Leadership Mode Activate

Congratulations, you’re getting promoted! You have excelled at the Thing You Do to such a degree that you’ll now be leading a whole team of people who Do That Thing. Very responsibility, much excite.

Okay wait, you may say. That’s cool, but I like Doing the Thing. I’m pretty good at it, and if I’m leading a team, will I still get to do it? Will I still get to perform the work that got me to where I am today?

The short answer is: Yes, you can! If it’s important to you to keep doing some “individual contributor” work as a manager, you can make that happen.

The long answer is: Well, you can. Like, if Mark Zuckerberg wants to go in and make some code changes to Facebook, he has the authority necessary to do that. And reportedly, in frustration with a pet bug or issue, Zuck has been known to bang out a fix and submit a merge request – which then hits a series of roadblocks around coding guidelines, localization, automated testing, and oh god why is this stuff so complicated these days ughhhhh.

And that’s good. It’s helpful for leaders to get their hands dirty from time to time, to get caught up on what their teams are doing, how they’re doing it, and get more context for the detail work involved.

But let’s be honest. Is Mark Zuckerberg’s time best spent mastering Facebook’s latest pull request rules around internationalization flow, or would that same time be better spent, I don’t know, figuring out how Facebook can ruin the world less?

As a manager, you too need to consider these tradeoffs. Yes, you have the ability to dig in and do the work yourself, but you now have a specialer ability: you can multiply your efforts across a whole group. As a leader, you’re in a position to solve bigger problems than you ever could by yourself, since you can deploy the full force of a team.

Leadership Mode Activate – Allen Pike

I could do without the Zuck reference, but the message is sound. This was something I struggled with when I became the manager of not just a team but a large team of people with arguably better skills than mine. Securing budget, running interference, talking with customers, and playing politics (albeit poorly) were more valuable than me changing firewall rules or adding a static route or running down anomalous traffic patterns.

Oh, I could also do without the giant robot analogy.

Still a good article.


An Outcome-Based Analysis of U.S. Cyber Strategy of Persistence & Defense Forward


The new U.S. Cyber Command (USCYBERCOM) vision and the Department of Defense Cyber Strategy embody a fundamental reorientation in strategic thinking.

With the publication of these documents, as well as the 2017 National Security Strategy and the 2018 National Defense Strategy, there is a general conception among experts that the U.S. has, for the first time, articulated a strategy that truly appreciates the unique “symptoms” of cyberspace. The documents recognize that there is a new structural set of dynamics associated with the new domain of cyberspace that has incentivized a new approach to power competition—in particular, that hostile or adversarial behavior below the threshold of armed attack could nevertheless be strategically meaningful (that is, change the balance of power).

Yet most cyber experts have also argued that the ‘medicine’ prescribed by the Defense Department and USCYBERCOM should be further scrutinized. Indeed, the side effects of the strategy of “persistent engagement” and “defense forward” are still ill-understood. As we have argued elsewhere, a United States that is more powerful in cyberspace does not necessarily mean one that is more stable or secure. More research is required to better understand adversarial adaptive capacity and escalation dynamics.

(Via Lawfare – Hard National Security Choices)


CCleaner 5.50 with new options to control program updates


A new version of the file cleaning software CCleaner for Windows, version 5.50, features new options to control program updates.

The year 2018 has not been a very pleasant one for Piriform, maker of CCleaner, and Avast, Piriform’s parent company. The integration of Telemetry collection, first without clear options to disable it and turned on by default, and forced automatic updates to a new version of CCleaner, were two of the major blunders in that year …

Closing Words

One cannot say that Piriform is not trying. The company introduced privacy options in the program after users complained about the new data collecting and the lack of options to turn Telemetry off. Now, after users complained that CCleaner would auto-update itself in September, options are introduced to control these updates in the program.

The ride would have been a lot smoother for Piriform if the company would have introduced these options before it made the changes or pushed the automatic update to CCleaner installations.

Now You: Do you still use CCleaner?

