Anti-patterns and Patterns for Directing Security Projects – Design Monday


Posted by

An implementation is like a movie, directed by leadership and produced by project management. Successful security implementation projects start strong, start with style, start like movies. As projects are running, what else can cinema teach us?

I began this series of cyber security design principles with an insight: to see things differently, look at different things. Spend a week with an artist, designer, or director. Find a security lesson. Share what I find. Sometimes my process is easy, sometimes difficult. Yet no one has challenged me more than Federico Fellini.

Federico Fellini. Distinctive, acclaimed, the Italian filmmaker was legendary in the twentieth century. He directed thirty-one films, “was nominated for twelve Academy Awards, and won four in the category of Best Foreign Language Film, the most for any director in the history of the Academy.” You’ve seen a movie scene inspired by (or directly copied from) a Fellini film. It’s guaranteed. Let’s take one example: Fellini’s Casanova. The film follows the titular Casanova on an adventure across Europe, while highlighting what makes Fellini a legendary director and an example for cyber security.

Anti-patterns in project management from Fellini’s Casanova:

  • Micro-manage your people. “Puppets are happy to be puppets if the puppeteer is good,” Fellini said of his relationship with his actors. Donald Sutherland, who played Casanova, described it as being the worst experience of his filmmaking career. Every action micro-managed and scripted, until nothing of the talented actor remained.
  • Force your people to fit your stereotype of talent. Sutherland is unrecognizable as Casanova. Fellini has him wearing a false chin and nose. He raised Sutherland’s hairline, which then necessitated false eyebrows to even the look out.
  • Over-engineer details that don’t affect the final result. Fellini, unsatisfied with the color and waves from the water, had a plastic simulated lake created for Sutherland to row across. Almost a decade later, furious the color blue wasn’t the right color blue, Fellini would delay production while an entire faux ocean shore was created with plastic sheets for And the Ship Sails On.

James P. Carse popularized the idea of finite and infinite games. Most games we are familiar with are finite: you play to win, you play to maximize your results at the expense of the other players. Infinite games are ongoing: you play to keep the others playing. Federico Fellini films were finite games. Sutherland never worked with Fellini again. By contrast, the Golden Age of cinema was an infinite game. (Well, infinite, until it stopped in the 1950s.) Major film studios had in-house production crews and contracted actors. While the roles varied and films came and went, the directors were incentivized to keep the best people playing with them.

Cyber security in an organization is like the Golden Age of cinema. The leader’s role is encouraging people to want to play with us again and again, implementation after implementation.

Don’t be Fellini. Manage projects with the following patterns:

  • Set the vision and collaborate with people on execution. Listen.
  • Personalize the approach and tasks for the people on the project. Individualize.
  • Maximize efforts where they matter by minimizing where they don’t. Simplify.

Directing implementation projects is both an art and a game. It is the art of engaging people in an infinite game. Good security projects leave people hungry to play again.

Afterwards

Security is often a story about crime, and criminals often make mistakes even while succeeding. Imagine someone stealing backup tapes to get at stored credit cards, not realizing they were also stealing people’s spreadsheets. In 1975, thieves broke into Technicolor labs and made off with film from 120 Days of Sodom. The heist also swept up seventy reels of film from Casanova, forcing Fellini to reshoot weeks of material.

A good reminder to classify and protect data according to what criminals value … rather than what a snarky blogger might value.


This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Start projects like movies – Design Monday

Posted by

Saul Bass forever changed cinema.

Saul Bass designed corporate identities. He created movie posters. In both, his signature style was minimalism and clarity. Consider the iconic AT&T bell logo (1969), or the Magnificent Seven poster below (1960). Clean. Concise. But he is best remembered for his reimagining of the movie title sequence. Originally, the titles were how the film provided credits. And because of this, people naturally ignored them, using the time for a concession run.

