Ries on Gatekeepers

Eric Ries wrote the excellent book Lean Startup. In a recent interview with Firstround, he talks about how to integrate gatekeeping functions into a lean business.

There is a tremendous amount of wisdom in there, and almost all of it applies to security. The core is that the gatekeeper has compassion for the work and ambiguity of engineering, and that compassion comes from being embedded into the work.

Engineering involves starting with problem statements that are incomplete or inaccurate, and dialog about those problems leading to refinement of the understanding of both the problem and the solution. It’s hard to do that from a remote place in the organization.

This is an argument for what Ries calls embedding, which is appropriate for some gatekeeping functions. What’s more important for security is “a seat at the table.” They’re importantly different. Embedding is a matter of availability when a problem comes up where we need the voice of legal or finance. A seat at the table means that the person is invited to the meetings where the problems and solutions are being refined. That happens naturally when the person invited is a productive contributor. Many functions, from program management to test to usability, have won a seat at the table, and sometimes lost it as well.

The first hurdle to a seat at the table, and the only one which is non-negotiable, is productive engagement. “We get more done because we invite Alice to our meetings.” That more might be shipping faster, it might be less rework, it might be higher quality. It is always things which matter to the organization.

The more productive the engagement, the more willing people will be to overlook soft skills issues. The famed BOFH doesn’t get a seat at the table, because as much as IT might want one, he’s abusive. Similarly, security people will often show up and say things like “one breach could sink the company,” or “your design is crap.” Hyperbole, insults, anger, all of the crassly negative emotions will cost not just Angry Bob but the whole security team their seat. These are behaviors that get drawn to the attention of management or even HR. They limit careers, and they also make it hard to give feedback. Who wants to get insulted when you’re trying to help someone? They limit teams. Who wants to work with people like that?

There are other, less crass behaviors with similar effect: not listening, not delivering on time, not taking on work that needs taking on. These soft skills will not get you to the table, but they’ll ease the journey, and most importantly, get you the feedback you may need to get there. But if you are in a gatekeeper role today, or if your security team aspires to rise to the point where you have a rope you can pull to stop the production line, the new article on gatekeepers by Mr. Ries is well worth your time.

One of the aspects of the post that’s worthwhile is providing crisp guidance, which reminds me of what Izar Tarandach talked about at Appsec 2018. (My notes, the video.)


Photo by Aryok Mateus.

Learning from Our Experience, Part Z

One of the themes of The New School of Information Security is how other fields learn from their experiences, and how information security’s culture of hiding our incidents prevents us from learning.

Today I found yet another field where they are looking to learn from previous incidents and mistakes: zombies. From “The Zombie Survival Guide: Recorded Attacks:”

Organize before they rise!

Scripted by the world’s leading zombie authority, Max Brooks, Recorded Attacks reveals how other eras and cultures have dealt with–and survived–the ancient viral plague. By immersing ourselves in past horror we may yet prevail over the coming outbreak in our time.

Of course, we don’t need to imagine learning from our mistakes. Plenty of fields do it, and so don’t shamble around like zombies.

What Security Folks Can Learn from Doctors

Stefan Larsson talks about “What doctors can learn from each other:”

Different hospitals produce different results on different procedures. Only, patients don’t know that data, making choosing a surgeon a high-stakes guessing game. Stefan Larsson looks at what happens when doctors measure and share their outcomes on hip replacement surgery, for example, to see which techniques are proving the most effective. Could health care get better — and cheaper — if doctors learn from each other in a continuous feedback loop? (Filmed at TED@BCG.)

Measuring and sharing outcomes of procedures? I’m sure our anti-virus software makes that unnecessary.

But you should watch the talk anyway — maybe someday you’ll need a new hip, and you’ll want to be able to confidently question the doctors draining you of evil humors.

