I’m inspired by brownies

Hi folks,

We in information security hear a lot of feedback about when we should provide rules and when we should provide guidance.  Sometimes we have various parties battling it out over which we should provide, pulling us in either direction, trying to make their case.  It’s at times like that we all need a bit of inspiration.  That’s when we need to turn to:

That’s right.  Betty Crocker.

How, exactly, is a fictional dessert baker a great example of the distinction between guidance and rules?  Think brownies.  When you buy a box of Betty Crocker brownie mix, it has very clear and easy-to-follow instructions on the box for making brownies.  But they’re not rules.  In fact, our friend Betty encourages you to experiment.  On her website, she provides a dozen other recipes for which you can use her brownie mix.

Why does she do this?  Is Betty Crocker an anti-authoritarian revolutionary?  Is she baking anarchy brownies and handing them out at Occupy protests?

She does this because there’s no harm in messing with her recipe.  In fact, the home baker might have a better idea for what to do with the brownie mix.  And that’s the key distinction between rules and guidance.

  • If the purpose is to stop harm, it should be mandatory – a rule.
  • If the purpose is to help an implementer do their job, it should be optional – guidance.

There are all sorts of nuances therein (e.g. what constitutes harm), but as a general principle, that works.  Potential for harm?  Make a rule.  No potential for harm?  Provide some guidance.

And why not just make everything a rule?  Because it locks us into a way of doing things, reducing our agility and creativity.  So when our customers demand more rules from us (which is a phenomenon I’ll never understand), we need to be cautious about what we provide as a rule and what we provide as guidance.  Just think “what would Betty Crocker do?”


Rex

Where’s my credit?

Hi Folks,

One of our biggest challenges in the security field is proving our value.  This is the nature of a counterfactual – it’s really difficult to prove that something we did prevented something that didn’t happen.

The diagram below shows multiple precursors flowing along a timeline, eventually leading to a negative impact (i.e. a harm).  Interrupting those precursors stops the harm.  But interrupt the precursor too far in advance – before that squiggly line – and you’re not likely to get credit for saving the day.

[Diagram: precursors flowing along a timeline toward a harm, from Malcolm Sparrow’s The Character of Harms]
Of course, before that squiggly line is exactly where you want to be preventing harm.  Waiting until the last minute to prevent a harm is risky.  There’s a whole host of security activities that are performed well in advance of the squiggly line – training, policy development, vulnerability scanning.  None of that is a last-minute save, so none of those activities are likely to get direct credit for stopping the bad guys.

But we know better.  And, thankfully, many of our more astute colleagues and senior executives do, too.  They know that without all the effort we put in well before the squiggly line – all the controls, all the procedures, all the reporting and planning and assessments – any organization would be in a world of hurt.

So if you’re not on the “front lines” of security and you feel a bit disconnected from a heroic, last-minute save, that’s by design.  Because by doing what you do early enough, we’re stopping the bad guys before they even hit our radar screen.  Thanks for everything you do.

Rex


Thanks to Malcolm Sparrow for use of the above diagram from his book The Character of Harms.

Simplification

Hi folks,

I’ve recently been exposed to behavioral economics – the intersection of economics and psychology.  It’s a huge and complex field of study, but one of the big take-aways for me is the need for simplification.  Two items for your consideration:

  • The impact of complexity on customers:  The Free Application for Federal Student Aid form is 6 pages and over 100 questions – longer than the IRS Form 1040EZ (1 page, 37 questions).  Studies have shown that the complexity of the form dissuades people from applying for aid – disproportionately dissuading those in the most need.  And while other studies have shown that the length of the form could be reduced by 80% without eliminating any critical information, the form remains complex and customers continue to be poorly served.
  • The impact of complexity on organizations:  Colin Chapman was the founder of Lotus, the legendary line of race and performance cars.  He’s perhaps best known for directing his engineers and designers to “simplify, then add lightness.”  Why?  “Adding power makes you faster on the straights. Subtracting weight makes you faster everywhere.”  This philosophy can easily be applied to us.  The more we simplify ourselves – our processes, our teams, our approaches – the faster we’re able to complete, change, and integrate them.

The simpler we keep things – our communications, our policies, ourselves – the better we serve our customers and the more agile we become.


Rex

Eisenhower helps me prioritize

Hi Folks,

U.S. President Eisenhower is known for a great many things – leading the Allies to victory over Germany in WWII, launching the interstate highway system, creating NASA and DARPA, fighting segregation and McCarthyism…   But one of his lesser-known impacts was the inspiration he provided to author Stephen Covey.

In 1954, quoting a university president, Eisenhower said “I have two kinds of problems: the urgent and the important. The urgent are not important, and the important are never urgent.”  At a high level, this described what became known as the Eisenhower Decision Principle – a means of organizing and prioritizing activities by the intersection of importance and urgency.

Covey, author of the business super-book 7 Habits of Highly Successful People, adopted this for the time management matrix he outlined in his book First Things First:

[Diagram: Covey’s time management matrix, with quadrants defined by importance and urgency]

You want to handle each quadrant differently.

  • Quadrant 1 needs immediate attention.  These are worthy of your attention and need to be addressed now.
  • Quadrant 2 is for long-term strategizing.  This is where you want to focus most of your attention.  Like quadrant 1, these are worthy of your attention, but you have more time to address them in a considered manner.  Delay too long, however, and they’ll migrate towards quadrant 1.
  • Quadrant 3 is for things that aren’t important, but for whatever reason you need to handle them right now.  Think TPS reports.
  • Quadrant 4 is the Angry Birds quadrant.  There’s no real value other than taking a break from the other quadrants.  Don’t spend too much time here or you risk the other quadrants getting out of control.

I think one of the better visualizations I’ve seen for the grid is the following:

[Diagram: Urgent vs. Important grid]

But perhaps the biggest challenge is accurately assessing the categorization of a task.  If everything is urgent, nothing is.

Hopefully this is familiar to all of you.  If not, it’s a pretty useful tool for prioritizing your time.  We all have more on our plate than we can handle – things are going to drop off.  We just want to make sure we don’t drop the wrong things.

Rex

Welcome

I have some thoughts I’d like to share – things I’ve picked up along the way.

These posts started as emails sent to my team as a way to share lessons I learned in executive training, so they’re mostly centered around work, but there are some lessons that can be more broadly applied, too.  The messages stopped when I moved to a more sensitive role in a different organization, but they’re still relevant in any context.

I hope these help!

Rex