Month: March 2016

Hi folks,

In 1915, Einstein was already an established genius. He had published his special theory of relativity ten years earlier, was the director of the Kaiser Wilhelm Institute for Physics, a professor at the Humboldt University of Berlin, and a member of the Prussian Academy of Sciences. Yet, he struggled.

His marriage was falling apart, he was living in a Europe ravaged by World War I, and he couldn’t seem to get his equation for general relativity right – all while fellow big-brain mathematician genius David Hilbert raced him towards the solution.

In November of 1915, Einstein was scheduled to present his theory in a series of 4 weekly lectures at the Prussian Academy. He wasn’t ready. In each subsequent lecture, he corrected the mistakes of the previous lecture as he continued to develop his theory. His efforts to convince people of his radical new theory were failing.

Finally, prior to his final lecture, he tested his latest equations on the orbit of Mercury – a problem that Newton’s theory of gravity couldn’t solve. It worked. His calculations matched exactly the observations of astronomers. Humankind had a new theory of reality.

The pages of algebra that constitute the theory condense elegantly into the following:

There are innumerable amazing things about this equation. But perhaps most important was Einstein’s ability to reach across disciplines and bring elements together for a unified theory.

G is the shape of spacetime and T is the distribution of mass and energy. G is founded in geometry and mathematics. T is founded in physics and matter and movement. The two naturally live in different universes. Yet Einstein brought them together, discovered the relationship, and changed the world forever.

How is this relevant to our work lives?

We live our lives in silos. We silo our lives into categories of family, friends, work, recreation. We silo our organizations into departments and divisions. We work on different floors, build walls and offices with closed doors, and insulate ourselves from the unfamiliar.

But beautiful things happen when we break down the walls – when we’re able to collaborate across boundaries and realize shared interests and goals. When we’re able to become greater than the sum of our parts. No, none of us will be the next Einstein, but at least we can try to break down some walls and see where we can unify people, groups, projects, ideas – unify for the betterment of us all.

Rex

Hi folks,

Spring is here in Washington DC, which means the arrival of massive hordes trying to time their visit with the peak for cherry blossoms at the tidal basin. Which I get, because at their peak, they look like:

Thankfully the influx of people gives us locals a great opportunity to get indignant about idling buses, people who don’t understand escalator rules, and inconvenient crowds who dare visit our amazing city to appreciate what we take for granted year-round.

The newest monument the crowds will be visiting is the Martin Luther King memorial on the tidal basin. Visitors will read a number of inspiring quotes from Dr. King on the side of the massive sculpture.  One quote that they won’t read?

I was a drum major for justice, peace and righteousness.

That’s because he never said those words. But they were on the monument when it was first unveiled:

What he actually said – in a speech predicting his own eulogy just 2 months before his assassination – was:

Yes, if you want to say that I was a drum major, say that I was a drum major for justice, say that I was a drum major for peace, I was a drum major for righteousness, and all the other shallow things will not matter.

Pretty different, huh? As Maya Angelou said, the abbreviated version makes King “look like an arrogant twit… It makes him seem less than the humanitarian he was. . . . It makes him seem an egotist.”  It totally mangled the context of the original.  The paraphrase was removed from the monument.

What does this have to do with work matters?

In the strategic security field, we’re frequently required to combine multiple abstract frameworks, align their various components, and distill them into understandable, actionable requirements for others in our organization to follow. Consider the risk management framework. There’s at least a half-dozen concepts converging in a single, umbrella effort. Each concept has its own levels of abstractness and tactical requirements and they all must fit together in an orderly, reasonable fashion. And since NIST is smart enough to avoid being overly prescriptive with this framework and the components, each agency needs to figure this out for themselves.

It’s not easy. We’ve unfortunately confused people from day 1 about our approach and we’re still struggling to get it right.

When we communicate, there are a handful of principles we should always follow. The one I want to touch upon today is providing the context.

Just like the quote on the King monument, the story around your communication matters. This is different than the meta, theories of communication kind of context.  This is simply explaining the “why am I communicating / what am I communicating about” as the first thing you do upon initiating a communication.

