Information Classification

Because of my work, classifying information comes as second nature. I have two separate and non-intersecting information streams. You are reading part of one of them.

100% of the talk about people on [...]]]> In this brave new internet world (as of about 1995), I’ve been thinking of my personal information sharing generally as public and private.

Information Classification

Because of my work, classifying information comes as second nature. I have two separate and non-intersecting information streams. You are reading part of one of them.

100% of the talk about people on social networks and things going horribly wrong are people who don’t make clear distinctions between the public, professional, personal, and social aspect of their lives. Getting into etiquette with social networks can be tricky. I find it best to, as a rule, separate business and pleasure.

Partial Disclosure

Public information is available for anyone in the world to read. I put it out there so that people can learn a bit about me.

The reason I started writing things in the public eye is because I realized that if I didn’t define myself and give people something to read who didn’t know me, someone else would. This is the same reason that I don’t publish raw slide decks of my presentations, but I put my speaking points intermixed with the slides in a blog posting. Text based communication loses a lot of intent and inflection, so I try to make up for it in this way.

I didn’t want to have a blog. Once upon a time, when I was younger (and even more naive), I thought that I could get by on merit alone; I believed that if I did good work, my work would be recognised for and stand on its merits. I read things like The Fountainhead (watch the movie) and took from it “Oh! If I do good work and work toward my own sense of excellence, I will triumph in the end!”

I don’t think so anymore.  I think success takes more than merit.

Not only do you have to do good work, but people need to know about it. You need to help people directly, impart lessons you’ve learned without being an arrogant jerk, and sell them on why a good solution is better than a thought-to-be-suffient solution.

Blogging

When Livejournal came out, I thought that this was lame in the same way Jennicam was lame. My conclusion was that blogging was about media and attention seeking. I didn’t have a need to have a public blog for people who didn’t know me could learn tons about me without my knowing them.

More importantly, it wasn’t interesting.

I found it massively egotistical that anyone would want to know what I bought at the grocery store or ate for lunch. I didn’t understand sharing of the mundane. Clearly many people do not share this opinion today.

The stuff I put on my blog are my presentations, the way I manipulate data for my own uses when I haven’t seen it represented in my way previously, or my attempts to explain the poorly explained. The ideal that I aspire to is “I wouldn’t find it interesting to read, I don’t write it.” I imagine that might come off as rampagingly egotistical at times, but I really make an effort not to be. I laugh at myself and at life as much as possible. It’s pretty ridiculous a lot of the time. My work tends to be very serious and can effect, in a real appreciable way, the lives of others. I take it very seriously. When people do important work badly, I can take it as a personal affront.

I would like to post more, but too much of it is sensitive, under contractual obligations, or in personal confidence. Unlike many people that do not share my views, I can’t disclose in good faith.

Social networks

What I find interesting about social networks, and by that I mean mostly Twitter and Facebook, is that it can introduce a gray area between public and private information; a social periphery of information that busy people share in order to keep in touch with people they think are cool.

That’s pretty much how I view a friends list; “These are people I think are cool.” If I would invite you to an informal party is my general baseline for inclusion into my social network.

Twitter: Low attention span blogging and random link sharing.

Bad Penny: Informal writings, past sharable presentations, and general information sharing of things I find interesting.

Facebook: Fun people that I associate with socially.

LinkedIn: People I have done business with or know professionally that I would vouch for. Yes. I really do know all of those people and have had dealings in the past.

Be Cool

As any good rule, it is proven by its exceptions. Excessively cool people are allowed to break most rules.

My advice to everyone: be excessively cool and don’t take things seriously that do not merit being taken seriously.

Life is too short to be taken seriously. — Oscar Wilde

Work and play are words used to describe the same thing under differing conditions. –Mark Twain

In every real man a child is hidden that wants to play. –Friedrich Nietzsche

Humanity has advanced, when it has advanced, not because it has been sober, responsible, and cautious, but because it has been playful, rebellious, and immature. –Tom Robbins

Necessity may be the mother of invention, but play is certainly the father. –Roger von Oech

Related posts:

1. New Facebook private features
2. New Nettiqute: A simple guide to communicating with your favorite geeks.
3. I judge you: A social networks commentary

As per usual large non-technical business operations, and I feel that I must classify Comcast as such, they launched a product [...]]]> After a few years of avoiding the cable industry, I went ahead and signed up for Comcast Highspeed2Go, a new bundled service where they resell Clearwire and combine it with conventional broadband home internet service.

