Words have weight

Hi folks,

One of my favorite quotes on communications is by George Bernard Shaw, the Irish dramatist and critic, Nobel Laureate, Academy Award winner – just a general big brain kind of guy.

[Image: George Bernard Shaw quote]

I think this gets to the heart of the issue with communications – all too frequently, one or more parties are operating under the assumption that effective communication has occurred when, in fact, it hasn’t.

There are an unlimited number of examples of this, but I’ll focus on just one tragic one.

In 1162, Thomas Becket was serving as Lord Chancellor to King Henry II of England. When the position of Archbishop of Canterbury – the highest church position in England – opened up, Henry appointed Becket, thinking he would prioritize the needs of the state above those of the church. Henry was soon disappointed, though, and Becket almost immediately resigned as Chancellor and became a serious thorn in Henry’s side as he agitated for stronger church power at the expense of Henry’s state.


In 1170, the feud came to a head when Becket excommunicated a bunch of Henry’s allies during their latest squabble. Henry, at his height of frustration, lamented aloud “who will rid me of this troublesome priest?” A handful of knights overheard this and interpreted it as a royal command, mounted their horses, and headed for Canterbury. Once there, they hunted Becket down and, in the middle of the cathedral, murdered him.


Right. That wasn’t Henry’s intent. But because of his position, his words had an unintentional, outsized impact.

There are modern equivalents, too. Jeff Weiner is the CEO of LinkedIn. Years ago, he got wind that his casual comments were having a big, unintended impact – direct reports would scramble to address what they thought were commands when he was actually only expressing an opinion. It was wasting precious time and energy, so Jeff came up with a plan. He implemented a three-tiered structure for his feedback – it would be categorized as either one person’s opinion, a strong suggestion, or a mandate. This helped clarify the weight his words should carry and thereby eliminate that wasted effort people spent trying to carry out imagined commands.

Now, most of us aren’t kings or CEOs, but we still have to be mindful of the impact of our words – especially folks who are in positions of authority. What we say can carry significant weight – often more than needed or intended. If we have good people around us, we want to make sure we’re getting the most out of their expertise and judgment, not just getting copies of a single person’s (read: our) vision and opinions. Just like King Henry or Jeff Weiner, we all need to understand how our words carry weight and we need to choose them carefully.

Rex

Ya speak security, doncha?

Hi folks,

A few years back, I headed to an unnamed state that’s famous for its BBQ.  As a fan of all such things (consuming, not producing), I made a beeline for the first BBQ joint I could find upon landing.


As I stood in line waiting to order, the guy in front of me became agitated.  It sounded like he thought he didn’t get what he ordered and couldn’t get the woman on the other side of the counter to understand.  Eventually he yelled “DO. YOU. UNDERSTAND. THE. WORDS. I’M. SAYING?!” Things got awkward, the woman walked away upset, and the man remained angry and was asked to leave.  Nobody was happy.

A short time later I was at a client site, presenting to a Fortune 50 CISO and her team on the awesome job we were doing.  We had been struggling for a long time to communicate the value of our services to clients – clients who were paying lots of money for us to detect threats in their environment.  We had tried quantifying the number of threats detected, number of hits reviewed, aggregate risk ratings for those threats… nothing really resonated.  This time we thought we’d found the right metric – the reduced time an attacker had in the environment based on the speed of our detection.

Our client was unimpressed.


She was kind, but clear.  She said “That’s great, but I can’t do anything with this.  I may inherently understand the value, but I can’t take this to the board and have them care.  I need something expressed in terms that they care about – money.”

It’s a lesson our field needs to learn.  Security doesn’t happen in a vacuum – it’s an inherently collaborative effort.  And when we turn to our partners for assistance, we need to speak their language, understand their motivations, and communicate in terms that resonate with them.  Do we need to be an accountant to talk to a CFO?  No, but we need to acknowledge that they’re not a security professional and that the minute we use the term “buffer overflow”, we’ve lost.  Otherwise we risk being like the angry BBQ guy – isolated and hungry because we refused to adjust our communications.

Rex

Inherited risks belong to you, too

Hi folks,

Among aristocratic families, marriage was/is a tool to cement relationships, gain power, and grow empires.  In America, having thrown off the yoke of a formal class structure, we’ve instead embraced an informal class structure where we celebrate family dynasties in politics, industry, entertainment, and elsewhere.  Because, apparently, what good is a society if you don’t have betters to look down at you?


