Preface: You likely don’t know me, and that’s ok. In fact, it’s generally how I like it to be. I want to change the world, not just plaster my name all over it as some sort of gratuitous ego stroke.
“The reasonable man adapts himself to the world: the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man.” (George Bernard Shaw,“Man and Superman”)
Jim is an inspiration, not just for his success with Milton Security over the past decade, as he pivots and adapts to changing markets and the needs of his clients, but in his tireless efforts to help others, such as in hiring veterans and his support of “fringe” movements like Security B-Sides, DerbyCon, and his recent foray into the world of security training, dedicating countless hours to building Raspberry Pi units for students, and so on. The list is lengthy, and for good reason. Jim is simply a really good dude who consistently puts himself out there for the betterment of others.
But this piece isn’t about Jim, nor is it about me. Ultimately, it’s about you and – more importantly – it’s about us, collectively, as a community and society and a family.
You see, I don’t want to be “just like Jim.” I want to be bigger and better. And I want you to be bigger and better, too. We all have our own strengths and weaknesses as individuals, but coming together as a unified team creates a much stronger force to reckon with. This is no small thing, nor is it something that everyone will be interested in doing. Moreover, this is not a call for egos to come lead the way. I firmly believe that our best future isnotfollowing the cult of personality, but by being self-managed, mindful, and innovative. We must challenge norms and the status quo. We must find ways to break through to people, organizations, and institutions to accelerate toward a great leap into a new tomorrow. We’re teetering on the razor’s edge, where falling one way devolves into anarchic hell, but the other direction… well, let’s just say, that other direction is pretty darned interesting, filled with wondrous technology, less extremism and hate and anger, and a lot of positivity that raises us all up.
Sound too hipster hippy-dippy? It doesn’t need to be that way. There are, in fact, working examples of a better future, which we all can build upon for a brighter tomorrow.
How To Get To Tomorrow
I believe there are three major keys to propelling us through this modern Dark Age into a better future. To me, that future is one where our organizations fundamentally function differently. “Security” as we know it goes away, instead replaced by a shared responsibility that cuts across all roles as it becomes a mix of embedded practices and emergent property. But getting there might be a little tricky, which means we have to be the beacon of hope that leads the way. Yes, this likely goes against your very fiber of being, forcing you to go out there and have positive interactions with others. It’s certainly a huge challenge these days as we see belief systems polarizing and devolving into extremist, obstinate, and rancorous vitriol. Yet, it’s absolutely necessary, and we know definitively that change must start with ourselves, as we’re the only ones we truly control.
1) Change the organizational model
The starting point – and it’s a biggie – comes with changing our organizational model. What this means in implementation is that we have to fundamentally alter how organizations function, how decisions are made, how people are cared for, how we are toward each other, and ultimately how the business performs. Luckily, there are already several positive examples out there about how this “better” organization might look and function, and one need only look so far as at Frederic Laloux’sReinventing Organizations (which you can download for free/cheap).
(Img src: http://www.enliveningedge.org/wp-content/uploads/2016/04/ReinventingOrganizationsImage-1024.jpg)
One of the top fears expressed in the face of a DevOps initiative is something along the lines of “OMGWE’REALLGONNADIE WE CANNOT LET DEVELOPERS PUSH CODE STRAIGHT TO PRODUCTION!!!” Ironically, when implemented correctly, this is not how DevOps truly functions. This treatise isn’t about DevOps, per se, so I’ll spare you the lengthy explanation of what DevOps is, how it really works, yada yada yada, but I will as an aside point you to an article I wrote a few months backaddressing a few common myths and misperceptions. The point in highlighting this concern here is that you will almost certainly encounter a bit of resistance, perhaps within yourself as well as your organization, when I tell you that there is in fact a radically different and better way to run our orgs.