As per usual large non-technical business operations, and I feel that I must classify Comcast as such, they launched a product that they could not support. I spent a few hours on the phone with them attempting to figure out why they disabled wireless cards they sent me. They sent me a total of three cards and then disabled each of them after about a week.

This last week I didn’t feel like giving Comcast another two hour free tech support call and sent all of their wireless gear back to them. Previously I spent a few hours talking to people in attempts to navigate their broken process in order to get home service installed and activated.

The time of a consumer seems to be a free resource according to Comcast. They have a robodialer calling me now asking me to call some number. No thanks. I’m already at my quota for time wasted talking to you guys this month. I’ll be happy to pay you when you send me a bill consistent with our agreements.

This is nothing new. Back when I managed leased lines from telcos, I eventually found a backchannel into their top tier of support to get recurring and completely preventable problems resolved. I monitored their uptime. I reported their outages. I gave them their remediation process. If I didn’t, the business that I worked for would suffer.

Usually I assume good will, but my experiences as a consumer and as a professional with Comcast in particular point in another direction.

My point here is that branding is considered more substantial than service. I’m sure this is a business decision that was made when they worked the numbers and determined that giving five 9s of uptime and quick problem resolution was more expensive than just running more commercials, forcing out competition, suing municipal projects designed to give an alternative, and having the illusion of support on Twitter.

In an upcoming white paper, some associates and I will be discussing some aspects of this issue. Sometimes quality of service and streamlined operational works matter. Occasionally a company makes a business case for giving good service and honest commitments. Invariably, they are purchased and wrapped under one of the huge brands to be forgotten after their customers are re-absorbed into the amoeba of near-monopoly mediocrity.

This seems to be the new model for innovators and people who are good at their jobs:

• Find an unmet market need to improve
• Do it better, faster, more reliably, or with pretty colors
• Get bought out and paid (mostly) in stock
• See your business die at the hands of the insiders that can’t improve themselves
• Move on to something else

Where does this leave the market? Large non-agile organizations who are prone to mismanagement buy all of the intellectual property and use political influence and bare-knuckle market pressures to keep themselves on top of the heap.

Result: the market and consumers suffer.

See also the current state of patents, software and otherwise.

Some services and systems should not be held to the minimum standard of MBA business sufficiency where any excess money spent past the point where the customer will not fire the vendor is waste. My experience tells me that the standard of five 9s is generally becoming a thing of the past. Huge websites turn themselves off for multi-hour maintenance routinely with no notice. Cell phone providers incur day-long nationwide outages. Cable companies turn down a variety of services without warning or notification for undetermined amounts of time.

No standard of service seems to be the preeminent emerging standard of service. The myth of the disposable worker is in full effect here.

I’m seeing this as a market opportunity for service providers. I would wager that consumers who can pay will pay to not talk to these people. That was the Speakeasy sales model when I was their consumer in the past:

We’ll provide you with DSL service and you won’t have to talk to any incompetent jerks. Pay a little more a month and it’s completely worth it.

Speakeasy could compete with Covad and Qwest offerings (even though they resell the both of them) because the big guys do such a bad job of taking care of their customers. Qwest and Covad are on board with this Comcast consumer model.

These MITMing businesses should increase as this continues since real competition is not currently allowed to occur simply because consumer time does have a value that is not being addressed.

The cable and other telcos had better watch out that they don’t kill their own markets. As soon as a fast data alternative comes along, be it from Google, a national broadband plan, or fast unlimited wireless, all of their business models are toast.

Keep it up, guys. We’ll see you in the technology deadpool soon enough.

Related posts:

1. Comcast Wimax
2. Phone followup (again)
3. BBB complaint: Vonage

The wedge of compliance or a mandate from a framework may get some base [...]]]> There is a lot of perennial talk of social engineering and direct project/resource management. Attempts to solve complicated political situations with manipulation or a slick widget tend not to work very well over time. They are not addressing the underlying issue.

