The Politics of Respect

There is a lot of perennial talk of social engineering and direct project/resource management. Attempts to solve complicated political situations with manipulation or a slick widget tend not to work very well over time. They are not addressing the underlying issue.

The wedge of compliance or a mandate from a framework may get some base requirements moving. However, in order to get people, chief executives and influential management included, toeing the line for a healthy risk and security governance program, it will take something more. It takes a bidirectional respect for the people involved and bringing the conversation to them in terms that they, your audience, understand.

In short, technology risk in general is not well understood by many practitioners. Outside of direct practitioners it is barely understood at all. Technology risks to business can be so complicated to understand that they need to be interpreted and put into well understood terms that everyone grasps, such as dollars.

Fostering a climate of respect and reward of long term goals instead of a short-term win is key to the success of any real life security governance program.

I have some thoughts on how to begin.

Respect your audience:

  • Present in terms they understand.
  • To foster long term success, win by soft persuasion to the right path and finding of common goals. Not with a compliance beatdown or audit hammer.

Respect people's time:

  • Have an agenda for your meetings and stick to it. Get through your agenda, keep it focused, and conclude your meetings quickly. Make effective use of everyone's time.
  • Focus your presentations. Have the subject matter you are presenting be relevant and interesting to your audience. “If your numbers are boring, then you’ve got the wrong numbers” said the esteemed Edward Tufte. Keep in mind his criticism of PowerPoint.
  • Realize that you must effectively communicate organization needs and concerns in a language and context so that it is understood. This will enable the organization, and individuals, to form a measured and concise response.


Respect your resources:

  • Project management often overtasks. Assume and extol good will and respect and express it to those with whom you work. When performed correctly, you should find a net productivity gain. This is especially true with your indirect reports. Trust but verify, comrade!
  • Slow down your initial reaction to assign blame when priorities collide. Make a measured response that will be constructive to your resource, manager, executive, or business partner. Enter the conversation with at least the appearance of malleability and an open mind. The respect of at least entertaining the feedback, advice, and input of others into the decision making process earns good will and political capital.

Respect the constraints of your organization:

  • I can’t tell you the number of encounters I have had with peers who understand the role of a security engineer but do not understand risk management. An information security professional is very rarely tasked with eliminating all risks inherent in a system. Most often it is reducing risk and exposure to amounts that are acceptable to the organization for a cost they can tolerate. The biggest challenge that an information security professional has is communicating in relevant terms the unmitigated risks and exposures to the organization they are working within. Don’t take it personally when the perfect ideal is not made a reality. Optimize, compartmentalize, and reduce exposure. Getting this fit right is done by putting risk in terms everyone can understand, maturing an organization, and identifying exposures at an early stage of development.
  • Because of the vast differences in organizations, there is almost never a silver bullet solution to risk. Everything must be right-sized both at the design table and where the rubber meets the road. Often timetables for change will be longer than desired. The important part is that change is happening. The schedule can change as the landscape, challenges, and risks change.

Too often I hear other fellows in the trade using harsh words to begrudge people who do not understand risk management instead of lamenting their inability to express it in terms that they will understand. Too often problems arise in not communicating effectively and in not earning or giving respect. This failure in communication was what I read into this CSO Online article about a $10M raise in budget after a showboaty penetration report.

Ira says “grab by the balls.” I say “communicate effectively and with respect.”


Specialists, Generalists, Incompetence, and Cognitive Bias

I wanted to continue a bit where I left off with a non-technical explanation of what people such as myself do and my commentary on evolving technology management.

Here is the abstract from Unskilled and Unaware of It: How Difficulties in Recognizing One’s Own Incompetence Lead to Inflated Self-Assessments (Justin Kruger and David Dunning, Department of Psychology, Cornell University), a fairly well known publication that appeared in the Journal of Personality and Social Psychology (official link unavailable):

People tend to hold overly favorable views of their abilities in many social and intellectual domains. The authors suggest that this overestimation occurs, in part, because people who are unskilled in these domains suffer a dual burden: Not only do these people reach erroneous conclusions and make unfortunate choices, but their incompetence robs them of the metacognitive ability to realize it. Across 4 studies, the authors found that participants scoring in the bottom quartile on tests of humor, grammar, and logic grossly overestimated their test performance and ability. Although their test scores put them in the 12th percentile, they estimated themselves to be in the 62nd. Several analyses linked this miscalibration to deficits in metacognitive skill, or the capacity to distinguish accuracy from error. Paradoxically, improving the skills of participants, and thus increasing their metacognitive competence, helped them recognize the limitations of their abilities.

This principle, known now as the Dunning–Kruger effect, was given the dubious honor of winning an Ig Nobel prize in 2000. Astonishingly enough, media from the NPR Science Friday show that covered the Ig Nobels that year is still available 10 years later.


