When missing your target is a good thing

Hi folks,

I’m not an aviator, and the closest I’ve come to being a pilot was spending many hours playing Star Wars: X-Wing in the mid-nineties.

[screenshot: Star Wars: X-Wing]

Yes, that was cutting edge graphics at the time and, yes, it was glorious.

Anyhow, so I’m not a pilot (in this galaxy), but I understand that there’s this concept called “crabbing”.  The deal is essentially this – if you’re flying from point A to point B and there’s no crosswind, then you can basically just point the plane in a straight line and you’ll make your destination.  But if there’s any sort of crosswind, you’ll be pushed off course, and you’ll need to periodically course correct in order to make your destination.

[diagram: crabbing into a crosswind]

Makes sense, right?  And since, I imagine, most flights encounter some amount of crosswinds, corrections are constantly needed.

There are obvious metaphorical applications to life here as well.  The most elegant expression of this was probably articulated by Viktor Frankl.  Any attempt of mine to capture his message will be totally inadequate, so I’ll just point you to him:

https://www.ted.com/talks/viktor_frankl_youth_in_search_of_meaning

At the risk of polluting the purity of Frankl’s message by applying it to our context, it also has a very real application to the workplace.  At work we often encounter our own crosswinds – very rarely can we march down a clear path towards our destination without encountering resistance, well-intentioned or otherwise.  And for that reason, we must be willing to aim beyond our expectations and constantly course correct.  It’s only by aiming beyond our perception of the possible that we’re able to achieve our potential.

Rex

Scandinavian design for IT systems

Hi folks,

It’s been a while.  Sorry to rob you of your favorite posts for so long.

A few weeks ago I visited some friends in West Virginia, deep in coal country.  It’s hard to overstate the importance of coal to that area and the yearning for a return of related jobs.  Which makes you appreciate your opportunities when you realize that people are clamoring for the chance to spend their days underground in dark and dirty tunnels, digging out flammable chunks of earth and liberating explosive gases in one of the ten most hazardous professions.

The drop in coal demand was a surprise to many, including an Englishman who’s been dead for 134 years – William Stanley Jevons.  Jevons was an economist, and in his 1865 book The Coal Question, he articulated the Jevons Paradox.  It describes when technological improvements enhance the efficiency with which a resource is used, but the rate of consumption of that resource goes up instead of down.

In Jevons’ case, he was talking about the unexpected increase in coal consumption following the introduction of new, more efficient steam engines.  But modern examples abound, too – particularly in technology.  Our processing power has followed Moore’s law, but instead of using the increase in processing capabilities (and accompanying storage capabilities) to execute tasks more efficiently, we’ve used up every ounce of that additional capacity.  As our technology has become more efficient, our consumption has more than kept pace.

For those of us in security, that’s a problem.

Why?  Because the bigger our digital footprint, the more difficult it is to secure our data and assets.  In the words of another long-dead European guy:

[image: quotation from Frederick]

Frederick becomes more right as what you’re trying to defend (digital or physical) increases in size.  The further our sensitive data and assets spread, the more challenging it is to adequately protect them.  So what can we do?

Practice digital minimalism.  Google indicates this isn’t really a thing in this context – I may trademark it.  But the gist is that less data, fewer systems, fewer applications = more security with less cost and less complexity.  Think IKEA for the IT world.

Eh, maybe not the frustrating assembly part, but the simple, streamlined design part.  The success of that approach depends on business discipline, too, of course.  IT should never self-generate – it should reflect the needs of the business – and the business should take a measured approach when requesting an expansion of IT.  But for those of us who live within the IT sphere, we can at least maintain a lean mentality for those things within our control.  By doing so, we’ll improve the security of the agency.

Rex

Flipping the script on meetings

Hi folks,

My early academic career was, um… less than stellar.  Actually, I’ll just let Mark Twain sum it up:

[image: Mark Twain quotation]

But in recent years I’ve looked back on my school years as a missed opportunity – I passed up on a lot of knowledge.  So I’ve begun trying to fill in some gaps by reading classic novels for which I only read the CliffsNotes and by dabbling in some online courses.  And while I’ve stuck mostly to courses offered by the big MOOC platforms like EdX and Coursera, I’m really intrigued by the potential of Khan Academy.

