Hurry up and make a decision. Maybe.

Hi folks,

I have yet to get into the whole cryptocurrency thing. It’s clearly an awesome concept with all sorts of implications (good and bad) for individuals and society writ large, but I just haven’t had a motivation to buy into it. Maybe I should be buying more narcotics online, I don’t know…

Anyhow, the ideal time to have gotten into bitcoin was seven years ago, when the currency first emerged. That’s when Kristoffer Koch got into it, buying around $26 worth of bitcoin as part of some academic research. He forgot about them for four years, at which point they had become worth around $1 million. If he had hung onto them until today, they’d now be worth more than twice that.

Koch clearly didn’t know that was going to happen – he made a relatively blind investment. Had he waited until he had better information – until he saw the appreciation of bitcoin value – his $26 wouldn’t have yielded nearly the return that it did.

That’s the point of the consequences model developed by Danish organizational theorists Kristian Kreiner and Søren Christiansen. They argue that the greatest opportunity for impact is at the beginning of any timeline – precisely when you have the least knowledge. Yes, you’re making decisions with minimal information, but if you’re looking to have a big impact, you need to be comfortable operating without perfect knowledge. Wait too long for the knowledge you need in order to be sure you’re making the right move, and you’ll lose your chance for that big impact.

But that big impact could be good or it could be bad, and that uncertainty paralyzes many, many people.

In security, we often don’t have the luxury of waiting for perfect information. Whether it’s responding to an attack, fixing a known vulnerability, or choosing a new defensive technology, any delay in our decision works to the advantage of the bad guys.

So how do we handle this? I’d argue the most effective approach is to push that knowledge curve to the left. How? By better preparing for expected scenarios. Suspect you’re going to have an incident where you need to determine the nature of the impacted assets? Then don’t wait until an incident to figure out what applications a system is supporting – develop that knowledge in advance through an asset inventory and make it available to your Ops team. Know that vulnerabilities are going to be uncovered in operating systems and software over time? Then improve your patching process to allow for rapid deployment of critical fixes. Think you’ll need a new IPS next year? Then start the research now, well before it’s time to make the investment decision.

Better preparation allows quicker AND better informed decisions. Will we still have to make decisions without perfect knowledge? Yes. Should security professionals get comfortable with that? Absolutely. But we’re not helpless – we can push that knowledge curve to the left and help our future selves by investing some effort to develop knowledge today, before it’s needed.

That, too.

Rex

What’s a customer anyway?

Hi folks,

Like many people, my musical tastes go through phases. I have a core group of genres that are pretty static, but onto those I’ll periodically add additional genres that phase in and out over time. The current top of my Pandora playlists: sea shanties.

That’s right. Sea shanties.

Either way, since many of these songs were written in the 1800s, I sometimes have to do some research to figure out what they’re talking about. For example:

Come all ye young fellows that follows the sea
To me, way hey, blow the man down
Now please pay attention and listen to me
Give me some time to blow the man down

What does “blow the man down” mean? Turns out that people don’t really know. There are a variety of theories, but the precise meaning has been lost over time.

This happens in modern times, too. Or at least definitions evolve – sometimes from misuse of a word or phrase over time. I’m pretty sure “literally” is used properly about 10% of the time. Literally.

A term that’s been bothering me for a while is “customers”, usually as it relates to the concept of customer service.

“Customer” has a pretty precise definition – somebody who pays for goods or services. And in that definition, the customer is a goal in and of themselves – you maximize your customers in order to maximize your revenue or profit. To that end, you provide good customer service to make sure that they’re happy, that they return to buy more from you, that they refer others to you, etc. Makes sense, right?

But “customer service” has become shorthand for good relations with somebody to whom you provide something and “customer” has become shorthand for somebody who receives something from you. And that fundamentally mischaracterizes most relationships. A person is not your customer simply because you provide them with the output of your efforts. For somebody to be a customer, your transaction with that person – typically the exchange of money – has to be the fundamental goal of your organization.

From an abundance of good intentions, we took on the mantra of “good customer service” and began referring to many of our colleagues throughout the agency as “customers”. They’re not, and we do ourselves and them a disservice by characterizing them as such. Our relationships with them far transcend our transactions.

So what are they?

They’re our partners. Partners share a common goal and both contribute to the pursuit of that goal. For us, we share the common goal of the security of our agency. And our partners contribute to that goal in a multitude of meaningful ways – ways that go far beyond the simple receipt of our work products.

Why spend the time to write about this?

There’s a pretty awesome quote, variations of which have been ascribed to everybody ranging from Emerson to Buddha to Margaret Thatcher’s dad:

Watch your thoughts, they become words;
watch your words, they become actions;
watch your actions, they become habits;
watch your habits, they become character;
watch your character, for it becomes your destiny.

