Defending mission statements

Hi folks,

When I was a consultant and had business development objectives, I was super focused on networking.  One of the things I needed to do well was concisely articulate my value and the value of my team.  These were my elevator pitches.


For instance, at Mandiant my pitch was:

I work at Mandiant. We’re a boutique cybersecurity company focused on detecting and responding to state-sponsored corporate espionage.  I’m responsible for client service delivery to all of our managed service clients – I lead a team of 10 managers who serve over 100 clients across the globe and across industries, ranging from Fortune 10 to small non-profits.

Not the best, but it’s relatively concise (it takes about 15 seconds to deliver) and it generally gets the idea across – “this is my identity, this is what we/I do, here’s an allusion to some bona fides.”  It’s a lightweight version of a mission statement.

Now that I’m a Fed, there’s a lot less pressure to expand my network.  I no longer live in fear of missing out on the one great contact that will pave my path to making partner.  So I got lax about practicing my elevator pitches.  In fact, if you ask me today the quintessential DC question “what do you do?”, my answer is a rambling, James Joyce-style stream of consciousness that leaves you wishing you had never asked.

That needs to change.  Not just for me, for many of our organizations.

That’s where a mission statement effort comes into play.  Based on a recent internal stakeholder survey, people apparently aren’t clear on who my division is, what we do, or what our value is.  Everybody on our team needs to be able to concisely and uniformly articulate this.

We need to get really good at telling people how awesome we are.


As a senior official once told me, “if you don’t tell your story, somebody else will and you may not like what they say.”

So we’re working on that story now.

Rex

Wallenberg – part 3 of 3

Hi folks,

Last week we talked about Raoul Wallenberg and the many lessons we can learn from him.


If you haven’t read those posts first, scroll down and start with part 1.

Today I want to share one final lesson I took away:

Understanding your audience

Wallenberg understood what motivated his enemies.  Militaristic fascists bent on genocide weren’t going to be swayed by humanitarian appeals or an argument coming from a perceived underdog.  They would only respond to authority.  Wallenberg understood this and founded his approach on the perception of authority – his status as a “diplomat”, the official-looking passports, etc.

Yes, we (hopefully) don’t have enemies like Wallenberg did.  But we do have customers, and peers, and bosses, and all sorts of people we’re trying to convince on a daily basis.  If we’re going to be as effective as possible, we need to understand what motivates them.  For example, if you want to naturally resonate with my motivations, it’s pretty well known that you shouldn’t start a conversation with “Well, NIST tells us to…”  You’re far better off explaining why an idea makes sense for the agency rather than presenting an appeal to authority.

We all have our own personal motivators, and the more we can craft our discussions in ways that align to the motivators of our audience, the more persuasive we’ll be.


Rex

Wallenberg – part 2 of 3

Hi folks,

Yesterday we started by talking about Raoul Wallenberg Place, the name of 15th Street that I noticed during my bike rides into work.


We talked about Wallenberg’s amazing and inspiring activities during the height of WWII, placing himself in harm’s way to save tens of thousands of innocent lives.  In the course of doing so, he demonstrated numerous admirable qualities, some of which we can try to emulate.  Yesterday we talked about improvisation and confidence.  I have two more to touch upon, one of which is:

Acceptance of imperfection

This is perhaps the saddest part of Wallenberg’s story.  He couldn’t save everybody, so he had to prioritize as best he could.  In the case study, he chose to save the youngest first – “I’m sorry… I want to save a nation.”  It wasn’t the ideal outcome, but it was the best he could do.  Had he tried to save everybody, he would have failed to save anybody.

And how is this relevant to our work at our agency?

We can go way deep on this, but the gist is that much of Western philosophy argues that perfection doesn’t exist in this plane of reality.  Plato bucketed concepts of ideals/perfectionism as Forms, St. Augustine called them the Intelligible, but the idea is the same – nothing you can perceive with your bodily senses can be considered perfect.  Now, that’s certainly arguable, but I submit that nothing we do here at work represents a counter-argument to the concept.  For as much as we should all strive to do the best we can, achieving perfection probably isn’t in the cards.  So that then means, in the context of our daily activities:

image007

^ This guy gets it.  If we keep waiting for perfection, we’re simply stalling.  Perfectionism isn’t an admirable trait when it obstructs progress.  Instead, we should listen to Skeletor:

image008-1

And for as unnatural as it is to mix memes with the inherent reverence reserved for somebody like Wallenberg, I think he’d agree with the message.  We’re not going to achieve perfection, but that shouldn’t stop us from making progress.  Instead, let’s focus on our trajectory and make sure we’re headed in the right direction.  We don’t need a plan to get us to the ideal state, but we should always be executing a plan to get us closer and closer.

