Sunday, July 7, 2013

Serial Innovators
Serial innovators are not looking for opportunities. They look for concrete problems that cause potential customers significant pain--problems with solutions for which customers would be willing to pay. Serial innovators know they have an interesting problem when it meets three criteria:

Solving the problem has the potential for significant financial impact.
A solution likely can be found.
The problem and its solution are acceptable to both customers and management (it solves problems and fits strategy).
Serial Innovators follow Thomas Edison’s advice regarding innovating: “I don’t want to invent something that no one will buy.” They understand that technology is just a means to an end, the firm is in business to make money, and the only way they will be allowed to continue innovating is to develop a product that profitably solves customer problems.

4 methods for finding the right problem

Using Strategy to Identify Problems: Sometimes serial Innovators, like inventors, start investigating a problem area because the performance capabilities of a particular technology have reached a plateau, while performance demands keep increasing. To move to the next performance level requires shifting to a different technology.

Reframe Existing Problems: Serial Innovators have an uncanny ability to reframe existing problems. By immersing themselves in a problem, they see it through a different lens that allows them to capture aspects that had been previously overlooked.

Work Backward from a Far-in-the-Future Vision: Serial Innovators may work backward from a long-term goal to discover how tackling a series of short-term problems might allow them to ultimately produce, many decades later, that long-term vision. They would begin by developing a salable product based on the first technology step, providing a pathway of interesting (i.e., profit-producing) shorter-term problems to solve on the way toward their long-term end point.

Use Other Domains for Insight: Serial Innovators find the right problem by gathering insight from across multiple domains. Fred, a Serial Innovator in medical devices, routinely tracked university patent applications in his search for interesting problems. He initiated conversations with university Inventors to determine what they were doing and, more important, why. The “why” gave him insight into what problems these university Inventors thought were important. He also routinely visited university new venture incubators, investigating why they were trying to commercialize the various technologies--what problems were they trying to solve? When he found multiple academic researchers patenting and trying to commercialize different products to solve similar problems, he knew he was on track to finding an interesting problem to solve for the firm.

When a problem has significant financial impact, a findable solution, and a fit with both the customer and management, serial innovators shift from finding to understanding.

How to understand the problem deeply

First, prepare to understand:

In preparing to understand, serial innovators do not rely solely on themselves to define the problem and its unknowns. Part of their preparation includes assembling the people they need from the various domains that will help them completely understand the problem. Most frequently, they create a “team” of people in their network not formally assigned to the project, who they tap--sometimes individually, sometimes in groups--to help clarify various aspects of the problem. Then, with the help of their “team,” serial innovators define what they need to know.

Some serial innovators use the technique of asking the “why” question five times, “peeling the onion” to understand root causes. Another serial innovator puts together a “learning plan,” a simple document or presentation in which he and his team agree to and write down what they know as well as what they do not know about the problem, the project, and its objectives. Serial innovators believe there is more power in understanding what they do not know than what they already do, so they tend to focus on the “what don’t we know.”

Once they have defined the initial unknowns and assembled the resources necessary to eliminate them, they start the work of gathering and synthesizing information to eliminate the unknowns.

Second, think holistically: 

Serial Innovators gather information from a number of perspectives and then integrate across those multiple domains to understand completely. They speak of thinking holistically to “connect the dots,” the specific pieces of information associated with understanding the problem. But, in order to connect them, they first must “find the dots.” The task at hand is all about discovery. In their form of discovering, the real challenge is to view the problem from multiple perspectives, or domains. They think from the technical, customer, market, and competitive perspectives, melding information from each into an overall, holistic understanding of the problem and the various contexts in which it resides. Problems are viewed as more than technical or engineering challenges--they are multifaceted systems.

Innovators seek technical understanding but also recognize the importance of customer and end-consumer derived information in developing their understanding of a problem. At this point, the Serial Innovator is not trying to market a product--just trying to understand the problem from the customer’s perspective. Serial innovators perform their own market research instead of letting a separate division or outside firm conduct research for them. They need richness in the data, and they need to understand it personally. They cannot let other people interpret raw data for them.

In addition to technical and customer perspectives, serial innovators have a keen awareness of their competitor’s capabilities. Serial innovators understand how technology--both theirs and their competitors’--fits into the market. They understand the trade-offs between the two, and are able to find the right balance between their technology and the demands of the market. They then use the insight they acquire by intensely studying their customers to give them an advantage over the products their competitors have engineered.

During this “dot-finding” process, serial innovators focus primarily on understanding individual customer needs and technical possibilities and on maintaining a sense of what competitors are doing. However, they occasionally circle back into considering the general market trends to ensure that there still is a market for the problem they are trying to solve--and that someone else has not already commercialized a product to solve that problem. During this part of the process, serial innovators look at individual customers to understand specific needs. To understand market opportunities, on the other hand, they look at the market in aggregate.

As serial innovators refine their understanding of the problem from each perspective, they redefine their objectives and enhance their support network. Then, when they have gathered sufficient information across all relevant dimensions, serial innovators make connections across these disparate types of information that others just do not see. Their special capability to synthesize information allows them to reach the desired “Aha!” moment needed to solve the problem. We’ve labeled this capability “discernment”--keen insight into seeing the solution of a profoundly complex problem with a multitude of constraints.

When we have asked serial innovators about this capability, they typically shrug their shoulders; “I’ve been told it’s a gift,” is one reply. They don’t know how they do it either. We tentatively conclude that they have gathered enough breadth and depth of knowledge through their multifaceted investigation of each problem that they can make an experience-based intuitive leap. This leap is possible in part because of their capabilities, and in part because management has granted them enough time and sufficient resources to truly understand the problem at hand.

Excerpted from Serial Innovators: How Individuals Create And Deliver Breakthrough Innovations In Mature Firms by Abbie Griffin, Raymond L. Price and Bruce Vojak. (c) 2012 Board of Trustees of the Leland Stanford Jr. University, reprinted by permission of the publisher, www.sup.org. 

Tuesday, July 2, 2013

The Seven Dimensions of any Business
Larry Wilson
Founder Pecos River Learning Center

With an engineering degree and two MBAs, I "get" where executives are when it comes to their businesses.

Let's go a bit deeper than Peter Drucker's original six (6) functions of management: Planning, Organizing, Staffing, Directing, Controlling and Reporting.

IN ANY HIGH RATE OF CHANGE ENVIRONMENT THE QUESTIONS YOU ARE WILLING TO ASK LEAD TO BETTER ANSWERS.  Your least leverage is simply reacting to events.


Larry Wilson is one of the most amazing people I never met. His book "Changing the Game" is mandatory reading for my students of all ages.

Again drawing from complex systems study I find executives and managers don't realize there are seven (7) fundamental dimensions to any game; even the game of business.  These dimensions apply to so many things: growing a business, securing a business, developing employees, proper use of technology, the list is as long as one chooses to make it.

Understanding these seven (7) dimensions opens new opportunity for growth.

THINK ABOUT THESE SEVEN (7) . . . making the following substitutions:
GAME = YOUR BUSINESS; PLAYERS = YOUR EMPLOYEES

1) PURPOSE IN PLAYING THE GAME

2) INFORMATION AVAILABLE TO PLAYERS

3) PERMISSIBLE ACTIONS OF THE PLAYERS

4) CRITERIA FOR PROGRESS IN THE GAME AND BY THE PLAYERS

5) IMPACT OF RANDOM EVENTS ON THE GAME

6) DISTRIBUTION OF THE REWARDS TO THE PLAYERS

7) CRITERIA FOR TERMINATING THE PLAYERS OR THE GAME



Monday, July 1, 2013

Jack Reacher "Life is full of decisions"
Tom Cruise
as Jack Reacher

"LIFE IS FULL of decisions and judgments and guesses, and it gets to the point where you're so accustomed to making them you keep right on making them even when you don't strictly need to.

You get into a 'what if' thing, and you start speculating about what you would do if some problem was yours instead of somebody else's."

- Jack Reacher

Sunday, June 30, 2013


TO MY KIDS

This will only take five minutes and it will be my last speech. I say it's my last speech because I'm not sure my previous speeches worked and I'm out of material.

The obligation of any parent is to pass on what they've learned. I tried my best to do that. Any new generation will always say "but the world is different now" and they are partially right. The parents are right too. Although many things change very fast, some things stay remarkably constant. (My parents turned out to be right more times than I ever gave them credit for.)

Here's what I pass on:

1. Experience is the best teacher - if you can survive the experience.

2. The value of a college education cannot be overvalued or over-appreciated. Get one.

3. Write down your goals for this week, this month, this year and the next two years. Keep them where you can see them. Keep your goals simple and measurable. Write down why you want to attain them.

4. Spend 70% of your time taking action to attain your goals. Spend 20% of your time refining your goals. Spend 10% of your time in rest and recreation. Spend 0% of your time thinking about the past.

5. Time goes faster the older you get.

6. Treat others the way you would like to be treated.

7. When your parents are gone, sometimes you will wish they were still around.

8. Of whatever money you make: save one third, spend one third and pay the government the other third. I didn't do this and I wish I would have.

I'm not sure exactly what I learned in college but it proved to me that I could do it and it built my confidence in me. It also proved to others that I could do it so they had confidence in me. 

I'm not sure exactly what being a Captain in the Air Force accomplished but it proved to me that I could do it and it built my confidence in me. It also proved to others that I could do it so they had confidence in me.  

Love,  
Your Dad

Sunday, April 28, 2013

Banks viewing DDOS as the new norm

Larger banks and financial institutions are now viewing defending against DDOS attacks as business as usual. Let's review a few basics before we examine that issue in more detail.

Way back when denial of service attacks first began, they were used primarily as a cyber crime extortion tactic. The attackers would offer to cease attacking a website in return for cash payments.
That approach has somewhat faded, although we do hear of extortion periodically, mainly against on-line gaming sites. There is little question that increased sophistication by law enforcement in tracking extortion payments has been a significant factor in reducing extortion as a criminal business driver.

It appears the groups responsible for denial of service attacks now fit the definition of hacktivists and nation states.

BOTS and BOTNETS
The rise of the bot, and the linking of bots into botnets under centralized command and control, brought denial of service attacks to a new level. Unfortunately I still find way too many executives confused about bots and botnets. Let me propose simple definitions of bots and botnets that might help us understand where we are in this aspect of the complicated landscape of cybersecurity.

I think of a bot as a simple piece of malicious code, usually fairly small in size, that has found its way onto a personal computer at home, a host server within an enterprise computing infrastructure, or a server at a hosting company. Unfortunately bots are now being found on smartphones, tablets, digital security cameras and internet-ready TVs. Any digital device attached to a network can store a bot. Readers will do well to remember that the vast majority of bots remain undetectable to common anti-virus scanning.

Although many bots do carry some rudimentary capability to probe their host environment, by and large the dominant capability of most bots is to communicate with and receive instructions from a central command and control server. When multiple bots do that, they have become part of a botnet. A botnet instructed by its command and control server to flood a website with thousands, if not millions, of web page requests per second constitutes a distributed (many bots) denial of service (DDOS) attack. DDOS constitutes an ongoing problem for major financial institutions.

PAST, PRESENT, FUTURE
Prior to 2012, most DDOS attacks against financial institutions lasted several hours and may have extended to several days at most. Beginning around mid-2012, the duration of DDOS attacks lengthened significantly.

Some evidence exists that compromised or organized-crime-associated hosting facilities (read lots of computing power . . . . lots of communications bandwidth) in central Europe and Asia have become the attack origin of choice for DDOS attackers. Given access to or control of larger computing and bandwidth, botnet operators devised ways of very rapidly populating very large numbers of bots within these hosting facilities.

Of additional concern is the widespread availability of consumer cyber crime tools, including toolsets capable of launching or participating in a DDOS attack.

Large financial institutions are well advised to expect, anticipate and make advance preparations to defend against DDOS attacks on an ongoing basis for the foreseeable future.
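The post describes a DDOS as many bots each sending requests so that the aggregate rate overwhelms a site, and notes that attacks have grown longer. The script below is an added example, not code from the original post: it parses constructed web server access-log lines, flags each second whose aggregate request rate exceeds a baseline multiple, labels the second "distributed" (many distinct client addresses) or "single-source", and merges consecutive flagged seconds into windows so the sustained duration of a flood is visible. The baseline, multiplier and source-count thresholds are assumptions a defender would tune to the site's own normal traffic; the client addresses are documentation ranges, not real hosts.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined"-style access log line (request body, status, bytes).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def requests_per_second(lines):
    """Map each whole second to a Counter of requests per client IP."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts = parsed
            buckets[ts.replace(microsecond=0)][ip] += 1
    return buckets


def flag_floods(lines, baseline_rps=5, multiplier=10, min_sources=20):
    """Flag every second whose aggregate rate exceeds baseline_rps * multiplier.

    A flagged second served by at least min_sources distinct IPs is labelled
    "distributed" (many bots, each sending a little); otherwise "single-source".
    Returns a list of (second, total_requests, distinct_ips, kind).
    """
    buckets = requests_per_second(lines)
    alerts = []
    for second in sorted(buckets):
        per_ip = buckets[second]
        total = sum(per_ip.values())
        if total > baseline_rps * multiplier:
            kind = "distributed" if len(per_ip) >= min_sources else "single-source"
            alerts.append((second, total, len(per_ip), kind))
    return alerts


def attack_windows(alerts):
    """Merge consecutive flagged seconds into (start, end, duration_seconds)."""
    windows = []
    for second, *_ in alerts:
        if windows and second - windows[-1][1] <= timedelta(seconds=1):
            windows[-1][1] = second          # extend the current window
        else:
            windows.append([second, second])  # a gap starts a new window
    return [(s, e, int((e - s).total_seconds()) + 1) for s, e in windows]


def make_line(ip, ts, path="/"):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


def build_sample_log():
    """Constructed traffic: 2 s normal, 3 s distributed flood, a quiet second, 1 s single-source flood."""
    t0 = datetime.strptime("28/Apr/2013:10:00:00 +0000", TS_FMT)
    lines = []
    for s in range(2):                  # normal: 3 requests/s from 3 clients
        for i in range(3):
            lines.append(make_line(f"192.0.2.{i + 1}", t0 + timedelta(seconds=s)))
    for s in range(2, 5):               # distributed: 60 bots, 1 request/s each
        for i in range(60):
            lines.append(make_line(f"198.51.100.{i + 1}", t0 + timedelta(seconds=s), "/login"))
    for _ in range(60):                 # single source: one client, 60 requests/s
        lines.append(make_line("203.0.113.7", t0 + timedelta(seconds=6)))
    return lines


if __name__ == "__main__":
    found = flag_floods(build_sample_log())
    for second, total, distinct, kind in found:
        print(f"{second:%H:%M:%S} {total:4d} req/s from {distinct:3d} IPs -> {kind}")
    for start, end, seconds in attack_windows(found):
        print(f"flood window {start:%H:%M:%S}-{end:%H:%M:%S} lasting {seconds} s")
```

The single-source case is what a per-client rate limit catches; the distributed case is invisible to it because no single address is noisy, which is why the aggregate rate and the distinct-source count are checked together.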
Sunday, January 20, 2013

2013

So here we are, 2013. As usual I am getting some invitations to keynote a couple of cyber events. I am actually thinking I might do a few this year. Anyway, belated Happy New Year.

The intent of this blog is to be provocative. That is, to provoke defensive cyber professionals into challenging their dominant paradigms around security. Remember, a paradigm is what we think about something before we think about it.

Think along with me for a second.

Have you ever made a mistake? In anything . . . . work, family, relationships, neighbors?
Raise your hand if you have ever made a mistake. (Be honest.)

Ok.  So after you made a mistake, did you ever say to yourself, "No matter what happens I swear I will never make that mistake again?"  (Yea.  You probably did that at least one time in your life.  I know I have.)

Did you ever - after swearing you wouldn't do it ever again - go on and make the exact same mistake a second time?   Yea. Crazy.  I have.  Just ask my wife or kids!

So trying harder and promising ourselves that we won't repeat our mistakes DOESN'T WORK.  We usually follow that up with Laying Blame or Justifying our mistakes based on some external event or external force.  We then try Massive Action to try to cloud our mistakes with tons of activity.

You see, you can be taking massive action in cyber defense, but if one is on the wrong track, it doesn't matter what speed you're going.  You won't get there!

We know from the writings of R. Buckminster Fuller that all known cases of biological, sociological and technological extinction flow from a common root cause. That root cause of extinction is OVER SPECIALIZATION. Few would argue with me that cyber security is highly specialized.

When one inbreeds specialization, one outbreeds ADAPTABILITY.  (Star Trekkies, remember The Borg!)

The antidote to over-specialized cyber thinking/doing is COMPREHENSIVE cyber thinking/doing. COMPREHENSIVE cyber thinking/doing considers everything in all 7 layers of the OSI model, from the mobile edge through the software defined private or public data center. I have members of my technical team working on just such comprehensive cyber operating models, linking risk assessments to security architectures, to security operations, to proactive threat analyses and action taking, to the business continuity and disaster recovery plan.

START THINKING ABOUT BUILDING SMALLER PERIMETERS AROUND CRITICAL ASSETS. The dominant paradigm of defending all assets via a common perimeter has been rendered totally OBSOLETE.


Saturday, December 15, 2012

Well, it's been another great week in cyberspace. Yes, I jest.

This week I got a call from an "Expert in Cyber security".   I hung up after 45 seconds since I consider the term "Expert in Cyber security" a double nested contradiction in terms!  (Ok. It wasn't really 45 seconds but it was as quick as I could while being relatively polite.  I was introduced once as an "Expert in Cyber security".  I insisted the introduction be retracted before I started my talk.)

Folks, I don't see many things getting better.  Consultants like to talk about industry best practices.  Speaking from experience, most companies who have been breached thought they were doing industry best practices in cyber defense at the time.  AND THEY STILL GOT BREACHED.  HELLO?

Let's stop fooling around and let's dump the term industry best practice. Let's call it what it really is: INDUSTRY MOST PREVALENT PRACTICES. Not best, just prevalent. Ok?

So we have been talking about paradigms, Thomas Kuhn, scientific reductionist thinking, Descartes, Bacon, and the fact that our current cyber defense model is in crisis. That model, the current dominant paradigm, what everyone tells their auditors, is that all assets can be and are being equally defended through the use of a common perimeter. Think about that.

If you are a front line practitioner, you are underfunded and overworked. You bought the latest tool sets only to find they came complete with unintended consequences.

No wonder you are underfunded. All funding flows from internal audit. They are being told the current paradigm of uniform defense through a common perimeter holds. So why would you need more money?

I really love it when clients tell me how important this all is because they have to brief their board of directors. Seriously?

In my talks I sometimes use this photograph


When it comes to malicious cyber activity, many companies think the bad guys have entered our safe environment.  You might consider that actually we are doing business in their world.  Think about it.

If you could actually defend your assets perfectly, what would you do and what would you do differently?

Stay tuned.


Tuesday, December 4, 2012

Peter Drucker

I read today Peter Drucker taught that senior executives should spend one half of their time alone thinking problems through. Okay.

I was also thinking about mature companies that have withstood the test of time and who are now passing over the top of the "S"curve.  Do any companies immediately come to mind?

Mature companies that have withstood the test of time really don't need great executives and leaders.  However in many cases they have them anyway.  

"Back in the day", large stable companies gave managers the time to properly develop and to properly season.  Obviously that is no longer the case today.

For instance I just read that the average chief marketing officer is in the job for about two years.  So it's clearly either produce results or get out.

Do you ever wonder where this is all leading?

No wonder cyber security executives really don't have time to think through the issues.  

Michael Kohl
678-770-6200

Sunday, December 2, 2012

On Paradigms


Thomas S. Kuhn
American Physicist
Creator of the word "Paradigm"

To understand where cyber security needs to go, let's go a bit deeper into the term paradigm. Paradigm means the sum totality of what everyone knows to be true.


Rene Descartes

We are currently living during the later stages of the scientific industrial paradigm. So follow along for a moment. The scientific industrial paradigm was in part ushered in by Rene Descartes (1596-1650) writing his "Discourse on the Method" in 1637 and introducing our current 3-space X axis, Y axis, Z axis "Cartesian" coordinate system.


Francis Bacon

In the same historical period, Francis Bacon (1561-1626) wrote his "Novum Organum" in 1620. Combined, these two works contributed profoundly to bringing Europe out of the dark ages and into the age of reason. Descartes and Bacon provided foundational bases for the Scientific Method, which helped drive us to our current scientific industrial paradigm.

The Scientific Method (which we were all taught as scientists and engineers) features reductionist thinking, under which problems are broken into smaller (supposedly) more easily solvable pieces. Without dispute, the Scientific Method and reductionist problem solving have contributed greatly to technological progress since the mid 1600s.

Unfortunately, malicious activity in cyberspace by nation states, hacktivists, and cyber criminals is demanding that we quickly and profoundly evaluate our current defensive approach to vital information infrastructures. Incremental improvement in cyber defense substantially lags behind the acceleration and sophistication of offensive technique.

***************
THOUGHT EXPERIMENT:   Pause for a moment and think of the current dominant paradigm (what no one would ever question) concerning the state of cyber security defense.  Name some cyber security defensive systems, processes and practices that are never questioned by cyber defense practitioners.
***************

In my last post I mentioned that Thomas Kuhn (1922-1996), the American-born, Harvard-educated physicist, first introduced the term "Paradigm" into our vocabulary in his 1962 book, "The Structure of Scientific Revolutions".

In that book Kuhn also gave us the Kuhn Cycle. The Kuhn Cycle describes the major phases we experience when long-held belief and practice clash with contradictory experience. Kuhn postulated that Normal Science (and engineering, I might add) proceeds along using the scientific method and reductionist problem solving. As enough problems have been reduced to smaller and smaller pieces, certain observations and results begin to appear that cause our model to drift from the norm. When enough of these divergent observations and results have accumulated, we have a model that is termed "in crisis".

With a model in crisis, change in thought and practice becomes acceptable again and we move to a model revolution.  With the revolution maturing comes the leap to paradigm shift and the adoption of a new normal science and engineering.

I believe we are currently experiencing the model crisis phase of the Kuhn Cycle as it relates to cyber security enterprise defense.

In my current role as a senior executive on the AT&T Security Solutions team, I meet with Chief Security Officers of large corporations. Although I cannot and will not reveal the details of those discussions, I will comment that those discussions are congruent with the above thought trail.

In my next post I will introduce a very strong force that is currently disrupting the linear thinking of the scientific industrial paradigm.  I believe you will quickly connect the dots as to the applicability of that new force in driving a new and better cyber security paradigm.

Friday, November 23, 2012

The purpose in this blog


The purpose in this blog is not to gain agreement nor stimulate disagreement. Its true purpose is to encourage pathways and distinctions that allow executives and security practitioners to creatively think differently.

To the best of my ability I am attempting to apply the laws of complex systems that I've learned to our pressing challenges in cyber security. Many like me who have been trained in complex systems thinking are currently working on predicting the weather, the migratory patterns of animal herds, neuroscience or the mass movement of financial markets.


My major hypothesis is that complex systems thinking is applicable to cyber defense.
You see, "different isn't always better but better is always different."  Agreed?
My hypothesis further includes my belief that in order to change the current offensive and defensive reactionary game being played in cyberspace, we need to subvert the dominant cyber paradigm.

The term paradigm was first introduced into our vocabulary by Thomas Kuhn in his 1962 book "The Structure of Scientific Revolutions". The book should constitute mandatory reading for all cyber professionals.
Essentially, Thomas Kuhn defines the term paradigm as those beliefs about any subject which will never be questioned as to their truthfulness. I'm talking here about commonly accepted facts.

In my next entry I'll talk about the nature of the reactive games currently ongoing in cyberspace.