I hope you’re feeling well

Hi folks,

The other night I went to a concert with some friends (or a “show” for you cool kids out there).

On the way to the show, a friend reminded me that I had actually seen the headline band as an opening act nearly 15 years ago. I had forgotten, but as I dug into my faded memory, I recalled very positive feelings and impressions from way back when. I was looking forward to another great experience. Sadly, it wasn’t meant to be. The band’s style had changed over the years, and I wasn’t a fan of their new music. Plus, I may be a bit less easily impressed in my old age…

When it was over, I was chatting with my friend about our impressions of what we just saw. I told him that I didn’t enjoy it nearly as much as I did 15 years ago.

    • Friend: What?! You didn’t even remember seeing them until I reminded you. How could you possibly compare the two experiences given your lackluster memory?
    • Me: Yeah, but I remember how I felt 15 years ago – I felt impressed and like I had just witnessed something new. I didn’t get that tonight.
    • Friend: You’re an idiot.

He may be right, but I stand by my assessment. The whole interaction reminded me of a great Maya Angelou quote:

Which, apparently, she never said and is misattributed to her. But it sounds like something she’d say and it’s a good quote, so why waste the attribution on some random dude instead of an authority on life like Maya Angelou?

Anyhow, the quote is powerful in its message. As time goes on, our everyday words and deeds may fade, but the way we made each other feel will remain with us until the end. Getting that finding closed, fixing that broken data source, implementing that new program – that’s all super important. But the core of what we do is service. Service to our country, service to our stakeholders, and service to each other. And if we can only get those important things done at the expense of our relationships with each other, then we’ve failed the big picture.

So in this season of thanksgiving, peace, and reflection, I hope we leave each other with feelings of appreciation, compassion, and camaraderie. We’re all in this together doing the best we can to serve a greater good. Thanks for everything you do.

Rex

React to change

Hi folks,

Last week I talked about how my battle against the leaves in my yard allows me to listen to some audio books. I just wrapped up McCullough’s 1776, which feels seasonally appropriate given that, in 1776, Washington finished the year with a spectacular victory at Trenton.

But before he enjoyed the victory at Trenton, he suffered a series of defeats at the hands of the British. Perhaps the most confounding in retrospect is the defeat at Fort Washington just weeks earlier in November of 1776.

Fort Washington and its twin Fort Lee were built by the Americans in the summer of 1776 to help prevent the insanely huge and powerful British fleet from sailing up the Hudson and outflanking the Americans. The forts were well built and the Americans were confident they would serve the purpose. They stocked the forts with men, weapons, and supplies and waited for their opportunity to prove their effectiveness.

On October 9th, that chance came. Three British warships sailed up the Hudson and, to the Americans’ dismay, passed right by the forts with minimal damage.

The forts had been proven ineffective at their mission to secure the Hudson. Yet Washington and his leadership continued to maintain the forts, leaving thousands of men there even though Washington himself wondered aloud about the wisdom of doing so:

If we cannot prevent vessels passing up [the Hudson], and the enemy are possessed of the surrounding country, what valuable purpose can it answer to attempt to hold such a post from which the expected benefit cannot be had. I am therefore inclined to think it will not be prudent to hazard the men and stores.

And he was right. On November 16, British forces overran the fort. The Americans suffered 3,000 casualties and lost numerous valuable supplies. It was a devastating, unnecessary defeat that nearly cost us the war. Washington and his leadership failed to act on changes in their underlying assumptions.

Hundreds of years later, Viktor Frankl would say this about stimulus and response:

Frankl is cautioning people against reacting without thinking, but the converse is just as dangerous – failing to react. In Washington’s case, he knew that the forts had been proven ineffective and he recognized the risk of continuing to maintain them, but he failed to change course.

It’s often easier for us to maintain our current course even as the world around us changes. But by doing so we risk finding ourselves in a situation like Washington – doing things that are no longer relevant to the environment in which we live. In dynamic fields like IT security, this is particularly true. Some hypothetical examples:

  • Why do some organizations still require 13-character complex passwords when they’ve implemented two-factor authentication and accounts lock out after 5 failed attempts?
  • Why does some technology only look for data exfil over ports 80 and 21 when they know attackers now use port 53 and others?

As the conditions surrounding a decision change, it makes sense to reexamine that decision. Sometimes it will still make sense to continue with the current course of action. But sometimes what we’re doing simply no longer makes sense, and we put ourselves at risk by refusing to change.

