Continue Playing
In “Playing Games”, I shared some lessons that I learned while playing chess with my son. Chess is a rich example of the need for, and challenge of, planning ahead. For those unfamiliar with this game of skill and strategy, the goal is simple: Capture your opponent’s king and force him into a position known as “checkmate.”
During the game, opponents take turns moving one piece at a time until a player is considered to be in “checkmate”, meaning he can no longer move his king. An interesting element is the need to notify an opponent when they are one move away from being captured by declaring “check.” This is a great game rich with strategy and nuance, with more details here.
So how does chess fit into my “plan ahead” strategy?
If a player simply moves pieces on the board without thought as to how her opponent will act, pieces will be captured easily, leaving her with a weaker offense and defense. Opponents must be evaluated on how they will move; offense must be based on anticipation of defense. Chess is a game where there are two opponents with an obvious adversary, and the less obvious self. Those who properly anticipate the other player position themselves for maximum advantage.
The act of protecting information is similar to the practice of protecting the King. Those who seek to attack the protected information are opponents, and consider what they are doing a game. I’m not suggesting that we treat it as a game as well; rather, what is important is the strategy required for both.
Understanding that we are at a disadvantage from the start is key to devising our strategy. Our opponent needs to remain undetected until they have what they need. If they are discovered too early, the chances of achieving their goal drop dramatically.
Playing games
by Jeff Kirsch
Recently, my son told me a story about how he played chess with a friend at school. In his story, he said his friend executed a certain move; my son then asked me if I had ever tried that move. I was a bit confused; I’ve played chess on and off for at least 20 years, but I’ve never heard of this play. My son asked if we could play, and more importantly, if I could teach him. Looking at the clock, I thought about how I needed to get his siblings into bed, and that he needed to read a book for school.
He promised to read his book while I put his siblings to bed. After the other kids were in bed, I got him from his room (where he had read a chapter of his book), and we headed downstairs for his lesson.
I explained the chess pieces and how they moved; he remembered this from the last time we played. We began the game and I watched him bring his plan to fruition. I didn’t start with very much instruction, because I knew that the best instruction comes when you are “deep in the weeds”, so to speak. I took a few of his pieces, and the teaching began.
For each of his moves I helped him see what my next moves could be and how that would affect what he should do. With each move, he needed less and less instruction, but his questions became more complex. Of course, like most novice chess players, he still needed help remembering how the pieces moved (especially the knight). Looking at the clock, I realized it was just a few minutes till his bedtime, so I finally made an exchange of pieces I had put off for most of the game. A few moves later he was in checkmate. He looked at me with a huge smile on his face and gave me a big hug. “That was fun, Daddy,” he said as I squeezed him tight. “I can’t wait to play again.” That is when two thoughts struck me, which I shared with him, and which I’ll share with you now.
In losing, you win
We hear all the time that most successful people failed, sometimes more than once, before being successful. Even after those people “made it”, they still face bumps in the road. What came out of my mouth first to my son was, “In losing, you win.” I went on to explain that you have to lose a lot of games of chess in order to learn how to play the game. This came out almost automatically, but then I started to reflect on what I had said. I realized that I wasn’t just talking about the game, I was talking about life and all the challenges we face.
In information security it is easy to become overwhelmed. We always feel like we are three steps behind. We put together teams, we focus on security and secure practices, and try to funnel everything down to a few points where we can protect our vulnerabilities, only to find that someone left the back door open. To add insult to injury, we get raked over the coals because the one thing we forgot compromised everything we were trying to protect. However, until the day you forget to lock one door, you have no real concept of the consequences that await when you do fail. In that moment of failure we have the ability to learn the most.
A plan is good, but plan flexibly
My son went into the game thinking there was a defense he could set up in the beginning that would win the game. What my son didn’t take into account was that I would have a turn, and that I could attack his defense – thus also keeping him from the offense he had planned. He immediately understood his mistake and explained to me why he should have paid attention to what I was doing. I was again hit with the realization that the lessons from this game were more than just lessons about a game. If we only plan to defend our systems from attack, we fail to see the most critical vulnerability and fail to account for a possible offense.