Interestingly, what Laloux describes in his “Teal/Evolutionary” organizational model is very similar to what we see with organizations that have successfully made the transition to DevOps. In these organizations, we see several attributes emerge, of which I think three are most important:
- Self-management: Everyone within an organization is empowered to make decisions, but they’re also charged with making the best decisions possible. What this means in practice is adhering to what Laloux calls “the advice process” wherein people are required to consult and consider input from all who are directly affected by a decision. He stresses that this is not a consensus process, but rather an information-gathering exercise to ensure that an individual can make the best decision possible. This notion can be quite scary, because it disempowers management, but on the flip side it is highly empowering to everyone else. Following the advice process is imperative, and having a self-managed organization means that with freedom comes great responsibility, and with responsibility must come transparency and accountability.
- Mindfulness: We have to grow beyond ourselves and get out of our own minds, and yet at the same time we need to be cognizant of our own minds and the traps we let ourselves fall into. Otto Scharmer, author of Leading from the Emerging Future: From Ego-System to Eco-System Economies, says “As individuals, we must begin to pay attention to our attention (self-awareness); as teams, we must begin to converse about our conversations (dialogue); as enterprises, we must begin to organize our organizing (networks of networks: eco-systems); and as eco-systems, we must begin to coordinate our coordinating (systems of awareness-based collective action, or ABC).” Mindfulness very much hinges on that first step of “[paying] attention to our attention.” It’s imperative that we look at ourselves as if from afar to understand why it is we’re reacting in a certain way to questions, facts, challenges, etc. Why we feel the way we feel can oftentimes be very informative and lead to new approaches that will effectively break down barriers and allow us to achieve more.
- Wholeness: An interesting generational shift that I’ve observed over the past 25 years has been in how we, as individuals, represent ourselves within the “workplace” construct. It used to be expected that we draw bright lines between “work” and “home,” never allowing overlap or intersection. I even saw this notion being reinforced socially in my upbringing, such as when exposed to fundamentalist indoctrination that hammered on phrases like “be not unequally yoked” (translated at the time as “don’t date outside your church congregation, and sure as heck don’t date someone of a different racial profile” eep!) or even historically in the civil rights movement as it challenged practices like “separate, but equal.” The concept of “wholeness” in Laloux’s organizational model is that we absolutely, positively must allow our whole self to be present in the workplace. We must stop denying parts of ourselves simply because we’re “at work” instead of “at home.” Such a shift has naturally occurred through remote worker policies, but I’ve seen where this has caused conflict between a traditional hierarchical structure wherein traditional, regressive, and recalcitrant HR and executive “leaders” try to enforce strict “workplace” rules onto people’s home work environments. I’ve even heard of HR personnel inspecting home work spaces to ensure that they meet “appropriate standards,” all the while allowing people to decorate their desks and cubicles with various “home life” reminders. The bottom line is that if we are not allowed to show up in our entirety, then everything and everyone suffers for it. We have to embrace ourselves – our whole selves – and the whole selves of those with whom we work. Failing to do this means missing out on social queues, opportunities for positive interactions, and the underlying means to be both passionate and compassionate in our work.
Much more can and should be said about this topic of changing how our organizations function, but I will for now point you once again toLaloux’s book. I strongly believe there is a better way for our organizations to behave, and I think we’re very nearly at that tipping point, thanks in large part to DevOps, in making the turn toward self-managed organizations that grant us freedom and responsibility built on a foundation of mindfulness and wholeness.
(Img src: https://pixabay.com/en/assembly-clown-futuristic-sofa-1706849/)
2) Change the perception and duty of “security”
I gave a talk several years ago titled“The Unintended Consequences of Beat Users Over the Head with Carrot Sticks” that gave the inklings of how to radically change security and hinting at a much more effective future. Not only do we need to change how our organizations function, but we also need to change our entire perspective on this “security” thing. We’ve all heard and said for years (decades?) that “checkbox security” is ineffective, and yet time and time again we end up right back to idiotically defining frameworks that devolve right back to the checkbox mentality. Even when we find potentially useful tools or approaches, they inevitably degrade and devolve. There are several reasons for this, many of which point directly at the organizational model (as previously discussed). However, there’s also something else at play, which is this: You cannot walk around telling people they’re stupid and doing things wrong and hope to get a warm reception that results in meaningful change. Such an approach has been shown repeatedly to fail and, in many cases, backfire. Moreover, we cannot create an enablement culture where responsibility is removed from those with the authority to make decisions. Referring back to the “advice process” mentioned above, decision-makers must be required to seek input from appropriate people, and then they must be held accountablefor the consequences of their decisions.
