Sunday, July 10, 2016

My Favorite Quotes July 11, 2016

“If you never change your mind, why have one?”
- Edward De Bono

“The illiterate of the 21st century will not be those who cannot
read and write, but those who cannot learn, unlearn, and relearn. ”
 - Alvin Toffler

“You’ve got to think about big things while you’re doing small things, so that all the small things go in the right direction.” 
 - Alvin Toffler

“I hear and I forget. I see and I remember. I do and I understand.” 
- Chinese proverb

“It is better to have enough ideas for some of them to be wrong, than to be always right by having no ideas at all.”

- Edward De Bono

Monday, July 4, 2016

VOL II. Cyber defense is going to change so much between now and 2021 most won't even recognize it.


So let's continue our journey together.  

Some might say that cyber defenses are nothing but a series of disconnected point solutions and that someone should tie it all together.  

I have thought about this argument a lot.   

If you have studied for your CISSP, you can easily visualize that every technological "thing", human or non-human (person, processor, memory, application, storage, network device, network service), is really an endpoint to some other "thing".  Every "thing" in our tech world does I/O to at least one other "thing".  From the broadest perspective, every "thing" is essentially connected to every other "thing", and I am not talking just about IoT here.  I believe vendors, service providers, and end users would probably agree with me. 

I can't extract value from continuing arguments that cyber defense is a series of point solutions. I argued that we should remain loyal to our current course, at least until something better comes along. My great great grandfather rode a horse. I drive a car. 

It remains the function of the highest-ranking enterprise security executive, or the lead security practitioner in a smaller business, to qualitatively or quantitatively understand their business's risks in cyberspace.  This has been written about and discussed many times.  Unfortunately, living risk management has not been implemented or operationalized very many times. 

The industry's current path of layering point solution on top of other point solutions, might be viewed as an unsustainable model. 

The future will not be a linear extrapolation of the present. 

My question for your future is, 

Can you envision an organization that truly understands their cyber risks, and then makes cyber investment decisions continuously and only in proper proportion to the business risk they have agreed to tolerate in advance, during joint collaboration with their executive management?

VOL I. Cyber Defense is going to radically change

VOL I.  Cyber defense is going to change so much between now and 2021, most won't even recognize it. 


So let's start a journey together on that topic. I'll ask you a series of questions over the next several weeks. My answers are not important, but yours are.
Here we go ....

I think of cloud in perhaps a strange way.  To me a cloud is not just a data center.  To me a cloud is really an app that lets me do something useful using a "behind the curtain" complex value chain, ....... without me having to understand much more than how to use the app.  Most started using my definition of cloud in 2007. And there wasn't a big fuss about cloud.  To the best of its ability at the time, "it just worked".
When customers say to me, "we have our own cloud", are they simply saying they have their own data center, or are they using my personal definition of cloud?

Wednesday, November 19, 2014

Why can't you see what's in this picture?



I looked at this picture for one hour solid, non-stop, truly, before my brain shifted and let me see the simple picture ! !

Are you fixed in your same old mental patterns about cyber security defense?

Tuesday, November 4, 2014

3 Elements of followership . . . +1 more element for great LEADERSHIP.

How do you really know if you, as a cyber defense professional, are a great leader?

"I'll know it when I see it or feel it"  . . . maybe the best that can be said about leadership . . . for way too many.

I submit to all cyber professionals that if your team and your clients (internal or external) actually take your advice, engage in realizing your initiatives, and back your tough decisions, i.e., . . . FOLLOW YOU, the existence of their FOLLOWERSHIP proves that at least partial leadership has, in fact, occurred.  

But that is not necessarily . . .  great leadership.

Stay with me . . . 

Three (3) elements must be present for basic followership:

Brightness of the Future


Darkness of the Future


Frequency of Interaction

These three elements drive followership but not great leadership. All sorts of vile and despicable historical figures have created followership using brightness, darkness and frequency.

I submit to you that virtually every war was caused by vile historical figures using brightness, darkness and frequency; however, no one would call them great leaders, nor their results great leadership !

Cyber defense professionals . . . build followership thru brightness, darkness and frequency but then add the elusive 4th element and become GREAT LEADERS.





Like JFK, a great leader is in "it" with the followers.  That's the elusive 4th element that drives Great Leadership.

I am in all of this with you.

Saturday, October 25, 2014

Cyber Brains, It's not what you think, it's how . . . YOU THINK

"There would be no tabloid newspaper industry 
without the constant stupidity of normally intelligent people."
The Curriculum
Stanley Bing

LAY, BLAME, JUSTIFY, SHAME

It is tough getting things done in large complex organizations.   In my cyber security world a good day is when nothing bad happens.  
(You can probably relate.)

I have noticed that my cyber brain and the brains of others tend toward a certain state immediately when bad things happen . . .


Not very productive I must admit.

After I calm down a bit (usually after I have been contacted by executives) my cyber brain state seems to shift to . . . 


WOW . . . followed quickly by . . . 



"There are things that people have great difficulty accepting, because they mean that the vision of reality that we have built up over a painful history of superstition, confusion and struggle is profoundly inadequate."
The Key: A True Encounter
Whitley Strieber


At some point my cyber brain stabilizes and I realize if anything is going to get done, I am responsible.  I have to lead.



LAY, BLAME, JUSTIFY, SHAME

"For starters, even if there really is no way you can win, you never say it out loud. You assess why, change strategy, adjust tactics, and keep fighting and pushing till either you’ve gotten a better outcome or you’ve died. Either way, you never quit when your country needs you to succeed." 
Service: A Navy SEAL at War
Marcus Luttrell


If you haven't had the chance to see the movie or read the book "Lone Survivor" and to learn the remarkable story of Operation Red Wings and Navy SEAL Marcus Luttrell . . . you should.


Wednesday, October 22, 2014

About building my skunkworks


Autumn is spider season where I live !


That's a cool picture I took today but I'd rather talk about skunks . . . . not spiders.  

I am kind of excited about it and very proud of the work being done by my skunk works guys but .....I need to explain that a little more.  

The guys on my skunk works team actually report to me in a really large corporation.  So I guess old-school management would say I can tell them to work on whatever I want them to work on. 

But . . . . these guys are seasoned 30+ year cyber professionals and they have a lot of other things that they need to work on...... in addition to my little skunk works project. 

So I can't really do that.  

Since I have responsibility for solution conceptualization for the Fortune 500,  I really need their best thinking. Trust me. 

I must tell you we have produced some amazing results.  But we did not get there by a smooth pathway, nor in a linear fashion. 

You see, to be in my skunk works you have to really know what you're doing.   You have to be relevant to large-scale complex global organizations with their mindset that they want to defend themselves all by themselves all the time.  They always think they are smarter than we are.  

DIFFERENT ISN'T ALWAYS BETTER, BUT BETTER IS ALWAYS DIFFERENT

So I've learned a few things about building a skunk works team that can develop solutions without all the corporate bureaucracy that usually goes with it. 

My first learning has been that my team and I rarely agree on anything. At least at first. Our guiding skunk works principle is that we want to radically change and provoke cyber professionals into thinking about solutioning in radically different ways.  That's pretty bold stuff, so it would be irrational to believe that seasoned professionals would agree on a paradigm shift.  (See my earlier post on what paradigm shift really means.)

Secondly I find myself spending a lot of time seeking clarity of communication and common definitions that we can agree upon.  Wow there I said it. Write that phrase down. 

As a flyer in the Air Force we always repeated verbal commands back to the party issuing the command.  In essence we were saying, "I heard you, and here's what I heard you saying. Is that correct?"  

Wow what a concept.  (I even use it with my wife and kids). 

Try that communication style in your cyber business life.  Just tell people, "I am hearing you, and here's what I think you are saying.  Am I right?"

I think your cyber life will get a lot easier and we all need that.  



HERE IS OUR NEW WORD FOR TODAY . . . 
WATCH OUT FOR IT IN CYBER LIFE
Velleity
Oxford calls it: A wish or inclination not strong enough to lead to action. Our in-the-trenches definition: The desire, with no intention of doing anything.




Sunday, October 12, 2014

Recommended Reading: "The Curriculum" by Stanley Bing



Stanley Bing
Manhattan and Mill Valley, CA

After contributing thousands of columns to Fortune, Esquire, and the Wall Street Journal, and writing nearly a dozen books on corporate strategy, Stanley Bing is at the top of his game, dispensing a lifetime's worth of hard-won wisdom to the next generation of masters.
stanleybing.com


"The Curriculum"
Stanley Bing
HarperCollins Publishers

"Marketing was invented to help sell things people don't need.  It's the fluffer.  Products and services that people actually need do not require marketing's song and dance.  That list, however, is limited: food, functional clothing, running water, some form of heat in the winter.  When you depart from those essentials, marketing is needed.  The more silly and useless the object or activity to be sold, the more intense the marketing needs to be."

"On the other hand, in an economy that drives people to an increasingly byzantine crossroads of ever more choices, and a deepening sense that enough is never enough, the resulting confusion and insatiability can only be satisfied by the hard sell."


The Curriculum
Stanley Bing
April 2014

CYBER PROFESSIONALS:  Unfortunately you must "hard sell" your bosses on what is right and what is needed.

Thursday, October 9, 2014

Why I still think my job is fun


I work for a Fortune 10 company.  My team is responsible for creating complex cyber defense solutions for my employer's Fortune 500 customers (which is about 95% of them).

I still like my job.


I like it because I can pick up the phone and go meet with just about any Chief Information Officer, Chief Technology Officer or Chief Information Security Officer that I want to. Not a bad job.


In today's cyber-centric world, they agree to meet with me much more often than not.  They meet because of who I work for now and my previous background in the Pentagon. (I guess there is always a certain allure about how DOD defends itself in cyberspace.)


So I've met with a lot of them and they tend to change their employers pretty frequently. (My record is I have met with a certain CISO at 4 different companies.)


Over time these meetings became very similar to me, although they are never boring. (Based on similarity, I even started writing my meetings notes before the meeting! The before/after meeting notes correlation was about 80%!)


Hold that thought.


Now . . . it also seems more and more DOD and Intel tech executives are taking C level tech jobs in the Fortune 500. I suspect the pay is better. These folks can get frustrated when they realize enacting DOD/Intel approaches in the private sector is very challenging. (It just seems that way.)


Back to the similarities thread . . .


So somewhat frustrated, I called my team and yelled, "I can meet with any C level tech executive and they are thirsty for something better."


GENERAL PRINCIPLE: DIFFERENT ISN'T ALWAYS BETTER, BUT BETTER IS ALWAYS DIFFERENT.


That is how my team went on to develop and continuously improve both Adaptive Cyber Risk Management and Advanced Persistent Defense. (Both of which are being well received by the way.)


So what makes this fun?  I go out with my team into our customers world and help my team make something of value happen. Then I take evening and weekends to critically question if our different is truly better.


. . . AND THAT'S FUN FOR ME ! ! !

Tuesday, October 7, 2014

Time out from Cyber Technology, try some Mumford


Lewis Mumford, KBE (October 19, 1895 – January 26, 1990) was an American historian, sociologist, philosopher of technology, and literary critic. Particularly noted for his study of cities and urban architecture, he had a broad career as a writer. Mumford was influenced by the work of Scottish theorist Sir Patrick Geddes and worked closely with his associate the British sociologist Victor Branford. - Source Wikipedia


If you are like me, you sometimes get burned out on all this technology.  Trying to design better info structures to protect data can get tiring.


"One of the functions of intelligence is to take account of the dangers that come from solely trusting to the intelligence."

Lewis Mumford


So on a recent escape to the beach . . .
I took along a copy of . . . 




I was introduced to the works of Mumford by 2 undergrad engineering students at Georgia Tech in 1986. What were these college students doing getting totally jazzed by Volume One of The Myth of the Machine in 1986 !!!

28 years later I got around to reading Lewis Mumford. He is a tough read but well worth it.  (I average 10 pages per hour.)


"A certain amount of opposition 
is healthy to a man. 
Kites rise against, not with, the wind"

Lewis Mumford

Sunday, October 5, 2014

Cross purposes in cyber defense


In your experience, do different enterprise stakeholder groups ever operate at cross purposes in cyber defense? 




"The 1967 USS Forrestal fire was a devastating fire and series of chain-reaction explosions on 29 July 1967, that killed 134 sailors and injured 161 on the aircraft carrier USS Forrestal (CVA-59), after an electrical anomaly discharged a Zuni rocket on the flight deck. Forrestal was engaged in combat operations in the Gulf of Tonkin during the Vietnam War at the time, and the damage exceeded US$72 million (equivalent to $509 million today) not including the damage to aircraft. Future United States Senator John McCain was among the survivors."
 - Source Wikipedia


Doug Gould (my good friend and developer of Adaptive Cyber Risk Management) often starts his cyber talks by telling the Forrestal fire story.

Now I understand why he uses the story to illustrate common challenges to enterprise cyber defenders.

As Doug tells the story, there are 2 ways to fight a fire on a ship.  Foam and water. Both methods work.  

In the story, the foam team got there first and was making progress in fighting the fire. Then the water team arrived and essentially washed the foam away. The resulting damage, injury and loss of life was greater than it would have been had the foam team and the water team not run over each other.

The Forrestal fiasco caused the United States Navy to re-think its procedures, resulting in radically more effective approaches to shipboard explosions and fires.

Cyber analogy:  In my experience I have seen enterprise business unit cyber teams acting at cross purposes with the corporate CISO office way too many times.

When supported and mandated by executive management, Doug Gould's Adaptive Cyber Risk Management creates a common shared vision and basis for true multi-stakeholder collaboration.

PLEASE.  LET'S AVOID A REPEAT OF THE USS FORRESTAL FIASCO IN CYBER DEFENSE.


Friday, October 3, 2014

STOP USING THE WORD PERSPECTIVE


Is the new "in" word that makes one look like an executive ...."perspective"?  It seems like everyone uses the word perspective all the time.  I was on a call today and a guy used the term perspective three times in the same sentence. If I want to know somebody else's perspective I'll ask that somebody else.  In my perspective our collective perspective is now too overly perspective.  Just my perspective.  

Sunday, August 10, 2014

Any Cyber budget is appropriate

Any Cyber budget is appropriate if it is derived from Board of Directors deliberation using comprehensive risk curves.   Some argue companies spend too little on cyber defense.  Most likely all companies have compromised hosts.  The mathematics of security is the mathematics of risk.  Unfortunately comprehensive risk curves are becoming a thing of the past.  As Dr. W Edwards Deming stated, "In God we trust, everyone else must use data".  

Friday, December 27, 2013

Newtonian cause & effect thinking


Classical Newtonian physics taught us the principle of cause and effect.  For every observable effect on the physical universe there is a corresponding cause. For every observable cause there is a corresponding effect. Stated another way, for every action there is a reaction.

Sir Isaac Newton lived from 1642 to 1727.  
The work in general and special relativity of Albert Einstein (1879 - 1955) challenged much of Newton.
Later, the quantum mechanics work of Max Born, Werner Heisenberg and Wolfgang Pauli in the early 1920s challenged the dominant Newtonian principles even further.

Little argument can be raised that much of what we knew about nature based on Newtonian physics was being radically reorganized by the latter stages of the 20th century.

Cause and effect thinking got a turbo boost in business during the 1980s rise of total quality management.

As we launch into 2014 cause and effect thinking remains a dominant force in business and (of course) politics.

In cyber security, when we see a large scale compromise (effect), we seek to understand the corresponding cause.  Further than Newton, we must now seek to know who caused what, when and how.
Security professionals must then tell their bosses that defenses have been expanded/adjusted so “this won’t happen to us” or “this can’t happen to us again”.

If enterprise cyber defenders are ever to succeed in overcoming the attackers' offensive advantage, they must employ an even greater force of creativity than their adversaries.

Cyber defenders should restate the Newtonian principle.  SOME CAUSES CAN CREATE SOME EFFECTS SOME OF THE TIME.

The time is now for cyber defenders, architects and product developers to think WAY OUT OF THE BOX AT THE MACRO LEVEL.  WAY, WAY, WAY OUT OF THE BOX.

Monday, November 11, 2013

Wayne Gretzky ?


If you're like me you might get tired of hearing business executives talk about Wayne Gretzky. 

"We can't be chasing the puck; we've got to skate to where the puck will be." I’m sure you have heard it too. Skating to where the puck will be is the best known quote attributed to Wayne Gretzky.

If you are a younger person (a Millennial, as you might be called), you might not know that Wayne Gretzky was a hockey player.  He made it to the Hockey Hall of Fame.  Wayne Gretzky retired from playing ice hockey in 1999.  


HOW MUCH OF WHAT WE LEARNED IN 1999 APPLIES TO BUSINESS TODAY?

"Skating to where the puck will be" became a popular business phrase in the late 90s but I'm shocked that some executives are still using it today.

Unfortunately,  although that phrase may be good for ice hockey, BUSINESS IS NOT ICE HOCKEY. 

You see because ice hockey operates in a closed system, the puck has a well defined area in which it can travel.  The puck can only go so many places.  NO UNEXPECTED EXTERNAL FORCES CAN INFLUENCE THE TRAVEL OF THE PUCK.  Nothing can enter that ice area from the outside to alter the dynamics of the game. 

Business operates in an open system. Business does not operate within closed system defined boundaries.   Why are we still talking about Wayne Gretzky when our businesses operate subject to open system dynamics?


The New York Times published an interesting article regarding how the open, instant and transparent communications culture of Millennials (younger people) is challenging our top-down, fear based business organizations.

It's worth your time to read it.

http://www.nytimes.com/2013/11/10/jobs/embracing-the-millennials-mind-set-at-work.html?ref=technology

Saturday, November 2, 2013

SOMETIMES


Sometimes I encounter job related stress from projects or people.  Maybe you do too.
Sometimes I need to de-stress just to keep going.  Maybe you do too.
So I was de-stressing the other day and it occurred to me .........

Sometimes my family thinks I am the source of our money.
Sometimes I remember the real source of my money is my employer.
Sometimes I remember the real source of my employer's money is my employer's customers.
Sometimes I remember their money really comes from their customers.

What a revelation ! ! !

Yesterday I bought something from a company that is a customer of a customer of my employer.
So if the above is true, yesterday I triggered an (albeit small) economic cycle which will soon reward me (albeit small).

Your reading this may not be helpful to you, but my writing it was helpful to me.

Apologies.




Sunday, September 8, 2013

Learning is not compulsory





Deming taught:

96% of all failure is systems failure. 
The remaining 4% is people failure.

Executive Management owns the system.

The system must include the customer.

Does anyone know of a company that practices these beliefs?

Monday, September 2, 2013

COMPLEX SYSTEM DYNAMICS



Have you ever heard business managers and executives comment (and maybe even complain) about how complex things have become?  I sure know I have and I bet you have too.

Have you asked yourself what resources might be available and might be useful in better accommodating today's complexity?

Unfortunately most people are unaware of a very useful and proven body of new science/engineering referred to as complex systems dynamics.  It is a perfect adjunct to traditional linear engineering education and professional practice.  Ironically, the field originated at MIT back in the 1950s !

This body of mental model thinking brings profound complex problem solving leverage to our world.

People rarely ask me where/how I come up with some of the approaches I use.  We seem to be so busy looking for answers that we forget to ask questions.

Personally, private study and experimental application of complex system dynamics mental models have driven more success and advancement in my career than my Bachelor of Science in Mechanical Engineering, Master of Arts in Business Management or Master of Business Administration degrees.

I would refer those interested in learning more to http://www.pegasuscom.com/aboutpci.html

This is not a consulting company looking for your business. http://www.pegasuscom.com/aboutpci.htm is a resource site of available written learning materials.

Look over their website.  Please contact me if you have questions about where to start your learning journey in this remarkable field.

Sunday, July 28, 2013

Proof of Synergy??


It's not really that relevant that I first encountered this mathematical argument on a white board in a 5 sided building in Arlington, Va.

A = B

A² = AB

A² − B² = AB − B²

(A − B)(A + B) = B(A − B)

A + B = B

B + B = B

2B = B

2 = 1

Don't just knee jerk and run the data thru the algorithm.  Remember that when complex systems fail, they fail in complex ways, so much so that their very failure may be hard to detect.
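As an added check that is not part of the original post, here is the exact step where the chain of equalities breaks:

Since A = B, we have A − B = 0.
The line (A − B)(A + B) = B(A − B) is true, because both sides are 0 · (something) = 0.
Getting from there to A + B = B requires dividing both sides by (A − B), which is dividing by zero, so A + B = B does not follow and everything after it is unsupported.
With A = B = 1 the check is immediate: 0 · 2 = 1 · 0 holds, while 1 + 1 = 1 does not.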