The wedge of compliance or a mandate from a framework may get some base requirements moving. However, in order to get people; chief executives and influential management, towing the line for a healthy risk and security governance program, it will take something more. It takes a bidirectional respect for the people involved and bringing the conversation to them in terms that they, your audience, understands.

In short, technology risk in general is not well understood by many practitioners. Outside of direct practitioners it is barely understood at all. Technology risks to business can be so complicated to understand that it needs to be interpreted and put into well understood terms that everyone understands, such as dollars.

Fostering a climate of respect and reward of long term goals instead of a short-term win is key to the success of any real life security governance program.

I have some thoughts on how to begin.

Respect your audience:

• Present in terms they understand.
• To foster long term success, win by soft persuasion to the right path and finding of common goals. Not with a compliance beatdown or audit hammer.

Respect peoples time:

• Have an agenda for your meetings and stick to it. Get through your agenda, keep it focused, and conclude your meetings quickly. Make effective use of everyones time.
• Focus your presentations. Have the subject matter you are presenting be relevant and interesting to your audience. “If your numbers are boring, then you’ve got the wrong numbers” said the esteemed Edward Tufte. Keep in mind his criticism of PowerPoint.
• Realize that you must effectively communicate organization needs and concerns in a language and context so that it is understood. This will enable the organization, and individuals, to form a measured and concise response.

Respect your resources:

• Project management often overtasks. Assume and extol good will and respect and express it to those with whom you work. When performed correctly, you should find a net productivity gain. This is especially true with your indirect reports. Trust but verify, comrade!
• Slow down your initial reaction to assign blame when priorities collide. Make a measured response that will be constructive to your resource, manager, executive, or business partner. Enter the conversation with at least the appearance of malleability and an open mind. The respect of at least entertaining the feedback, advice, and input of others into the decision making process earns good will and political capital.

Respect the constraints of your organization:

• I can’t tell you the number of encounters I have had with peers who understand the role of a security engineer but do not understand risk management. An information security professional is very rarely tasked with eliminating all risks inherent in a system. Most often it is reducing risk and exposure to amounts that are acceptable to the organization for a cost they can tolerate. The biggest challenge that an information security professional has is communicating in relevant terms the unmitigated risks and exposures to the organization they are working within. Don’t take it personally when the perfect ideal is not made a reality. Optimize, compartmentalize, and reduce exposure. Getting this fit right is done by putting risk in terms everyone can understand, maturing an organization, and identifying exposures at an early stage of development.
• Because of the vast differences in organizations, there is almost never a silver bullet solution to risk. Everything must be right-sized both at the design table and where the rubber meets the road. Often timetables for change will be longer than desired. The important part is that change is happening. The schedule can change as the landscape, challenges, and risks change.

Too often I hear other fellows in the trade using harsh words to begrudge people who do not understand risk management instead of lamenting their inability to express it in terms that they will understand. Too often problems arise in not communicating effectively and in not earning or giving respect. This failure in communication was what I read into this CSO Online article about a $10M raise in budget after a showboaty penetration report.

Ira says “grab by the balls.” I say “communicate effectively and with respect.”

Related posts:

1. Politics in system security
2. The Trials of Toorcamp
3. ITCi 2007

Here is the abstract from Unskilled and Unaware of It: How Difficulties in Recognizing One’s Own Incompetence Lead to Inflated Self-Assessments (Justin Kruger and David Dunning, Department of [...]]]> I wanted to continue a bit where I left off with a non-technical explanation of what people such as myself do and my commentary on evolving technology management.

Here is the abstract from Unskilled and Unaware of It: How Difficulties in Recognizing One’s Own Incompetence Lead to Inflated Self-Assessments (Justin Kruger and David Dunning, Department of Psychology, Cornell University), a fairly well known publication that appeared in the Journal of Personality and Social Psychology (official link unavailable):

People tend to hold overly favorable views of their abilities in many social and intellectual domains. The authors suggest that this overestimation occurs, in part, because people who are unskilled in these domains suffer a dual burden: Not only do these people reach erroneous conclusions and make unfortunate choices, but their incompetence robs them of the metacognitive ability to realize it. Across 4 studies, the authors found that participants scoring in the bottom quartile on tests of humor, grammar, and logic grossly overestimated their test performance and ability. Although their test scores put them in the 12th percentile, they estimated themselves to be in the 62nd. Several analyses linked this miscalibration to deficits in metacognitive skill, or the capacity to distinguish accuracy from error. Paradoxically, improving the skills of participants, and thus increasing their metacognitive competence, helped them recognize the limitations of their abilities.