(Via gHacks Technology News)

My answer is no, I do not trust CCleaner or Piriform or Avast. You should make your own decision, but my counsel is against trusting them.


Why Passion is Overrated (instead, here’s what you should do)


I often hear people say if they only had a real passion, they would be able to follow it, break free from their mundane job and create their dream life.

But what to do when you don’t have a passion? Are you just supposed to wait until it one day magically drops from the sky to rescue you?

I feel there’s this mistaken belief, that some people ‘have a passion’ for something, which enables them to live a fabulous, meaningful life, whereas others don’t and thus are stuck in the hamster wheel.

… What do I love doing, I asked myself? I felt completely blank and confused. It didn’t help that well-meaning family members and friends just told me to follow a different passion. What if I didn’t have one?

This is where a lot of people get stuck.

I was certainly stuck until I realised that doing something is better than doing nothing. You learn a lot from doing something. Anything is better than nothing.

(Via Pick the Brain | Motivation and Self Improvement)

Japan impresses me. There are restaurants and shops and ryokan that have been operating for years or decades or longer where they focus on what they do, they take pride in what they do, and they refine how they do what they do in evolutionary rather than revolutionary ways. Watch Jiro Dreams of Sushi for an extreme version of this mindset. This is changing, of course.

Back on the late, lamented PVC Security podcast we talked often about “finding your passion”. It sounds nice, but I think we did our listeners a bit of a disservice. We did talk about how to find your passion a little, but we failed to properly acknowledge other paths and the realities of life.


Rules for … Sanity

Rules for Online Sanity:

Loving these rules for Online Sanity put together by Kai Brach. If you’re not subscribing to his newsletter Dense Discovery, you’re missing out. Super thoughtful and full of delight. Here’s the newsletter I found this gem in.

(Via swissmiss)

Other than #6, these apply to life and work and being. Drop the “online” reference from #2 and you have a decent set of communication precepts.


What Happened to Cyber 9/11?


A recent article in the Atlantic asks why we haven’t seen a “cyber 9/11” in the past fifteen or so years. (I, too, remember the increasingly frantic and fearful warnings of a “cyber Pearl Harbor,” “cyber Katrina” — when that was a thing — or “cyber 9/11.” I made fun of those warnings back then.) The author’s answer:

Three main barriers are likely preventing this. For one, cyberattacks can lack the kind of drama and immediate physical carnage that terrorists seek. Identifying the specific perpetrator of a cyberattack can also be difficult, meaning terrorists might have trouble reaping the propaganda benefits of clear attribution. Finally, and most simply, it’s possible that they just can’t pull it off.

Commenting on the article, Rob Graham adds:

I think there are lots of warnings from so-called “experts” who aren’t qualified to make such warnings, and that the press errs on the side of giving such warnings credibility instead of challenging them.

I think mostly the reason why cyberterrorism doesn’t happen is that what motivates violent people is different from what motivates technical people, pulling apart the groups who would want to commit cyberterrorism from those who can.

These are all good reasons, but I think both authors missed the most important one: there simply aren’t a lot of terrorists out there. Let’s ask the question more generally: why hasn’t there been another 9/11 since 2001? I also remember dire predictions that large-scale terrorism was the new normal, and that we would see 9/11-scale attacks regularly. But since then, nothing. We could credit the fantastic counterterrorism work of the US and other countries, but a more reasonable explanation is that there are very few terrorists and even fewer organized ones. Our fear of terrorism is far greater than the actual risk.

This isn’t to say that cyberterrorism can never happen. Of course it will, sooner or later. But I don’t foresee it becoming a preferred terrorism method anytime soon. Graham again:

In the end, if your goal is to cause major power blackouts, your best bet is to bomb power lines and distribution centers, rather than hack them.


(Via Schneier on Security)


The SEC and Cybersecurity Regulation


American companies are getting hacked, and the Securities and Exchange Commission wants corporate executives to do something about it. According to a White House Council of Economic Advisers report released earlier this year, malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016. The report acknowledged a widely recognized root of the problem: “[C]yberattacks and cyber theft impose externalities that may lead to rational underinvestment in cybersecurity by the private sector relative to the socially optimal level of investment.”