So while Washington was a role model in many ways, we also have the opportunity to learn from his mistakes. We should question assumptions and decisions when we get new information and then we should change as necessary. Otherwise we risk being outflanked by the British and thrown on a prison ship with a 33% chance of survival… or maybe we risk finding ourselves following outdated practices. Either or.

Rex

Don’t be the messenger

Hi folks,

It’s the tail end of fall, which for me means a mad dash to rake all the leaves in my yard to the curb so the city can vacuum them up.

And since I gratefully have a bunch of trees, I spend a lot of time getting those leaves out of my yard. To make the most of it, I usually listen to audio books while I rake. Recently, I’ve been listening to David McCullough’s 1776. It’s a riveting review of the year of our nation’s birth. The author draws upon a variety of sources to tell the story, including journals of British generals.

Henry Clinton was a Major General in the British army who was sent to America in 1775 to help quell the rebellion. While he was apparently a gifted intellectual and military leader, he also had an abrasive personality and hadn’t developed a good working relationship with his superior, General Howe. Following a series of setbacks and failures in the Carolinas, Clinton rejoined Howe’s main forces to assault New York City in August of 1776.

Clinton had lots of ideas about how to attack the rebels entrenched at New York, but he began to annoy Howe with his suggestions and wasn’t gaining traction. Instead, Clinton took his plans and gave them to a peer – General Burgoyne – to deliver to Howe for consideration. Howe, receiving the message from a more trusted and respected source, adopted the plans and used them to defeat the Americans in the battle of Long Island.

By changing the messenger of his plans, Clinton followed one of the lessons laid out in Aristotle’s Rhetoric. In Rhetoric, Aristotle lays out the basis for rhetorical theory. He identifies three modes of persuasion: ethos (the personal character of the speaker), pathos (the emotional influence of the speaker on the audience), and logos (the rational logic of the argument). Clinton realized that he wasn’t respected by Howe and, thus, wasn’t the best person to deliver his message. So he put aside his pride and gave his ideas to a more respected peer, letting him secure support for the argument. Clinton had prioritized the acceptance of the message over his personal image or reputation.

All too often we feel the need to be the sole messenger of our ideas. We do this for numerous reasons – maybe we don’t trust others to deliver the message effectively or maybe we want credit for the idea. But if the idea is what’s truly important, it’s critical that we assess our effectiveness as the messenger. Are we considered a credible source? Are we seen as an authority on the topic? Does the audience like us? And if the answer to any of these is no, who can better deliver the message? Because for as likeable as we all are, we’re not the right spokesman for every situation.

<this message has been sent to you by somebody you trust and respect more than Rex>


Shutting up and listening

Hi folks,

One of the advantages of riding my bike to work is that I’m mostly unimpacted by traffic. Well, except when I’m in the fallout zone of some drivers yelling at each other.

That was true earlier this week. A line of cars was stopped at a light, waiting to turn left. The light was green, but the traffic wasn’t moving. A few cars back in line, a driver was using his horn, voice, and gestures to let the world know he was displeased with the lack of progress. And not in a gentle “greetings, fellow human being, you may not have noticed that the light is green” kind of way.

What the driver couldn’t see is that there was nowhere for the cars in front of him to go. Traffic was completely stopped, so instead of blocking the box, the cars in front were staying put – as they should – to avoid making the whole situation worse.

We’ve all been that metaphorical angry driver before – shouting at the world because it’s not doing what we expect, all the while ignorant of the underlying reasons for the upsetting behavior.

I recently attended a weeklong course on communications. The sessions had a heavy focus on 1:1 communications and we worked through a series of role-playing scenarios during which we were handed a page’s worth of information on our character’s perspective. Despite explicit instructions to follow a formula of “listen, inquire, give feedback”, most of us initially jumped straight to “let me tell you what I think” mode. Even in pretend scenarios, we were so anxious to make our perspective heard, we neglected the perspectives of others.

With some practice, we all improved and were able to improve the outcome of the scenarios by simply shutting up and listening before rushing to give our opinions. But it’s something that we all need to practice – especially when we’re dealing with colleagues or clients we consider difficult. By listening instead of talking, we can often find the elusive common ground from which we can start building positive, productive relationships.

Rex

Better performance through brain chemistry

Hi folks,

As you may know, I enjoy riding my bike.  I bike to work during the week and on the weekends I go mountain biking.  I typically ride by myself or with some friends, but occasionally I’ll enter a race or organized event.