Flexibility is critical not just in information security, but in all aspects of our personal and professional lives. People who plan ahead certainly can start out of the gate faster, but when they get a few miles down the road and their tire goes flat, how do they sustain momentum? If you can adjust your strategy not only to account for defense, but also to incorporate an offense, you double your chances for success. In the end, you even the playing field by using your strengths and understanding your opponents’ weaknesses.
In a moment of just playing a game with my son, I re-awakened the magic of chess and learned some valuable lessons. There are plenty of people who make fun of the game and those who play it, but there are just as many (if not more) who play it and get it. When you realize that it is not simply a game, but that it also has many lessons to impart, you find that “losing” really isn’t losing. But just as in chess, you’ll encounter people who don’t get what you do or why it is important. Instead of discounting them, find a way to convey what it is and why they should care. You aren’t going to convince everyone and it won’t be easy, but giving up before you start says a lot about your character and reflects the quality of your work.
When did that happen?
How often do we take a drive and realize what we see around us? I know I can drive to and from work, or to a familiar destination and never see what is around me. I am not talking dangerously oblivious, mind you, but sometimes you miss the details of what you pass. Then one day you take some time, for whatever reason, to look and actually see. Typically the phrase “I don’t recall seeing that before” comes to mind in these situations. This behavior isn’t just limited to driving, but to any task we may do that could be considered mundane or repetitive. If this becomes commonplace in our routines, it can affect how well we perform our jobs, and potentially lead to critically missed opportunities.
Stick a Fork in it
Occasionally my family decides to have pancakes for breakfast, but more frequently we have them for dinner. My kids’ favorite of the three varieties I make is chocolate chip. I make three different kinds because you never know when someone is in the mood for one type, and if you make just one or two you are more than likely going to disappoint someone. In addition to the favorite chocolate chips, I also make blueberry and plain. Since the crucial ingredients are not thrown in until the batter is on the griddle it is very easy to make “custom” meals.
Recently, my oldest son decided he likes both blueberry and chocolate chip. It seemed like any other meal, and we had just had pancakes the previous weekend. I made them the same way, all the while to the chanting of three little voices saying “we want chocolate chip” and one little tiny voice saying “dadadadada”. I brought the plates to the table full of pancakes and everyone claimed their favorites. As I was helping my daughter get some pancakes on a fork I heard a sudden surprised exclamation from my oldest son on the opposite end of the table. As I began to turn I could see a look of surprised laughter on my wife’s face. She was trying to hold it back, but as I completed the turn to look at my son I couldn’t help but laugh out loud. All over his face was blueberry, in little speckles indicating something had burst. “I just stuck my fork in it to cut it and it exploded” were his first words. The whole table burst into laughter and we continued to eat our meal, but with caution.
Take it In
When we talk about technology and information security, we know that the landscape for threats is always changing. A person responsible for maintaining systems could sing the horrors of having to make sure all systems are properly patched. Likewise, those who are responsible for monitoring threats to the technology receive new information continuously about areas most at risk. In this fast paced world we try to keep up, but find we are always one step behind. We are left to maintain and defend from the known, while someone plans the unknown. Do we just give up, throw our hands in the air and walk away? Perhaps we need to take in all that we have missed while fighting the fires of the day.
In the information security community, we need to put our fears aside and see all that is around us. Putting ourselves in the mindset of someone who wants what we have can make us feel uneasy but it gives us a new perspective. It helps us identify areas others might want to try as an attack vector, and then makes us evaluate the risk and implement a strategy based on the threat. I know that taking time away from our responsibilities seems like a fantasy, but what we may find is that we streamline our everyday tasks by attacking our own thinking. We marvel at how fast technology moves and lament when we don’t get the features we desire now. For all the lamenting, we tend to keep our thinking a few technologies behind. There will come a time, if we continue on that path, where something will blow up in our face. Better to take in what’s around us at least once in a while to see what we are missing. We might possibly get the upper hand.
The Auditor’s Prerogative
In my 13 years of experience as an auditor, I have found that the people I audit do not tell the truth.
That’s right; they tell me what they think I want to hear, they encourage me to believe they are honest, and then when I investigate further I always discover it’s all lies. So I’ve come to the conclusion that the best thing to do when asked questions is to lie right back.
