I love TED talks. I am not sure if there is a better source for 10-minute chunks of information and inspiration. As I do a fair share of presenting in my career – never on the scale of a TED talk (yet) – I appreciate the nuances of the speeches: the quick pace, the professional demeanor of the speaker, the powerful messages, the simplicity of the delivery. In the quiet times of my day (usually while munching on my lunch at my desk), TED talks provide me with food for thought. Many times I come upon a talk that truly trips something in my brain. This is one of those moments.
This TED talk by Margaret Gould Stewart discusses the design challenges of massive websites, namely Facebook and YouTube. Based on her work managing user experiences for those sites, she outlines a few key nuggets of advice. As I listened to her experiences, I realized these are really good points for CISOs today. While she faced a complex, massive user base, she makes the point that designing for scale is as much an art as a science. CISOs too face a complex challenge and must think about designing a security program that scales. She lists three main points when designing for scale:
The little things really matter. Citing the update of the Facebook “Like” button, the speaker highlights the preparation and study it took to make such a seemingly trivial change. Sound familiar? Oh, this little change to the firewall rule set isn’t a big deal… Oh yes it can be. A CISO must help build a culture in the organization where, when it comes to security, little things DO matter. Those pesky phishing attempts, that suspect attachment on the email, the development server that ‘is just going to be online (unpatched, unsecured) for ONLY a few weeks.’ I did a pen test years ago and happened to stumble onto a password file copied off for safe keeping by an admin ‘for a few days.’ 60,000 cracked accounts and passwords later… You get my point.
Designing with data includes relying on iteration, research, testing, intuition and human empathy. The speaker notes that being “data driven” doesn’t mean making decisions based on numbers alone. Rather, we must use the data to augment and improve our understanding while applying our own context and intuition around those numbers to make better decisions. Context around security data is imperative. It is the context that makes the difference between a non-event and serious malware on a system administrator’s or executive’s laptop. Intuition is critical for a CISO to know when an idea needs to be vetted harder when it comes to risk; human empathy will protect a CISO from being seen as the bully who says “No” every time.
Manage change very carefully. Change is a powerful thing. It can go well. But it can just as easily go really badly. Either way, change is going to happen. The speaker says ‘it’s impossible to completely avoid change aversion when you’re making changes to products that so many people use.’ CISOs face a considerable change management challenge. Security typically interrupts, or at least modifies, how people behave and use products, services or software. An awareness of this impact – understood at the human level – can go a long way in gaining supporters across the organization.
My favorite part of the presentation is the statement of ‘being a part of something that is so big, you can hardly get your head around it, and the promise that it just might change the world.’ That, my security friends, is the definition of being in your role today.