So it’s kind of big news when a marriage unites two of the American “royalty” families.  Like the marriage of the Ford and Firestone families via the grandkids of both founders.  Which made the corporate breakup in 2001 – after more than 100 years of partnership – perhaps a bit awkward.  What could have caused the end of such a long and fruitful relationship?  The death of more than 240 people as the result of flawed Firestone tires installed on the roll-over prone Ford Explorer.

The fallout for both Ford and Firestone was huge.  On top of the tragic losses of life, both Ford and Firestone spent about $2 billion each on tire recalls and undisclosed millions in lawsuit settlements.  Not a good era for either company.


Much like the auto industry, IT is a very interconnected, interdependent world.  Our systems and networks don’t exist in vacuums – they establish relationships with other systems and networks.  Those relationships extend trust and, by doing so, open themselves to risk – shared risk.  Ford inherited risk from Firestone when it decided to install the tires on their vehicles.  We in IT inherit risks in the same way – from our OS, development frameworks, plugins, connections, etc.  If something goes wrong with those components, the impact is felt by our system.

Sadly, many system owners strangely see this interconnectedness as an opportunity for risk transference.  It’s not.  These kinds of risks are shared risks, not transferred risks.  When the Firestone tires failed on Ford vehicles, no amount of finger pointing (try as they might) could exonerate Ford – they were significantly impacted by the realized risk.  You can’t just walk away from inherited risks – they impact you, too.

Information security is a team effort and none of us are in a position to ignore a risk to our system.  We must work together to solve all problems – even if it’s “somebody else’s responsibility”.


Rex

Don’t fear improvement

Hi folks,

I have a (totally unbiased) fondness for historical figures with sweet sideburns, so it’s not shocking that I like Theodore Parker.  I mean, he’s no Burnside, but who is?


So Theodore Parker – who is he?  He was a Unitarian minister in antebellum New England.  Abolitionist, transcendentalist, and pretty big brain – he generated a lot of good quotes in his day.  Among them:

I do not pretend to understand the moral universe; the arc is a long one, my eye reaches but little ways; I cannot calculate the curve and complete the figure by the experience of sight; I can divine it by conscience. And from what I see I am sure it bends towards justice.

Pretty solid, right?  In just a few short sentences, he divines the future evolution of humanity, prepares the reader for a long journey, and admits his inability to see the destination himself.  It would be totally understandable for any subsequent orator to simply reference Parker’s quote rather than try to improve or build upon it.  But those who want to effect change don’t usually make do with the status quo.  So, in February of 1965 – in the shadows of the assassinations of JFK and Malcolm X – Martin Luther King Jr. delivered a sermon at the Temple Israel of Hollywood.  In it, he included the following quote:

the arc of the moral universe is long but it bends toward justice

It’s a quote that King used many times, including during the March on Selma in 1965.  King, for all his awe-inspiring oratory skills, wasn’t afraid to lean on those who came before him and improve upon what they produced.  The same is true for all of our great leaders – they make use of the works of others and they don’t hold those works sacrosanct.  They update/change/edit in order to improve those works for their needs.  Parker’s quote worked well for a more verbose era, but King needed something more succinct – so he made some improvements.

The same is true for all of us.  What we do may not hold a candle to the works of Parker, King, and other giants of history, but our work is important nonetheless – important enough to warrant critical examination of those who came before us and important enough for us to make improvements as needed.  NIST special publications, OMB memorandums, FISMA, and other guiding documents for our field have been created by smart, dedicated, driven people – but they’re not infallible and they’re not custom tailored for our specific needs.

It’s incumbent upon us to lead in our own way and, in the pursuit of a better tomorrow, bravely make changes to that which may seem “good enough”.  It’s not dismissive or disrespectful – it’s just improvement and it should be welcomed.

[Image: Isaac Newton quote – “If I have seen further than others, it is by standing upon the shoulders of giants.”]

Rex

Point towards enemy

Hi folks,

Like tens of millions of people, I’m a fan of Game of Thrones. (very minor spoiler alerts) For those who haven’t watched it, the gist is that there’s a big power struggle for control of this fantasy kingdom and while all these subplots play out regarding the intrigue and plotting of various power players, only a handful of people are aware of the looming threat from the north – an undead army which promises to wipe out mankind given the chance.

At the risk of reading too much into simple entertainment, I think there’s a huge lesson in the story.

One of the great things about cybersecurity is that the enemy is very well defined – people who are trying to do bad things to your assets and data. It’s hard to ask for a clearer mission. And while most of us are responsible for smaller components of the mission – say vulnerability scanning, or intel management, or training – all of our efforts point in the same general mission direction: stop the bad guys.