And this isn’t important only so people don’t misconstrue the meaning of your words.  A 2006 study found that professionals change their tasks about every 3 minutes and they switch across about 12 projects, or “working spheres.” We’re all distracted with too much on our minds. If you’re trying to insert communication into somebody’s brain, some nice introductory context helps ease the transition. Never assume the reader or listener is already on the same page, ready to receive your message. Chances are they’re not.  Getting them there ASAP increases the chance that your message will be received as intended.

Rex

Hi folks,

In our last installment we talked about the need for a process to be justified by the ends – that a process cannot justify itself.

Thankfully there are plenty of processes that are well justified by their appropriateness and their results. We’ve talked about checklists before, and I want to share a similar example.

Peter Pronovost is a critical care specialist at Johns Hopkins Hospital. In 2001, he tackled a leading cause of unnecessary death in hospitals – line infections. He did so by developing a simple process and accompanying checklist that doctors and nurses could use when inserting a line:

• Wash hands with soap
• Clean the patient’s skin with chlorhexidine antiseptic
• Put sterile drapes over the entire patient
• Wear a sterile mask, hat, gown, and gloves
• Put a sterile dressing over the catheter site once the line is in

There’s nothing revolutionary here. These steps had been taught for years. But by distilling them into a simple process and creating a checklist procedure around them, the line infection rate dropped from 11% to 0%.

And while Pronovost’s own words echo the message of the last entry, “the use of checklists is not the endgame. Reduced infection rates are,” there is clearly much value in a process that saves thousands of lives.

“But Rex, I’m not a doctor/nurse and no process of mine is going to directly save lives. Thanks for setting the bar unreasonably high!”

I get that. It’s easier to justify a process when the outcome is saving a life. But if we abstract this example, I think we can observe some of the characteristics of a good process:

• Simplicity – the process should be distilled into it simplest possible form. Yes, some processes are inherently complex, but even the most complex can be explained in plain language. And simplicity is rewarded! A teenager won $400,000 for his 7 minute video explaining the theory of relativity.
• Causation – This is challenging, but the burden of proof is on us process owners. Within reason, we should be able to show causation for the impact we’re seeking. If we can’t draw a reasonable line from the process to the output, we can’t justify the process.
• Positive ROI – We need an end that outweighs the investment of the means. If you invest X in a process, you want >X in return. This isn’t always easy to measure, but ultimately somebody within the organization needs to make the call on upfront costs, priorities, opportunity costs, etc.

These requirements aren’t good only for new processes, either. Periodic examination of existing processes is needed as organizations grow, capabilities evolve, and priorities change – leaving processes outdated, misaligned, and inefficient.

Good processes aren’t a burden – they’re an asset. They help organizations generate predictable, high-quality results. But good process rarely emerge fully-formed and they rarely stand the test of time. Those of us charged with the wellbeing of an organization are obligated to accept only the processes that meet our standards – simplicity, causation, and positive ROI – and once we do, reevaluate them periodically to make sure they’re still up to par.

Rex

Hi folks,

My daughter’s school recently hosted an “80s day” when all the kids dressed like little Cyndi Laupers, Princes, and Billy Idols. Cute, but the 80s have been the throwback decade of choice for a while now – you’d think the 90s would have their turn, right? Wrong. Because “nostalgia for 90s fashion” is a phrase uttered by nobody. Ever.

But the 90s were good to us in some ways. The fall of communism in Europe, a growing internet, maturing hip hop, and… Adam Sandler movies.

Yeah, I know – not exactly Oscar material. But hear me out. The 1996 movie Happy Gilmore actually left us with an important lesson.

Happy Gilmore, played by Adam Sandler, is a wanna-be hockey star who discovers he can drive a golf ball better than any pro by using his club like taking a slapshot in hockey. Hilarity ensues and Happy wins the day using his unconventional approach.

What could we possibly learn from this? The lesson is that there’s a time to prioritize the process and there’s a time to prioritize the outcome.

Had Happy’s golf mentors tried to make him conform to a traditional golf swing, he’d undoubtedly have lost his advantage. By instead focusing on outcome – using that amazing, weird drive – Billy was able be the hero of the movie.

You may be saying “Rex, that’s just the ends justifying the means!” Not quite.

I think ol’ Leon was close to getting it right, but for our purposes – for the sake of organizational efficiency and focus – the means must be justified by the end. And not just in that they led us to a desirable outcome, but that they are a reasonable approximation of the best route of achieving that outcome.