Infosec Lessons from Mario Batali's Kitchen

There was a story recently on NPR about kitchen waste, “No Simple Recipe For Weighing Food Waste At Mario Batali’s Lupa.” Now, normally, you’d think that a story on kitchen waste has nothing to do with information security, and you’d be right. But as I half listened to the story, I realized that it in fact was a story about a fellow, Andrew Shakman, and his quest to change business processes to address environmental priorities.

I also realized that I’ve heard him in meetings. Ok, it wasn’t Andrew, and the subject wasn’t food waste, but I think that makes the story all the more powerful for information security, because it’s easier to look at an apparently disconnected story, understand it, and then bring the lessons on home:

“Once we begin reducing food waste, we are spending less money on food because we’re not buying food to waste it; we’re spending less money on labor; we’re spending less money on energy to keep that food cold and heat it up; we’re spending less on waste disposal,” says Shakman.

That’s right! Managing food waste doesn’t have to be a tax, it can be a profit center, and that’s awesome. Back to the story:

Lupa’s Chef di Cuisine Cruz Goler spent a couple of months working with the system. But he ran into some problems. After the first week, some of his staff just stopped weighing the food. But Goler says he didn’t want to “break their chops about some sort of vegetable scrap that doesn’t really mean anything.” Shakman believes those scraps do mean something when they add up over time. He says it’s just a matter of making the tracking a priority, even when a restaurant is really busy. “When we get busy, we don’t stop washing our hands; when we get busy, we don’t cut corners in quality on the plate,” says Shakman.

That’s right, too! We can declare priorities, and if only our thing is declared a priority, it’ll win! What’s more, what’s a priority is a matter of executive sponsorship. The fact that the health department will be upset if you don’t wash your hands — that’s just compliance. Imperfectly plated food? Look, people are at a restaurant to eat, not admire the food, and that plate’s gonna be all smudged up in just a minute. In other words, those priorities are driven by either the customer or an external party. No argument that any internal or consulting party brings in will match those. They’re priority 1, and that’s a small set of requirements.

But for me, the most heartbreaking quote came after the chef decided not to use the system in that restaurant:

Despite the failure of LeanPath in the Lupa kitchen, Shakman is still convinced his system can save restaurants money. But he’s learned that the battle against food waste, like so many battles people fight, has to start with winning hearts and minds.

It’s true, if we just win hearts and minds, people will re-prioritize their tasks. To an extent. But perhaps the issue is that to win hearts and minds, we sometimes need to listen to the objections, and find ways to address them. For example, if onion skins aren’t even used in stock, maybe those can just be dumped on a normal day. Maybe there’s a way to modify the system to only weigh scrap on 1 day out of 7, so that the cost of the system is lessened. I talked about similar issues in security in my “Engineers Are People, Too” talk, and the Elevation of Privilege game is an example of how to make a set of threat modeling tasks more attractive.

Lastly, I want to be clear that I’m using Mr. Shakman and his company as a strawman to critique behaviors I see in information security. Mr. Shakman is probably a great guy and dedicated entrepreneur who’s been taken way out of context in that story. From the company’s website and blog they have some happy customers. I mean them no harm, think what they’re trying to do is an awesome goal, and I wish them the best of luck.

Air Safety: Terrorism and Crashes

There have been two fatal air accidents this week, one in Ukraine in which 170 people died, and one in Kentucky, in which 50 people died. In neither case is terrorism being blamed as I write this.

The safety engineering that makes air travel so safe is astounding. The primary activities, from pilot training to maintenance to operations, are all excellent, and they’ve gotten there through a well-designed feedback loop that analyzes every error. (Oh, to have such a thing in information security! Errors being made public!)

Given that the air safety loop is so good already, and given the enormous resources being put into measures of dubious effectiveness, I’m curious: Would those resources be better spent further improving general aviation safety, or are they relatively well deployed in the areas of passenger and luggage screening?

PS: I know I have readers who are deeply interested in aviation safety. Can I ask you to provide some good links for further reading?