Saturday, October 25, 2014

Cyber Brains, It's not what you think, it's how . . . YOU THINK

"There would be no tabloid newspaper industry 
without the constant stupidity of normally intelligent people."
The Curriculum
Stanley Bing

LAY, BLAME, JUSTIFY, SHAME

It is tough getting things done in large complex organizations.   In my cyber security world a good day is when nothing bad happens.  
(You can probably relate.)

I have noticed that my cyber brain and the brains of others tend toward a certain state immediately when bad things happen . . .


Not very productive I must admit.

After I calm down a bit (usually after I have been contacted by executives) my cyber brain state seems to shift to . . . 


WOW . . . followed quickly by . . . 



"There are things that people have great difficulty accepting, because they mean that the vision of reality that we have built up over a painful history of superstition, confusion and struggle is profoundly inadequate."
The Key: A True Encounter
Whitley Strieber


At some point my cyber brain stabilizes and I realize if anything is going to get done, I am responsible.  I have to lead.



LAY, BLAME, JUSTIFY, SHAME

"For starters, even if there really is no way you can win, you never say it out loud. You assess why, change strategy, adjust tactics, and keep fighting and pushing till either you’ve gotten a better outcome or you’ve died. Either way, you never quit when your country needs you to succeed." 
Service: A Navy SEAL at War
Marcus Luttrell


If you haven't had the chance to see the movie or read the book "Lone Survivor" and to learn the remarkable story of Operation Red Wings and Navy SEAL Marcus Luttrell . . . you should.


Wednesday, October 22, 2014

About building my skunkworks


Autumn is spider season where I live !


That's a cool picture I took today but I'd rather talk about skunks . . . . not spiders.  

I am kind of excited about it and very proud of the work being done by my skunk works guys but .....I need to explain that a little more.  

The guys on my skunk works team actually report to me in a really large corporation.  So I guess old-school management would say I can tell them to work on whatever I want them to work on. 

But . . . . these guys are seasoned 30+ year cyber professionals and they have a lot of other things that they need to work on...... in addition to my little skunk works project. 

So I can't really do that.  

Since I have responsibility for solution conceptualization for the Fortune 500,  I really need their best thinking. Trust me. 

I must tell you we have produced some amazing results.  But we got there neither by a smooth pathway nor in a linear fashion. 

You see, to be in my skunk works you have to really know what you're doing.   You have to be relevant to large-scale complex global organizations with their mindset that they want to defend themselves all by themselves all the time.  They always think they are smarter than we are.  

DIFFERENT ISN'T ALWAYS BETTER, BUT BETTER IS ALWAYS DIFFERENT

So I've learned a few things about building a skunk works team that can develop solutions without all the corporate bureaucracy that usually goes with it. 

My first learning has been that my team and I rarely agree on anything. At least at first. Our guiding skunk works principle is we want to radically change and provoke cyber professionals into thinking about solutioning in radically different ways.  That's pretty bold stuff so it would be irrational to believe that seasoned professionals would agree on a paradigm shift.  (See my earlier post on what paradigm shift really means.)

Secondly I find myself spending a lot of time seeking clarity of communication and common definitions that we can agree upon.  Wow there I said it. Write that phrase down. 

As a flyer in the Air Force we always repeated verbal commands back to the party issuing the command.  In essence we were saying, "I heard you and here's what I heard you saying, is that correct?"

Wow what a concept.  (I even use it with my wife and kids). 

Try that communication style in your cyber business life.  Just tell people, "I am hearing you and here's what I think you are saying.  Am I right?"

I think your cyber life will get a lot easier and we all need that.  



HERE IS OUR NEW WORD FOR TODAY . . . 
WATCH OUT FOR IT IN CYBER LIFE
Velleity
Oxford calls it: A wish or inclination not strong enough to lead to action. Our in-the-trenches definition: The desire, with no intention of doing anything.




Sunday, October 12, 2014

Recommended Reading: "The Curriculum" by Stanley Bing



Stanley Bing
Manhattan and Mill Valley, CA

After contributing thousands of columns to Fortune, Esquire, and the Wall Street Journal, and writing nearly a dozen books on corporate strategy, Stanley Bing is at the top of his game, dispensing a lifetime's worth of hard-won wisdom to the next generation of masters.
stanleybing.com


"The Curriculum"
Stanley Bing
HarperCollins Publishers

"Marketing was invented to help sell things people don't need.  It's the fluffer.  Products and services that people actually need do not require marketing's song and dance.  That list, however, is limited: food, functional clothing, running water, some form of heat in the winter.  When you depart from those essentials, marketing is needed.  The more silly and useless the object or activity to be sold, the more intense the marketing needs to be."

"On the other hand, in an economy that drives people to an increasingly byzantine crossroads of ever more choices, and a deepening sense that enough is never enough, the resulting confusion and insatiability can only be satisfied by the hard sell."


The Curriculum
Stanley Bing
April 2014

CYBER PROFESSIONALS:  Unfortunately you must "hard sell" your bosses on what is right and what is needed.