That’s where many of us fall into a trap by prioritizing the process over the outcome. Especially when dealing with activities that the regulators will examine – as if pointing to a considered, refined process excuses a poor outcome.

Because the weight of a man’s opinion is directly proportional to the amount of lace in his collar, I’m invoking Sir Francis Bacon:

As if you would call a physician, that is thought good for the cure of the disease you complain of but is unacquainted with your body, and therefore may put you in the way for a present cure but overthroweth your health in some other kind; and so cure the disease and kill the patient.

As Sir Bacon implores, it’s not about the process – the ultimate goals of the organization must be the priority. Is it okay to kill the patient as long as you cure the disease?  Most patients would say no.

Further, a process that doesn’t materially improve our rate of success is less than worthless. At a minimum, it diverts valuable resources for no perceptible benefit. Worse yet, it could point us in the wrong direction entirely.  The means are not justified by the end, even if the process is well-intentioned and even if we happen to achieve our goals with no thanks to the process.

Some who work with me may think I loathe NIST and their guidance.  Far from it.  What I loathe is the elevation of NIST and related regulatory efforts above the goals of the agency – the fetishization of the process over the outcome (I stole that term from here). NIST, FISMA, A-123, audits, etc are critical components for encouraging the pursuit of security across the Federal sector – but they should never become the primary goal.

Our goal is security, not the process of becoming secure. Performance, not compliance.

Rex

Hi folks,

1959 was a pretty big year.  Castro took over Cuba, the Dalai Lama had to flee Tibet, the Guggenheim opened in NYC, and Khrushchev threw a fit when he wasn’t allowed into Disneyland.

Also happening in 1959?  Honda entered the US market by trying to sell motorcycles.

When Honda planned for their entry into the US market, they looked at the kinds of motorcycles Americans were riding – (relatively) big Harleys and Triumphs – and they tried to sell similar bikes.  The problem was that Honda’s bikes weren’t adept at the sustained, high-speed kind of riding Americans did, and they frequently broke down.  Honda was spending all its money shipping the bikes back to Japan for repairs.  They were failing.

When an American Honda engineer took a Japanese market small motorcycle into the dirt hills of California to blow off some steam, his friends took notice and wanted the kind of bike he was riding – the kind of bike Honda assumed Americans wouldn’t want.  Over time there was a groundswell of demand for these cheap, small bikes and Honda to start selling them to the public.  Their strategy quickly shifted from emulating the existing market to responding to this new market demand.

What does this have to do with work?

• Honda’s initial plan was what’s called a deliberate strategy.  It was planned in advance with clear objectives, assigned resources, and expected results.
• Honda’s new plan is a classic example of an emergent strategy.  It’s a strategy that develops as a result to changing circumstances or sometimes one that develops when there was no initial strategy.

Most of what we do in my division is planned.  At least my boss hopes it is.  But when we go to execute these plans, we want to channel our inner Honda.  We want to be aware of changes in our environment and respond in a way that best serves the organization.  We want to be open to new and better opportunities as they arise.  We want to be flexible.  When the horse you’re riding dies, dismount.

Rex

Hi folks,

It may be just me, but I see the term futurist tossed around a lot these days.  I’m pretty sure the blame can placed on the Iron Man movies:

I mean, who doesn’t want to be an uber-genius billionaire philanthropist playboy superhero?

But for as made-up as the term sounds, it’s real and used to describe a person who tries to predict the future based on trends in the present.  Yes, this is a legitimate profession and people get paid for this.  No, they typically don’t use tarot cards and crystal balls.

Either way, some of these futurists subscribe to the theory of accelerating change.  Mostly it describes a continual increase in the rate of technological change, but it can also describe accompanying societal change as well.  And in some ways we’ve seen this during our lifetimes:

When it comes to technology, change arrives quickly.

So if you work in technology, it’s safe to assume you need to be adept at reacting to change.  Duh, right?  But what happens when a technologist – especially one from the even more quickly changing security field – tries to push change upon a population who likes the status quo?  Or at least doesn’t like your change?  Well, there’s usually pushback – attempts to slow/stall/stop the change.

There are innumerable examples of this how this pushback manifests, but a great one is from outside the technology field.

