Balance depth with economy of mechanism – Design Monday

Archive for the ‘Design’ Category

Balance depth with economy of mechanism – Design Monday

Posted by

We spend far too much time talking about defense in depth and far too little time talking about economy of mechanism.

As a design inspiration, look to Alfred Heineken. Not a designer, Heineken was a brewer and a businessman.  In the 1950s, modernizing the look of the Dutch brewing company, Heineken made two changes to the beer’s logo. He dropped the upper-casing and then, to be playful, he tilted the e until it resembled a smile. Simple.

Defense in depth suggests more controls and more tools are better. However, this complexity comes at a cost. In a study performed by Cisco, the number of vendor tools was directly correlated with the downtime from a security incident. Security teams using one vendor averaged four hours or less of downtime, while teams managing more than 50 averaged more than 17 hours of downtime.

I suspect the downtime is driven by the team’s confusion when responding to incidents. It fits my personal experience, and reminds me of what Donald A. Norman wrote in Living with Complexity. “Modern technology can be complex, but complexity by itself is neither good nor bad: it is confusion that is bad. Forget the complaints against complexity; instead, complain about confusion.”

Economy of mechanism suggests implementing the fewest controls and fewest tools to mount an adequate defense. We have a finite cognitive throughput from people doing the work and people securing the work. We have a finite budget. After we have the requirements and possible tooling options, ask how we can achieve the same results with less. Ask again, and again.

Find the letter e, tilt it a bit, and smile.

Heineken’s smiling e logo, photography by Heineken.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Philosophy and Methodology, the Meta-Design Approach of George Nelson – Design Monday

Posted by

Artists create unique piece for a limited audience. Designers create for scale. The tension exists between creating something that works and building something that’s repeatable.

This tension came up in conversation around the article I wrote about Kenji Kawakami and the art of Chindōgu. The principle is employing playful anarchy to bring security controls from useless to un-useless to useful. People were quick to point out that quantifiable, repeatable, scalable security is jeopardized by the ad hoc chaos of creation.

For guidance, look to George Nelson who was the Director of Design for Herman Miller from 1947 to 1972. One of the first designs George Nelson brought forward was a “sculpture-for-use” table by Isamu Noguchi. Sculpture remade as a repeatable product. Nelson also managed designers such as Charles and Ray Eames, Alexander Girard, and Robert Propst. It’s a simple comparison to draw from furniture to technology, from the difficulty of managing people like the Eames to the difficulty of managing today’s cybersecurity talent.

Here is how Nelson did it for twenty-five years:

Philosophy. Reading George Nelson’s introduction to the Herman Miller catalog in light of the intrinsic motivation framework laid out in the book Drive. Autonomy, mastery, purpose. Nelson’s philosophy is finely tuned for getting the best out of innovative people. An unstated undercurrent is that designs must be producible. After all, Herman Miller is a business. The trick was to protect the playful anarchy while harnessing the results for manufacturing at scale. “There is a hint of the craftsman as opposed to the industrialist.”

Methodology. In modern times, George Nelson has been described as a meta-designer. That is, he spent more time designing the furniture design process than he spent designing the actual furniture. While he retired some twenty years before the founding of IDEO, Nelson would have been right at home in the world of design thinking. He pioneered a formal way to go from a series of conversations, to a series of prototypes, to a finished product. Along the way, capturing information and providing feedback to refine not only the design but also the lifecycle itself. Nelson’s approach was showcased in the “The Design Process at Herman Miller” exhibit in 1975.

The challenge in cyber security design is taking a successful proof-of-concept and scaling from prototype to securing the overall organization. How to balance the artist with the designer? The craftsman with the industrialist? Playful anarchy to well-defined operations? Nelson held a philosophy geared to foster those intrinsic motivations of the creative mind. He created a methodology for taking ideas to market. George Nelson combined both into his meta-design approach.

For security leadership to get meta, develop a philosophy and methodology, design a way to design, and improve based on feedback.

Philosophy drives the satisfaction of our people. Methodology drives the success of our initiatives. We need both, and both need continuous improvement.

Sculpture-for-use, Noguchi table, photography by the Isamu Noguchi collection.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Frameworks fade but security is eternal – Design Monday

Posted by

Frameworks fade but security is eternal. Said with apologies to Yves Saint Laurent.