But despite outrage and hearings in Congress after major breaches, like the Equifax hack disclosed last year, Congress has not passed new legislation. There is no current central federal mandate that offers protections for personal data. Instead, as a legal treatise puts it, the U.S. “has a patchwork system of federal and state laws and regulations that can sometimes overlap, dovetail and contradict one another.” It’s in that context that the Securities and Exchange Commission (SEC) has, under its authority of enforcing the federal securities laws, steadily increased its regulation of cybersecurity-related matters. A top SEC official said last year that: “The greatest threat to our markets right now is the cyber threat.” And SEC Chairman Jay Clayton told the Senate Banking Committee that in regard to cyber attacks, companies “should be disclosing more” and that there should be “better disclosure about their risk portfolios and sooner disclosures about intrusions.” In another statement, Clayton announced:

The Commission is focused on identifying and managing cybersecurity risks and ensuring that market participants––including issuers, intermediaries, investors and government authorities––are actively and effectively engaged in this effort and are appropriately informing investors and other market participants of these risks.

The SEC’s jurisdiction covers a considerable range of cyber-related issues. This post tracks the commission’s strategy for incentivizing investment in cybersecurity defenses by mandating disclosure and imposing liability on the victims of data breaches. Recent SEC activity suggests that this is a direction the agency is headed in, particularly with little sign of cybercrime slowing anytime soon.

The SEC’s Cybersecurity Foray

In 2011, at the urging of Sen. Jay Rockefeller, then the chairman of the Senate Commerce Committee, the SEC’s Division of Corporation Finance issued guidance on companies’ disclosure obligations relating to cybersecurity risks and cyber incidents. The document established that: 

The [Securities Act of 1933 and Securities Exchange Act of 1934], in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision. Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures …

The SEC then went on to identify several specific areas that require disclosure of cyber-related information, including investment “risk factors,” the business’ description of itself, and disclosure controls and procedures, among others. The SEC later affirmed the importance of these guidelines in a 2014 roundtable event convened shortly after the release of the NIST Cybersecurity Framework. At that event, SEC chairwoman Mary Jo White stated: “The SEC’s formal jurisdiction over cybersecurity is directly focused on the integrity of our market systems, customer data protection, and disclosure of material information.” Following the roundtable, the SEC’s cybersecurity oversight principally consisted of issuing further guidance documents, risk alerts, and, in some cases, directing companies to disclose information on specific cyberattacks in comment letters.

Liability for Victims of Breaches

In October 2015, the agency brought its first action against a corporation that suffered a data breach. Under Regulation S-P, which requires financial firms to adopt written policies and procedures that are “reasonably designed” to protect customer records and information, the SEC found that a St. Louis investment firm had failed to establish cybersecurity policies and procedures in advance of a data breach that compromised the information of approximately 100,000 people. The firm ultimately settled with the SEC for $75,000. In announcing the settlement, an SEC official noted: “[I]t is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients.”

In 2016, the SEC again brought an action under Regulation S-P. After a former Morgan Stanley employee downloaded data related to 730,000 accounts to his own personal server, which was then likely hacked by a third party, the bank agreed to a $1 million penalty. (The employee, Galen Marsh, also pleaded guilty to illegally accessing confidential client information.) In particular, the SEC order noted that Morgan Stanley’s policies and procedures failed to include “reasonably designed and operating authorization modules … that restricted employee access to only the confidential customer data as to which such employees had a legitimate business need; auditing and/or testing … and monitoring and analysis of employee access.”

The Creation of the Cyber Unit and the Commission’s 2018 Guidance

In September 2017, SEC Chairman Jay Clayton issued what a Washington Post report described as “an unusual eight-page statement on cybersecurity.” In that statement, Clayton revealed that hackers had breached an SEC network that stored documents filed by publicly traded companies, potentially giving the intruders access to nonpublic information. In that same statement, Clayton also laid out a broader strategy for policing public companies’ cybersecurity strategies. He said:

[T]he Commission incorporates cybersecurity considerations in its disclosure and supervisory programs, including in the context of the Commission’s review of public company disclosures, its oversight of critical market technology infrastructure, and its oversight of other regulated entities, including broker-dealers, investment advisers and investment companies.

