Keeping It Supremely Simple, the NASA way

Any regular reader (hello to both of you) will know that I also follow an ex-NASA engineer/manager by the name of Wayne Hale. Having been at NASA for much of his adult life and involved across the board, he brings a fascinating view of the complexities of space travel and, just as interestingly, of risk.

His recent post is about damage to the Space Shuttle’s foam insulation on the external fuel tank (the big orange thing), and the steps NASA went through to return the shuttle to active service after it was found that loose foam was what had damaged the heat shield of Columbia, resulting in its destruction. His insight into the machinations of NASA, the undue influence of Politics as well as politics, and the fact that ultimately everything comes down to a risk-based approach make his writing compelling and above all educational. This is writ large in the hugely complex world of space travel, something I would hazard a guess virtually all of us are not involved in!

It was when I read the following paragraph that my jaw dropped a little as I realised that even in NASA many decisions are based on a very simple presentation of risk, something I am a vehement supporter of:

NASA uses a matrix to plot the risks involved in any activity.  Five squares by five squares; rating risk probability from low to high and consequence from negligible to catastrophic.  The risk of foam coming off part of the External Tank and causing another catastrophe was in the top right-hand box:  5×5:  Probable and Catastrophic.  That square is colored red for a reason.

What? The hugely complex world of NASA is governed by a five by five matrix like this?

Isn’t this a hugely simplistic approach that just sweeps over the complexities and nuances of an immensely complex environment where lives are at stake and careers and reputations constantly on the line? Then the following sentence made absolute sense, and underscored the reason why risk is so often poorly understood and managed:

But the analysts did more than just present the results; they discussed the methodology used in the analysis.

It seems simple and obvious, but the infosec industry very regularly talks about how simple models like a traffic-light approach to risk just don’t reflect the environment we operate in, and how we have to look at things in a far more complex way to ensure the nuance and complexity of our world is better understood. “Look at the actuarial sciences” they will say. I can say now that I don’t subscribe to this.

The key difference with NASA, though, is that the decision makers understand how the scores are derived and then discuss that methodology, so the interpretation of that traffic-light colour is far better understood. In his blog Wayne talks of how the risk was actually talked down based upon the shared knowledge of the room and a careful consideration of the environment in which the risks were presented. In fact the risk as it was initially presented was de-escalated, and a decision to go ahead was made.

Imagine if that process hadn’t happened; decisions might have been made based on poor assumptions and a poor understanding of the facts, the outcome of which had the potential to be catastrophic.

The key point I am making is that a simple approach to complex problems can be taken, and that ironically it can be harder to make it happen. Everyone around the table will need to understand how the measures are derived, be educated on the implications, and be in a position to discuss the results in a collaborative way. Presenting an over-complex, hard-to-read but “accurate” picture of risks will waste everyone’s time.
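To make the point concrete, here is a small added example (mine, not anything from the post or from NASA) of what “understanding how the measures are derived” looks like in a risk register: a 5×5 matrix where a colour can never be recorded without the reasoning that produced it, and where a re-rating after discussion keeps the earlier assessment on record. The intermediate probability and consequence labels, the band boundaries for red/amber/green, and the rationale strings are all assumptions constructed for illustration; only “probable” and “catastrophic” at 5×5 come from the post.

```python
"""Added example, not from the original post or NASA: a minimal 5x5 risk
register that stores the methodology alongside the score.

Assumptions (not from the post): the intermediate axis labels, the
red/amber/green band boundaries, and the sample rationale text.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# 1..5 on each axis; only the 5/5 labels ("probable", "catastrophic")
# are taken from the post, the rest are assumed.
PROBABILITY = {"improbable": 1, "remote": 2, "occasional": 3,
               "likely": 4, "probable": 5}
CONSEQUENCE = {"negligible": 1, "marginal": 2, "moderate": 3,
               "critical": 4, "catastrophic": 5}


@dataclass
class Assessment:
    probability: str
    consequence: str
    rationale: str      # the methodology: why these two ratings were chosen
    assessed_by: str

    @property
    def score(self) -> int:
        # Position in the matrix, expressed as probability x consequence.
        return PROBABILITY[self.probability] * CONSEQUENCE[self.consequence]


def colour(score: int) -> str:
    """Map a matrix score to a traffic-light band (assumed boundaries)."""
    if score >= 15:
        return "red"
    if score >= 8:
        return "amber"
    return "green"


@dataclass
class Risk:
    name: str
    history: list[Assessment] = field(default_factory=list)

    def assess(self, a: Assessment) -> str:
        """Record an assessment; refuse one that carries no methodology."""
        if not a.rationale.strip():
            raise ValueError("a rating without its methodology is not reviewable")
        self.history.append(a)
        return colour(a.score)

    def current(self) -> Assessment:
        return self.history[-1]

    def rerate(self, a: Assessment) -> tuple[str, str]:
        """Re-rate after discussion. Returns (old_colour, new_colour) so a
        de-escalation is visible, and the prior assessment stays on record."""
        old = colour(self.current().score)
        return old, self.assess(a)


def foam_example() -> tuple[str, str, str, int]:
    """Constructed walk-through mirroring the post: an initial red rating,
    then a re-rating once the room has discussed the analysis method."""
    risk = Risk("foam shedding from the external tank")
    first = risk.assess(Assessment(
        "probable", "catastrophic",
        "constructed rationale: probability taken from the analysts' model",
        "analyst"))
    old, new = risk.rerate(Assessment(
        "remote", "catastrophic",
        "constructed rationale: probability lowered after the methodology "
        "behind the model was discussed and narrowed in review",
        "review board"))
    return first, old, new, len(risk.history)


if __name__ == "__main__":
    print(foam_example())
```

The useful property is the one the post describes: the colour is an output of a stated method, the method travels with the score, and a de-escalation leaves both the original rating and the reason for changing it in the record.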

And if they don’t have time now, how will they be able to read Wayne’s blog?



Price versus Value; Why it is Important in Information Security

Running my own business now means I have to work out how much I am going to charge for my services, and if the market (or client) is going to be willing to pay me that price. It makes for an interesting internal dialogue, especially as I have always been told to not sell myself short or underestimate the skills I have and the value they bring to a client.

I recently lost out on some work because the client decided to go with somebody established rather than a new company like me. To be fair to them they had paid me well for five days consultancy to help them work out what they wanted, and they were very pleased with what was delivered so I honestly thought they would choose me. Hubris at its best I suppose.

I suspect that by going with a larger, established company they may well be paying less than I quoted (it was assistance with ISO 27001 certification, by the way). The established company would have a larger range of resources, some certainly more junior than me and the people I was going to subcontract with, a tried and tested approach they have used hundreds of times before, and larger resources to back them up throughout the process. The client will certainly become compliant and obtain the certification.

Now, I am not going to denigrate the work this competitor does, but I imagine they would be very task oriented, focussed on getting the certification for their client and ensuring they come back year after year for more support. Then they will be onto the next job and doing the same thing again in short order. I have been a part of this process myself in my old consulting days.

So what value would someone like me bring then, especially if the end goal is the same, i.e. certification? Put simply, I strongly believe in the differing cultures of one company to the next, and that what is left at the end of the certification needs to be reflective of that culture and able to be adopted for the long term. That means policies, procedures, communications and the overarching ethos of the programme must be in harmony with the client’s vision and goals. That is very hard to do with a boilerplate approach. I guess it comes down to “the personal touch” as well as a somewhat selfless approach in ensuring the client is educated enough along the way that they could actually go through the process again with significantly less of your support.

Is it the most immediately profitable approach? Of course not, but it is how you build “sticky” relationships with potential clients by ensuring they see you are there for their benefit and not yours. With a bit of luck this will mean more opportunities with them in the future or recommendations to other potential clients.

There are certainly no hard feelings between me and the client I mentioned at the beginning, they are lovely, honest and transparent people who I enjoyed working with and who paid me a fair price for my time in the analysis phase, and I really do wish them the best of luck in their certification with their new vendor.

I just hope they call me when they realise what they could have had. <Disengage hubris mode>


A Lot of Talking…

One month in and (TL)2 Security seems to be attracting a fair amount of interest, which is very heartening. What I am not used to, however, is projects just disappearing. In my old day job, if I decided to pursue a project we got onto it and did it until it was finished or I decided to abandon it. In my new world that decision is not up to me, and so a number of leads have, as is the normal course of things, just gone cold on me.

It is, to say the least, very disconcerting, and I have a new found respect for salespeople as a result. Who knew I would be uttering those words today?

That said, I am also keeping busy preparing for two big speaking engagements coming up:

One Identity UNITE Conference, April 1 – 4 2019

This is a new conference for me, and one where I am doing the closing Keynote of the main conference on Wednesday 3rd April.

A closing keynote is an interesting one to do, and I discussed this with the organisers in a preparation call; the delegates will be tired and need buoying up, the message needs to be uplifting and inspiring, and it does not need to be technical or even a core message from the conference.

To that end I will be talking about trust, why it is important, how we lose it and what to do when that happens. Trust is key in IAM, not least because it is a fundamental tenet of uniquely identifying someone before authorising them to a system. But it also matters as we continue to gather more and more details about people in order to ascertain their identity in the first place. I opened a business bank account recently and had to take a photo of my passport to be uploaded in order to be correctly identified. I have to trust that the bank will not lose my passport details or sell them on, and if they do, what are they going to do about it?

Wednesday 3rd April: Won’t Somebody Think of the Users? – Auditorium

I am looking forward to the conference, and while it is driven by a vendor for its users the agenda looks to be very engaging across the board. Any vendor that avoids selling directly during events like this is always OK in my books!


European identity & Cloud Conference, May 14 – 17 2019

I have worked with Kuppinger Cole at this conference (and a couple of their other ones) since 2014; they put on a fantastic show with great talks and a wide range of workshops and topics. The setup is very professional, and the staging and production values are very high. As a speaker it is an absolute pleasure, as everything is taken care of, your requests are taken seriously and they do their best to make the environment as easy as possible to work in.

In my experience, most conference organisers will focus mostly on the attendees; after all, they are the ones that are paying to attend. Speakers are often bundled around, ignored until five minutes before we are required, told we have to use their Windows XP laptop with PowerPoint 2011 on it, and then quickly forgotten about.

Not so Kuppinger Cole. Given that I have spoken at their conferences some five times and enjoyed every part of it, not only do they like what I do, but I also like what they do. To be fair, they also like to get value for money out of me, so I am going to be presenting one keynote and then be involved in two other talks:

Tuesday 14th May: Facing the Post-GDPR Reality – Auditorium

Wednesday 15th May: How Traditional IAM Will Change Within the next 5 Years – ALPSEE

Wednesday 15th May: Panel: Anonymisation and Pseudonymisation – What Is It and Why Does It Matter? – AMMERSEE I

What I also like about working with Kuppinger Cole is that these are the titles they gave me. I could change them if I really wanted, but as they stand they challenge me to create interesting content and take it in a direction I may not have originally thought of.

Ultimately, what I am saying is come and see my talks, as I will be delivering with a smile and from a good place (not just the stage), and in fact every speaker will be doing the same. Come and see the difference a happy speaker makes at a fabulous conference!



What, No Expense Account? My RSA 2019 Itinerary

Yes, you read it here first, I will not be jetting into San Francisco on my private jet and staying at a hotel I wouldn’t tell you plebs about anyway.

RSA 2019 will be a first for me in that I am representing myself and not expensing my trip on the company dime. I am attending in part thanks to the generosity of ITSP Magazine (cheers, Sean and Marco!), and all I have to do in return is type a few words out for them. They may already be regretting that decision after seeing me insulting you, dear reader, in the first sentence of this blog.

I often attend RSA without a solid itinerary, getting a lot of value out of the “hallway track” and the multitude of events that are thrown in and around the city during the conference proper. However, since I now have some of my personal cash invested in this trip (I am staying in an AirBnB with a shared bathroom, for goodness’ sake), it is probably wise to get at least some kind of structure together. To wit:


Oh, the inhumanity…

The Sessions

  • HUM-T06: Humans Are Awesome at Risk Management
  • DevOps Wine-ing (Not Whining) Cocktail Party
  • ID-T07: Studies of 2FA, Why Johnny Can’t Use 2FA and How We Can Change That
  • CXO-T09: How to Manage and Understand Your Human Risk
  • InfoSecurity Magazine Breakfast Briefing
  • Threat Modelling Brunch with IriusRisk
  • Security Blogger Awards (is it still on this year?)
  • KEY-R02S: Burnout and You: Fireside Chat with Dr. Christina Maslach
  • CXO-R11: The Fine Art of Creating a Transformational Cybersecurity Strategy
  • PROF-F01: Five Secrets to Attract and Retain Top Tech Talent in Your Future Workplace
  • PROF-F02: Why the Role of the CISO Sucks and What We Should Do to Fix It!

In summary then, risk, stress, strategy and human beings; all the key ingredients of any information security function.

This is my first cut of the agenda, and I reserve the right to not attend these and attend others, especially if some of my friends, colleagues, old drinking buddies and interesting random strangers turn up. Because that is what RSA is really about; meeting, networking and swapping ideas and opinions in real time.

The educational element is excellent of course, but it is rare that the talks will address exactly the problems you are facing day to day. You will learn something, you will expand your knowledge and you will take fantastic advice away with you, but it is rare that you will get an hour face to face with the speaker. Taking the opportunity to really network and chew the fat with your old chums, as well as new ones, is an invaluable way of really focusing your efforts.

Of course I have some specific goals (remember my reason for staying in the AirBnB?); I will be networking to find potential consulting work in the future, looking for NED or advisory positions, and seeing what is coming on the horizon from the many vendors. I am also interested to see if Artificial Intelligence code has actually been written in anything other than PowerPoint, although I suspect I will be disappointed again on that front. Meeting my old boss and mentor, my old Deputy, a multitude of other pals, even the guy who reckons he is the sole founder of Host Unknown (when everyone knows that is me), is just icing on the cake. I am definitely looking forward to catching up with the person who said I could use their hotel room bathroom too.

There will also be a Host Unknown party, brought to you by the kind sponsorship of anyone who turns up, just like last year in Las Vegas during Black Hat and DEF CON. I have heard at least two of the sole founders will be there to welcome the dollar bills of sponsorship from the attendees.

It’s going to be a long, endless week, but I do know that I will come back with more knowledge, more passion, more energy and more excitement for our industry than ever before.

And a whole lot less cash in the bank, so if you see me, don’t forget to offer food and drink.


The Art of the Presentation (Part 1 of 3)

In a post a few years ago I talked about The Art of the Conference, and what conference organisers can do to improve their conferences and make lives easier for their presenters. I was reminded of this post again recently as this is the sixth year that I am mentoring a rookie speaker at BSides London, and in my initial conversation with them I discussed a three stage approach to creating, practising and delivering the talk (the latter of which touches on the content of my previous post).

This post focusses on the first part of this process, the actual creation of the talk.

The Idea

This is actually the hardest part of the entire process (aside perhaps from actually standing in front of 200 people, of course). In my experience many people try not only to come up with a wholly unique idea, but then to explore it in too much detail. Given your talk will probably be competing against many other talks, the easiest way to make yours stand out is with its simplicity. Take the core of a topic and honestly ask yourself what your view on it is: do you agree with it, if not why not, what could be better, what is your experience of it and how have you addressed it? By keeping it simple your audience will have more chance of remembering what you said. This process could take anywhere from minutes to weeks and weeks, dependent upon your experience, knowledge and confidence. Don’t assume, however, that just because you have an opinion everyone else is fully aware of it either; if nothing else you are bringing your own unique viewpoint.

The Creative

This is a point at which your approach may differ, but I have always found this the best way of actually inspiring myself and getting my story straight. I fill a sheet of paper with boxes (below) and then start to sketch out (not always legibly) the approach I am going to take on the deck I produce. I do this because it ensures I don’t write any actual prose on the topic; personally, when I do that I find it very difficult to then pull myself away from the prose when presenting. It is a mental block of sorts, of course, but this approach allows me to sketch out the story of my talk without having to get attached to a certain way of saying things.

I try and avoid too many words as they are a distraction to the audience, and focus on high resolution images that help embellish my point or provoke an appropriate reaction from the audience. There are some very good books on creating slides for presentation that I have referenced, Presentation Zen and Slide:ology; I strongly recommend these to anyone who wants to up their game on the visual presentation side of things.

This approach also allows you to build a story; making sure your presentation has a beginning, middle and end helps draw your audience in. What talk would you rather watch…

My talk is about a simple technology we used to allow someone to Tweet over a phone call.

or

John Doe is a man who was imprisoned on the flimsiest of evidence and with ludicrously high bail. He had restricted access to legal counsel and even family were not allowed to visit him. His entire campaign for justice was focussed around his significant Twitter followers, and given his elevated fame in his industry was where most of his support would come from. Here is the story of how we used a Raspberry Pi, two cans, a length of string and Python to allow him to live Tweet from his weekly phone call, directly and un-redacted, and ultimately beat the corrupt government that had arrested him.

Your approach needs to be simple, but that doesn’t mean it needs to be dull.

The Timings

Timing a presentation is very difficult, but after some experience I have found I can not only tell roughly what the length of a presentation created like this will be, but can also vary it in length, sometimes by up to 100%. The other rule of thumb is to divide the number of minutes you have by the number of slides. One slide for roughly every minute is a good place to start, but keep an eye out for when that number increases. Trying to cover more than one slide every 15 seconds is going to be very challenging.

The Takeaways

I often say that people will remember less than 30% of what you said less than 30 minutes after you have finished speaking. Not only is this where the simplicity of your deck is important, but making sure you leave the audience with clear activities or advice on what to do next is also vital. If you don’t do this, you will leave the audience somewhat nonplussed even if your content is great. As one close friend of mine said to me after I had asked for feedback:

It was a good talk, but I got to the end and thought “meh, so what?”

Your talk can be interesting, but if it doesn’t have a point, you will always be in the “meh” zone.

Next time (or maybe the time after), The Art of the Presentation (Part 2 of 3) – Practising.