Yves Saint Laurent was a dominant force in fashion from the 1960s through to end of the century. His strengths stemmed from three areas. First, seeing the underlying fundamentals and being able to re-envision them across genders, across times, and across trends. Second, the ability to cross artforms for inspiration, most notably with Piet Mondrian and geometrical shapes. Finally, the ability to reformulate high fashion at couture for mass production. Yves Saint Laurent was the first to open a ready-to-wear line in Paris. He was a designer who mastered how to take the pieces apart and put them back together for new tastes and new markets. It Yves Saint Laurent who once famously said, “fashion fades but style is eternal.”

Last week, we looked at how the adoption of a control — doing something right but rare — has surprising stopping power against common attacks. But the fast-changing early adoption must be balanced with slow-changing fundamentals.

CyberSecurity can be a bit too much like fashion. Every major event, there’s a new trend. The media buzz will say that new threats appear every day. The buzz is that our ways of defending become dated and ineffective as quickly as they’re implemented. New frameworks cry out that the old ways were wrong.

This last bit is particularly on my mind in 2020. A new version of the CIS Critical Security Controls came out late last year. NIST is releasing a new version of its standard for security and privacy controls (NIST SP 500-53B). And the new PCI DSS (Data Security Standard) for credit card security is due any time now. Each framework will be accompanied by a wave of press on how everything has changed. The last version is so last season, and simply won’t do.

But is it? Is it really?

Like style, fundamentals in security remain the same even while the specifics evolve. We need to know our people and our technology. We need visibility into what’s happening and what’s changing. We need to think in terms of lifecycles and act in terms of incidents. We need to make sure the essential habits which result in defensible positions are done regularly. Finally, we need to understand the adversary’s objectives and tactics. From mainframes to data centers to cloud infrastructures to tomorrow, the fundamentals hold true.

A security architecture is comprised of a series of building blocks. Some building blocks should be innovative and ahead of our peers. Most building blocks should do the fundamentals and broadly cover the frameworks.

Do the fundamentals well. Do them consistently. Do them with style.


This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Ahead of the Curve – Design Monday

Posted by

The first computer screen font predated the personal computer by a decade.

The tech wasn’t about to cooperate. For those who weren’t around during the CRT (Cathode-ray tube) screen days, here’s the thing. CRTs, in the sixties, refreshed slowly, updated even slower, couldn’t draw curves, and could barely draw a pixel. Any sane person would stay away from them.

Enter Wim Crouwel. Crouwel saw the possibility of CRTs and glimpsed the future of computers. By accepting the CRTs limitations as creative constraints, Crouwel redesigned the alphabet with straight quick lines. The resulting font, New Alphabet, displayed clearly on the limited screens. Crouwel released New Alphabet in 1967. It was innovative. It was unreadable. But it made a statement. New Alphabet informed the designers of the personal computers. It took a decade. But when the Apple II, Commodore PET, and TRS-80 hit in 1977, each computer featured a CRT screen and a fully readable font. The possibility Crouwel saw had come true.

With all the talk about cyber security constantly changing, we’re surprising slow at adopting new and innovative controls. We give the same excuses Wim Crouwel would have heard from his peers: the technology isn’t ready, it’s too hard, it’s too new. I recall running into this when deploying firewalls in the early 2000s. An excellent control was egress filtering. Most thought about firewalls protecting traffic coming in. But by looking at traffic going out, we could stop malware and attackers from calling home. Most engineers didn’t want to do this because it was too hard. We did. And until most defenders adopted egress filtering, attackers didn’t bother working around it, so the simple control caught many a bad guy.

Early adoption of a control — doing something right but rare — is super effective against casual attackers and commodity attacks. It may be easily bypassed by advanced attackers or sophisticated tools, but the majority of the time organizations face more common threats. The control continues to be effective until many have adopted it. Consider:

Example 1) Mac OS X computers were more secure on the Intel platform from Windows when released in 2006. Macs had 8% of the market share by 2014 and little malware. By 2019, the share of the desktop market running Macs climbed to 17%. That same year, Windows had 5.8 malware detections per computer per year. Macs had nearly double, 11 malware detections per computer. Macs had great stopping power for thirteen years.