Auditing is not about making friends or helping improve the controls of a particular environment. Auditing is simply about finding out what people screwed up, and raking them over the coals until they cry out for mercy. Of course, the word “mercy” does not exist in the auditor’s dictionary, so instead you’ll need to humiliate the people who erred until they quit in shame.
Defensive Audit Techniques
Audits begin with a meeting between the auditor and those who are to be audited, otherwise known as auditees. This term is useful in depersonalizing your relationship with the auditee into a meaningless, unemotional concept. The first meeting is the perfect opportunity to set the auditee up for potential failure, or at a minimum to begin to establish trust by assuring them that they can tell you “the dirt” without fearing retribution. It is recommended you use phrases such as, “I am here to help you improve your environment.” Another of my personal favorites to lay on the auditee is, “We are not here to play ‘gotcha’.” Of course, make sure you say this with a thinly-veiled evil grin that you attempt to pass off as compassion and sympathy. Make sure you also throw around confusing audit terms such as “compensating controls” and “scope creep” to throw them off.
Since you know that the auditee will not be honest, you must resort to established tactics to obtain accurate information. For example, if you need configurations from a system, request a meeting with the newest staff member under the guise of corroborating evidence. Since new staff members have not been jaded or burned by a previous audit, they are more willing to give you what you want without asking questions. If this is not an option, try stocking your request for information with several items you know will draw more attention than you really want. In their effort to vet the more complex stuff, auditees usually overlook a seemingly benign request for configurations.
Once you have the information, the auditee will want feedback as to your findings. This is a trap, especially when it happens early in the audit process. Telling them you found something wrong that is potentially significant will immediately shut off access to more information that you might need. In these situations it is best to use phrases such as, “I am not sure if that is a problem, I need to talk with my manager.” This accomplishes two goals. The most obvious is that it shifts the blame to some unseen, and probably non-existent, person. Shifting blame is crucial to keeping the thin veil of trust pulled over the auditee’s eyes. Secondly, you postpone your potentially career-ending findings until after you have all the information you need. Dropping failures on the auditee at the last minute minimizes their chance for survival.
The final act of finesse is delivering the report. You are going to have an ongoing relationship with the auditee, usually not by their choice, which means you need to eliminate any chance that the people you are humiliating will be around for the next audit. Approach the meeting with an expression of deep concern for the environment, and stress that what you found isn’t personal. “You are working with what little resources you have, and it is difficult maintaining a control environment under those conditions,” always lets the people who will still be around know you understand their plight. Making the auditees who remain believe that you just saved their careers will greatly increase your chances to play “gotcha” in future audits.
Retrospective
In my 13 years as an auditor I have found that people are afraid of what they don’t understand. Auditors have gained a reputation, either justly or not, as people who are out simply to find every flaw they can. Auditors test to ensure controls are in place and operating effectively, but need to report when they find controls that fail. An audit is intended to help strengthen controls and give the company assurance that the controls you have work. We can move through our day thinking that what we say happened is what actually happened. But what happens to your credibility, and the reputation of your company, when you suddenly realize you were wrong? Having a good relationship with your auditor does not mean you have to be friends, but it does mean you need to find common ground to share trust. As an auditor I cannot ignore a failure in the control environment, but I can work with the auditee to make sure my understanding of the control environment is accurate. After having a conversation about findings, the auditor may find there are other controls mitigating the impact of a failure.
My satirical portrayal of the “evil auditor” was an effort to evoke emotions you may have during an audit. It is there to help you consider what type of relationship you and your auditor have, and give a push to start a dialogue. Working together with your auditor is not always fun, especially after eight-hour interrogations, but it can be a process that helps your organization and you achieve better results. But the next time an auditor knocks on your door, wait until after they leave to curl up under your desk – seeing that tends to inflate their egos.
Did I Think This Through?
Taking pride in your service or product really gives your customers a sense of what they are getting. Getting past the sales pitch and seeing true emotions helps ease the mind of decision makers. It lets them know there is substance behind your service or product, not just show. But too much pride, seen as arrogance, can turn a customer into an enemy faster than bad service or poor quality. It gives a person a reason to find fault, and more motivation to speak out against you.
