Showing posts with label psychology. Show all posts

30 September 2021

Outrunning the lions…


I’m sure you’ve probably heard the fable of the lion and the camera crew, where the moral of the story is that to survive it’s not necessary to outrun the lion, just the other people. Which is all very profound and wise (and quotable).

Over the years, I have helped hundreds of organisations with their security, and a question I am asked repeatedly is, “how do we compare?” Now, that’s not actually an illogical or unreasonable question to ask, especially by a board member. They are of course used to having their trading results made public, and compared to competitors. And in this regard, their survival as an organisation (and as a leader) indeed depends on them being ahead of their peers.

However, security isn’t like trading figures, and being ahead of their peers probably isn’t going to save them from suffering an incident.

Because the important thing to remember is that in the context of security, the lion isn’t restricted to eating one person at a time, and there are in fact an almost unlimited number of lions.

Cheer up. It’ll all be ok. Probably. ;)

12 July 2016

What do you mean, I’m not the customer?

In case you missed it, there was a little bit of a hullabaloo a while back when people woke up to the fact that for the applications you use for free (like Google, Facebook and Twitter etc.), you’re not the customer. In fact, in this situation you are the product that Google et al. sell to their real customer: the fee-paying advertisers.

It’s the economic reality that underlines why you as a user of Google email will quickly find that there is no support available, whilst in contrast, if you are an Adwords user, Google all but falls over itself to speak to you and encourage you to get more from their system (i.e. spend more money).

And I’m not knocking it. As a model it works well: people who were never going to pay for an email service get one, and in return they surrender the rights to their personal details so that they can be advertised to. A marriage made in heaven.

However, the concept isn’t limited to application vendors, and you don’t need to look too far to see that a very similar model is used elsewhere. For example, as a regular personal banking customer who keeps your bank account within balance and uses a debit card, you make the bank absolutely no profit at all. Which is why the high-street branches have disappeared and the basic level of customer support is tardy.

So where do the banks make their profit from your personal account instead? They make it by selling merchant services to vendors, and taking a percentage from every transaction that you put through their systems. Gosh, I wonder if that’s why there is now a concerted push to ban cash within Europe?

Anyway, whilst you’re not the customer as such in any of these situations, rather amusingly you are still paying for it all (just not transparently, and not at source). For the advertising-driven applications, like Google, the advertisers will obviously be recouping their advertising costs from anything you buy from them. And for the banks, the vendors you visit with your debit card will obviously be adding the merchant fees to your purchase price as an inevitable cost of business.

Now, this week’s homework assignment is for you to notice anyone else operating the same business model and call them out. Bonne chance! ;)

A little adversity goes a long way...

I don’t think I’m remarkably different from other parents in the way I feel about my children: I love them unconditionally, they are my absolute priority in life, and I would do anything for them. However, where I depart from the norm is the way I think about them. As an example of this, after due consideration, I have decided that I don’t want to protect them from harm. Just the fatal stuff.

Why would that be? I believe that, in the same way that inoculations challenge their immune system and make it resilient to disease, bite-sized chunks of adversity will make my children stronger, more self-reliant and more resilient to life’s challenges. Consequently, I encourage them to try new things, and foster a culture of accepting failure as an inherent part of the learning process. Because objectively, it’s no big deal. Simply a necessary stepping stone on the path to success.

And yes, I do eat my own dog food: I have a lifetime’s worth of failure to reflect upon, and it’s done my outlook no harm at all. ;)

Know thyself!

When evaluating security controls, it is common to use self-certification as a way to strike a balance between cost and value. For example, whilst you could pay your auditor to flip every stone in your organisation (thereby funding their progeny through medical school), it makes much more financial sense to focus their time on the areas of greatest risk, or least foreknowledge. So how are these areas generally chosen? Typically, through the answers provided in a questionnaire.