Saul Bass saw it differently: “The audience involvement with the film should begin with the first frame. Use titles in a new way to create a climate for the story that was about to unfold.” Take my favorite of his title sequences: Grand Prix (1966). The engine revs. The cars come into view. The engineers’ and mechanics’ movements are isolated, amplified, repeated, glorified. Everything about those first few minutes pumps me up. I frankly can’t recall anything else about the film. But I never forgot that intro.

Of course, my reaction was a bit of a problem for studios. “There was a backlash against inventiveness in credit design, first from the industry and then from at least one well-known critic,” Jan-Christopher Horak writes in Saul Bass: Anatomy of Film Design. Quoting Variety in 1957: “An offbeat credit runoff, while pleasing to the patrons, does an injustice to the talent since the audience’s attention is diverted from the names.”

Let’s put Saul Bass’s story aside for a moment and turn towards designing and architecting cyber security capabilities. In the final phase, when planning the implementation, how are we treating the critical beginning of the project?

Most kick-off with the equivalent of running credits while stakeholders are getting popcorn. A 2018 study by the Project Management Institute (PMI) into project failures reflects this status quo. Projects failed due to vision (29%), poor communication (29%), and, unsurprisingly, inadequate support from stakeholders and sponsors (26%). We read off the checklist and they check out.

“In a sense,” says Art of the Title, “all modern opening title sequences that introduce the mood or theme of a film are a legacy of the Basses’ work.” It’s short form storytelling. It’s an entire theme of a movie boiled down to simple ideas well visualized. An opening title sequence frames the movie and creates excitement for what’s to come. If we want our implementation to be successful, this is what our kick-off meeting must deliver.

Start strong. Start with style. Plan the kick-off meetings like Saul Bass planning a title sequence. The project will be our blockbuster. Start it like one.

The Magnificent Seven, Poster by Saul Bass

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Friday Books and Talks 01/16/2015

Posted by

I am revisiting some classic books, investigating ideas about constraint management.

Critical Chain
by Eliyahu M. Goldratt

“Critical Chain,” a gripping fast-paced business novel, does for Project Management what Eli Goldratt’s other novels have done for Production and Marketing. Dr. Goldratt’s books have transformed the thinking and actions of management throughout the world.

It’s Not Luck
by Eliyahu M. Goldratt

Learn more about the powerful techniques first presented in the best-selling business novel, The Goal. In this book, Dr. Goldratt, through examples in a variety of industries, shows how to apply TOC to sales and marketing, inventory control, and production distribution. In addition, techniques in conflict resolution are introduced on both a business and personal level.

Peer Incites next week

Posted by

I will be on Peer Incites next Tuesday, March 6th, for a lunch time chat on team management. The talk is scheduled for 12-1pm ET / 9-10am PT.

DevOps — the integration of software development and IT operations — is a hot topic these days. In my current role, I took on IT operations in 2008 and took on software development in 2010. I have been driving the combined team using a value proposition lens: the nexus of passion, skillsets, and business value. Add to this my favorite topic, training and skill hops, and we get a winning mix for leading a productive DevOps team.

I will dig into the nuts-and-bolts next Tuesday. Details are below. Hope you can join us.

Wolfgang


Mar 6 Peer Incite: Achieving Hyper Productivity Through DevOps – A new Methodology for Business Technology Management

By combining IT operations management and application development disciplines with highly-motivating human capital techniques, IT organizations can achieve amazing breakthroughs in productivity, IT quality, and time to deployment. DevOps, the intersection of application development and IT operations, is delivering incredible value through collaborative techniques and new IT management principles.


More details at:
http://wikibon.org/wiki/v/Mar_6_Peer_Incite:_Achieving_Hyper_Productivity_Through_DevOps_-_A_new_Methodology_for_Business_Technology_Management

The team, the tools, and the time

Posted by

“Want to find out how good someone is? Take away all their tools and say, ‘Now do it.'” — @SecShoggoth

Have you heard of Thomas Thwaites? He took a maker’s approach to toasters. By reverse engineering a £3.99 Argos toaster, Thwaites was able to build his own model. He smelted the iron. He melted the plastics. He may have argued with a volleyball named Wilson. I am not sure on that last point. But after nine months and £1187.54, Thwaites had himself a toaster.