Khan Academy was founded on the development of online micro lectures to help students understand math and science concepts.  The organization eventually developed a more robust education model where kids engage in passive learning – listening to lectures – at their own pace after school and school hours are reserved for working problem sets and collaboration activities.  I don’t know if this model would have helped engage my adolescent self, but it sounds awesome to my adult self.

There’s an opportunity to apply this philosophy in the workplace, too – specifically with meetings.

All too often we use meetings as a means to broadcast information – verbal, face-to-face versions of emails.  But if you don’t need or expect an interactive dialogue to accompany your announcement, email is a far better medium.  It’s instantly scalable, provides a written record, and encourages a crisp, concise articulation of thoughts.  In the spirit of the Khan Academy, an email announcement also allows the recipient to process the information at their own pace, enabling them to develop more thoughtful, useful responses.  And finally, it saves our precious face-to-face time to be used on activities we can’t accomplish separately – collaborations, working through problems together, etc.

We all should reevaluate how we use meetings.  Are we using them for useful, collaborative engagement with our stakeholders and partners?  Or are we defaulting to them as a broadcast mechanism that could easily be replaced by email?  If it’s the latter, let’s change our mindset and save meetings for exciting awesomeness that requires the active participation of all attendees.

Rex

Building consensus with your fists

Hi folks,

If I say “Fist to Five”, what comes to mind?  The latest indie band?  Violence?

Hmmmm.  Maybe.  But in this case, Fist to Five is a model for evaluating and building consensus in a group setting.  And it’s pretty awesome.

There are a number of variations of the model, but the gist is this: for any proposal or decision, each individual on the team gets to vote.  To vote, they hold up one hand with 0-5 fingers.  The number of fingers indicates their level of support (or lack thereof):

  • 5 fingers – This decision is amazingly awesome and I totally agree 100%.
  • 4 fingers – I like this and I’ll support it as is.  Any reservations I have are minor and not worth discussing.
  • 3 fingers – I have some reservations worth discussing, but I can support the decision as is nonetheless.
  • 2 fingers – I have some reservations that need addressing or clarification before I can support this decision.
  • 1 finger – I have strong reservations with this decision and/or suggested changes.  I can’t support the decision as is.
  • Fist – What you’ve just said is one of the most insanely idiotic things I have ever heard. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it. I award you no points, and may God have mercy on your soul.

More or less.

If everybody has three or more fingers raised, then you have consensus.  If not, you work with the folks who raised fewer fingers to try and adjust the decision to bring them on board (without inadvertently alienating any of the folks who are already supporting the decision).  You adjust and vote until you get to the magical, happyland of a consensus.

That’s it.  Pretty simple, but it gives people the opportunity to voice gradations of consent or dissent while still pushing towards agreement.

Fist to Five – a phantonym and a model for peacefully solving disagreements.

Rex

Easy is so last year.

Hi folks,

Last year was an exceptional year at my agency.  We built and refined approaches to security, closed material weaknesses, expanded our already awesome team – it’s hard to make more progress in a single year than we did in 2015.  So here we are in 2016, and it’s easy to look around and wonder what more we can do – we’ve already accomplished so much.

The summit of Mt Everest is 29,029 feet above sea level.  But the effort to reach the summit isn’t linear – it gets increasingly harder the closer you get to the summit.  Base camp is at 17,600 feet – well over half-way to the summit – and you can fly there.  Yet climbers turn back mere hundreds of feet from the summit because those few extra steps would literally kill them.  Last year was our trip to base camp.  It wasn’t easy, but we made a ton of progress very quickly.  The rest of our journey is our trek to the summit – it’ll be hard and slow, but the further we go, the more we distinguish ourselves among our peers.  What does that climb to the summit look like?

There’s a book called How Will You Measure Your Life? which talks about culture and provides this definition:

Culture is a way of working together towards common goals that have been followed so frequently and so successfully that people don’t even think about trying to do things another way.  If a culture has formed, people will autonomously do what they need to do to be successful.