Example 2) Windows 10’s market share reached 25% by 2017. Windows 10 had a feature that auto-played image files like ISO. This was a great new feature for phishers because most spam filters blocked executables like EXE. In May 2017, criminals started repackaging their malicious EXEs in ISO files and sending them on through. Sure, some organizations were filtering ISOs. But most weren’t, at least, until 2019. When spam filters finally caught up, April 2019, criminals simply switched from ISO to IMG image files. But for nearly two years, a simple ISO filter had stopping power.

Example 3) One last example that’s near to my heart. When Microsoft Office 365 email launched in 2011, the early adopters quickly rolled out multi-factor authentication (MFA). Attacks reusing stolen credentials were easily blocked, stopping phishing for passwords. By 2019, MFA adoption on Office 365 email exceeded 20%. The criminals began to switch from trying to steal passwords to trying to steal the authentication tokens, thereby bypassing MFA altogether. Eight years. While MFA still has stopping power, the threats are beginning to adapt.

Wim Crouwel was a decade ahead of his time and his font never saw wide adoption. Though it did have a resurgence in popular culture in 1988, when Peter Saville and Brett Wickens used New Alphabet for Joy Division’s Substance album cover. Wide adoption wasn’t the point. Showing others the possibility of the new medium was, and at that, Crouwel succeeded.

When designing and implementing cyber security controls, Crouwel is an inspiration. The tech will not cooperate. The result won’t look normal. But doing something right but rare, adopting a security control ahead of the pack, has demonstrated stopping power. Because it’s right, it stops the common attacks. Because it’s rare, criminals aren’t incentivized to work around it. The early adopter strategy can give our organizations and advantage that lasts years.

Being ahead of the adoption curve is being ahead of the criminals.

New Alphabet font designed by Wim Crouwel

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Design Thinking for Cyber Security Services – Design Monday

Posted by

IDEO has been at the center of many fundamental designs in computing history. This includes the simple and ubiquitous mouse.

Thought it was Apple? Think again. Steve Jobs came to a firm called Hovey-Kelley in the late seventies, a firm which would become IDEO in 1991. Jobs had a problem. The only other computer mouse in existence cost 16 times what people could afford. The mouse also broke frequently and was, well, ugly. None of this would work for the Lisa and Mac.

David Kelly (of David Kelley Design, Hovey-Kelley, and later one of three founders of IDEO) assembled a team. Douglas Dayton worked on the frame. Jim Yurchenco was responsible for the mechanical design. Bill Dresselhaus, with his love of Art Deco, handled the packaging. The technology of the day was finicky and “required such precision that it probably couldn’t be mass-produced.” There were practical debates about the sound of the click, or the number of buttons. Each change required every other part to be redesigned to fit in the tiny space. But even in those early days, the firm that would become IDEO had a secret weapon.

Design thinking. IDEO refined it and popularized it. Design thinking is a way of problem solving and developing solutions that’s a departure from how we in IT have long done things. Consider the following five points of design thinking:

  1. Empathize – think about people who we’re serving (empathy is the heartbeat)
  2. Define – think about the main problem we’re trying to solve
  3. Ideate – brainstorm, mindmap, whiteboard, play
  4. Prototype – build a possible solution
  5. Test – sit down with the people and have them test the prototype

Now compare the design thinking steps to ITIL service design:

  1. Service solution – think about requirements, deadlines, costs, budgets
  2. Information systems and tools – think about the service portfolio, configuration management, capacity, and security
  3. Technology and architecture – think about designs, plans, and processes to align IT policy and strategy
  4. Design processes – think about the process model for operation and improvement
  5. Measures and metrics – think about what we’ll measure to ensure the service is working

Notice what’s missing? People. I mean, ITIL practitioners will reply, “no, no, no. We have the 4P’s: Product, People, Process, and Partner.” Fair enough. But compare the two lists. People are not the focus. And to anyone who has been in the workforce as an enterprise end-user? It shows. We can feel it. Because people designing IT and IT security don’t think much about the people who’ll use it, the people who use it don’t think much about what we’ve designed.