This last weekend I rode in one of the local “epic” rides.  This one was 40 miles of mostly single track throughout Montgomery County, Maryland.  I was out of shape from a month of not riding while on paternity leave, I was tired (see aforementioned paternity leave), and it was raining.  Wet roots and rocks abounded and made for treacherous riding.  I was able to stay upright, but my friend wrecked twice, first earning a large, instant bruise on his hand, and then potentially some cracked ribs from sliding off a rain-slicked bridge.  It wasn’t our favorite ride.

Normally, a long, challenging ride leaves me with some feeling of satisfaction.  Not this time.  By the end of the third hour my friend and I had our fill.  We were tired, wet, sore, and – in his case – injured.  Thankfully, we had an odometer which told us how far we had traveled.  We knew the course was 40 miles, and we eagerly watched the remaining distance to the finish line shrink with each pedal stroke.

But a funny thing happened.  40 miles came and went, but we still weren’t done. Clearly, the odometer was inaccurate.  Our hearts sank as we continued on with our ride, no longer having the proximity of the finish line to help motivate us.


Yeah, I know.  There’s no crazy ending here.  We eventually dragged our sorry carcasses across the finish line and limped our way to the car.  Story over.

But the problem we encountered is one we deal with all the time in the workplace.  The human body and mind are built to reward accomplishments.  Dopamine is a neurotransmitter that provides a feeling of pleasure whenever we do something good for ourselves, including accomplishing a goal.  It’s a key part of our motivation and reward system – without it, we’d flounder as individuals and a species.

The problem during my ride is that once we realized our odometer was busted, my friend and I lost those incremental hits of dopamine as we edged closer to the finish line.  Our motivation dropped, and the usual last-mile surge of energy never materialized.

At work, this happens when goals and objectives aren’t clearly established or are constantly changing.  A clearly defined goal – hopefully with some nice, incremental milestones along the way – helps an organization tap into the brain’s motivation/reward system and use the power of dopamine.  We’ve all done this on a small scale.  If you’ve ever made a to-do list and felt the satisfaction of crossing off accomplishments, you’ve felt the power of dopamine.  And as leadership super-thinker Simon Sinek confesses, some of us (myself included) add already-done items to our lists just to cross them off.

With the end of the fiscal and performance calendars, now is a great time to consider this lesson.  Clear, measurable, achievable goals are important for a multitude of reasons, but perhaps they’re most important because they tap into one of the most primitive parts of our brain and help drive us all towards success.

I know, right?

Rex


Fictional meth cooks teach us performance metrics

Hi folks,

It’s been a while, but I have a good excuse – we have a newborn in the house and my lack of sleep has meant I’ve only recently regained the ability to put together a coherent thought.  Or maybe not.  I’m not sure – we’ll see how this goes.

For my wife and me, late nights spent trying to calm a baby while staying awake ourselves often means watching TV.  We don’t watch much TV otherwise, so that means we have all sorts of entire, multi-season shows we can binge watch.  With our last kid, the show of choice was Breaking Bad.

If you haven’t watched it, you should – it’s awesome.

Either way, the main character adopts the nom de guerre of Heisenberg.  If you’re like me, you have a vague recollection of Heisenberg’s Uncertainty Principle from high school chemistry.  Or was it physics?  Maybe English lit?  Regardless, some googling helped refresh my memory.

Werner Karl Heisenberg was a German physicist and one of the pioneers of quantum mechanics.  In 1927, he introduced his uncertainty principle which, in layman’s terms, states that when measuring the location and momentum of a particle, the precision of those measurements is inversely proportional to one another: the better your measurement of position, the worse your measurement of momentum.  But that doesn’t make sense, right?  You’d think a really good microscope would provide more precise measurements all around.


Heisenberg – clearly tired of people asking him stupid questions like the above – developed a thought experiment to demonstrate his argument.  It’s called the Heisenberg Microscope, and it basically says in order to measure the location of a particle, you’re going to use a technique that impacts its momentum.  Vice versa for measuring momentum.

It’s a concept strongly founded in the Observer Effect, which says that simply observing a situation changes the outcome.  This is a fun theory, and it’s pretty applicable outside of the hard sciences.  The idea in management science is this – by measuring certain performance metrics, you can improve the performance of an individual or organization.  There are plenty of studies supporting this, but one from 2011 in the International Journal of Operations and Production Management describes three distinct effects of performance management:

  • Trigger – revealing a need for change in a process or activity (read: are our goals the right ones?)
  • Guidance – improving the alignment between what a process plan says should take place and what actually takes place (read: are we doing what we say we’ll do?)
  • Intensification – increasing the frequency of process assessments (read: do our processes actually support our goals?)