It goes on to talk about how to form a culture.  Essentially, a culture is formed over time by the repeated responses to actions.  Get a negative response?  Your culture will adopt a “don’t do that again” position.  Get a positive response?  Your culture will encourage that action.

Changing a culture is a huge undertaking in any circumstance, let alone when you’re not in the leadership chain.  But that’s exactly our task.  It’s daunting, it’s challenging, and it’s frustrating.  But it’s also necessary and rewarding.  Because we can only succeed in our mission if we enable and support our colleagues to adopt the frame of mind that bakes security into everything they do.

None of this is easy – there’s no shortcut to changing a culture, especially when you’re trying to change from the side rather than the top.  This is by far the most challenging task in front of us.  But if we can make it happen, we’ll be legends.

Rex

lol @ economists

Hi folks,

Two economists are walking down the street when a Ferrari passes them. The first economist says to the second “I always wanted one of those” to which the second replies “obviously not.”

Hilarious, right?

Well, it’s (maybe) chuckle-worthy if you’re familiar with the concept of revealed preference, a theory promoted by American economist Paul Samuelson in the mid-20th century. It says that consumer preferences are best evaluated by examining their purchases. There are all sorts of math and caveats associated with the theory, but that’s the essence of the joke – if the first economist actually wanted a Ferrari, he’d have one.

And while the theory may not have launched many comedic careers, I think there’s a lot of applicability outside economics. Cybersecurity gets a lot of attention and talk these days – from the public, the regulators, agency leadership, the Hill… But it’s hard to discern how that attention and talk translates into actual priorities. When the chairman and ranking member of the House Oversight and Government Reform Committee say cybersecurity is a “top priority”, what does that really mean?

I suggest following your inner economist – look for the investments in cybersecurity. Do those investments indicate that it’s an actual priority, or do they indicate that it’s an afterthought? Has the government/agency/organization not only made monetary investments, but also assigned the best people to the task, given them the support they need, and championed progress? Those resource investments will tell you exactly how much of a priority it is. It’s the economics version of “actions speak louder than words.”

Rex

It’s not old security, it’s vintage!

Hi folks,

The other day I was digging through some old family papers and I found something interesting. No, no unknown fortune or half-sibling nobody talks about – I found out I’m unwittingly carrying on a family legacy. A legacy of security nerds.

My granddad worked for the Army for decades. During the Vietnam era, he developed counter-guerrilla technology and later got into computers. I knew that, but what I didn’t know was that towards the end of the 70s, he got into information security. And in 1978, he wrote this paper on secure computer facilities:

Computer Facility Security – 1978

I’m not clear on why he wrote it, but I definitely dig the graphic on the last page. And there are two lessons I took away from it:

  • Learn from other fields of study. The original Rex had spent decades focused on physical security for both military and civilian environments. The lessons he learned in those fields helped inform his efforts in information security. We have the same opportunity today to apply lessons and knowledge from other fields – psychology, warfare, accounting – to what we do in information security.
  • Security is a long-term problem. If you read the paper, O.G. Rex was talking about many of the same issues that consume us today: environmental security, insider threats, access controls, etc. Nearly 40 years have passed since he wrote this paper. We’ve had some of the best and brightest minds in the world working on making technology more secure, but it still has a long way to go. We live in a world that increasingly values instant gratification, but we’re not going to get it in our field. Our victories are small, incremental and sporadic, but we can’t give up. We need to be patient and continue to fight the good fight.

Not a bad yield for digging through some old papers.

Rex

Ready-to-go communications presentation

Hi folks,

I was recently asked by an OIG to give a presentation on communication and collaboration.  I gathered a number of the topics we’ve discussed on this site and gave the presentation last week.  It went really well, and I hear from my hosts that they’ve already adopted a few of the approaches from the presentation.

I want to share the slide deck (with extensive speaker notes – close to verbatim) in case it’s helpful to anybody else.  The template isn’t mine, but hopefully the content is useful.  Please feel free to use it as you see fit.

IT_Audit_Meeting_RGB_20160602

Rex