It is the final task of an implementation. The stakes are high. One of your people hits a wrong button. The entire system comes crashing down. My question: Is this good luck, or bad?
For an answer and inspiration, I look to Massimo Bottura. Bottura is a chef and restauranter. At his Michelin 3-star restaurant, Osteria Francescana, a similar situation played out. The pastry chef, Taka Kondo, was platting the final course. One tart slipped. Smash! And to Kondo’s surprise and relief, Massimo Bottura burst out laughing. Good luck! The Oops! I dropped the lemon tart was born. The dessert has become legend.
You can hear Bottura tell the story himself at the video below. For now, I want to turn to the question of how to get lucky. So many things must go right when deploying technology, we can use all the luck we can get.
One factor in seeing the opportunity in accidents is associative barriers. High associative barriers lead to functional fixedness. By contrast, people with low associative barriers tend to find connections and opportunities others don’t. I’ve previously covered techniques to get beyond functional fixedness: discuss an item without naming it, and discussing what an item does rather than it is. (See Play with the spaces between the words.) Here, let’s cover building new associations.
New associations can prime us to turn accidents into good luck. It provides a larger net for catching ideas. The exercise is simple. List the assumptions. Imagine what would happen if the opposite were true. We can (and probably should) do this at multiple stages in designing security capabilities; from the vision to our assumptions about the organization, the security function, the security controls, the tools, and our assumptions about implementation. For example:
- A tart from a Michelin 3-star restaurants is carefully plated and perfectly constructed.
- It is messily deconstructed. Innovation: Oops! I dropped the lemon tart.
- The authenticating security credential is a person’s ID and password.
- A person can authenticate without a password. Innovation: passwordless.
- A security perimeter is enforced by the network, that is, by a firewall.
- A perimeter is enforced regardless of network. Innovation: Zero Trust.
- Defense-in-depth necessarily means having deep control coverage.
- Defense can be achieved with only a few controls. Innovation: attack path.
The other factor in finding the opportunity in accidents is time. Rushed people don’t get lucky. Stressed people don’t get opportunities. The psychology of stress and time shows people develop tunnel vision and repeat well-known and practiced techniques. The same is equally true for rushed and stressed projects and initiatives. The same goes for rushed and stressed teams and operations. This is an anathema to getting lucky, of course. We’re highly unlikely to see possibilities and to take them on when in this state. Buffer time and down time create the space for getting lucky.
“Leave a free space for poetry. Leave a free space from obligation. You have to be ready to see what others don’t even imagine,” Massimo Bottura says in the video below. He could be speaking directly to us about designing security capabilities. “Make visible the invisible.”
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.