This principal, known now as the Dunning–Kruger effect, was given the dubious honor of winning an Ig Nobel prize in 2000. Astonishingly enough, media from the NPR Science Friday show that covered the Ig Nobels that year is still available 10 years later.

It seems to be part of the human condition to have trouble recognizing both competence and incompetence in matters where the observer is not at the top of their game. For example, nearly all Americans and most Swedes think that they are better than average drivers.

This is entertaining and all, but I say this not to call attention to making fun of stupid or incompetent people in the world. Rather, how does one identify and work with people who are incompetent and not cognizant of it? What about if they are highly intelligent and are undervaluing their abilities? How does one know if ones self assessment is accurate? How can one right-size ability and decision making stature? How can one make a qualitative judgement of qualitative judgements?

It’s not a simple problem.

Certainly being a well rounded and traveled individual may help in finding this kind of clarity. This may also be something largely gained from journeyman tradecraft; seeing other methods and masters firsthand. This may be why people talk about risk management as being on par with a JD or MD; it takes a lot of time, passion, and diligence to become and stay competent and aware and literate of the many challenges present in diverse environments and constantly moving technology. The responsibility in the design, management and assessment of complicated systems is also large. Persistent errors here can literally cost lives, crash fortunes, and wreck business models. It may be one of the hardest careers.

The massive efficiency increases to work and leisure of the last 20 years, the strides that have been taken in the knowledge of how individuals most effectively learn, and with all of the information available on the internet, affords the opportunity to learn effectively and in a disciplined approach to become and stay competent in this field. I find that many people make casual reference to Gladwell’s “~10,000 hours = success in a field” rule which seems to be the take-away factoid from his book Outliers. I’m not really sure what to think of Gladwell and his writing, but it strikes me arbitrary. I think of competency in a large and deep field of knowledge to be like snowballs rolling down a hill; they start small, but they increase in size, depth, and have a sense of momentum.

Everyone can’t be a world famous polymath like Leonardo da Vinci or Johann Wolfgang von Goethe. Genius of that level seems to be cultivated only occasionally and is not a realistic role model for nearly anyone. I do know a lot of people that are like Richard Feynman however; a pretty competent man and likely fun at parties.

“A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects.” — Robert Heinlein

I do believe that many of this ages competent [wo]men are involved in information technology and the cream of IT are those that manage complicated systems. Certainly many of the geek cultural heros are, such as the Batman, Gregory House, Ryo Saeba, and James Bolivar DiGriz, show the common geeks aspiration to be widely competent. This may be the true root of what geek culture is all about.

Predictably to those familiar with my past work, this leads back to my usual harping on metrics and data analysis instead of so called best practices, third party industry rankings, or arbitrary standards. Meaningful data is the only way to get away from the constructs of cognitive bias that lead people to fear plane crashes and terrorism but feel completely safe driving a car in nearly any condition.

I pose a question: can the competence of a complicated system be left to a specialist who is not competent to judge the quality of all of its components? The stakes are high after all, for what could be more important in a world that runs on the power of information but the secrets of powerful people and organizations? I contend that a conformist drive to make industry into a uniform, standard, and specialist product is directly at odds with that of producing quality work product for our industry as a whole. The business would prefer that an employee can be easily recruited, fired, or trained to perform this job, but I do not believe that this is a realistic goal for risk management specifically, and perhaps, IT in general.