In the 1990s, President Clinton was taking a stab a health care reform.  He failed for many reasons, but one of the factors was a series of very successful attack ads that fomented doubt about the proposal.  The famous Harry and Louise ads were gloriously simple – a married couple sitting around complaining about the proposed changes, ending the ad with Louise wistfully wondering aloud “There’s got to be a better way.”

This is perhaps the laziest – but also perhaps the most effective – means of refuting a proposal.  The objector doesn’t have to come up with a better idea – they just have to implant suspicion that a better idea exists.  And in the intersection of an ever-changing field like infosec and the not-bleeding-edge government, it’s likely true that a “better way” exists as capabilities evolve and solutions emerge.  But that shouldn’t get in our way or progress.  Again, listen to Skeletor:

How can you combat this insidious lazy man’s effort to avoid change?  One way is by formulating counterarguments.  Counterarguments don’t directly confront the “better way” opposition, but they strengthen your proposal in multiple ways:

1. They make you consider the ways in which your argument can be improved (and hopefully you then make those improvements)
2. They make you anticipate the ways in which your argument will be opposed, allowing you to develop counter-strategies
3. When you share your counterarguments, you show your audience that you’re considering multiple angles, increasing the faith in your conclusions

Much of what we do in strategic security is submit proposals to an audience for consideration.  And because we’re human and thereby convinced of the righteousness of our own proposals, we often forget to consider the likely opposition.  This reduces our rate of getting proposals/plans/etc passed.  The more frequently we develop counterarguments for our proposals before sending them out the door, the better our batting average becomes.

So there you go.  From Iron Man, to accelerating change, to President Clinton, to counterarguments.  How you like me now?

I’ll take it.

Rex

Hi folks,

When I was a consultant and had business development objectives, I was super focused on networking.  One of the things I needed to do well was concisely articulate my value and the value of my team.  These were my elevator pitches.

For instance, at Mandiant my pitch was:

I work at Mandiant. We’re a boutique cybersecurity company focused on detecting and responding to state-sponsored corporate espionage.  I’m responsible for client service delivery to all of our managed service clients – I lead a team of 10 managers who serve over 100 clients across the globe and across industries, ranging from Fortune 10 to small non-profits.

Not the best, but it’s relatively concise (it takes about 15 seconds to deliver) and it generally gets the idea across – “this is my identity, this is what we/I do, here’s an allusion to some bona fides.”  It’s a lightweight version of a mission statement.

Now that I’m a Fed, there’s a lot less pressure to expand my network.  I no longer live in fear of missing out on the one great contact that will pave my path to making partner.  So I got lax about practicing my elevator pitches.  In fact, if you ask me today the quintessential DC question “what do you do?”, my answer is a rambling, James Joyce-style stream of consciousness that leaves you wishing you had never asked.

That needs to change.  Not just for me, for many of our organizations.

That’s where a mission statement effort comes into play.  Based on a recent internal stakeholder survey, people apparently aren’t clear on who my division is, what we do, what’s our value.  Everybody on our team needs to be able to concisely and uniformly articulate this.

We need to get really good at telling people how awesome we are.

As a senior official once told me, “if you don’t tell your story, somebody else will and you may not like what they say.”

So we’re working on that story now.

Rex

Hi folks,

Last week we talked about Raoul Wallenberg and the many lessons we can learn from him.

If you haven’t read those posts first, scroll down and start with part 1.

Today I want to share one final lesson I took away:

Understanding your audience

Wallenberg understood what motivated his enemies.  Militaristic fascists bent on genocide weren’t going to be swayed by humanitarian appeals or an argument coming from a perceived underdog.  They would only respond to authority.  Wallenberg understood this and founded his approach on the perception of authority – his status as a “diplomat”, the official-looking passports, etc.

Yes, we (hopefully) don’t have enemies like Wallenberg did.  But we do have customers, and peers, and bosses, and all sorts of people we’re trying to convince on a daily basis.  If we’re going to be as effective as possible, we need to understand what motivates them.  For example, if you want to naturally resonate with my motivations, it’s pretty well known that you shouldn’t start a conversation with “Well, NIST tells us to…”  You’re far better off explaining why an idea makes sense for the agency rather than presenting an appeal to authority.

We all have our own personal motivators, and the more we can craft our discussions in ways that align to the motivators of our audience, the more persuasive we’ll be.

Rex