Interestingly,The Oatmeal recently published a lengthy comic strip on “the backfire effect” and why, when confronted with facts counter to their belief state, people will have a strong negative reaction that actually drives them in the wrong direction. This effect is also frequently experienced in our organizations when we try to force security practices down the throats of IT, development, or executives. Equally important is to remember that people will not change unless they want to change. Fundamentally, this means changing the overarching incentive model within which people exist in order to “encourage” behavioral changes.
Our end goal in changing the perception of “security” must also lead to changing the “duty” of “security.” You’ll notice I keep putting quotes around “security,” and there’s a reason for this (not bad grammar, thank you very much). Much of what has historically been called “security” (or “security practices”) is really nothing more than appropriate and necessary IT operations or good software development. A firewall is generically just another network device. Static or dynamic application security testing is just another form of quality testing and quality assurance. Very little of what has historically been lumped under the heading of “security” necessarily belongs in a separate “security” team or function. In fact, this practice of building separate silos for security practices has created this negative enablement culture wherein people think “Oh, I don’t have to concern myself with X because that’s security’s job.” This mindset is fundamentally and fatally flawed, and can clearly be seen in root cause analyses of incidents throughout the history of modern computing.
As such, we have to change the “duty” of “security” to focus on 1) embedding practices within a more appropriate location, 2) shifting to an accountability structure (as noted above: freedom and responsibility) that also includes a very neighborly education and awareness component, and 3) working to get away from traditional “security” notions altogether (if all that remains of “security” is oversight, consulting (education and awareness), incident response, and maybe a small amount of security architecture, then is it really a “security” team, or is it something else altogether?).
Break the model, break the mindset, break the traditional barriers… reinvent yourself and your team to drive “security” into the core of everything everyone is doing. In this regard we see the “business enablement” argument for security, but it also becomes implicit rather than explicit, allowing for much greater top-to-bottom alignment with business mission, objectives, and priorities.
(Img src: https://pixabay.com/en/display-dummy-board-face-technology-915135/)
3)Live in the future
This final point is going to seem contradictory to the earlier point on mindfulness. After all, much of what we’re taught from dogma is that “mindfulness” means “living in the present.” And, to a degree that’s true and appropriate. We should absolutely be “present” in every moment, being aware of our surroundings, our interactions, and ourselves. BUT… that does not mean we should be settling for the status quo, or allowing our organizations, our communities, and our societies to be static, decaying and degrading to a disastrous end. If you’re not continuing to learn and evolve, then you’re dying, plain and simple. And, sadly, if you look at where the average state of security practices are today across all industries, it’s a good 10+ years behind where most “progressive” thinking rests today.
One of my greatest frustrations over the years is how organizations behind the curve consistently want to take an incremental approach to security. In 2014, while I was still with $bigscaryanalystfirm, I spoke with at least a couple hundred organizations that had small IT shops (typically less than 100 people) and yet have revenue of a billion dollars (US) or more. Which is to say, small organization, but definitely not “small business.” Every one of these conversations had the same structure: “$oversight_entity is very concerned about the recent Target breach and wants to know what we’re doing about it. We think now is probably a good time to start a formal security practice.” It took no small amount of effort and self-control to repress shuddering apoplexy in my response. In my head I was screaming “YOU’RE 15 YEARS TOO LATE AND SHOULD BE JAILED FOR YOUR INCOMPETENCE!” (neither helpful nor constructive), but outwardly my response was always to walk them through the set of “basic security hygiene” practices that they needed to have in place universally, and then talk about how they could “jump to the next curve” (borrowing the phrase from Guy Kawasaki inThe Art of Innovation).