In reading one of Andre’s dives into the waters of competence and speciality, I was stuck at his harsh but close to home hitting words about the state of the industry and professional credentials. He invokes Dan Geer. Here is the preface to the talk he cites, a keynote at Source Boston:

Good morning. If you were to come to my office, you would see on the wall these four rules:

• Work like Hell
• Share all you know
• Abide by your handshake
• Have fun

And later:

Only people in this room will understand what I am now going to say. It is this: Security is perhaps the most difficult intellectual profession on the planet. The core knowledge base has reached the point where new recruits can no longer hope to be competent generalists, serial specialization is the only broad option available to them.

Ah there it is again. Serial specialization might be closer to what I mean, but it is a bit hairsplitting to argue about if a skill set is generalist or serial specialist. I think the real criteria here is passion for learning and a will to do what is necessary to learn and work well.

I was discussing this with a friend who is a developer who has been kept pure from this circus but hears some of my tales. He had this to say when I asked him about his experience with efforts to make a homogenized software development environment. He asked that he not be named but his words from the developer side of the house sounded quite familiar to me:

Having worked in a variety of industries, at a number of companies, provides one with a reasonable substrate against which to compare and contrast the natures of the environments in which one works. A set of patterns emerge that reveal the nature of an organization. Unfortunately, many of them reveal weaknesses or inefficiencies in the modern place of employment.

College degrees are all but an afterthought nowadays. Employers have responded by creating a set of artificial restrictions. Since I started at my current employer, a policy has been enacted by the HR department, stipulating that an applicant seeking, for example, a software development position, must hold a degree in computer science. This is a terrible idea. What does HR know about finding talented programmers? Perhaps the most talented programmers I’ve worked with have been the ones that do not hold a computer science degree. A couple of them never even finished college. An ability to excel in software development is not restricted to those who have spent years and a bunch of money on formal training in the field. As with most other crafts, a good indicator of success is the zeal with which one pursues it. Why not allow those who are responsible for developing the software determine the qualifications for those who will ultimately be hired to help build it? Senseless policies like these disempower those accountable for the work and serve as a blockade to workplace efficiency. It’s not much of a stretch to feel like HR, in situations like these, is a congressional body for the workplace, passing more and more laws as though it’s an effort to convince others that their existence is justified.

Something else that becomes clear after working in various employment climates is how important it is to hire really good people. This sounds like an obvious statement, but chances are you don’t even know how much this affects you. Hiring great people is what allows a company to trust employees to be able to do their jobs with minimal intervention. Being able to trust employees in this way reduces the need for artificial barriers that stand in the way of getting real work done. These policies are often in place to protect a company or workgroup from someone doing something stupid. Employers should aspire to hire good people–the best they can–across the board, so that they don’t have to annoy the good people with policies or artificial divisions of work responsibilities that mainly get in their way. This is, of course, easier said than done, but if this approach were more prominently represented in hiring practices, I suspect we’d all be better off. But, hmm, where would everyone else work?

Practically speaking, it seems that the companies that are known for difficult interviews are the ones that have a higher caliber of employee across the board. I’m not talking about making interviews hard and annoying for its own sake, but rather interviewing “smart,” and determining a good fit, not necessarily who has paid the right amount of money for professional training.

Additionally I would like to mention that with the great responsibility and knowledge required to perform well in these critical roles, there is the sticky point of ethics and professional due care. The current industry standard of “not getting caught being a jerk” is pretty weak. This relates to my point of competence and generalist/specialist bias as there is a classical example that could be considered as a useful metaphor: Bushido. Will has his own rant on the subject which I recommend.

In the end, the world is wide and filled with wonder and things that we as humans will never fully understand. I would suggest, as an ideal, not to fear the unknown but appreciate it for the challenge that it is to do something that you haven’t done before. There will always be people who have something to teach you. Learn from them.

At the end of the day, it is the seasoned veterans from the trench warfare of operations and gladiatorial arenas of the boardrooms that will steer a ship to calm safe waters. Thy have the best stories, have seen the mountaintops, have looked into the yawning abyss, and have come to you to tell the tale. Are you ready to hear them?

Image References:
Creating Passionate Users
Dave Gray

I can’t link to my comment there and, since I’m going to continue down the rabbit hole on this particular topic, I wanted to be certain that I [...]]]> This is a reprint of my comment to a Joshua Corman’s posting on The Fudsec Blog. Consider going there to read his article and the discussion that followed.

