Showing posts with label devsecops. Show all posts

Friday, May 1, 2020

Patient Gardening

I was pulling weeds in my garden last weekend, and it struck me that there are a lot of parallels between gardening and cybersecurity.  I’m always overwhelmed when I first look at the garden and see all the weeds and the disorder. I feel really discouraged, because I don’t know where to begin.  My first impulse is to attack everything at once, but every time I take that approach, I never feel like I’ve made any progress when I knock off for the day.  Over the years, I’ve developed a couple of strategies that may help you bring your garden in order, too.


Vertical strategy - Pick a weed
Decide on a single weed, and eradicate it from your garden.  I usually start with dandelions. Dandelions are a good choice from a risk perspective - a single plant can produce up to 15,000 seeds. Their distinctive yellow flowers make them easy to spot.  But dandelions have deep roots, and if you don't get the whole root, it will sprout again and be even harder to pull next time. I invested in a special tool to loosen the soil so I can get the whole root.  Since I'm only targeting dandelions, it’s pretty easy just to walk around the yard with the tool and pull every dandelion I spot. After about 10 plants, I develop a technique and get really good at uprooting dandelions.  I usually don’t need the tool for the next type of weed I choose, so I set it aside once I've gotten all the dandelions. It’s really gratifying to see the dandelions completely eliminated from my property!  Now that I've gotten them down to zero, it will be really easy to spot - and eradicate - any new dandelions that spring up.


Horizontal strategy - Pick a spot
Another way to go about weeding is to pick a small area - say your lettuce patch - and pull all the weeds in that small patch.  This technique is slightly more zen - you may be able to even sit down for a spell and pull all the weeds within reach.  It’s more immediately gratifying to completely purge a patch of weeds down to nothing but soil, and it allows you to get your priority areas to zero-defects.  Once you’ve cleared all the weeds, it’s also easy to keep clean - just pull up anything that pokes through the soil.


The great thing about pulling weeds is that it doesn’t have to be a big project if I don't want it to.  I don’t need a plan to be successful, but I do need a strategy.  It’s a group effort, and every little bit helps - I’ve persuaded each member of my family to pull a couple of weeds on her way out the door (assuming there’s no quarantine).

What are you doing to weed your garden?

Wednesday, March 6, 2019

Flywheels and Bullets

Why are high-performers so much better at executing?  They seem to be able to take on new work and initiatives almost effortlessly and even gain momentum in the process. How do they do it?

There is never a single decision or action that will propel you to excellence.  Success is incremental. Jim Collins, author of Good to Great, writes of what he calls the Flywheel Effect.  Rather than thinking of work as a series of steps, think of it as a well-placed nudge to a wheel that is already in motion.  If you exert the right degree of force at the right inflection point, you will increase the momentum.  It will feel inevitable: if you do A, you almost can't avoid doing B, and C just follows naturally, and so on.  This builds organic momentum.  

Now the problem is discovering what actions propel the flywheel.  Experiment.  Fail as much as you have to, but fail small.  Fail early.  Fail when it's cheap and easy to clean up any mess you make.  Most important, fail while you still have momentum so you can course correct and find the right way to build momentum.   The key is to fail until you find the sweet spot, the synergy. Then you stoke it patiently over a long period of time and you will see that your results begin to amplify.  You will also begin to discern an underlying logic that you can extrapolate into other categories of work. The flywheel principle explains why the Lean principle of failing fast is such a key element.

Another of Collins' dictums is to fire bullets first, then fire a single cannonball.  The idea here is that you can significantly reduce risk and maximize return by starting small.  Fire as many bullets as you need to in order to get your range and windage.  Then, when your target is within perfect range and you are hitting bull's-eyes with the small bullets, bring out the big gun and knock out the target.  In other words: baby step, baby step, baby step, baby step, baby step, baby step, giant leap, baby step, etc.

Slow and steady may win the game, but taking well-timed, calculated risks can provide exponential returns.

Tuesday, February 5, 2019

Tension, Desire, Fear

We're going about cybersecurity all wrong.

I just read a blog post by the ever-inspiring Seth Godin, and this part made me think about what's missing from cybersecurity:
Alas, awareness is not action.
Everyone reading this is aware that Peru is a country. But that doesn’t mean you’ve visited recently, or have plans to go soon.
Everyone reading this is aware that turnips are a root vegetable. But knowing they exist doesn’t mean you’re going to have them for dinner.
Awareness is important, but it is insufficient.
Action comes from tension, desire and fear. Action is the hard part.
By now, everyone in your organization has gotten the cybersecurity memo.  Everyone from the CEO to the person who maintains the grounds knows security is important, and wants to do the right thing. It's condescending, maybe even counter-productive, to treat our colleagues as though they've never heard about security.  Take it to the next level by building the right combination of tension, desire, and fear to inspire our organizations to execute on security.

Most of us security people have the fear part down pat: if you don't do all the security things I tell you to, something really bad is going to happen.  The problem is that we've probably been saying that for years, and nothing bad happened.  The wolf never came, and even if it did, the bite didn't hurt that badly, so everybody stopped listening to the Little Security Boy.  We need to employ other strategies to inspire our leadership and colleagues to action.

One way to create tension is to make it easier to do the right thing than it is to keep doing the same, wrong thing.  Try breaking the problem down into the smallest possible components.  Analyze the work you want done.  What is the logical first step?  What would this process look like if it were easy?  Identify the easy parts, the cheap parts, the fast parts. Once we've done a few small things, we can build on our success.  Remember that it took years for things to get to where they are now, so it's naive to think we can fix them overnight.  What we can do is do something.  We must do something. Today.  Tomorrow.  Every day.  Start the ball rolling - if we can keep it rolling, pretty soon it will gain its own momentum.  First we create the tension by making the work seem easy.

When we think of security, the term desire doesn't exactly jump out. Desire is a positive emotion, and we all have plenty of it.  We desire to do a good job, to be recognized, to do the right thing. We desire less stress, less distraction, more wins.  Everybody knows things could be better, security-wise - they want them to be better.  But they don't know where to start until you create the tension by getting the ball rolling.  Making progress - any progress, even if all we've done is stop the bleeding - starts a virtuous cycle in which the team starts to want to do more. Let's celebrate the work that's been done, no matter how tiny, and try not to remind the team about the mountain of work that still needs to be done.  By focusing on the success, we create the desire to build on that success.

Let's stop talking to people as though they've never heard about cybersecurity.  Let's stop playing the fear card, and build tension to fuel the desire to start moving our organization toward a more secure place.
