Descartes loves Keanu Reeves

Hi folks,

My wife and I hate folding laundry.  Clean laundry will often pile up for a while until it reaches a critical mass and one of us caves, folding the whole gigantic pile in a long, marathon folding session.  (The effects of our procrastination may explain why we hate folding, but I digress.)  When I’m the one folding, I’ll sometimes listen to an audio book or watch a movie.  The other day, I watched The Matrix.

The premise of the movie is that we’re all living in a computer-generated world intended to keep us distracted while our biological bodies are harvested for energy by an evil, rogue artificial intelligence.  Which is an updated version of the ol’ brain in a vat argument.  Which is an updated version of René Descartes’ evil demon argument.  Which is the foundation for this:

Close enough.

One of the big questions in philosophy is “how can you know something”?  The brain in the vat argument is skeptical of all knowledge, suggesting that only the existence of one’s mind is certain.  Plenty of smart people have taken issue with philosophical skepticism, including philosopher Hilary Putnam.  But while Putnam’s refutation depends on logic and language (the whole “this sentence is a lie” sort of thing), it’s really Ludwig Wittgenstein who shuts it down in my opinion.  He says:

If you are not certain of any fact, you cannot be certain of the meaning of your words either […] If you tried to doubt everything you would not get as far as doubting anything. The game of doubting itself presupposes certainty.

The gist is that any investigation of life/reality/whatever needs to be rooted in some assumed knowledge – you can’t raise a doubt without having a bit of knowledge on which to base it.

See?  You doubted that quote because you know something about Lincoln.

It’s true for us in IT security, too.  We’re often called upon to investigate events that seem odd or suspicious.  But in order for that investigation to yield meaningful results, we need to know what normal is.  The foundation of our investigations must start with a knowledge of what’s expected – what devices should be on our network, who should be using them, what they should be doing, etc.  The more knowledge we have, the easier it is for us to isolate the things worth investigating – worth doubting.  If we have to start from scratch, we could fall down the skeptic’s rabbit hole and question everything in front of us instead of focusing on the anomalies.

So for those of us with investigative obligations, we need to pull our brains out of the vat and develop a solid understanding of our enterprise.  Because when we’re asked to figure out what went wrong, we don’t want to be left doubting everything we see.

Rex

Thoreau vs NIST

Hi folks,

We just passed our summer solstice, and with more daylight comes more time to spend outside.

One guy who didn’t need extra sunlight to spend time outdoors was Henry David Thoreau – the great American essayist and transcendentalist. In 1845, the trappings of modern life had become too much, and he abandoned them for a small cabin he built on Walden pond near Concord, Massachusetts. He stayed there for two years, and used his time there as the inspiration for his masterpiece, Walden.

Walden is full of awesome insights and quotes, but I think this is one of the best:

It’s from a section of Walden where he’s literally describing the arrival of Spring – the return of birds, lengthening of the days, new vegetation along the banks of the pond. But the quote is powerful beyond his intent. It’s often used to support persuasive communications – to promote the notion that it’s far more powerful to convince others to take action through persuasion rather than compelling them through force or threat of consequences.

It’s an idea that we in security need to embrace. All too often, we defend a new policy or restriction by saying “because (we || NIST || OMB || whomever) said so” or cloaking our logic in inscrutable technobabble that we’re sure our audience can’t understand, let alone refute. So our colleagues reluctantly accept these impositions that we deliver via the barrel of a policy gun, never really understanding the “why” behind the change.

These are missed opportunities for us. By failing to explain the “why” behind our actions, we pass on a chance to convert our impacted colleagues into allies and evangelists for the change. Instead of declaring a new change by decree or fiat, we should take the time to convince others of the necessity of our actions, thereby reducing resistance and greatly increasing the likelihood of successful adoption. And that’s all good news for accomplishing our mission.

For any change we make – in our policies, our programs, our procedures – we should present the justification not as “well, NIST/OMB/etc tells us to do this”, but as a means of becoming more effective or efficient in accomplishing our mission. So instead of saying

“we lock an account after 5 unsuccessful login attempts because NIST 800-53 AC-7 says we should”

we should say

“we lock an account after 5 unsuccessful login attempts because allowing unlimited attempts would increase the chances that an attacker could guess a password and gain access to the system. We chose 5 because it was a reasonable limit for the end user and it limits our risk appropriately.”

That’s a lot easier to get behind.
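To make that justification concrete, here is an added Python illustration (not from Rex’s note, and not taken from any NIST text) of the control it describes: a lockout after 5 consecutive failed logins, with an assumed 15-minute lockout window, plus the arithmetic showing how much that limit cuts an attacker’s online guess budget compared to unlimited attempts.

```python
from dataclasses import dataclass
import time

LOCKOUT_THRESHOLD = 5        # the "5 unsuccessful login attempts" from the justification
LOCKOUT_SECONDS = 15 * 60    # assumed lockout duration; constructed for this example


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since the last success/lockout
    locked_until: float = 0.0  # epoch time at which the lockout expires


class LoginGuard:
    """Counts consecutive failed logins per account and enforces a temporary lockout.

    The real credential check is assumed to happen elsewhere; attempt() only
    receives its boolean result.  Trade-off worth stating to stakeholders: a
    lockout also lets anyone who knows a username lock that user out, which is
    why the window is temporary rather than permanent.
    """

    def __init__(self, threshold=LOCKOUT_THRESHOLD,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.clock = clock            # injectable so the scenario below is deterministic
        self.accounts = {}

    def attempt(self, username, password_ok):
        """Record one login attempt and return 'ok', 'denied' or 'locked'."""
        st = self.accounts.setdefault(username, AccountState())
        now = self.clock()
        if now < st.locked_until:
            return "locked"           # even a correct password is refused while locked
        if password_ok:
            st.failures = 0           # a success resets the consecutive-failure count
            return "ok"
        st.failures += 1
        if st.failures >= self.threshold:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0           # counting starts over once the lockout expires
        return "denied"


def guesses_per_day_with_lockout(threshold=LOCKOUT_THRESHOLD, lockout_seconds=LOCKOUT_SECONDS):
    """Upper bound on online guesses per account per day under the lockout policy."""
    return int(threshold * (86_400 / lockout_seconds))


def guesses_per_day_unlimited(rate_per_second):
    """Guesses per day with no lockout, bounded only by the attacker's request rate."""
    return int(rate_per_second * 86_400)


def simulate():
    """Constructed scenario: 4 failures, a success, 5 failures, a correct password
    during the lockout, then the same correct password after the window expires."""
    clock = {"t": 1_000.0}
    guard = LoginGuard(clock=lambda: clock["t"])
    results = [guard.attempt("alice", False) for _ in range(4)]
    results.append(guard.attempt("alice", True))
    results += [guard.attempt("alice", False) for _ in range(5)]
    results.append(guard.attempt("alice", True))   # right password, but locked out
    clock["t"] += LOCKOUT_SECONDS                   # lockout expires
    results.append(guard.attempt("alice", True))
    return results


if __name__ == "__main__":
    print(simulate())
    print(guesses_per_day_with_lockout(), "vs", guesses_per_day_unlimited(100))
```

With the assumed window, the policy caps an attacker at 480 guesses per account per day, against 8,640,000 for an attacker sending 100 guesses a second with no limit in place; that ratio is the “why” behind the number 5.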

Will there be times that we need to say “we’re doing this because someone up the food chain asked us to”? Yes, but they should be rare, and if we’ve built a reputation for thoughtful, candid justifications of our actions over time, our colleagues should be understanding of those uncommon occurrences.

^ Yeah, let’s not be that guy.

Rex

Unknown good deeds don’t count

Hi folks,

The weather has been pretty awesome lately, which means the bike trails are mysteriously more crowded than in, say, late January.  Strange…

The increase in bikes is nice to see, but many of the seasonal riders seem to forget the rules of the road when they get back on the saddle.  For those who aren’t familiar, the rules go something like this:

  • Ride right, pass left
  • Announce that you’re passing with either a bell or your voice
  • Signal for changes in direction
  • Don’t be a jerk

Pretty simple.  Even so, plenty of people seem unable to follow the rules – especially announcing that you’re passing.  Lots of would-be Lance Armstrongs fly by without a heads-up, startling other riders and increasing the likelihood of accidents.  Or so I hear.  I don’t get passed. *cough*

I’m pretty consistent about using my bell to give a heads up that I’m about to pass, but a few folks have chastised me for failing to give a heads-up – even when I’ve used my bell.  Which got me thinking – if I ring my bell, but nobody hears it, do I get credit for doing the right thing?

It’s a version of the metaphysical question, “if a tree falls in a forest and nobody is around to hear it, does it make a sound?”  There are lots of answers to that question.  In the 18th century, Irish philosopher George Berkeley promoted the concept of Subjective Idealism which basically says perception is reality – if nobody is there to perceive the sound, the sound didn’t happen.  In 1884, Scientific American seemed to agree, arguing that:

“sound is vibration, transmitted to our senses through the mechanism of the ear, and recognized as sound only at our nerve centers. The falling of the tree or any other disturbance will produce vibration of the air. If there be no ears to hear, there will be no sound.”

So, no, I don’t get credit.  I clearly need a bigger bell.

The same is true for our efforts at work.  We all put lots of effort into various activities dedicated to the security of our agency.  Every bit of effort we invest at work should be a fulfillment of our mission.  But if people don’t see that effort or the results of that effort, it doesn’t count.  They don’t understand that we’re adding value – that we’re fulfilling our mission.  So how do we fix that?  Two ways:

  1. Make sure that everything we do is output oriented.  If we’re spending energy on an activity that doesn’t produce, chances are it’s a wasted effort.
  2. Promote visibility and transparency of our activities.  All of our stakeholders should be aware of what we do to serve them.  And we can’t rely on them to discover our good work – we need to actively show them.

And this isn’t just about getting credit so we feel good about ourselves.  It’s about building relationships and trust throughout the agency.  If people don’t know that we do good work, they’re less likely to support our efforts, thereby reducing our ability to fulfill our mission.  Modesty may be a virtue (or maybe not), but it contributes nothing to promoting professional competencies, trust, and relationships.

So when it comes to the good work we do, let’s use a bigger bell and make sure people hear us.  If the agency wants our mission fulfilled, our colleagues need to know that we’re making it happen.

Rex

Plan, plan, plan

Hi folks,

Earlier this week, I was on my typical commute – riding my bike over the 14th street bridge, passing the Jefferson Monument, and riding up 15th street towards the office.

At 15th and Independence, there’s a young girl standing at the corner – alone and sobbing.  I ask if she’s okay and she says “no, I lost my phone and I don’t know where my parents are.”  Not good.  So I hop off my bike and start to try and help.  Over the course of the next few minutes, I do a couple things:

  • Look around for people who look like they’ve lost a kid.
  • Ask her a bunch of questions to try and get her calm and focused on something other than being lost and losing her phone.
  • Walk her to the Washington Monument to find a cop or park ranger. (fail – they don’t open until 9am)
  • Walk back towards higher ground to try and spot her family.

So far, I’m not doing a great job.  Yes, she’s no longer alone and scared, but she’s not with her family and we haven’t made any real progress.  It’s only after about 5 minutes that I realize what I should have asked immediately: “Do you know your parents’ phone number?”

Yeah, I know.

So she calls, her sister comes and finds her, and all is well.  I ride off to work and think about how I could have handled that better.  While I did some things right, there’s a bunch of things I did wrong:

  • I didn’t use all the tools at my disposal (read: my phone)
  • I didn’t ask in what direction her parents were headed
  • I tried to solve the problem myself without recruiting help
  • I didn’t pause and think through my plan before trying to execute

In this case, no real harm done.  But it highlighted to me the value of developing scenarios and practicing for them.  I’ve never had to help a lost kid before, so I was reacting on the fly rather than following a plan.  In a workplace analog, this could have been, say, a compromise of our systems.  If we didn’t have a plan, we’d be making stuff up as we go along, flailing about and likely failing to direct the desired outcome.  The same is true for most of what we do.  Our best chance to realize our desired outcome is by developing a plan to achieve it, practicing according to the plan, and following it when the time comes.  Yes, we need to be flexible to adjust as necessary, but even a plan that needs major adjustments is more likely to yield success than creating an approach as you go along.

With that in mind, I’m working with my own kids on plans for if we ever get separated.  And at work, I’m looking for repeated, predictable activities for which we can improve our related plans.  Because in either scenario, we don’t want to waste our time with activities that aren’t likely to get us where we want to be.

Rex

What’s the point?

Hi folks,

As you know, we’re ramping up some of our security training efforts, so the topic of learning is on my mind.  And who better to teach us about learning than Socrates?

Most of what we know about Socrates comes from what his student, Plato, wrote in a series of dialogues starring his teacher.  In the dialogue Protagoras, Socrates and Protagoras argue over whether virtue can be taught.  Just prior to their big debate, Socrates is approached by a Protagoras fanboy who asks Socrates to put in a good word for him so he can study with the famed sophist.  Socrates – likely being a painfully annoying guy in real life – teases the youth by asking a series of questions:

  • If you wanted to be a great doctor, with whom would you study?  And what would studying with them make you?
  • If you wanted to be a great sculptor, with whom would you study?  And what would studying with them make you?
  • And so what are you trying to become by studying with Protagoras?

The fanboy struggles to come up with an answer other than “wise.”  To which Socrates basically asks “what’s the point?”

It’s a similar challenge that we face on a daily basis.  We hear about things that excite us and – out of the best of intentions – we enthusiastically embrace them in the interest of improving.  New technology?  Better philosophy?  Latest book?

But that doesn’t always work out in our favor.  Take the 2013 Target hack, for example.  Target took security seriously and invested hundreds of millions into it, buying the best technology and lots of talent to staff it.  But when they were compromised and the alarm bells started ringing, nothing happened.  Why?  At least one speculation is alert fatigue – when your highly trained personnel become desensitized to alerts and fail to react appropriately.  So Target – with best of intentions – jumped at the chance to install newer/better/faster/stronger technology, but didn’t fully consider the end game: how could they effectively consume the output of that technology?

While we’ve recently talked about the value of failure, that doesn’t mean we want to fail.  We have limited resources, and we want to focus those resources where they’re most needed and most likely to yield positive progress.  New ideas and capabilities are exciting and they can drive us towards unexpected levels of excellence.  But instead of immediately jumping on board the latest trend/best practice/technology, we owe it to ourselves, our colleagues, and those we serve to fully consider the end game – what are we trying to achieve?  And are we likely to achieve it?  And that means pausing to consider, in the spirit of Socrates, what’s the point?

Rex

Value in failure – a proof of concept

Hi folks,

As you heard last week, I’m continuing to remodel a bathroom in my house.  Which not only makes Home Depot my third space, but also adds a sense of adventure to potty-training my 3 year old.

It’s also been a good (re)education on the limit of my skills.  Like how I described last week when I tried to stucco my walls and they ended up looking like Salvador Dali and Bob Vila had a party in my basement.  So I reversed course, chiseled 200 pounds of concrete off my walls, and cried bitter tears over how much time I wasted on a project dead end.

Last week we talked about the need to embrace failure as a learning opportunity – and the steps you should take to extract value from your failures.  Those generally look like:

  • Actively look for failures
  • Analyze them and uncover the root causes
  • Get comfortable with failure through experimentation

In my case, finding the failure wasn’t hard.  It was staring me in the face.  But uncovering the root cause(s) was more challenging.  I found two.

One, I took the first solution that came my way.  I had a problem in front of me – how to cover a concrete block wall in a water/mold resistant way with only .5” of clearance – and lots of googling hadn’t yielded much help.  So when I stumbled across this idea, I ran with it.  It was only after I was halfway done that I came up with an alternative, superior solution.  Had I let my creative process continue for a while rather than jumping at the first seemingly viable solution I found, I could have avoided a lot of wasted effort.

Two, and perhaps most instructive, I didn’t realistically assess my own skills prior to starting the work.  It’s one thing to watch a few (dozen) YouTube videos on something, but it’s another thing entirely to actually execute it well.  In my case, I knew from prior experience that I wasn’t really skilled at this art, but I stormed forward, blinded by the prospect of a solution to a difficult problem.

The point is this: value can be extracted from failure if we put in some effort.  Once I stopped lamenting my poor remodeling choice, I was able to 1) commit to a more thorough creative process next time and 2) commit to a more realistic assessment of my skills.  So the next time I have a problem in front of me, I’ll be less likely to waste time and resources pursuing a solution I can’t effectively implement.  And not only are these specific lessons ones we can all adopt, but the process of extracting value from failure apparently works.  And all of these are lessons easily implemented as we pursue our mission within ECD.

So, boom – multi-layered value achieved.

Rex

Finding value in failure

Hi folks,

For the past few weeks, I’ve been working on a bathroom remodel in my house.  Which is about as awesome as it sounds.  I’ve (re)discovered that I’m good at the demolition part, but I don’t really enjoy the whole “put things back together in a functional way” part.  But, it’s been a learning experience.

Beyond simply relearning my shortcomings as a general contractor, I’ve picked up a few lessons along the way.  Today I want to share the first lesson: there’s value in failing and failing fast.

My house was built in 1939 and has some unconventional (read: not nearly to modern code) “features” sprinkled throughout.  Which means I had to come up with some creative solutions – one of which was stuccoing the basement walls with concrete.  And while that solved one problem – the tight space tolerances – it also ended up looking like crap.  So I’m now chiseling 200 pounds of concrete off my walls.

Unfortunately, yes in my house.  But for as much as I wish I had made the right decision in the first place, I’m glad I declared the stucco a failure and took a different course.  Because living with my bad decision for years to come would have been far worse than stopping, changing direction, and correcting this early in the process.

Comfort with failure is a modern theme in business as well.  Countless articles and books extol the virtues of failure – but only under certain circumstances.  You need to be well positioned to extract value from failures in order to make them worthwhile.  In 2011, Amy Edmondson of Harvard Business School outlined three activities through which an organization can learn from failure: detection, analysis, and experimentation.  Years of research went into her conclusions, but at their core, they’re pretty simple:

  • You need to look for failures, both large and small, both stand-alone and aggregate.
  • When you find them, you need to consciously analyze them, uncovering the underlying root causes.
  • Finally, try to produce failures through experimentation when appropriate and culturally embrace the inevitability of failure.

Within my team at work, we do some of this well, but we have ample room for improvement.  While I think/hope we have a culture that doesn’t blame the messenger and, thus, encourages the identification of failures when they happen, we don’t perform any real analysis of failures nor do we frequently set up experiments where failure is a likely outcome.  If we’re going to get the most value out of our failings, these are things we should do better.  So, we’re going to experiment a bit more, but also prepare to sink some time into examining our inevitable failures.  If nothing else, all our new failures will give us good stories for years to come!

Rex

Listening skills still matter?

Hi folks,

It’s easy to look around and shake your head at the prices paid for all sorts of things.  Paying $5000 for a Rolex instead of $50 for a Timex. Buying an $8000 bike instead of a $500 one. Buying a $17,000 Brioni suit instead of hitting the 4-for-$1 sale at Jos A Bank.  Or the fact that the Kardashians somehow earn an income.  To many of us, such choices are bewildering.  But with a bit of insight into some economics theory, those choices begin to make more sense.  Especially the bike one – just saying.

Economists explain seemingly illogical prices through marginalism.  For years, economists had defined the value of something as a function of its cost – like the materials and labor invested in its production.  But in 1871, William Stanley Jevons published his Theory of Political Economy which flipped the concept of value on its head.  It wasn’t the cost, but rather the demand for an object that established its value.  Value is defined by the consumer, not the manufacturer.

We can apply the lessons of marginalism to our work as well.  The value of our work isn’t measured by the effort that goes into it.  Rather, it’s measured by how useful the output is to our stakeholders.  Working for years on a product that nobody wants doesn’t increase its value – it’s just wasted effort.  We need to align our efforts to the needs of our stakeholders in order to maximize our value.

How?  By consulting with them and making them a part of the design process.  Do they get to direct every step of our process or all of our activities?  No.  We’re the security experts and sometimes our expertise will point us in a different direction.  But if our goal is to provide our stakeholders with something they value, we generally need to defer to them – to the extent practical – and let them guide us towards what they’ll find most useful.

Rex