Then, a few days later, the SEC announced the creation of a Cyber Unit within its Enforcement Division; the new unit would be tasked with “targeting cyber-related misconduct.” Outlining the Cyber Unit’s priorities in a speech, an SEC official explicitly pointed to “requir[ing] registered entities to have reasonable safeguards in place to address cybersecurity threats” and “cases where there may be a cyber-related disclosure failure by a public company,” among others.

Next, in February 2018, the commission voted unanimously to approve a “statement and interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.” The SEC described the new document as “reinforcing and expanding upon the staff’s 2011 guidance.” One area where the commission affirmatively noted that it had gone further than the staff guidance was in articulating “the importance of cybersecurity policies and procedures.”

The first part of the document tracks the specific disclosure obligations first announced in the 2011 guidance. In a company’s periodic reporting, the document said, disclosure of cyber risks and incidents is generally necessary for a company’s: business and operations, risk factors, legal proceedings, management discussion and analysis of financial condition and results of operations, financial statements, disclosure controls and procedures, and corporate governance. Exemplifying its effort to compel companies to more rigorously consider cyber risks, the commission added a disclosure requirement for “the nature of the board’s role in overseeing the management of [cybersecurity] risk.”

After that, in a section titled, “Policies and Procedures,” the SEC recommended that: “Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder.” The SEC then went on to cite specific regulations requiring companies to have certain policies in place to identify and evaluate risk. Commenting on the implications of the document, a Mayer Brown post noted, “[t]he guidance encompasses more than disclosure.”

Notably, the commission’s two Democratic-recommended members were critical of the guidance for not going far enough. Commissioner Kara Stein questioned the efficacy of “re-issuing staff guidance solely to lend it a Commission imprimatur.” She called for measures beyond disclosure, including seeking notice and comment for a slate of new rules that would require companies to take proactive security measures. (Stein, whose term ends on Dec. 31, also advocated for more robust cybersecurity regulation by the SEC in a recent speech at Georgia State University College of Law.) Commissioner Robert Jackson Jr.’s statement cited analysis from the recent White House Council of Economic Advisers report that suggested that the 2011 guidance had not resulted in meaningful disclosure. (A New York Times article in March of this year reported that in 2017, only 24 companies reported breaches to the SEC, while researchers found that there were more than 4,000 cyber-attacks during that period.)

Recent Actions Imposing Liability on Victims

Since the creation of the Cyber Unit, the SEC has brought two enforcement actions against victims of breaches. The agency also recently issued a substantial report suggesting future enforcement against victims of breaches that are not in compliance with certain safeguards.

In April 2018, the SEC announced its first-ever enforcement action against a company for failing to disclose a breach. In 2014, Russian hackers stole the personal information for more than 500 million accounts from the company formerly known as Yahoo. But Yahoo did not disclose the breach until two years later, when it was in the process of closing the sale of its operating business to Verizon. Meanwhile, Yahoo made no mention of the breach in its SEC filings. The commission found that Yahoo’s statements violated both statutes and regulations requiring the accurate disclosure of “material” information. Yahoo ultimately agreed to a $35 million fine.

In September, the SEC brought another first-of-its-kind enforcement action. This time, the agency found a financial firm in violation of a rule that it had never enforced before, which requires investment firms to maintain an up-to-date program for preventing identity theft. The order outlined a phishing scheme in which attackers impersonated the firm’s contractors over a six-day period in 2016 and convinced employees on the firm’s support line to reset certain passwords. The hackers then used the new passwords to gain access to the personal information of 5,600 customers. Even though the firm did have some protections in place, the SEC found them inadequate, in part because in two instances the malevolent actors called from phone numbers the firm had previously associated with fraudulent activity. The SEC ultimately found the firm’s conduct so egregious that it deemed the violation “willful.” The firm agreed to pay a $1 million settlement.