Rex

Wallenberg – Part 1 of 3

Hi folks,

Some of you know I ride my bike to work in DC.


I live in Alexandria, so I come over the 14th Street Bridge and ride up 15th Street until I hit New York Avenue.  When I’m not dodging angry cars and riding for my life, I occasionally become aware of my surroundings.  For a while I’ve noticed that from the Jefferson Memorial to the Washington Monument, 15th Street is called Raoul Wallenberg Place.  Only recently did I find out why.

Towards the end of WWII in 1944, knowledge of the Holocaust had spread, but the front lines of Allied advance were still too far away to stop the atrocities.  Citizens of neutral countries like Sweden could move freely within occupied territory, and Raoul Wallenberg – a wealthy, privileged, 32-year-old Swede – volunteered to help.  With little more than his wits and his cover as a Swedish diplomat, Wallenberg saved nearly 100,000 lives.  This is a link to a case study of Wallenberg’s leadership – it’s well worth reading.

 

 

 

Seriously – go read it.  This post can wait.

 

 

 

There are countless lessons we can learn from an inspiration like Wallenberg – the defense of justice, courage in the face of danger, protection of those most vulnerable – but those are hard lessons to apply in our daily work lives.  Nonetheless, I think Wallenberg demonstrated several characteristics that we can benefit from emulating.  I want to talk about a couple today and a few more tomorrow:

  • Improvisation: Wallenberg left for Budapest with only the rough outlines of a plan.  He’d assume the cover of a Swedish diplomat, distribute fake Swedish passports, and establish a series of safe houses under diplomatic protection – he’d figure out how to do that (and everything else) along the way.  He understood that time was his most precious resource (as it is for all of us), and that waiting to develop the perfect plan before deploying would only risk lives.  Being able to improvise upon arrival – to remain flexible in the face of changing conditions – was key to his success.
  • Confidence:  Wallenberg was no more a diplomat than you or I.  But through unwavering displays of confidence – even under live gunfire – he convinced hundreds of armed and angry Nazis that he had the authority to override their orders.

How are these characteristics relevant to our work in the Federal sector?

  • Improvisation: The conditions around us are constantly changing – people, relationships, priorities, resources, etc.  On top of that, cybersecurity itself is an amazingly dynamic field.  Not only must we be comfortable with change in general, but also with our ability to adapt to it.  If we can’t quickly adapt to an ever-changing landscape, we will soon be left headed in what was once the right direction, but is now the wrong one.
  • Confidence: Much of what we do is serve as security subject matter experts.  And if you don’t exude confidence in what you’re saying, you can’t expect others to accept you as an expert.  So whether it’s to the IG, our peers in IT, or throughout the rest of our agency, we need to demonstrate an air of confidence when we’re acting as a SME (which should be pretty much all of the time).

I have a few more lessons I think we can learn from Wallenberg, but I’ll save them for later.  In the meantime, I encourage you to find your own.  He left a legacy from which we all can learn much.

Rex

Trees rule

Hi folks,

I’m a big fan of trees, and I’m lucky enough to have a number of large trees on the property around my house.  But they’re not just decoration – they’re functional.  Between the shade and the evapotranspiration (I win the obscure word of the day contest) of a tree, they reduce the ambient air temperature as much as 9 degrees, and the temperature directly under a tree by as much as 25 degrees.   They’re awesome.

The problem with trees is that they take a long time to grow.  So when we had to remove two dying trees from our lot last year, we lost a bunch of shade with no quick way to regain it.  We’ve since planted more trees, but it will take decades to realize the shading and cooling benefits of those new saplings.

The same concept applies to relationships.


No, seriously – hear me out.

The benefits of good relationships are innumerable – laughing at your stupid jokes, hugs, bailing you out of jail – but generally those benefits don’t manifest overnight.  Meaning that I can’t reasonably expect the same kind of support from somebody I befriended yesterday as I can from a friend of 20 years.


And further, even long-standing relationships need constant investment.  If I abandon a relationship for an extended period, I shouldn’t expect support when it’s convenient for me.  I’m sure we’ve all seen too many relationships deteriorate over time as people take them for granted and fail to invest in them.

So, just like trees, we need to plan and care for our relationships.  If we plan on working with individuals in the future, it benefits us to establish and invest in our relationship with them as early as possible.  And if we already have a relationship established, we can’t afford to neglect it – we need to nurture it continually so it’s ready for us when we need it.  Let’s get out there and make some friends!


