Thoreau vs NIST

Hi folks,

We just passed our summer solstice, and with more daylight comes more time to spend outside.

One guy who didn’t need extra sunlight to spend time outdoors was Henry David Thoreau – the great American essayist and transcendentalist. In 1845, the trappings of modern life had become too much, and he abandoned them for a small cabin he built on Walden Pond near Concord, Massachusetts. He stayed there for two years, and used his time there as the inspiration for his masterpiece, Walden.

Walden is full of awesome insights and quotes, but I think this is one of the best:

It’s from a section of Walden where he’s literally describing the arrival of Spring – the return of birds, lengthening of the days, new vegetation along the banks of the pond. But the quote is powerful beyond his intent. It’s often used to support persuasive communications – to promote the notion that it’s far more powerful to convince others to take action through persuasion rather than compelling them through force or threat of consequences.

It’s an idea that we in security need to embrace. All too often, we defend a new policy or restriction by saying “because (we || NIST || OMB || whomever) said so” or cloaking our logic in inscrutable technobabble that we’re sure our audience can’t understand, let alone refute. So our colleagues reluctantly accept these impositions that we deliver via the barrel of a policy gun, never really understanding the “why” behind the change.

These are missed opportunities for us. By failing to explain the “why” behind our actions, we pass on a chance to convert our impacted colleagues into allies and evangelists for the change. Instead of declaring a new change by decree or fiat, we should take the time to convince others of the necessity of our actions, thereby reducing resistance and greatly increasing the likelihood of successful adoption. And that’s all good news for accomplishing our mission.

For any change we make – in our policies, our programs, our procedures – we should present the justification not as “well, NIST/OMB/etc. tells us to do this”, but as a means of becoming more effective or efficient in accomplishing our mission. So instead of saying

“we lock an account after 5 unsuccessful login attempts because NIST 800-53 AC-7 says we should”

we should say

“we lock an account after 5 unsuccessful login attempts because allowing unlimited attempts would increase the chances that an attacker could guess a password and gain access to the system. We chose 5 because it was a reasonable limit for the end user and it limits our risk appropriately.”

That’s a lot easier to get behind.

Will there be times that we need to say “we’re doing this because someone up the food chain asked us to”? Yes, but they should be rare, and if we’ve built a reputation for thoughtful, candid justifications of our actions over time, our colleagues should be understanding of those uncommon occurrences.

^ Yeah, let’s not be that guy.

Rex

Unknown good deeds don’t count

Hi folks,

The weather has been pretty awesome lately, which means the bike trails are mysteriously more crowded than in, say, late January.  Strange…

The increase in bikes is nice to see, but many of the seasonal riders seem to forget the rules of the road when they get back on the saddle.  For those who aren’t familiar, the rules go something like this:

  • Ride right, pass left
  • Announce that you’re passing with either a bell or your voice
  • Signal for changes in direction
  • Don’t be a jerk

Pretty simple.  Even so, plenty of people seem unable to follow the rules – especially announcing that you’re passing.  Lots of would-be Lance Armstrongs fly by without a heads-up, startling other riders and increasing the likelihood of accidents.  Or so I hear.  I don’t get passed. *cough*

I’m pretty consistent about using my bell to give a heads up that I’m about to pass, but a few folks have chastised me for failing to give a heads-up – even when I’ve used my bell.  Which got me thinking – if I ring my bell, but nobody hears it, do I get credit for doing the right thing?

It’s a version of the metaphysical question, “if a tree falls in a forest and nobody is around to hear it, does it make a sound?”  There are lots of answers to that question.  In the 18th century, Irish philosopher George Berkeley promoted the concept of Subjective Idealism, which basically says perception is reality – if nobody is there to perceive the sound, the sound didn’t happen.  In 1884, Scientific American seemed to agree, arguing that:

“sound is vibration, transmitted to our senses through the mechanism of the ear, and recognized as sound only at our nerve centers. The falling of the tree or any other disturbance will produce vibration of the air. If there be no ears to hear, there will be no sound.”

So, no, I don’t get credit.  I clearly need a bigger bell.

The same is true for our efforts at work.  We all put lots of effort into various activities dedicated to the security of our agency.  Every bit of effort we invest at work should be a fulfillment of our mission.  But if people don’t see that effort or the results of that effort, it doesn’t count.  They don’t understand that we’re adding value – that we’re fulfilling our mission.  So how do we fix that?  Two ways:

  1. Make sure that everything we do is output oriented.  If we’re spending energy on an activity that doesn’t produce, chances are it’s a wasted effort.
  2. Promote visibility and transparency of our activities.  All of our stakeholders should be aware of what we do to serve them.  And we can’t rely on them to discover our good work – we need to actively show them.

And this isn’t just about getting credit so we feel good about ourselves.  It’s about building relationships and trust throughout the agency.  If people don’t know that we do good work, they’re less likely to support our efforts, thereby reducing our ability to fulfill our mission.  Modesty may be a virtue (or maybe not), but it contributes nothing to promoting professional competencies, trust, and relationships.

So when it comes to the good work we do, let’s use a bigger bell and make sure people hear us.  If the agency wants our mission fulfilled, our colleagues need to know that we’re making it happen.

Rex