Security leaders have a bold vision. Leaders have a grand strategy. Leaders excite and engage people to get things done. Along the way, leaders make decisions.

This blog series is about making better decisions. IT security is a new discipline. But creativity and ingenuity are as old as humanity. Week by week, we’ll look to artisans, to architects, and to designers. We’ll uncover principles we can apply to lead and to design security capabilities.

Latest Design Article

Pilot with chaos. Cyber security is complex. The proverbial butterfly flapping its wings in Brazil producing tornado in the United States. Thankfully, we have chaos theory and security chaos engineering.

– Read the latest design article –

Cyber Security Design Principles:

• Set the vision
  • Frame the initiative: reinforce values
  • Empathy is the heartbeat
  • Listening to users is the start not the end
  • Let go of the past to invent the future
  • Showcase the vision
  • Contrast the status quo with the new vision
  • Tell a story with the project name
• Protect the organization
  • Start with empathy: empathy is the heartbeat
  • Explore complexity: premature simplification is bad security
  • Scale with a philosophy and methodology
  • Reinforce the organization’s values
  • Be provocative and build on strengths
  • Identify friction with better metrics and data visualizations
  • Follow signs of friction to find security champions
  • Asset valuation: remember the chairs
  • Design for change and stability
• Define the security capability
  • Develop team values to make decisions
  • Prioritize: dare to be ugly
  • Define what we do by what we don’t do
  • Balance familiarity with novelty
  • Apply design thinking
  • Make security an inside job
  • Build Roombas not Rosies
  • Focus on the context and surroundings
  • Change the game
  • Designate security advocates
• Develop the technology architecture
  • Future-proofing: choose versatility
  • Re-use: nothing is right everywhere
  • Architecture principles: be principled
  • Play with the spaces in between
  • Mimic, don’t copy or steal
  • Be better, be different
  • Use the power of architectural patterns
• Determine the security controls
  • Frameworks fade but security is eternal
  • Take controls from useless to un-useless to useful
  • Don’t listen to all the music
  • Find your own way without brainstorming or crowdsourcing
  • Be ahead of the curve and ahead of the criminals
  • Balance depth with economy of mechanism
  • Shape the conversation with careful choices
  • Start with minimum viable security
  • Add details to make end-users happy: add some nice rims
  • Identify improvements as security matures
  • Good security has the aesthetics of a good coffee pot 
• Plan the implementation and transition
  • Take it one metaphor at a time
  • Hand out Ray-Bans not safety goggles
  • Plan to wear in, not wear out
  • Plan to get lucky
  • Execute a series of playful pilots to refine the plan
  • Pilot with chaos
  • Start strong, start with style, start like movies
  • Direct security projects like Hollywood’s Golden Age
  • Partner with IT and design for disassembly

Finally: Here are some of my folksy sayings on cybersecurity leadership and design.