Month: February 2018

Hi folks,

I’ve been itching to go watch the Black Panther movie, but with a small baby in the house, it’s been hard to carve out enough time.

I’ve read some of the reviews, and they’re almost universally glowing from both critics and fans alike. But other movies sometimes generate divided opinions – critics vs fans, critics vs critics, etc… Which made me curious about how critics do their job.

It turns out that the foundations of theater/film/art critics were established a few hundred years ago by Johann Wolfgang von Goethe. Aside from having an awesome name, Goethe was one of the world’s last true renaissance men, making a lasting impact in literature, science, politics, and more. One of his many contributions was through his love of theater, and his proposal that a critique of a play should answer the following three questions in order:

1. What is the playwright trying to do?
2. How well has he or she done it?
3. Was it worth doing?

The order was important to Goethe. He wanted critics to avoid rushing to personal judgement – “I didn’t like it, so this wasn’t worth doing” – and instead try to understand the perspective of the artist first, forcing them into relatively objective analysis.

Um, maybe.

Either way, I like the approach. But on the production side, we need to rearrange the order. When we’re talking about new security initiatives, it becomes something like:

1. What are we trying to do? – What’s the idea? What ends or change are we trying to accomplish?
2. Is this worth doing? – Is there a compelling need for us to undertake this new effort? What benefit does this bring to our stakeholders?
3. How well can we do it? – Do we have the necessary resources? How can we measure our success? What is our stakeholder’s perspective?

As with Goethe’s original list, the order is important. Before we undertake any new initiative, we should have very solid answers to the questions “what are we trying to do” and “is it worth doing?”. All too often we get excited by a new idea and skip over the second question, failing to truly assess if it’s an idea worth pursuing. It’s easy to be blinded by the excitement of a new idea and the default position most of us have – that of course our ideas are worthwhile! But that’s not always the case.

And that’s not the end of our analysis. Once we objectively conclude that something is worth doing, we need to determine if we can actually do it. Do we have the right resources? Is the timing right? Are we the right people to do this?

If we pause and really examine the re-ordered Goethe questions, we’ll likely find that some of our ideas, while novel and interesting, aren’t likely to affect the change we want and, thus, aren’t worth doing. Or maybe they’re incredibly awesome, but we simply don’t have the necessary resources. And if we abandon those ideas early on, we can reallocate our resources to initiatives that are more likely to have a positive impact and we’re more likely to successfully complete, making us all the more effective.

That’s right, Dorothy. Goethe would have liked your thinking.

Rex

Hi folks,

The other day I met some fellow parents at my kid’s school and we did the usual introductions. Of course, about 10 seconds into the conversation, I had forgotten their names, which made follow-ups for a playdate awkward.

That happens to me all the time, and it drives me crazy. Nothing says “I value you as a person and would like to develop a relationship” quite like “uh, sorry, what’s your name again?” I know it’s a common problem, though, and not one limited to people. Organizations forget, too.

In 1885, Prussian psychologist Hermann Ebbinghaus published his hypothesis of the forgetting curve which basically states that the more time that passes after an event, the less we’re able to remember about the event. A few years ago, a former colleague of mine from Mandiant, Grady Summers, applied this theory to cyber compromises, asserting that the organizational support for improvements to cybersecurity are greatest immediately following a compromise, and that such support dwindles over time. So if you’re trying to improve the security of your organization, you need to move fast and take advantage of the quickly closing window of opportunity.

This isn’t limited to compromises, of course. It could be a shift in the regulatory industry, an audit finding, or any other event that grabs the attention of decision makers and compels them to support change. But regardless of the impetus, the forgetting curve remains, and the window of opportunity is only open for a limited time.

So what’s the solution? Well, according to Ebbinghaus, overlearning is the way to go – practicing a skill past the point of initial mastery. Of course, when we’re talking about the opportunity that comes from unwanted events…

Yeah, I agree. In my mind, there are two practical approaches First, you want to move fast to implement desired changes post-event. That generally means being prepared with a list of desired changes prior to an event so you’re not caught flat footed

Second, find a way to keep the lessons learned fresh. Ideally, we’d again follow Ebbinghaus and his spaced repetition approach, but we don’t need to suffer the effects of the negative event ourselves. We can also leverage compromises or negative events in other organizations to help remind ourselves about why we’re going through all this effort to improve our security. You can flatten out that forgetting curve with quick, concise debriefs of other public compromises as they happen. They should highlight similar impacts as those your organization felt as well as the corresponding efforts you’re taking to make sure your organization doesn’t suffer from the same fate. While your support will likely still diminish over time, it won’t drop off nearly as quickly.

By being prepared and sharing regular, active reminders of why people should support your efforts, you should be able to capitalize on a bad event and make good things happen.

Now, if I could only remember where I put my keys…

Rex

Hi folks,

We’ve had a string of bad weather recently, so my kids and I have been spending a bit of time indoors.

True, but either way, my daughter and I recently engaged in several intense rounds of Battleship. After some cautionary looks from my wife that seemed to say “don’t be a jerk – stop trying so hard to win against an eight-year-old child”, I kicked back, abandoned my density-based hunting algorithm, and let my mind wander.

One of the interesting things about Battleship is that the board pieces have no offensive power. So while it may seem like your aircraft carrier or battleship should be your most powerful pieces, they’re actually your most vulnerable because their large size makes them easier to detect. The smallest piece – the destroyer – only takes up two squares and is often the last piece to be found by an opponent.

We face similar situations at work as well. The larger our work product, the bigger the target.

Much of our work product manifests as program documentation. In our collaborative environment, we give others the chance to comment on new process and program documents that we’re preparing for release. And as a result, we’ve all felt the pain of seemingly endless review cycles and torrents of barely relevant comments.

We often bring this pain upon ourselves. To make our documents as thorough as possible, we include tons of detail and address all related topics. But instead of a tight, concise document that addresses the core issue, we’re left with a sprawling tome encompassing all things security. That’s a big target for stakeholders who want their voice to be heard through their comments.

We’ve talked in the past about using straightforward language. And while that helps, we also need to pursue shorter, smaller documents. The leaner our documents, the more limited and relevant the feedback we receive, and the faster we’re able to make fixes and move on. There’s lots of advice online about writing concisely, but most of it focuses on the sentence or paragraph level. That’s important, but so is the choice of topics to include. The more topics, the more content, and the bigger the target. The more narrow the scope, the more concise the document, and the smaller the target. Hemingway liked this approach.

Rex