And, most recently, on Oct. 16, the SEC made headlines with an investigative report “cautioning that public companies should consider cyber threats when implementing internal accounting controls.” The report analyzed nine public companies that fell victim to cyber fraud, wiring a total of $100 million to hackers impersonating either executives (often the CEO) or third-party vendors. One firm made 14 payments amounting to over $45 million in losses before the scheme was uncovered by an alert from a foreign bank. While the commission declined to bring actions against the investigated firms, the report suggested that internal accounting controls required by federal securities laws “may need to be reassessed in light of emerging risks, including risks arising from cyber-related frauds.” As a memo from Davis Polk observed, “[t]he report thus effectively serves as notice that in the future, a company experiencing a cyber event could later find itself in the SEC’s crosshairs.”


Jack Goldsmith and Stuart Russell note in a recent Hoover essay that there has long been skepticism of the regulation of digital networks in the United States. Indeed, many attribute this lack of regulation to the U.S. technology sector’s extraordinary record of innovation. But as a greater volume of sensitive information is stored online and, in turn, stolen, the pendulum may be shifting in the other direction. Especially in the absence of new legislation from Congress, the SEC seems determined to put cybersecurity on the agenda of the nation’s corporate boardrooms.

(Via Lawfare – Hard National Security Choices)


The key to workplace productivity is not an app


You could waste a lot of time looking for the right productivity app.

There are over 19,000 productivity apps in the iTunes store, and endless recommendations of apps that promise to magically give hours back to your day. But here’s the thing: switching between apps all day long is actually the enemy of productivity.

Researchers have found that the average worker toggles between apps 10 times every hour. With each context switch, there’s another possibility of distraction. And after each distraction, it takes on average (pdf) 23 minutes and 15 seconds to truly get refocused on the task at hand.

So how might workers keep productivity software as a tool working for them, rather than the other way around? We spoke to three productivity app founders to find out.

“People talk about productivity like it’s all about numbers and lines of code, but real productivity is about the feeling you get when you close the laptop for the day,” says Moah. “I go home happy when I feel accomplished.”

(Via Quartz)


Three reasons your career has stalled


For those who are curious about why they haven’t risen to the rank they feel worthy of at work, it may be time to start pointing fingers at pandas.

Yes, pandas. That’s the term Elena Lytkina Botelho and Katie Creagh of the management consulting firm ghSMART have given to problems that on the surface seem small and are likely easy to fix (think body odor, or a speaking style that colleagues find off-putting, for example) but can end up stalling a person’s career.

“Pandas look innocent, but their powerful jaws deliver a bite stronger than a jaguar’s,” Botelho and Creagh wrote in a recent piece for Harvard Business Review. When they examined the cases of 113 candidates who got shortlisted for C-suite roles but didn’t get the job, they found that 62% of them “had at least one ‘panda’ issue and 10% had more than one.”

They also found that 93% of the so-called panda traits hampering the candidates’ prospects fell into one of the following categories:

(Via Quartz)


Is right vs. looks right


Shane Parrish, author of the generally excellent Farnam Street blog, had a great post this morning about defensive decision making – the type of decision making that focuses on what “looks right” vs. what “is right.”

Defensive decision making is the “IBM” option. Since “no one got fired for buying an IBM,” it is intended to protect the decision maker. Organizations can often create a massive decision-consequence asymmetry in that they become so risk averse that most decisions come with small upside if they go well and large downside if something goes wrong (e.g. get fired).

So, the natural incentive is to just make the “default” decision. There is no risk to one’s reputation and it is always defensible.

This points to why so many cultures talk about “thinking out of the box” but never actually do so. It also speaks to why cultural change is very hard.

And, finally, it is a great reminder that approaching building products and services for customers with first principles thinking and hypothesis isn’t just about hiring the right people.

(Via A Learning a Day)

I witnessed this same decision made in a totally different place and time. It was wrong. Everyone in the room then later said it was wrong but looked right at the time.