I can’t link to my comment there and, since I’m going to continue down the rabbit hole on this particular topic, I wanted to be certain that I had a link to reference should internet churn happen.

I see where you’re trying to go here, but I’m not quite with you.

First, the OODA loop can easily turn into the usual Hamster Wheel of Pain as Jaquith mentions in his book Security Metrics: Replacing Fear, Uncertainty, and Doubt. If you shared the link entitled On Sheep, Wolves, and Sheepdogs with non-insiders, I believe most people would find it offensive. People don’t like being called a sheep because they don’t understand the dizzying details and byzantine process and pitfalls of our industry that is largely driven by irrationality. I also don’t really find it directly relevant or constructive in a complexity and technology risk management discussion, though it is if someone objected to carrying a gun in church.

After talking with Mr Gragido, him bring up this blog entry, my saying that I had read it already, and his encouraging me to join the conversation, I find myself ready to talk about some of the same talking points that I’ve been bringing up for the last couple of years:

• relevance
• metrics
• unjustifiable complexity
• over-specialization
• mental inflexibility

First, most of what everyone in the industry speaks about is entirely irrelevant to business. Completely. If the information security profession wants to be taken seriously, they need to be relevant and speak in terms that the business will understand. Everything else I bring up is in line with this first point.

Second, almost nothing is measurable. There are many workflows, scorecards, risk valuations, and frameworks, but nearly all of the time, they are not put in terms that the consumers of risk information find relevant. Metrics need to be automated (cheap to gather) and meaningful.

• Measuring if past implementations have been effective or if the ROI was achieved after the unforeseen operational costs. Basing decisions on rich data case study would be great and also nearly completely unavailable.
• No information sharing between consumers anywhere. There is no Consumer Reports for enterprise technology. Every vendor or analyst has their hand out and it significantly colors their recommendation findings IMHO. Enterprise doesn’t share the data that matters.
• A vulnerability scanner provides what is the worst kind of metric; one that isn’t meaningful to anyone. The risk practitioner knows that it is only a faction of appreciable risk, a non-practitioner looking at a scorecard may draw unjustified conclusions based on the score delta, etc.

Third, with all this talk about cloud computing, people seem to be forgetting that cloud computing is not anything new. It’s distributed computing bundled with an API and given a fluffy concept to be marketed. This is not helping anything. If we as an industry are going to add a bunch of additional layers to the old conceptual model, we do not need to evolve, we need to optimize. I’ve asked around. Almost no one knows what we do. We’re the gnomes that fix their shoes at night and lead people to believe that their shoes fix themselves. If we’re going to accept giant expansion of the threat landscape in accepting massively insecure Web 2.0 applications and, at the same time, accept outsourcing all of our data to complex distributed systems where it intermingles with everyone elses data in a way that people throw up their hands, as it is too complex, and declares “it is in the cloud,” someone needs to appreciate that they are making this risk decision. It is our responsibility to communicate this. No one else will do it.

Fourth, people have become way too specialized to the point of not understanding what their actions have on other teams. It may be the case that literacy in many areas of our practice is hard. As complexity increases, the amount of people who will be up for it will decrease. The dispassionate that only came for a day job that pays a lot of money will not care enough to do what it takes to get their hands around it. We need to be clear that this complexity we’re developing will accelerate the Peter Principal of technology and technology-dependant business management. I find it interesting that Technological Management is a stub here, though I am not surprised. We need to work toward a middle ground so that communication can happen on a level playing field. ASVS may help us to do this.

Fifth, and finally, best laid plans need to be right-sized on the ground. A mechanic’s touch needs to be worked into human resource valuation. Flexibility and agile organization has to be valued more than the ability for bad managers to find someone else to blame for the systematic problems that they have had a part in creating. Complacency is too widespread. Complacent organizations are driven by the minimum standards of compliance. Leaders do not talk much about compliance as it is way in their review mirror.

If we as risk managers can not put risk in terms that the decision makers and shareholders can understand without calling them sheep or cattle, then we are not worth anything. If we can’t make the argument inside of the technology discussion, what chance do we have translating that to those who do not have an interest in technology?

Related posts:

1. What we do
2. The Politics of Respect
3. ITCi 2007