The benefits of these kinds of effects within security are obvious.  Rarely does everybody naturally agree on the objective of a security program – think of the cliché scenario of an infosec professional who wants to lock everything down to a nearly unusable state vs the business unit representative who wants easy access to the entire internet.  Anything that drives an examination and consensus building around those goals – a trigger effect – lays the groundwork for better inter-organizational relationships and better-focused efforts for the security program.  Similarly, ensuring a tight relationship between those goals and our processes (intensification) – and making sure we follow those processes (guidance) – is critical to maintaining a secure environment.

So while Heisenberg says we can’t get an accurate performance assessment since our measurement itself will change the results, it sounds like that’s a good thing.  Let’s select some metrics for each of our security programs and start monitoring!

Rex

Plan to fail

Hi folks,

A friend of mine is starting a new job soon, and his primary responsibility will be the establishment of a new capability and program. While he has plenty of relevant experience as a consultant – identifying stakeholders, developing an understanding of needs, boiling down wish lists into something more practical – he’s never had to stand up a program before. I’ve had the opportunity to do so in several contexts, so he came to me for advice.

I think he was hoping for a pretty concrete answer – something like “oh, here’s the book/methodology/process everybody uses”. And while countless authors and organizations like PMI would love to sell you their ideas and frameworks, there’s no single definitive solution to the complexity of creating something new. Because whatever plan you have, it’s going to need to adapt and change to the conditions you encounter. As said by 19th century Prussian general Helmuth von Moltke, “no plan survives first contact with the enemy.” Or, my preferred version:

So what’s the answer then? Just wing it? That seems… irresponsible. Yeah, it would be.

The answer is to have an approach that’s inherently flexible – one that doesn’t box you into a corner or set you up for failure. In fact, one that plans for failure in the first place. There are a bunch of these approaches out there, but one that I like and that has worked for me is the result optimization model. It looks something like this:

The idea is to iterate your development and deployment. It’s a pretty flexible model, but the way I like to use it is to develop a fully functional draft program, deploy, gather lessons learned, revise, and rinse and repeat. By actually deploying a program into a live environment – instead of waiting until you think you have the perfect product – you’re able to learn far more than you can through theoretical discussions at a whiteboard.

Now, there are some likely outcomes of this approach. Your first program iteration won’t do everything you want it to do. If you haven’t adequately set expectations, some stakeholders may be disappointed. And if you don’t already have a reputation for excellence, folks may think your initial draft is the best you can do.

But then again:

The good news is that there’s a number of ways to use this approach, adjusting the fidelity of each release to meet your needs. Does your organization have a low tolerance for failure? Then only release well-refined iterations. Need a quick success to establish or repair a reputation? Then take an agile-like approach and release incremental functionality and build upon each release.

I happen to like releasing fully-scoped draft programs, setting expectations for failure/friction and planning for the development and deployment of new iterations over the course of several months or years. That way, I can adhere to a broad, meta-plan that gives some overall predictability to how the program will mature over the long term. The time between deployments gives me the opportunity to see the program in action and gather feedback for improvements. And knowing that we’ve already scheduled new deployments many months in advance can calm nervous stakeholders who don’t immediately see all their needs met by the initial draft. But my ability to take this approach is very dependent upon the buy-in of my stakeholders, so your mileage may vary.

Regardless, the iterative nature of the result optimization model lets us reap the benefits of planning without being too tied to a single, rigid plan that, as Mike Tyson told us, is likely to break as soon as it’s deployed. Or, in the words of another great fighter:

Rex

Ready-to-go web security presentation

Hi folks,

I’ve given a load of presentations on information security topics. I purposefully focus on bridging the gap between the general users who have no technical expertise and the techies who often have difficulty relating to general users. For presentations to users, I dumb down technical issues in ways anybody can understand, emphasizing why they’re important and the potential impact of ignoring them. For presentations to techies, I focus on soft skills like communications and relationship building, trying to provide some incentive and means for better interactions outside of the IT world.

I came across an old (well, about a year old) general user presentation the other day that I think is worth sharing. It pushes the audience to understand some slightly more technical concepts, but it’s resonated well each time I’ve presented it. If nothing else, some of the example slides are good for demonstrating the concepts of various web application attacks.

Feel free to take these slides and use them as you see fit. Modify, edit – whatever works for you. And please don’t hesitate to provide feedback if you have it. I’m always interested in improving the deck for the next presentation.

Internet Self-Defense 101

Rex