Case in point: credentials. Research shows that people with more technical knowledge don’t take more steps to protect their data than people with basic knowledge (User Mental Models of the Internet and Implications for Privacy and Security). Most people know they should use separate passwords for every app (91%). But most people use the same password anyways (66%). Most people know they should use MFA. But most people don’t (66%). The problem isn’t one of awareness. (Source: LastPass and Security Ledger.) In not considering how regular people use and secure technology, we’ve created a situation where people simply opt out.

Enterprise IT is a like the original mice. Xerox, the mouse Apple copied, cost $400 or $1200 in 2020 US dollars. Doug Engelbart’s, the mouse Xerox copied, required a training course that took 6-months to master the damned thing. That’s ITIL thinking. That’s the type of technology people will be aware of, but not take steps to use.

Design thinking, the focus on people and rapid prototyping, led to a mechanical mouse setup which would dominate mice designs for the next twenty years. The original Apple mouse was $25. (Adjusted for inflation, that’s $79, which is coincidentally the price Apple charges for the optical Magic Mouse in 2020.) A child could pick up the mouse and immediately use it. Most of my generation learned in grade school. It just worked, worked well, and worked at a fraction of the cost.

In my office hangs Five Phases of Design Thinking by Maisey Design. It’s a reminder. When working on security services and specific controls, keep the focus on people.

The Apple Mouse, Photography Wikipedia

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Security design, album covers, and Dieter Rams – Recap

Posted by

CyberSecurity design weekly recap for June 22-27.

This week: Peter Saville and the New Order’s Blue Monday cover. A pervasive thought in CyberSecurity is that people don’t implement controls because they’re not knowledgeable. More information means better security. The entire discipline of security awareness is based on this idea. But is this correct? I mean, Peter Saville didn’t need to listen to the music to design brilliant covers. Principle: Don’t listen to all the music.

Previously: Dieter Rams and his design principles. Be principled. Develop a small set of architectural principles to guide the technical design. Live with them. Argue them. Disagree and commit. Apply and iterate them. But be principled.

One thing more: I’ve mentioned I have Dieter Rams principles hanging in my office. The Maisey Design Shop produced the piece, which is available as a poster from Etsy or as a boxed canvas from iCanvas. It’s too late for father’s day. But, come on! There’s always a holiday coming up. Check them out.


This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

We don’t need to know the music – Design Monday

Posted by

Peter Saville never listened to the music before designing the album cover. The Joy Division’s Unknown Pleasures cover with the pulsar. New Order’s Blue Monday and the iconic floppy disk cover. Saville designed without all the information and this always bothered me.

A pervasive thought in CyberSecurity is that people don’t implement controls because they’re not knowledgeable. More information means better security. The entire discipline of security awareness is based on this idea. But is this correct? Some studies suggest otherwise. Take User Mental Models of the Internet and Implications for Privacy and Security, for example. Researchers found that people with technical in-depth knowledge of the Internet didn’t actually take any more steps to protecting their information than non-technical people.

Our capacity is finite. We can hold three ideas in our mind. We can remember seven digits in a sequence. We can maintain a hundred-fifty relationships with people. Our semantic memory can only hold so many facts. The question is how we use that capacity. The goal is to fill our lives with right ideas, the right facts, the right people. In other words, the right amount to take action.

Back to Peter Saville. Saville knew art. He knew symbols, shape, and color. He didn’t know what a floppy disk was before hanging out with New Order’s band. He certainly did not know binary. (His code was a base-10 system.) He put it this way: “I understood the floppy disk contained coded information and I wanted to impart the title in a coded form, to simulate binary code in a way-therefore converted the alphabet into a code using colours.” The resulting cover was the striking floppy disk with the color-coded wheel. In the end, Saville knew exactly what he needed to know to do what he needed to do. Blue Monday became one of the most recognizable covers in the late twentieth century.

When designing the specific security controls, the trick is to be Peter Saville. On the one end of the spectrum are those who don’t understand the technology enough to take action. Picture the clueless boss stereotype. On the other end are those who understand it too much and get too deep into the implementation. Consider a firewall engineer who moved into security and now spends way too much time on network security, at the expense of the rest of the security program.