A tweet by Tyler Hudak (@SecShoggoth) had me comparing toasters to information technology. Just what is a tool? Is it that application you are using? Fine. Let’s rewrite the app to show how good we are. But wait … what about the IDE? Is that a tool? No worries. We will use cat and bang the C code out straight. What about the compiler? What about the language itself? The OS? The computer itself? How about the motherboard and daughter cards? What about ICs? The transistor?

“If you want to make an apple pie from scratch, you must first create the universe.” Carl Sagan sums up the slippery slope we ride.

We live in a remix society. We — in the IT and InfoSec industry — work on the largest hackable platform in human history. Everything we do depends upon the work of others. Everything we make builds upon the tools of others. Every day we take from and give back to this hackable platform we call modern IT.

We can dismiss the new generation’s approach to IT as the Nintendo generation’s. Heck, they just download an app, point-and-click, and done. That’s not IT.

I recall folks lambasting my generation because we had a GUI. Heck, we had keyboards and mice. All we had to do was boot up, point-and-click, and done. That’s not IT. That’s not real computing.

I wager the generation before were heckled because they did not have to use punch cards. And don’t get me started about slackers who use transistors instead of vacuum tubes.

There is a certain rugged nostalgia for folks like Thomas Thwaites. People who toss aside the benefits of society to forge their own way are admirable. Equally admirable, in my opinion, are those who save time and money with clever hacks to the platform. These are folks who excel through expert use of modern tools.

See, IT has become a team sport. The one-man toaster and the lone sysadmin are throwbacks. The way forward is mastery of your specific tool-set combined with a team of folks equally skilled in complementary tools. Give me a team, tools, £1187.54, and nine months. We will change the world.

Wolfgang


Note this article comes from a discussion on Twitter between @SecShoggoth, @RogueClown, and @LenIsham. @SecShoggoth blogged on expanding your skill sets beyond the tools you are comfortable with here: Tools and News.

Everything includes training

Posted by

True story. I worked with a guy maybe a decade ago. We’ve kept in touch. He sees an article on Slashdot and thinks, “wow, that sounds like Wolfgang. I should send him the link.” He clicks the link, only to find that I am in the piece. The guy called me laughing this morning and said he can’t get away from my ideas on training.

Anyways, if you have worked with me, worked for me, or worked within earshot of me, you’ve heard me say one or more of the following many, many times:

  • In IT, you don’t hire people for what they know. You hire people for what they can learn and what they do.
  • Everything includes a training component. Train during every initiative, every implementation, and every project.
  • Technology is like sports: most of the work is training before the game. High performing teams and high performing techies spend 20% of the time training.
  • Skimping on spending for training because of retention concerns is like saying: “I’m concerned that if people know what they’re doing, they’ll leave. And if they don’t know what they’re doing, they’ll stay.”
  • IT management is a Chinese finger puzzle. You pull too hard, and you can’t get out. You put in too many hours, you get diminishing returns.

Lisa Vaas at Software Quality Connection puts it all into perspective in “I Like My IT Budget Tight and My Developers Stupid”.


Project management beyond scope, budget, time

Posted by

I was asked: “To me Project Management is about scope, budget, and timing. You nail those three things (and I always do) and the rest is?”

The golden triangle of project management (scope, budget, time) has never changed. I still have a copy of the book my father gave me years back that drives home the importance of these three. It was written by Ford and Detroit Art Services back in the 1980s and was the go-to manual on PM.

In the twenty or thirty years of project management practice since that book was created, the stark reality about the customer set in. We can have a perfect project (to scope, under budget, shipped early) that fails to deliver what the customer actually wants. The PM is completely satisfied. The customer is the complete opposite.

Today project management practice includes things like managing stakeholders, communications, and HR. Because projects do not exist in a vacuum, it also includes integration and procurement. The result is deliverables that (hopefully) better meet the customer needs and are sustainable.

Being on time and on budget is akin to showing up. It is the prerequisite to success, not the guarantee.