And this is where the notion of “living in the future” comes into play. Don’t just tell people what to do (that rarely seems to work anyway). Don’t just tell people what they’re doing wrong. Don’t just tell people how they’re failing.Show people how to live a better life.All of the touchy-feely things that I’ve discussed throughout this article (and have likely left you feeling quite uneasy) all come back to this very important idea: The future is now, if only you’ll take the first step and show people what it’s like to live in it.
What that future looks like is, of course, highly malleable. But the future is coming right quick, and it is far preferable to get ahead of the changes before the sands shift under your feet and leave you buried or lost.
One of the key changes that is in the very near future is what I call “autonomous computing.” Beyond self-driving cars, trucks, and aircraft, we’re already starting to see autonomy in computing environments (for example, read up on “dark data centers”here, here, and here). Imagine, if you will, that a human will draw up a spec for hardware, which will be shipped to a fabrication facility that is largely automated, which will automate packaging, which robots load into containers driven by self-driving trucks to fully automated shipyards where cranes load them onto ships that leverage automation and GPS to heavily self-navigate to an American port, where another automated crane system will unload the container and place it onto another self-driving truck, which will then pull into a data center load dock, where the container will be unloaded automatically, inventoried, and readied for automatic installation. The design and specs for all these systems and environments will still require a human (for now), but 90%+ of this process will be readily automated in the not-too-distant future. Now apply this thinking to monitoring and response. Do we really need a SOC full of people staring at screens pushing buttons when graphics change colors? Where do we actually need a human in the loop? And let’s not forget about AI (the real AI, not the farcical “AI” we hear about in marketing BS today) that can actually compose poems and interact with people sufficiently to pass the Turing Test. How much bigger of a step will it be for a human to say “Computer, let’s collect data from X and look for anomalies.” while the computer then writes all the code and connectors on the back-end to make this all happen. And here we thought Star Trek was Science Fiction!
Now let’s talk about how we make all of this happensafely and securely. Think of all the data involved in this system and all the ways it can go wrong (ah ha, the “hacker” mindset!). How do we build resiliency into these systems? How do we ensure that autonomous computing isn’t so fragile or so easily compromised that it becomes a house of cards just waiting to collapse on us, bringing civilization down with it.
Or, let’s also look at how aggressively pushing people toward such a reality also helps quietly serve larger societal needs. Think about the potential positive impact on global climate change, or hunger, or even healthcare. But also then consider the potential impact on jobs and well being, even here in a “first world” country. All of this automation means displacing personnel. How do we account for all of that, too?
Living in the future means looking at all of these pros and cons, applying mindfulness, wholeness, and compassion, and finding the best version of ourselves (as individuals, communities, and organizations) and then modeling how to get there. Experimentation and continual learning is a core principle of DevOps, as it is of Laloux’s organizational model. We must demonstrate and live these values, showing people that there can be a better future.
And, yes, there will be skepticism and negativity. We’re all confronted with such things on a regular basis. In fact, many of us are dyed-in-the-wool skeptical burnouts. It happens. But I think there’s a better future just waiting for us, if only we let ourselves experience it.
Embrace automation. Embrace new approaches to running our organizations. Live the values by pushing for small changes, like “freedom and responsibility” and use of the “advice process.” Push for transparency and accountability. Be transparent. Be accountable. Let people make decisionswhile helping them make the best decision possible.
Make the choice to change the world, because I think most of us (maybe all of us) can agree that the world we’re in today is not our final destination, nor is it even a desirable waypoint (it’s like an old rundown highway rest area that stinks horribly, and yet you gotta make that stop).
As Gandhi said, “You must be the change you want to see in the world.”
Ben Tomhave, MS, CISSP
"Principal Security Scientist" atNew Context