Rex

Checklists are awesome

Hi folks,

Maybe it’s just me, but I used to roll my eyes at checklists.  They’re usually pretty boring, they’re a symbol of bureaucracy, and they’re insulting by insinuating that I can’t remember what to do without them.  But then I learned that checklists beat the Nazis and helped us win WWII.

In 1935, the US Army (there was no Air Force yet) was looking for a new bomber.  Boeing tossed its hat in the ring with the Model 299, a massive four-engine plane that exceeded all of the Army’s requirements.  The Army was sold, but during testing on October 30, 1935, the plane crashed, killing Boeing’s chief test pilot and an Army test pilot while injuring several others.

The problem?  Planes had become too complex for pilots to fly by memory alone.

The crash nearly ruined Boeing, but the Army still wanted the planes, so Boeing developed a simple and elegant solution – the pre-flight checklist.  Following the introduction of the checklist, Boeing flew without incident and the Army ordered nearly 13,000 copies of what was renamed the B-17 Flying Fortress.  And as the pilots continued flying, they developed more checklists for routine activities, introducing more reliability, reducing the time to complete sequences, and reducing overall workload.

You may be thinking “uh, we’re not test pilots and we’re not fighting for the survival of democracy and freedom”.  Debatable, but potentially true.  Nonetheless we are doing reasonably complex things.  And we’re doing them routinely, which is the ideal combination for a checklist.   Responding to an incident?  Assessing common controls?  Flowing new policy through a control board?  All opportunities to see if developing a checklist would help improve the reliability and quality of our output.

Or, if nothing else, just use a checklist to make yourself feel better:

image006

Rex


Cake or fruit?

Hi folks,

Saint Augustine didn’t start his life in a saintly way.  During his hedonistic youth, he famously prayed “grant me chastity and continence, but not yet.”  And while he was a brilliant philosopher and theologian, he couldn’t have known that he was perfectly articulating the concept of the Present Bias.

The Present Bias (and other forms of temporal discounting) says that we discount rewards/impacts/punishments the further they are in the future.  So if I ask you if you want cake or fruit next Friday, you’re pretty likely to choose the healthy option of fruit.  But if I ask you if you want cake or fruit today, you’re much more likely to choose cake.


What can we take away from this?  Likely much, but something that stands out to me is the need to push out the negative impacts of changes we require.  Meaning our customers and partners are more likely to agree to obligations they find onerous the further in the future those obligations are required.  For example, which seems more likely to get support from our customers?

  • Please assess and report on the status of 100 controls by the end of this month.
  • Please assess and report on the status of 100 controls by the end of this year.

Right – the latter.  Easily.

What does that mean for us?  We need to plan well in advance.  If we need those 100 controls assessed and we want to minimize pushback from our customers, then we can’t wait until 4 weeks before they’re due – we need to give them as much notice as possible.  Because when you look to a year out on the horizon, pretty much everything looks small and agreeable.


Rex

I’m inspired by brownies

Hi folks,

We in information security hear a lot of feedback about when we should provide rules and when we should provide guidance.  Sometimes we have various parties battling it out over which we should provide, pulling us in either direction, trying to make their case.  It’s at times like that we all need a bit of inspiration.  That’s when we need to turn to:

image002-1
That’s right.  Betty Crocker.

How, exactly, is a fictional dessert baker a great example of the distinction between guidance and rules?  Think brownies.  When you buy a box of Betty Crocker brownie mix, it has very clear and easy-to-follow instructions on the box for making brownies.  But they’re not rules.  In fact, our friend Betty encourages you to experiment.  On her website, she provides a dozen other recipes for which you can use her brownie mix.

Why does she do this?  Is Betty Crocker an anti-authoritarian revolutionary?  Is she baking anarchy brownies and handing them out at Occupy protests?

She does this because there’s no harm in messing with her recipe.  In fact, the home baker might have a better idea for what to do with the brownie mix.  And that’s the key distinction between rules and guidance.

  • If the purpose is to stop harm, it should be mandatory – a rule.
  • If the purpose is to help an implementer do their job, it should be optional – guidance.

There are all sorts of nuances therein (e.g. what constitutes harm), but as a general principle, that works.  Potential for harm?  Make a rule.  No potential for harm?  Provide some guidance.

And why not just make everything a rule?  Because it locks us in to a way of doing things, reducing our agility and creativity.  So when our customers demand more rules from us (which is a phenomenon I’ll never understand), we need to be cautious about what we provide as a rule and what we provide as guidance.  Just think “what would Betty Crocker do?”


Rex