The Pitch
Deciding to take some time for ourselves, my wife and I decided to have someone watch our kids so we could go out for a casual dinner. We decided to go casual because we couldn’t get over the idea that someone might try to Stir the Potatoes again. We selected an Italian style restaurant, some place we hadn’t been to before. As we waited for our table we enjoyed the atmosphere and observed the people around us.
We were seated in a nice corner booth and our server came over to introduce herself. She explained all the nooks and crannies of the menu, including the restaurant’s special oven-fired chicken. While taking our order the server was delighted at my wife’s decision to mix and match things from the menu, since she had suggested “customizing” the meal. Her mood soured when I placed my order for the chicken parmesan. “Wouldn’t you like one of our oven-fired chicken meals instead?” she asked, to which I indicated I did not. “But that is what sets us apart from other restaurants,” she insisted, to which again I responded no thank you. “You can get that anywhere,” she scolded, at which point my wife stepped in and suggested, “But it is better than any other place, right?” The server’s response was a resounding “No”, and she shook her head and walked away.
I looked at my wife and wondered how things went so wrong. “You made her mad,” my wife said. After eating our meal, our server returned with a dessert tray. She had calmed down and was at ease describing the sample size desserts, highlighting which were her favorites. Of course I took one and my wife the other, ensuring the happiness of our server for the rest of the night.
The Sale
I was told by a good friend to start with a question, and so I ask, “What was she thinking?” Anyone who has worked with customers knows the mantra, “The customer is always right.” The truth is the customer wants to be right, and telling them they don’t know what they want so bluntly does not endear them to you. In information security, we have to sell something that on the surface most people don’t want. We are selling something they don’t see, something they can’t touch or taste. We tell them they are safe and to trust us, but how we often sell it is with a club.
As an IT auditor, I have unfortunately done the exact thing I’m saying you shouldn’t do. I believe at some point we all make this mistake. We are so enthusiastic about our work that we are blinded to what the customer’s point of view may be. It isn’t until you see that look on their face that you realize you need to brush up your “pitchman” skills.
Perhaps we need to step back after we are convinced the product is the right thing, and remember what gave us reservations in the first place. We can then work our way forward step by step, understanding where the “sale” may hit a snag. At those points, list what sold you on moving forward and put those ideas in your customer’s language. Removing yourself as a hurdle to selling security brings us that much closer to the finish line, and will restore the trust your customer needs to feel. The last thing you want to do is walk away asking yourself, “What was I thinking?”
Minefield of Bananas
As adults we like to have some sense of order. We get into a routine; get up at the same time, take the same route to and from work, eat our meals, and head to bed all on a schedule. Sure, we like to think we add some randomness to our lives by not going to eat at the same place each day, but we go to eat at those “different” places at the same time every day. It’s not bad to have a routine; that is what gives you a sense of control in what sometimes seems like a chaotic world. The question is, how much tolerance do we have for randomness?
Me vs. Random
I have a morning routine that helps me get the kids ready so I can leave on time. Part of that morning routine is feeding my daughter. Recently she decided she likes to eat bananas. She also prefers to have the banana cut in half, and this is what turns out to be my demise. I go through the rest of the morning routine and lean over my daughter’s high chair tray to give her a kiss goodbye. I give a kiss, hug, and high five to my sons, and then I am off to work. A few hours into work, I push back from my desk and happen to look down to find a giant banana stain on my shirt. I came to work and walked around the office with this very noticeable stain on my shirt, without ever having realized the spot was there. As I wash the stain off my shirt I contemplate my options to avoid this situation in the future.
A few days later, my daughter was again eating her banana. As I leaned in to kiss her, I bent in a way that ensured she couldn’t get me with her banana. I gave a kiss, hug, and high five to my sons, then I went off to work. As I walked into my office building, I noticed my reflection in the window. Lo and behold, there was something on my pants around knee level. I looked down to find a nice banana stain just above the knee. I let out a sigh and headed up to the office, making a quick stop at the restroom to wash off my pants. I realized my strategy had not worked, so I began to reformulate a plan to ensure I didn’t continue showing up with stains on my clothes.