When we refer to partners as customers, we change the dynamics of the relationship. We focus on the transaction. We place ourselves in a servile position. We lose sight of the shared, common goal. If we’re going to pursue our mission as effectively as possible, we need as many allies – as many partners – as possible. We can’t afford to turn them into mere customers.

Rex

Good arguments need good timing

Hi folks,

I once worked with a friend who quoted The Big Lebowski like it was his job. And when I admitted that I hadn’t seen it more than 10 years after its release, he pressured me into watching it. I did, and I thought it was merely /okay/.

My friend was offended by my atrocious taste.

But it wasn’t my taste that was bad (this time) – it was that the world had moved on and the movie no longer felt fresh and new, even to somebody who hadn’t seen it. It’s the same way that my 6-year-old daughter can hear a song by Cab Calloway and know “this is an old song.” Minnie the Moocher might be a great classic, but it’s obvious that it doesn’t fit into the current context.

When we’re communicating – whether it’s via a movie, music, or (more likely for all of us) via an email or presentation or discussion – timing is critical. You could have the right message, the right person to deliver it, and the right audience, but if your timing isn’t right, you’re unlikely to succeed.

It’s the same concept described in Malcolm Gladwell’s Outliers – that many of the extraordinarily successful individuals in our society are successful, in large part, due to the timing of their birth. Had their natural brilliance, ambition, and drive not intersected with the right timing, we’d have never heard of Bill Gates, Steve Jobs, and countless others.

Timing may not be everything, but it’s a big chunk of everything.

A great example of this is in the 1957 classic, 12 Angry Men. [spoiler alert] In the movie, juror #8 argues that the evidence presented against a young man in a murder case is insufficient to prove guilt beyond a reasonable doubt. At a key moment, after spending nearly 30 minutes trying to convince his fellow jurors of his perspective, he pulls from his pocket his strongest evidence – a knife identical to the “unique” knife used in the murder. It’s the turning point in the story – the point from where he’s able to eventually convince all of his fellow jurors of his perspective.

The question for all of us is: how long could we keep the knife in our pocket? Will we be overly anxious and show the knife too early? Or will we withhold it too long and let the right moment pass us by? Do we have the patience and sense of timing to only reveal our best evidence when it is most likely to resonate?

Rex

small words > big words

Hi folks,

The last time we talked about communications, we discussed how critical context is, and how ignoring the context of a famous quote by Martin Luther King Jr. nearly ruined his monument.

There are many more communications principles worth discussing. In my opinion, one of the most critical is simplifying the language we use. I had a professor once who said “don’t use a quarter word when a nickel one will do.” I didn’t fully appreciate it then, but I sure do after years in the consulting and Federal industries.

We all see it every day. Otherwise good ideas obfuscated by overly-complicated language – in presentations, in emails, everywhere. And for what purpose?

^ That’s exactly the problem. The audience is left not knowing if the speaker is trying to sound impressive, is trying to hide something among the impressive words, or is just unable to simplify their language. But they are left with a feeling of disconnect – that the speaker isn’t communicating with their authentic voice. Because, really, when people are being authentic, they don’t use complex sentence structures and terms like synergy, paradigm shift, etc.

As I write this, we’re in the middle of the 2016 Presidential campaign. Politics aside, Trump has demonstrated a remarkable ability to communicate and persuade. How? In part, at least, by apparently communicating at a fourth-grade level. And he’s not alone. According to the analysis by the Boston Globe, none of the candidates communicate above the 10th grade level.

On the other end of the scale, the first paragraph of NIST 800-37 ranks at 19.1 on the Flesch-Kincaid Grade Level scale. This is the paragraph that is supposed to describe “the need for information security and managing risk” – a paragraph, then, that seems not only relatively straightforward to write, but also pretty damn important to communicate well. We’ve talked earlier about the importance of easing your audience into a conversation or communication. I’m pretty sure that opining using doctoral-level language isn’t the most effective means of bringing your audience into the fold.

So what can we do?

Communicate like you’re talking to your friends. Don’t try to sound smart, don’t try to impress – just try to communicate. Sure, if you’re talking about a specialized topic, you’ll need to use some specialized language, but that shouldn’t make your whole communication complicated. Use specific, specialized terminology when needed and wrap it with simple, straightforward words. You’re far more likely to engage your audience, sound authentic, and get the kind of response you’re looking for.

By the way – this post gets an 8.4 on the Flesch-Kincaid Grade Level scale. I should run for President.

Rex

 

PS – read this book: Why Business People Speak Like Idiots