That’s what makes infighting so deeply disappointing.

Yes, disagreements on tactics will occur. Yes, some friction is good and helps us to refine and strengthen our plans. But territoriality, subversion, a lack of cooperation… that’s a waste of our precious collective resources for something that contributes nothing to the mission. These problems aren’t exclusive to .gov, of course. Internal conflict is everywhere. But much of the Federal sector embraces the concept of “rice bowls” as if it’s a defensible approach to business. As if responsibilities, once assigned, can never be changed because the individual’s interest trumps that of the organization. It’s a reflection of the outdated, inefficient, silo-based business model. It’ll die out eventually, but not soon enough.

Rex

Trust what you know.

Hi folks,

For all the issues Greece has today, the Greeks may deserve a little bit of a pass. They may not be able to handle their finances, but Western civilization owes a debt of its own to them. Pythagoras, Democritus, Socrates and his crew… over the course of a few centuries, Greece churned out a whole bunch of big brains that changed the world.


One of those big brains was Zeno of Elea. Zeno is probably best known for two things: being a badass and frustrating mathematicians for nearly two millennia. He’s a badass because, while near death after being tortured to reveal the names of his co-conspirators in a plot to overthrow a tyrant, he pretended to have a secret for said tyrant, only to bite his ear off with his dying breath. He frustrated mathematicians with his paradoxes, the most famous of which are his arguments against motion, including the paradox of Achilles and the tortoise.

The gist of the paradox is that any object in motion, no matter how fast, cannot catch up to another slower object that got a head start. This being ancient Greece, the fastest guy they knew was Achilles, who is now perhaps best known for being the role played by Brad Pitt when he redefined 40-year-old male body image standards. The jerk.


How does the paradox work? Basically, a tortoise gets a head start – maybe 100 meters. Then Achilles starts, but by the time he reaches the 100 meter mark, the tortoise has moved on, perhaps another 10 meters. Achilles then covers that ten meters, but the tortoise has moved on again, another meter. And so on. Achilles can never catch up, even if he gets really, really close. It took 2000 years for math to disprove Zeno’s paradox with convergent series thanks to Scottish mathematician James Gregory.


But we all know better even without the mathematical equation, right? And so did the ancient world. We all instinctively know that Achilles is faster than a tortoise, and that he could easily pass it despite a delayed start. It’s just obvious, even if we don’t have the definitive proof.

What would have happened if the world had waited for a mathematician to prove what we already knew? Would we have thrown up our hands and accepted defeat at the hands of a tortoise because nobody could disprove Zeno’s paradox? And what about all the other things we knew, but couldn’t prove – had we waited for definitive proof before simply accepting that something is even if we can’t express why, what advances and discoveries would we have missed?

In the Federal information security world, many have fallen into this trap.


Audits and regulations have become such a huge part of our world, that many people refuse to consider actions that aren’t prescribed by an outside, authoritative source. As if the absence of a reference by NIST or OMB somehow invalidates the value of an idea.

This lack of initiative and creativity isn’t caused by NIST or OMB – it’s our fault. We’ve become so conditioned to prioritize a lack of findings that we’re living the infosec equivalent of teaching to the test – focusing exclusively on known evaluation criteria. The problem is that our adversaries don’t play by the same rules – they don’t look only for unimplemented NIST 800-53 controls to exploit, they’ll exploit anything they can find. For as great a document as 800-53 is, we can’t afford to be limited by it. It and all the other guidance out there are not the definitive documents for information security.

Here’s the good news.  If this is fundamentally our fault, we can fix it.  We need to be comfortable doing things that aren’t prescribed by an external authority. We’re all hired as experts – let’s put our expertise to work. We need to use our creativity, our sound judgment, and our instincts as valid inputs into the information security process. Otherwise we risk missing out on progress while we wait for somebody else to prove what should have been obvious to us all along.

Rex

Hurry up and make a decision. Maybe.

Hi folks,

I have yet to get into the whole cryptocurrency thing. It’s clearly an awesome concept with all sorts of implications (good and bad) for individuals and society writ large, but I just haven’t had a motivation to buy into it. Maybe I should be buying more narcotics online, I don’t know…


Anyhow, the ideal time to have gotten into bitcoin was seven years ago, when the currency first emerged. That’s when Kristoffer Koch got into it, buying around $26 worth of bitcoin as part of some academic research. He forgot about them for four years, at which point they had become worth around $1 million. If he had held onto them until today, they’d now be worth more than twice that.