A week later I gave my daughter her morning banana, but this time I cut it up into small pieces. My thinking was, if I give it to her in small pieces she can’t jab me with it, and if she throws it I’ll notice. I went through the routine thinking I won this round – even though my daughter had already won the first two rounds. I saw she was done and walked over to get her out of her highchair to get her dressed, and that’s when it happened. First, let me tell you that the last thing I do before leaving for work is to put my socks and shoes on. I can’t say why that ends my morning routine, but it does. So as I walked over to my daughter in my bare feet, I stepped right into a minefield of banana pieces my daughter had thrown on the floor. Game, set, match. My one-year old just beat me three games to none.
Ordered Randomness
As IT professionals, we spend our time planning for the random event that could take down our critical systems. We design our systems and find order in a mostly random world, but we always know there is still the unknown. So it all comes down to how well we handle the response. By designing a program that balances order and randomness we prepare for surprises. If our first response to random events is to be disorderly, our designed responses will fail. However, if we maintain order while responding to random events, the chances of containing the event and minimizing the potential loss increase. My response to the situation presented by my daughter was meant to add order to the randomness. Perhaps the better response would have been to check my clothes before I left for work. Detecting random events early, maintaining order, and executing the response is how we avoid the banana minefields.
Designed to Fail
If you have ever driven through a farming community, you are sure to have seen large silos seeming to tower over the serene fields and pastures. Some of you who live in large cities may find the vast expanse of nothingness more jarring than the silos, while others who are used to open spaces find those silos just as jarring. It all lies in the perception of serenity, and what you place in that silo.
The term “silo” has meaning to both farmers and business people, but each places different meaning on how they use it. A farm likely uses the silo to store grains, while the businesses use silos to segregate lines of business or business expertise. In the farmers’ case, the storage of the grain is only temporary, while in the business world those silos may house their store for years to come. Although segregation can make good business sense, shouldn’t we look to refresh our stock periodically?
A Birthday Wish
I recently had a combined birthday party for three of my children. Since it was my daughter’s first birthday, we decided to have an animal show as entertainment. This proved to be a huge success with all the friends and family who were there, from my grandmother to my little one year old. After the animal show we all ate our fair share of party food, opened presents, and ended with the grand finale of cake. In an effort to show she could hold her own, my daughter created more of a mess with her smashed cake than her three brothers before her. Amid the chaos of animals, food, family and friends, there was little time for the kids to play with their gifts, as is usually the case.
I waited until all the guests left and then began the process of getting the little ones’ new birthday wishes out of their packages. Anyone with little kids knows you don’t just open a box and say, “Go have fun.” No, this means untangling twist ties, loosening screws that shouldn’t be there, and of course putting some toys together. The first problem I ran into required a jeweler’s Phillips head screwdriver on a factory tightened screw. Once I found a sufficiently small tool, I struggled to get the screw to loosen without stripping it completely.
I must say overall toys have gotten better with using snap-together technology, but some screws are still required, which resulted in my second roadblock. The design of the toy was such that, when I put the screw in, the screwdriver went at a 30 degree angle to tighten it. I know they make special tools to make this sufficiently easy, but how hard would it have been to line the screw hole up with how the screwdriver needed to go?
Build it, Test it, then Build It Again
However minor this nuisance may seem, we allow these “small” design flaws to creep into our everyday lives without thinking about their consequences. We think in terms of our silo, instead of taking the bigger picture of the serene fields into consideration. Are we doing our jobs if the perception of what we do is “security for security’s sake”? And have we really protected anything if it is just seen as “security theater”?
I suggest that we need to listen to what we are being asked to do, execute on that, and then go back to the user and see if it accomplished their goals. If we do not accomplish the goal the first time, make the improvements or changes needed and go back to the end user again. This is much like the way the farmer empties the store from his silo periodically. Silos have their use when used properly, but if you leave grain in there too long, it spoils.