It seems to be part of the human condition to have trouble recognizing both competence and incompetence in matters where the observer is not at the top of their game. For example, nearly all Americans and most Swedes think that they are better than average drivers.

This is entertaining and all, but I say this not to call attention to making fun of stupid or incompetent people in the world. Rather, how does one identify and work with people who are incompetent and not cognizant of it? What if they are highly intelligent and are undervaluing their abilities? How does one know if one's self-assessment is accurate? How can one right-size ability and decision-making stature? How can one make a qualitative judgement of qualitative judgements?

It’s not a simple problem.

Certainly being a well rounded and traveled individual may help in finding this kind of clarity. This may also be something largely gained from journeyman tradecraft; seeing other methods and masters firsthand. This may be why people talk about risk management as being on par with a JD or MD; it takes a lot of time, passion, and diligence to become and stay competent and aware and literate of the many challenges present in diverse environments and constantly moving technology. The responsibility in the design, management and assessment of complicated systems is also large. Persistent errors here can literally cost lives, crash fortunes, and wreck business models. It may be one of the hardest careers.

The massive efficiency increases to work and leisure of the last 20 years, the strides that have been taken in the knowledge of how individuals most effectively learn, and all of the information available on the internet afford the opportunity to learn effectively and in a disciplined approach to become and stay competent in this field. I find that many people make casual reference to Gladwell's "~10,000 hours = success in a field" rule, which seems to be the take-away factoid from his book Outliers. I'm not really sure what to think of Gladwell and his writing, but it strikes me as arbitrary. I think of competency in a large and deep field of knowledge to be like snowballs rolling down a hill; they start small, but they increase in size, depth, and have a sense of momentum.

Everyone can’t be a world famous polymath like Leonardo da Vinci or Johann Wolfgang von Goethe. Genius of that level seems to be cultivated only occasionally and is not a realistic role model for nearly anyone. I do know a lot of people that are like Richard Feynman however; a pretty competent man and likely fun at parties.

“A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects.” — Robert Heinlein

I do believe that many of this age's competent [wo]men are involved in information technology and the cream of IT are those that manage complicated systems. Certainly many of the geek cultural heroes, such as the Batman, Gregory House, Ryo Saeba, and James Bolivar DiGriz, show the common geek's aspiration to be widely competent. This may be the true root of what geek culture is all about.

Predictably to those familiar with my past work, this leads back to my usual harping on metrics and data analysis instead of so-called best practices, third party industry rankings, or arbitrary standards. Meaningful data is the only way to get away from the constructs of cognitive bias that lead people to fear plane crashes and terrorism but feel completely safe driving a car in nearly any condition.

I pose a question: can the competence of a complicated system be left to a specialist who is not competent to judge the quality of all of its components? The stakes are high after all, for what could be more important in a world that runs on the power of information but the secrets of powerful people and organizations? I contend that a conformist drive to make industry into a uniform, standard, and specialist product is directly at odds with that of producing quality work product for our industry as a whole. The business would prefer that an employee can be easily recruited, fired, or trained to perform this job, but I do not believe that this is a realistic goal for risk management specifically, and perhaps, IT in general.

In reading one of Andre's dives into the waters of competence and speciality, I was struck by his harsh but close-to-home hitting words about the state of the industry and professional credentials. He invokes Dan Geer. Here is the preface to the talk he cites, a keynote at Source Boston:

Good morning. If you were to come to my office, you would see on the wall these four rules:

  • Work like Hell
  • Share all you know
  • Abide by your handshake
  • Have fun

And later:

Only people in this room will understand what I am now going to say. It is this: Security is perhaps the most difficult intellectual profession on the planet. The core knowledge base has reached the point where new recruits can no longer hope to be competent generalists, serial specialization is the only broad option available to them.

Ah, there it is again. Serial specialization might be closer to what I mean, but it is a bit hairsplitting to argue about whether a skill set is generalist or serial specialist. I think the real criteria here are passion for learning and a will to do what is necessary to learn and work well.

I was discussing this with a friend who is a developer who has been kept pure from this circus but hears some of my tales. He had this to say when I asked him about his experience with efforts to make a homogenized software development environment. He asked that he not be named but his words from the developer side of the house sounded quite familiar to me:

Having worked in a variety of industries, at a number of companies, provides one with a reasonable substrate against which to compare and contrast the natures of the environments in which one works. A set of patterns emerge that reveal the nature of an organization. Unfortunately, many of them reveal weaknesses or inefficiencies in the modern place of employment.

