Month: March 2016

Hi folks,

Yesterday we started by talking about Raoul Wallenberg Place, the name of 15th Street that I noticed during my bike rides into work.

We talked about Wallenberg’s amazing and inspiring activities during the height of WWII, placing himself in harm’s way to save tens of thousands of innocent lives.  In the course of doing so, he demonstrated numerous admirable qualities, some of which we can try to emulate.  Yesterday we talked about improvisation and confidence.  I have two more to touch upon, one of which is:

Acceptance of imperfection

This is perhaps the saddest part of Wallenberg’s story.  He couldn’t save everybody, so he had to prioritize as best he can.  In the case study, he chose to save the youngest first – “I’m sorry… I want to save a nation.”  It wasn’t the ideal outcome, but it was the best he could do.  Had he tried to save everybody, he would have failed to save anybody.

And how is this relevant to our work at our agency?

We can go way deep on this, but the gist is that much of Western philosophy argues that perfection doesn’t exist in this plane of reality.  Plato bucketed concepts of ideals/perfectionism as Forms, St. Augustine called them the Intelligible, but the idea is the same – nothing you can perceive with your bodily senses can be considered perfect.  Now, that’s certainly arguable, but I submit that nothing we do here at work represents a counter-argument to the concept.  For as much as we should all strive to do the best we can, achieving perfection probably isn’t in the cards.  So that then means, in the context of our daily activities:

^ This guy gets it.  If we keep waiting for perfection, we’re simply stalling.  Perfectionism isn’t an admirable trait when it obstructs progress.  Instead, we should listen to Skeletor:

And for as unnatural as it is to mix memes with the inherent reverence reserved for somebody like Wallenberg, I think he’d agree with the message.  We’re not going to achieve perfection, but that shouldn’t stop us from making progress.  Instead, let’s focus on our trajectory and make sure we’re headed in the right direction.  We don’t need a plan to get us to the ideal state, but we should always be executing a plan to get us closer and closer.

Rex

Hi folks,

Some of you know I ride my bike into work into DC.

I live in Alexandria, so I come over the 14th Street Bridge and ride up 15th Street until I hit New York Avenue.  When I’m not dodging angry cars and riding for my life, I occasionally become aware of my surroundings.  For a while I’ve noticed that from the Jefferson Memorial to the Washington Monument, 15th Street is called Raoul Wallenberg Place.  Only recently did I find out why.

Towards the end of WWII in 1944, knowledge of the Holocaust had spread, but the front lines of Allied advance were still too far away to stop the atrocities.  Citizens of neutral countries like Sweden could move freely within occupied territory, and Raoul Wallenberg – a wealthy, privileged, 32 year old Swede – volunteered to help.  With little more than his wits and his cover as a Swedish diplomat, Wallenberg saved nearly 100,000 lives.  This is a link to a case study of Wallenberg’s leadership – it’s well worth reading.

 

 

 

Seriously – go read it.  This post can wait.

 

 

 

There are countless lessons we can learn from an inspiration like Wallenberg – the defense of justice, courage in the face of danger, protection of those most vulnerable – but those are hard lessons to apply in our daily work lives.  Nonetheless, I think Wallenberg demonstrated several characteristics that we can benefit from emulating.  I want to talk about a couple today and a few more tomorrow:

• Improvisation: Wallenberg left for Budapest with only the rough outlines of a plan.  He’d assume the cover of a Swedish diplomat, distribute fake Swedish passports, and establish a series of safe houses under diplomatic protection – he’d figure out how to do that (and everything else) along the way.  He understood that time was his most precious resource (as it is for all of us), and that waiting to develop the perfect plan before deploying would only risk lives.  Being able to improvise upon arrival – to remain flexible in the face of changing conditions – was key to his success.
• Confidence:  Wallenberg was no more a diplomat than you or I.  But through unwavering displays of confidence – even under live gunfire – he convinced hundreds of armed and angry NAZIs that he had the authority to override their orders.

How are these characteristics relevant to our work in the Federal sector?

• Improvisation: The conditions around us are constantly changing – people, relationships, priorities, resources, etc.  On top of that, cybersecurity itself is an amazingly dynamic field.  Not only must we be comfortable with change in general, but also with our ability to adapt to it.  If we can’t quickly adapt to an ever-changing landscape, we will soon be left headed in what was once the right direction, but is now the wrong one.
• Confidence: Much of what we do is serve as security subject matter experts.  And if you don’t exude confidence in what you’re saying, you can’t expect others to accept you as an expert.  So whether it’s to the IG, our peers in IT, or throughout the rest of our agenct, we need to demonstrate an air of confidence when we’re acting as a SME (which should be pretty much all of the time).