Now, whilst using a questionnaire for the quantitative evaluation of security controls is quite straightforward (you count things that are there, or otherwise), the qualitative evaluation is much more subtle. Mostly because it is difficult to separate the answers from both personal and contextual bias.

My own experience of this has been best informed through interviewing several thousand candidates for consultancy roles. As part of this, I have always used a brief telephone interview as the first step in filtering out any mismatches. And whilst the main purpose of the call is to evaluate the psychology of the candidate, the general format will follow a questionnaire targeted at exploring knowledge in several technical domains, along with detecting any affinity towards a particular Disney Princess.

As part of this interview, each technical domain is preceded with a request for the candidate to rate their knowledge on a scale of zero to five, where zero is no knowledge and five is they know everything. In my experience, the answers to these questions really only fall into three broad buckets: those who consistently answer three, those that consistently answer four, and those that alternate between answering one and four.

In practice, it is a rarity for anyone to answer zero or five, just as it is equally rare for anyone to rate themselves accurately: those with weak knowledge consistently overstate, whilst those with strong knowledge consistently understate (if only as a form of professional modesty).

So what do I personally take away from this?

In my experience, a qualitative questionnaire is almost worthless to leave with someone to fill in later. In fact, even if you go through it interactively with someone, the answers themselves are rarely useful. For me, the real value lies in reading the interviewee’s body language (or aural cribs) as you take them through the questions.

Once complete, you will probably still not have a reasonable qualitative evaluation of any controls, but if you are paying attention, you will know exactly which areas your interviewee is worried about, or doesn’t understand. No matter what answer they actually gave.

There is no spoon. ;)

Why undermining authority figures is good for your children…

As a general approach to life, I tend to be quite happy holding an opinion counter to the crowd. Sometimes it will be something trivial and just a little quirky. At other times, it’ll be something fundamentally against the grain, which might get eyebrows raised and the spittle flying. Always though, it will be because I have taken the time to think about it.

An example of this is the way I look to protect my children. Many of the other parents I have spoken to are horrified to hear that when I was teaching my children about avoiding being a victim of abuse, I wasn’t coaching them to be wary of strangers, but instead I was warning them about family friends, teachers and relatives.

The other parents seemed to feel that I was undermining those in a position of authority, or in some way damaging my children’s idyllic childhood. And whilst I’ll happily admit to the former, I’ll strongly disagree with the latter. Because the statistics for abuse are crystal clear. The people that convention would have us believe are shining beacons of trust simply aren’t. In fact, it is much worse than that. Those that our children are often taught to confide in are actually their biggest threat. Over 90% of the perpetrators of child abuse will be someone the victim knows well [1].

So instead of following convention, I have done everything I can to instil in my children good judgement and self-trust. To be aware of the behavioural patterns in those around them, and to trust their instincts when they notice that they deviate unexpectedly.

That said, a little Jujitsu goes a long way too. ;)

  1. https://www.nspcc.org.uk/preventing-abuse/child-abuse-and-neglect/child-sexual-abuse/sexual-abuse-facts-statistics/

Why date rape drugs are everyone’s problem…

It’s quite likely that you have heard of the so-called date rape drugs, but you think that they are something that happens to people of a different gender, or age range, or social circle. If this is the case, then sadly you are just as wrong as I was, and I shall explain why.

Like some of you reading these words, my knowledge of these drugs used to be based entirely on a few headlines that I had read in the media, plus the Hangover series of films. It’s hardly what I would call encyclopaedic or well informed, but let’s face it: I’m a beardy, middle-aged man and not exactly ripe for being drugged in a bar. Or so I thought.

However, all that changed last year when my group of friends were targeted at a party and our drinks were spiked. To cut a long story short, we were lucky. For a start, I am physically quite large, and didn’t get enough of a dose to entirely rob me of my senses. So we managed to keep ourselves out of trouble, and in all, it ended up being a bit of a scare, but no lasting damage was done.