Koch clearly didn’t know that was going to happen – he made a relatively blind investment. Had he waited until he had better information – until he saw the appreciation of bitcoin value – his $26 wouldn’t have yielded nearly the return that it did.

That’s the point of the consequences model developed by Danish organizational theorists Kristian Kreiner and Søren Christiansen. They argue that the greatest opportunity for impact is at the beginning of any timeline – precisely when you have the least knowledge. Yes, you’re making decisions with minimal information, but if you’re looking to have a big impact, you need to be comfortable operating without perfect knowledge. Wait too long for the knowledge you need in order to be sure you’re making the right move, and you’ll lose your chance for that big impact.


But that big impact could be good or it could be bad, and that uncertainty paralyzes many, many people.

In security, we often don’t have the luxury of waiting for perfect information. Whether it’s responding to an attack, fixing a known vulnerability, or choosing a new defensive technology, any delay in our decision works to the advantage of the bad guys.

So how do we handle this? I’d argue the most effective approach is to push that knowledge curve to the left. How? By better preparing for expected scenarios. Suspect you’re going to have an incident where you need to determine the nature of the impacted assets? Then don’t wait until an incident to figure out what applications a system is supporting – develop that knowledge in advance through an asset inventory and make it available to your Ops team. Know that vulnerabilities are going to be uncovered in operating systems and software over time? Then improve your patching process to allow for rapid deployment of critical fixes. Think you’ll need a new IPS next year? Then start the research now, well before it’s time to make the investment decision.

Better preparation allows quicker AND better informed decisions. Will we still have to make decisions without perfect knowledge? Yes. Should security professionals get comfortable with that? Absolutely. But we’re not helpless – we can push that knowledge curve to the left and help our future selves by investing some effort to develop knowledge today, before it’s needed.


That, too.

Rex

What’s a customer anyway?

Hi folks,

Like many people, my musical tastes go through phases. I have a core group of genres that are pretty static, but onto those I’ll periodically add additional genres that phase in and out over time. The current top of my Pandora playlists: sea shanties.

That’s right. Sea shanties.


Either way, since many of these songs were written in the 1800s, I sometimes have to do some research to figure out what they’re talking about. For example:

Come all ye young fellows that follows the sea
To me, way hey, blow the man down
Now please pay attention and listen to me
Give me some time to blow the man down

What does “blow the man down” mean? Turns out that people don’t really know. There are a variety of theories, but the precise meaning has been lost over time.

This happens in modern times, too. Or at least definitions evolve – sometimes from misuse of a word or phrase over time. I’m pretty sure “literally” is used properly about 10% of the time. Literally.

A term that’s been bothering me for a while is “customers”, usually as it relates to the concept of customer service.


“Customer” has a pretty precise definition – somebody who pays for goods or services. And in that definition, the customer is a goal in and of themselves – you maximize your customers in order to maximize your revenue or profit. To that end, you provide good customer service to make sure that they’re happy, that they return to buy more from you, that they refer others to you, etc. Makes sense, right?

But “customer service” has become shorthand for good relations with somebody to whom you provide something and “customer” has become shorthand for somebody who receives something from you. And that fundamentally mischaracterizes most relationships. A person is not your customer simply because you provide them with the output of your efforts. For somebody to be a customer, your transaction with that person – typically the exchange of money – has to be the fundamental goal of your organization.


From an abundance of good intentions, we took on the mantra of “good customer service” and began referring to many of our colleagues throughout the agency as “customers”. They’re not, and we do ourselves and them a disservice by characterizing them as such. Our relationships with them far transcend our transactions.

So what are they?

They’re our partners. Partners share a common goal and both contribute to the pursuit of that goal. For us, we share the common goal of the security of our agency. And our partners contribute to that goal in a multitude of meaningful ways – ways that go far beyond the simple receipt of our work products.

Why spend the time to write about this?


There’s a pretty awesome quote, variations of which have been ascribed to everybody ranging from Emerson to Buddha to Margaret Thatcher’s dad:

Watch your thoughts, they become words;
watch your words, they become actions;
watch your actions, they become habits;
watch your habits, they become character;
watch your character, for it becomes your destiny.

When we refer to partners as customers, we change the dynamics of the relationship. We focus on the transaction. We place ourselves in a servile position. We lose sight of the shared, common goal. If we’re going to pursue our mission as effectively as possible, we need as many allies – as many partners – as possible. We can’t afford to turn them into mere customers.

Rex