversations Lab to explore this question. What Coleman found is shocking: the root of the problem is our desire to simplify.

Our goal gets in the way of reaching our goal.

Coleman’s advice: get complicated. In conversation after conversation studied, complexity provided the space to reach agreement. When researchers framed the issue in black-and-white and primed the people with a similar simplified issue, the conversation became intractable. Oftentimes, it was a short jump from intractable to “destructive spirals of enmity.”

The more we oversimplify requirements before speaking with peers and stakeholders, the less likely we are to come to an agreement. When we oversimplify early on, we fail to get buy-in. The resulting security controls won’t fit what the workforce needs.

Take the example of an identity. Let’s suppose we have people who change roles, going from contractor to employee. Suppose some people have multiple roles, say customer and employee. Start the conversation with the black-and-white control of all access and data being removed when a person is terminated. Watch how fast we get shut down. An oversimplified approach leaves no middle ground for negotiating how identity gets defined and protected.

A Word of Caution

The lesson from Coleman, Gottman, and Nizzoli: Explore the complexity of the problem with the stakeholder, from their perspective.

Don’t explore the complexity with them from our perspective. If we want to enforce multi-factor authentication, we shouldn’t start by explaining complicated protocols and standards which enable MFA. But we should listen to the complex ways people work. Marcello Nizzoli’s success came from understanding how people sewed, not from explaining machinery to customers.

As we move from exploring the problem towards exploring possible solutions, we move from complexity towards simplicity. When defining the security capability, start simple with an ugly prototype and iterate from there. When determining security controls, select the minimum requirements. Complexity as a starting point mustn’t be prolonged.

A Design Principle

“Premature optimization is the root of all evil in programming,” Donald Knuth once famously said. If you spend effort optimizing things before they are fully developed, you end up creating unnecessary work.

While the Necchi Mirella is praised for simplicity, Marcello Nizzoli arrived at the machine’s design only after spending years absorbing the complexity directly from those working in the clothing industry. Complexity, next empathy, then understanding, and finally simplicity. That’s good design, good programming, and that’s good security work.

Premature simplification is the root of bad security.

The Necchi Mirella Sewing Machine, designed by Marcello Nizzoli, 1956.