Thursday, October 9, 2014

Why I still think my job is fun


I work for a Fortune 10 company.  My team is responsible for creating complex cyber defense solutions for my employer's Fortune 500 customers (which is about 95% of them).

I still like my job.


I like it because I can pick up the phone and go meet with just about any Chief Information Officer, Chief Technology Officer or Chief Information Security Officer that I want to. Not a bad job.


In today's cyber-centric world, they agree to meet with me much more often than not.  They meet because of who I work for now and my previous background in the Pentagon. (I guess there is always a certain allure about how DOD defends itself in cyberspace.)


So I've met with a lot of them and they tend to change their employers pretty frequently. (My record is I have met with a certain CISO at 4 different companies.)


Over time these meetings became very similar to me, although they are never boring. (Based on similarity, I even started writing my meeting notes before the meeting! The before/after meeting notes correlation was about 80%!)


Hold that thought.


Now . . . it also seems more and more DOD and Intel tech executives are taking C level tech jobs in the Fortune 500. I suspect the pay is better. These folks can get frustrated when they realize enacting DOD/Intel approaches in the private sector is very challenging. (It just seems that way.)


Back to the similarities thread . . .


So somewhat frustrated, I called my team and yelled, "I can meet with any C level tech executive and they are thirsty for something better."


GENERAL PRINCIPLE: DIFFERENT ISN'T ALWAYS BETTER, BUT BETTER IS ALWAYS DIFFERENT.


That is how my team went on to develop and continuously improve both Adaptive Cyber Risk Management and Advanced Persistent Defense. (Both of which are being well received by the way.)


So what makes this fun?  I go out with my team into our customers' world and help my team make something of value happen. Then I take evenings and weekends to critically question if our different is truly better.


. . . AND THAT'S FUN FOR ME ! ! !

Tuesday, October 7, 2014

Time out from Cyber Technology, try some Mumford


Lewis Mumford, KBE (October 19, 1895 – January 26, 1990) was an American historian, sociologist, philosopher of technology, and literary critic. Particularly noted for his study of cities and urban architecture, he had a broad career as a writer. Mumford was influenced by the work of Scottish theorist Sir Patrick Geddes and worked closely with his associate the British sociologist Victor Branford. - Source Wikipedia


If you are like me, I sometimes get burned out on all this technology.  Trying to design better info structures to protect data can get tiring.


"One of the functions of intelligence is to take account of the dangers that come from solely trusting to the intelligence."

Lewis Mumford


So on a recent escape to the beach . . .
I took along a copy of . . . 




I was introduced to the works of Mumford by 2 undergrad engineering students at Georgia Tech in 1986. What were these college students doing getting totally jazzed by Volume One of The Myth of the Machine in 1986 !!!

28 years later I got around to reading Lewis Mumford. He is a tough read but well worth it.  (I average 10 pages per hour.)


"A certain amount of opposition 
is healthy to a man. 
Kites rise against, not with, the wind"

Lewis Mumford

Sunday, October 5, 2014

Cross purposes in cyber defense


In your experience, do different enterprise stakeholder groups ever operate at cross purposes in cyber defense? 




"The 1967 USS Forrestal fire was a devastating fire and series of chain-reaction explosions on 29 July 1967, that killed 134 sailors and injured 161 on the aircraft carrier USS Forrestal (CVA-59), after an electrical anomaly discharged a Zuni rocket on the flight deck. Forrestal was engaged in combat operations in the Gulf of Tonkin during the Vietnam War at the time, and the damage exceeded US$72 million (equivalent to $509 million today) not including the damage to aircraft. Future United States Senator John McCain was among the survivors."
 - Source Wikipedia


Doug Gould (my good friend and developer of Adaptive Cyber Risk Management) often starts his cyber talks by telling the Forrestal fire story.

Now I understand why he uses the story to illustrate common challenges to enterprise cyber defenders.

As Doug tells the story, there are 2 ways to fight a fire on a ship.  Foam and water. Both methods work.  

In the story, the foam team got there first and was making progress in fighting the fire. Then the water team arrived and essentially washed the foam away. The resulting damage, injury and loss of life were greater than they should have been had the foam team and the water team not run over each other.

The Forrestal fiasco caused the United States Navy to re-think its procedures, resulting in radically more effective approaches to shipboard explosions and fires.

Cyber analogy:  In my experience I have seen enterprise business unit cyber teams acting at cross purposes with the corporate CISO office way too many times.

When supported and mandated by executive management, Doug Gould's Adaptive Cyber Risk Management creates a common shared vision and basis for true multi-stakeholder collaboration.

PLEASE.  LET'S AVOID A REPEAT OF THE USS FORRESTAL FIASCO IN CYBER DEFENSE.


Friday, October 3, 2014

STOP USING THE WORD PERSPECTIVE


Is the new "in" word that makes one look like an executive ...."perspective"?  It seems like everyone uses the word perspective all the time.  I was on a call today and a guy used the term perspective three times in the same sentence. If I want to know somebody else's perspective I'll ask that somebody else.  In my perspective our collective perspective is now too overly perspective.  Just my perspective.