I have a few more lessons I think we can learn from Wallenberg, but I’ll save them for later.  In the meantime, I encourage you to find your own.  He left a legacy from which we all can learn much.

Rex

Hi folks,

I’m a big fan of trees, and I’m lucky enough to have a number of large trees on the property around my house.  But they’re not just decoration – they’re functional.  Between the shade and the evapotranspiration (I win the obscure word of the day contest) of a tree, they reduce the ambient air temperature as much as 9 degrees, and the temperature directly under a tree by as much as 25 degrees.   They’re awesome.

The problem with trees is that they take a long time to grow.  So when we had to remove two dying trees from our lot last year, we lost a bunch of shade with no quick way to regain it.  We’ve since planted more trees, but it will take decades to realize the shading and cooling benefits of those new saplings.

The same concept applies to relationships.

No, seriously – hear me out.

The benefits of good relationships are innumerable – laughing at your stupid jokes, hugs, bailing you out of jail – but generally those benefits don’t manifest overnight.  Meaning that I can’t reasonably expect the same kind of support from somebody I befriended yesterday as I can from a friend of 20 years.

And further, even long-standing relationships need constant investment.  If I abandon a relationship for an extended period, I shouldn’t expect support when it’s convenient for me.  I’m sure we’ve all seen too many relationships deteriorate over time as people take them for granted and fail to invest in them.

So, just like trees, we need to plan and care for our relationships.  If we plan on working with individuals in the future, it benefits us to establish and invest in our relationship with them as early as possible.  And if we already have a relationship established, we can’t afford to neglect it – we need to nurture it continually so it’s ready for us when we need it.  Let’s get out there and make some friends!

Rex

Hi folks,

Maybe it’s just me, but I used to roll my eyes at checklists.  They’re usually pretty boring, they’re a symbol of bureaucracy, and they’re insulting by insinuating that I can’t remember what to do without them.  But then I learned that checklists beat the NAZIs and helped us win WWII.

In 1935, the US Army (there was no Air Force yet) was looking for a new bomber.  Boeing tossed its hat in the ring with the Model 299, a massive four engine plane that exceeded all of the Army’s requirements.  The Army was sold, but during testing on October 30, 1935, the plane crashed, killing Boeing’s chief test pilot and an Army test pilot while injuring several others.

The problem?  Planes had become too complex for pilots to fly by memory alone.

The crash nearly ruined Boeing, but the Army still wanted the planes, so Boeing developed a simple and elegant solution – the pre-flight checklist.  Following the introduction of the checklist, Boeing flew without incident and the Army ordered nearly 13,000 copies of what was renamed the B-17 Flying Fortress.  And as the pilots continued flying, they developed more checklists for routine activities, introducing more reliability, reducing the time to complete sequences, and reducing overall workload.

You may be thinking “uh, we’re not test pilots and we’re not fighting for the survival of democracy and freedom”.  Debatable, but potentially true.  Nonetheless we are doing reasonably complex things.  And we’re doing them routinely, which is the ideal combination for a checklist.   Responding to an incident?  Assessing common controls?  Flowing new policy through a control board?  All opportunities to see if developing a checklist would help improve the reliability and quality of our output.

Or, if nothing else, just use a checklist to make yourself feel better:

Rex

Hi folks,

Saint Augustine didn’t start his life in a saintly way.  During his hedonistic youth, he famously prayed “grant me chastity and continence, but not yet.”  And while he was a brilliant philosopher and theologian, he couldn’t have known that he was perfectly articulating the concept of the Present Bias.

The Present Bias (and other forms of temporal discounting) says that we discount rewards/impacts/punishments the further they are in the future.  So if I ask you if you want cake or fruit next Friday, you’re pretty likely to choose the healthy option of fruit.  But if I ask you if you want cake or fruit today, you’re much more likely to choose cake today.

What can we take away from this?  Likely much, but something that stands out to me is the need to push out the negative impacts of changes we require.  Meaning our customers and partners are more likely to agree to obligations they find onerous the further in the future those obligations are required.  For example, which seems more likely to get support from our customers?

• Please assess and report on the status of 100 controls by the end of this month.
• Please assess and report on the status of 100 controls by the end of this year.

Right – the latter.  Easily.

What does that mean for us?  We need to plan well in advance.  If we need those 100 controls assessed and we want to minimize pushback from our customers, then we can’t wait until 4 weeks before they’re due – we need to give them as much notice as possible.  Because when you look to a year out on the horizon, pretty much everything looks small and agreeable.

Rex