College degrees are all but an afterthought nowadays. Employers have responded by creating a set of artificial restrictions. Since I started at my current employer, a policy has been enacted by the HR department, stipulating that an applicant seeking, for example, a software development position, must hold a degree in computer science. This is a terrible idea. What does HR know about finding talented programmers? Perhaps the most talented programmers I’ve worked with have been the ones that do not hold a computer science degree. A couple of them never even finished college. An ability to excel in software development is not restricted to those who have spent years and a bunch of money on formal training in the field. As with most other crafts, a good indicator of success is the zeal with which one pursues it. Why not allow those who are responsible for developing the software determine the qualifications for those who will ultimately be hired to help build it? Senseless policies like these disempower those accountable for the work and serve as a blockade to workplace efficiency. It’s not much of a stretch to feel like HR, in situations like these, is a congressional body for the workplace, passing more and more laws as though it’s an effort to convince others that their existence is justified.

Something else that becomes clear after working in various employment climates is how important it is to hire really good people. This sounds like an obvious statement, but chances are you don’t even know how much this affects you. Hiring great people is what allows a company to trust employees to be able to do their jobs with minimal intervention. Being able to trust employees in this way reduces the need for artificial barriers that stand in the way of getting real work done. These policies are often in place to protect a company or workgroup from someone doing something stupid. Employers should aspire to hire good people–the best they can–across the board, so that they don’t have to annoy the good people with policies or artificial divisions of work responsibilities that mainly get in their way. This is, of course, easier said than done, but if this approach were more prominently represented in hiring practices, I suspect we’d all be better off. But, hmm, where would everyone else work?

Practically speaking, it seems that the companies that are known for difficult interviews are the ones that have a higher caliber of employee across the board. I’m not talking about making interviews hard and annoying for its own sake, but rather interviewing “smart,” and determining a good fit, not necessarily who has paid the right amount of money for professional training.

Additionally I would like to mention that with the great responsibility and knowledge required to perform well in these critical roles, there is the sticky point of ethics and professional due care. The current industry standard of “not getting caught being a jerk” is pretty weak. This relates to my point of competence and generalist/specialist bias as there is a classical example that could be considered as a useful metaphor: Bushido. Will has his own rant on the subject which I recommend.

In the end, the world is wide and filled with wonder and things that we as humans will never fully understand. I would suggest, as an ideal, not to fear the unknown but appreciate it for the challenge that it is to do something that you haven’t done before. There will always be people who have something to teach you. Learn from them.

At the end of the day, it is the seasoned veterans from the trench warfare of operations and gladiatorial arenas of the boardrooms that will steer a ship to calm safe waters. They have the best stories, have seen the mountaintops, have looked into the yawning abyss, and have come to you to tell the tale. Are you ready to hear them?

Image References:
Creating Passionate Users

Dave Gray


Agile Infosec

This is a reprint of my comment on Joshua Corman's posting on The Fudsec Blog. Consider going there to read his article and the discussion that followed.

I can’t link to my comment there and, since I’m going to continue down the rabbit hole on this particular topic, I wanted to be certain that I had a link to reference should internet churn happen.

I see where you’re trying to go here, but I’m not quite with you.

First, the OODA loop can easily turn into the usual Hamster Wheel of Pain as Jaquith mentions in his book Security Metrics: Replacing Fear, Uncertainty, and Doubt. If you shared the link entitled On Sheep, Wolves, and Sheepdogs with non-insiders, I believe most people would find it offensive. People don’t like being called a sheep because they don’t understand the dizzying details and byzantine process and pitfalls of our industry that is largely driven by irrationality. I also don’t really find it directly relevant or constructive in a complexity and technology risk management discussion, though it is if someone objected to carrying a gun in church.

After talking with Mr Gragido, his bringing up this blog entry, my saying that I had read it already, and his encouraging me to join the conversation, I find myself ready to talk about some of the same talking points that I've been bringing up for the last couple of years:

  • relevance
  • metrics
  • unjustifiable complexity
  • over-specialization
  • mental inflexibility

First, most of what everyone in the industry speaks about is entirely irrelevant to business. Completely. If the information security profession wants to be taken seriously, they need to be relevant and speak in terms that the business will understand. Everything else I bring up is in line with this first point.

Second, almost nothing is measurable. There are many workflows, scorecards, risk valuations, and frameworks, but nearly all of the time, they are not put in terms that the consumers of risk information find relevant. Metrics need to be automated (cheap to gather) and meaningful.

  • Measuring if past implementations have been effective or if the ROI was achieved after the unforeseen operational costs. Basing decisions on rich data case study would be great and also nearly completely unavailable.
  • No information sharing between consumers anywhere. There is no Consumer Reports for enterprise technology. Every vendor or analyst has their hand out and it significantly colors their recommendation findings IMHO. Enterprise doesn’t share the data that matters.
  • A vulnerability scanner provides what is the worst kind of metric: one that isn't meaningful to anyone. The risk practitioner knows that it is only a fraction of appreciable risk; a non-practitioner looking at a scorecard may draw unjustified conclusions based on the score delta, etc.