Time and budget limit the number of iterations of this process; not allowing ourselves to be complacent improves our end result. I spent a few semesters pretending to be a computer science major in college, and if I took away one important lesson it was this: You can build the best product or invent the best service, but if it isn’t useful to someone, you have failed. If you can make my one-year old happier by making it easier for me to get her shiny new toy in her hands, you are a hero to me.
Use Your Words
If you have been around small children for very long, you will probably hear parents utter the phrase, “Use your words.” This is usually in response to a child having a tantrum or resorting to yelling to get attention. Parents are reminding their children that the way to communicate is through using their words so others know what they want.
Brain “Cache”
My oldest son has enjoyed playing online games since he was about four years old. We have always tried to encourage him to play games that have educational value, but we also allow him to play games just for fun. One Saturday afternoon my son was playing a semi-educational game. At the end of the game a certificate would print out congratulating him on his success. Before starting the game he was asked to enter his name. He proceeded to play the game and got his certificate. Then he decided to play the game again; the program asked him for his name just like the first time. This is where I got involved. “Daddy,” he called out; I came in the room thinking he had closed the window he was in and needed me to get him back to his game. Turned out he had a different problem.
“Why doesn’t the game remember who I am?” he asked. After getting filled in on what happened, I offhandedly said, “must be poorly handled cookies”. Like any 5-year old, he asked what cookies were doing in the computer. “These aren’t cookies you eat,” I began, and then explained how websites use small files to keep information about you and your online usage, like your name. This took more than a few minutes to explain, but he finally understood the concept. His next question was, “Why didn’t the website people test this out?”
The most amazing thing about kids isn’t how much information they can take in without being filled up, but their ability to remember what they have learned. The following day my in-laws were over for dinner, and my son was playing some online games again. My father-in-law walked into the den and I overheard him talking to my son. When he returned to the kitchen he said, “The only types of cookies I know about are the kind you eat, but your oldest told me there are cookies in the computer.”
Whose Words?
We spend a lot of time learning our specialties, and as part of that comes a whole set of terms and acronyms. It becomes natural to talk in our own language, even when we deal with people not in our specialty. This is where problems begin, especially when we are called on to be part of a larger team that includes such people. A failure to find a common language can result in a project failing to meet deadlines, or worse. In the long run, you may find yourself being shut out of such cross-team projects, which are your best opportunity to show people you really have an expertise.
Language can become a barrier, even when it is not our intent. It can be frustrating to “outsiders” when we speak our own language; it can even sound like we are talking down to them, when that’s not our intent. Likewise, we may become frustrated when others try to speak our language and fail to understand the nuances of our terms. There are times when the best way to talk about what you know is in your own terminology. In fact, if we take the time to educate others on those terms, we can even expand our status as an expert. Likewise, if we take the time to learn the terminology of others we gain their respect and make it easier to communicate our ideas. In the end, that respect and communication are what lead us to provide the best results for our clients and organizations. We spend our childhood learning to use our words, then our adulthood learning other people’s words.
How to Catch a Balloon
by Jeff Kirsch
How often do we trivialize an idea as too simple for a complex problem, or too complex for a simple problem? We open the discussion to invite ideas to help us reach our goal, but in the end the solution you think of first is usually what you choose to execute. It is difficult to allow others to solve your problem, especially when your reputation is on the line, but if you handle the situation properly you still can come out ahead while helping others grow alongside you.
The Challenge
Recently I took my sons to a birthday party for their cousin. As with most kids’ parties I have attended, there were balloons and my boys wondered if they could have one. When the party wrapped up, they asked their aunt and uncle if they could have a balloon, for which they were each rewarded with one. The balloons, and the boys, survived the ride home and they played for the rest of the evening with their new treasures. Later, as I was taking them up for bath time I noticed one of the balloons had floated to the top of our two-story stairwell, and the string was short enough that I could not reach it.
As my middle son pleaded with me to “reach for it” he suddenly stopped and said “I have a great idea daddy”. He ran off and my wife and I looked at each other as if to say “oh boy, what is his big idea.” He returned to the bottom of the stairs and to my surprise was holding a pillow. With a chuckle I asked him what I was supposed to do with the pillow, thinking to myself I could throw the pillow at the balloon to move it but I would risk popping it. The response I got was even more unexpected than seeing him holding the pillow in the first place, “Wave it like a fan to move the balloon to where you can reach it.”