At this point, it’s worth saying (for those who don’t know) that the effects of this group of drugs tend to be to suppress the conscious, rational part of your mind, and make you very suggestible to things you might not normally do. Along with this, they also disrupt the formation of memories, so afterwards you may only have a vague recollection of events. It’s easy to see why they are called date rape drugs, but it’s not as two-dimensional as that.

In the weeks after my own brush with these drugs, I shared my experience with friends, colleagues and family, and was surprised to find that it wasn’t some freak rarity, but that many of the people I spoke to had their own stories to tell. And the more I listened, the more it became clear that my preconceptions were very wrong, and I imagine that yours might be too, because:

  • It’s not just about sex: many of those drugged were robbed rather than assaulted.
  • It’s not just something that men do to women: many were men who were raped by other men, or men who were robbed by women.
  • It’s not just strangers who are a threat: many were drugged by someone they knew, such as a colleague or relative.
  • It’s not just the naïve who were caught out: some were among the brightest, most street-wise people I know.
  • It’s not just something that happens to youngsters: many were adults with families of their own.
  • It’s not just something that happens in bars and clubs: many incidents occurred after meals, in homes, or at office events.

And if after reading all that, you are still thinking it is nothing to do with you, then I’ll leave you with a final cheery thought. Due to circumstances, most of those drugged didn’t realise what had happened until much later and any evidence was long gone. So even if they knew who drugged them, they felt helpless to act.

Out of all the stories I heard, an unpalatable aspect was that only one person was held to account: a co-worker who had been fired, but had received no criminal record. Which means that every single one of them is still out there, free to repeat their actions as they wish. That’s a lovely thought, isn’t it?

So, do you still think it’s something that happens to other people?

Act your shoe size, not your age…

When I was but a wee lad and dinosaurs still roamed the earth, one of the insults I would regularly trade with my peers was the classic, “act your age not your shoe size”. Which makes sense if you are eight years old and using UK shoe sizes, but probably doesn’t work so well if you are older or live elsewhere in the world… Or does it?

For you see, somewhere between then and now, my reading list expanded to include a broader church than just Whizzer and Chips. And along the way I bumped into Zen Buddhism’s concept of Shoshin, or “the beginner’s mind”.

For those not familiar with Zen, Shoshin is in essence the ideal way that a beginner might approach a new topic: fully conscious of their lack of knowledge, but open minded and eager to learn. It’s a concept that lives in the same postcode as Proust’s “new eyes”, only several houses further along the street.

So armed with this new perspective, if we were to head back to the playground of my youth, the insult is gone and instead the words become a marshalling cry to see the world anew, without assumption and prejudice. Which is no bad thing.

What was the last insult you traded, that turned out (with thought) to be anything but?

A brief thingy of time…







One of the things I love about having children is that at times I find myself starting to explain something to them, only to realise mid-flow that I am struggling to put a complex concept into words that they can readily understand. Because the sobering truth of the matter is that if you can’t do so easily, then you need to accept that you don’t actually know the subject that well yourself. Ouch.

This week’s ego-deflating moment came after I had finished watching a film with my fourteen-year-old daughter. The film had an aspect of time jiggery-pokery to it, and she was saying that it didn’t make sense that someone in the past might know what would happen in the future. The conversation wandered on through some of the possible ways that I thought this might happen, such as parallel universes, time dilation, and gravity lensing, et al. And whilst she appeared to be interested (or was doing a great job of faking it) I was acutely aware that some topics which I thought I understood well had suddenly become peppered with terms like “thingy”. A sure sign that something wasn’t quite right.

Fortunately, I am the kind of person who is perfectly comfortable with finding that I have gaps in my knowledge. Mostly as (rumour has it) I’m also bright enough to recognise them as opportunities for growth and to backfill them quickly, given the opportunity.

This isn’t an approach that is universally embraced though, and I’m sure that you can think of times where you may have met someone in a professional context who clearly didn’t know their subject matter well, yet wouldn’t simply close their mouth.

What was the last “thingy” moment you had, and what did it prompt you to (re)learn?