Third, with all this talk about cloud computing, people seem to be forgetting that cloud computing is not anything new. It's distributed computing bundled with an API and given a fluffy concept to be marketed. This is not helping anything. If we as an industry are going to add a bunch of additional layers to the old conceptual model, we do not need to evolve, we need to optimize. I've asked around. Almost no one knows what we do. We're the gnomes that fix their shoes at night and lead people to believe that their shoes fix themselves. If we're going to accept a giant expansion of the threat landscape by accepting massively insecure Web 2.0 applications and, at the same time, accept outsourcing all of our data to complex distributed systems where it intermingles with everyone else's data in a way that people throw up their hands, as it is too complex, and declare "it is in the cloud," someone needs to appreciate that they are making this risk decision. It is our responsibility to communicate this. No one else will do it.

Fourth, people have become way too specialized, to the point of not understanding what effect their actions have on other teams. It may be the case that literacy in many areas of our practice is hard. As complexity increases, the number of people who will be up for it will decrease. The dispassionate who only came for a day job that pays a lot of money will not care enough to do what it takes to get their hands around it. We need to be clear that this complexity we're developing will accelerate the Peter Principle of technology and technology-dependent business management. I find it interesting that Technological Management is a stub here, though I am not surprised. We need to work toward a middle ground so that communication can happen on a level playing field. ASVS may help us to do this.

Fifth, and finally, best laid plans need to be right-sized on the ground. A mechanic's touch needs to be worked into human resource valuation. Flexibility and agile organization have to be valued more than the ability of bad managers to find someone else to blame for the systematic problems that they have had a part in creating. Complacency is too widespread. Complacent organizations are driven by the minimum standards of compliance. Leaders do not talk much about compliance as it is way back in their rear-view mirror.

If we as risk managers cannot put risk in terms that the decision makers and shareholders can understand without calling them sheep or cattle, then we are not worth anything. If we can't make the argument inside of the technology discussion, what chance do we have translating it to those who do not have an interest in technology?


Mike’s SE Presentation at HH09

Mike Murray's talk on Social Engineering from this year's Hacker Halted.

Hacker Halted Redux

Good stuff, Mike!


New Netiquette: A simple guide to communicating with your favorite geeks.

It’s been quite a while since I’ve seen an updated guide on email etiquette or netiquette in general.

This may be because there are about 300 guides written by out-of-work journalists whose exposure to technology was having played with an iPhone for about 5 minutes. I believe that they're in the same place in my brain where banner ads and sponsored links land and are thus culled and ignored almost immediately. Ask the big geeks you know, and you will find that they have brain-based adblock enabled as well.

(I just spent 5 minutes trying to figure out if I should put an apostrophe there and where it would correctly belong in that sentence. I think I know too many grammar nazis.)

Oh.  Okay.  Thanks.  Fixed.

So really, what I mean to say is that there doesn’t seem to be one of worth lately, though I’m sure someone will add some in the comments to this posting eventually. The things like social networks and twitter, the places where one is really needed, are the places where a bunch of people write 500 horrible guides.

Here's where netiquette was when this whole internet thing happened. Notice how a lot of people you know don't not-do these things. Notice how Eternal September will never end. This is why a lot of old school types have quit irc or have retreated to backwater +i or +k channels.

Here's ten four things to keep in mind:

1) If it is important, it’s not something that should be sent in a text message. Text messaging is for 14 year old girls and introverts who don’t mind taking 5 minutes to communicate what they could have talked about in 30 seconds. Perhaps what they really need to make is a subvocalizing phone. Then like one half of the female population will be on confs with each other most of the waking day.

On second thought, please don’t. Please do not make those.

(Did you know that Google Voice already had confs built in?)

2) If you are having an issue with your computer or technology and want to talk to me about it, send it from an IM client that can screen share so that you can demonstrate it and I can fix it. [Only close family and intimates eligible. Offer void when I am busy or already frustrated.]

So anyway.

3) Twitter. If you can avoid it, do. If you find that you have to use it, it is painful enough already without having to look at stuff like this:

[screenshot of the tweets in question]

But he’s not like that all day and night, right?

[another screenshot of the same account]

Wrong.

I hear you’re cool and all in person, but I can’t do this anymore, Chris! Argh!

This came in while I was writing this:

[screenshot of the tweet that arrived while writing]

Quoting fictional characters? Picard is someone’s role model? Gah. It’s like this all over Twitter. It’s horrible.

Additionally: No Mom, I will not teach you to use Twitter. It was bad enough an idea when I taught you to text message. I learned my lesson.

4) Don’t touch my phone. I’m serious.