Determine how much information you need to take steps towards implementing security controls. The CyberSecurity architect sets the requirements. The IT subject matter expert implements technology to meet the requirement. Know enough, yes. But don’t waste time listening to the music.

New Order Blue Monday cover by Peter Saville, photography as credited.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Security design, the art of Chindōgu, and denim jeans – Recap

Posted by

CyberSecurity design weekly recap for June 15-20.

This week: Kenji Kawakami and the Japanese art of Chindōgu. From shoe umbrellas to chopsticks with cooling fans, the playful anarchy unlocks our creativity. Toss aside the checklists. Have fun with the controls. Forget being productive for a moment. Forget being useful. Join the un-useless revolution. Principle: Take controls from useless to un-useless to useful.

Previously: Bart Sights and Levi denim jeans. When planning the implementation and ongoing operations, consider how the technology can develop a patina. Think of it like denim jeans, where every day, every wear, the jeans and security becomes better molded to you. Principle: Plan to wear in, not wear out.

One thing more: Check out The World According to Jeff Goldblum on Disney. Generally, it’ll inspire you. Specifically, episode 104 is on Denim and Goldblum visits Bart Sights Eureka Labs.


This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Take controls from useless to un-useless to useful – Design Monday

Posted by

Kenji Kawakami started a useless revolution. Or perhaps better said, an un-useless revolution.

The art of Chindōgu, which Kenji Kawakami invented, is the art of creative problem solving. There are principles, of course. (Aren’t there always?) Chindōgu address real problems, like the shoe umbrellas keeping the top of our shoes dry. They aren’t useless. Unlike Rube Goldberg machines, Chindōgu emphasize simplicity and practicality. You must actually build a Chindōgu design for it to be considered a Chindōgu. Oh yes, Kawakami built chopsticks with a cooling fan. “There must be the spirit of anarchy,” goes one principle, and the resulting design makes people laugh by “finding an elaborate or unconventional solution to a problem.”

CyberSecurity needs a spirit of anarchy. Security needs a spirit of play. The reason many of us got into this line of work? It was fun. Perhaps security needs Chindōgu.

There’s no place in more need of the Chindōgu spirit than control selection. We have pages upon pages of standards. We have checklists with best practices. The audit and compliance team handed over a list of regulatory requirements. Forget all that. Get together over a whiteboard and start brainstorming. How can the team meet the most controls with the least effort? What’s a fun way to do some of the controls? Remember, not useless. Un-useless.

Once I led a workshop such as this. We ended up with a game of Mousetrap implemented with a series of Python scripts. As the adversary followed their attack path, like a marble rolling down the track, a series of humorous actions befell them. We had a blast.

The book 101 Un-Useless Japanese Inventions includes a telescoping hand for taking photos. Here’s the problem. A Chindōgu is a tool that a person could use, while paradoxically, a Chindōgu is a tool that no one would actually use. But the telescoping hand, or as it is known today, the selfie stick, took off. The stick graduated from Chindōgu to being useful, a must-have for tourists. Our Mousetrap scripts met a similar fate, serving as the inspiration and starting point for an Endpoint Detection and Response (EDR) platform.

Bringing back the playful anarchy unlocks our creativity. Toss aside the checklists. Have fun with the controls. Forget being productive for a moment. Forget being useful. Join the un-useless revolution. You’ll be surprised at where the security controls end up.

A 360-degree camera hat for taking panoramic pictures, photography by Amusing Planet.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Security design, aesthetics, and MRI machines – Recap

Posted by

Security design weekly recap for June 8-13.

This week: Paul Hekkert and the Unified Model of Aesthetics. \When work looks like work, work gets done. But there’s a problem. The best way to keep things familiar is to keep things the same. Yet we design security capabilities to push things forward. Principle: Balance familiarity with novelty.

Previously: Doug Dietz and the GE Healthcare MRI for children. We don’t talk to kids about the MRI. We talk to them about the jungle experience. We don’t talk to end-users about passwordless. We talk to them about a more enjoyable work experience. Good design begins with empathy. Principle: Empathy is the Heartbeat.

One thing more: You can watch Doug Dietz on the TED stage talking about empathy. Transforming healthcare for children and their families: Doug Dietz at TEDxSanJoseCA 2012