I thought I knew the answer, and in seconds I was shown that I wasn’t the only one who had a solution. So I took the pillow from my son and created a draft to move the balloon to where I could reach it. As I handed it back to him, I could see in his face that I had made his day.
The Lesson
When attempting to solve a problem, you need to make sure you are open to all possibilities. Understanding that you have ideas, but allowing others to provide input and feedback and not immediately dismissing their contributions, can improve your chances of finding the best solution. Take those ideas and think each through, weighing the pros and cons of each. When you finally decide on a course of action, involve those who helped you formulate your solution and give them the credit they deserve. In the long run, you will establish a support system of experts that work together to innovate and provide a higher value service than we each can individually produce.
I’m not embarrassed to say that my young son told me how to rescue his balloon. As a father I learn from my kids every day, and as a husband I rely on my wife to help me realize solutions that work. You shouldn’t be afraid to engage friends, family, or co-workers to solve problems, no matter how simple or complex. You never know what new skills you may learn in the process.
I look forward to your feedback, so we can work together to find better solutions and grow as a community.
The most important step
by Jeff Kirsch
In a step-by-step program, how do you know which step is most important?
It is fair to suggest that all steps, if outlined, are important. After all, someone took the time to distill and list them out. However, one step stands out above all the rest: the first step.
The first step represents the decision to act. The first step leads to change. When it comes to protecting information, the most important step is the decision to protect your own information.
I recently took a trip to the Bureau of Motor Vehicles (BMV) to renew my plates. You can always count on waiting at the BMV, and whenever you wait very long you are guaranteed to hear or see something not meant for you. After taking a number, I found a comfortable place between the throngs of people on the bench and waited.
But I don’t like him…
First I overheard a mother and her young daughter discussing the mother’s boyfriend and plans for the weekend. When the mother was done, the daughter started crying. Over and over the little girl told her mother she didn’t like him. The mother pleaded with the daughter, “you always have fun with him” and then declared “why are you just now telling me how you feel, how could you do this to me.” He was in the restroom unaware, but everyone waiting in line watched the situation unfold. A conversation that should be held in private was shared with about 60 other people. This woman could be responsible for protecting your private information; how comfortable does this make you feel? How much confidence do you place in the adherence to privacy policies given a lack of respect for her own personal information?
Wow, that was uncomfortable
Next the nice grandmother sitting on the other side of me added to the sharing. As the mother and small child got up to join the boyfriend in line, the woman next to me leaned over saying “Wow, that was uncomfortable.” I agreed, and we exchanged the typical “isn’t it fun waiting in line.” After a few minutes of silence, she turned back to me and said “I have been waiting all morning.” She told me of the three doctor appointments she had, and how long she waited for each one. Then she shared where she had to get to after she was done here. I sighed, and agreed that it is tedious to have to get someplace for an appointment knowing you are going to have to wait longer than the appointment will last. I may have a friendly face, but a face does not reveal who I am. In the end, the information this person gave me probably was more private than that of the woman and her daughter, yet she exclaimed how personal the previous conversation had been. How often do we reveal more information than is necessary to communicate with people we barely know?
What is my license number?
Probably the most revealing was a man and his son who replaced the mother and daughter. The son was getting his temporary license and sat next to me to complete his paperwork. The son started filling out the application, then the father asked the son if he had his social security card. Showing his dad how responsible he was, he pulled the card out from the stack of papers and set it right on top of the application, ready to go. A few minutes later the son asked his father “What is my license number?”, to which dad replied “you are applying for one, why do you think we are here.” The card sat out on the son’s lap until he was called up to the counter to complete the process, fifteen minutes later. My first thought after he left was to let him leave before I got on the road. Then I reflected on the fact that his SSN was sitting right there for any person to see, and write down. Can you truly expect the son or father to be able to identify what information is private and should be protected?
Before taking responsibility for others’ information, we need to be responsible with our own. The one step to taking the first step is to think. When we take the time to think about what we reveal, we go through the same process others would expect us to do with their information. Think the next time you are in a public place, and wonder if someone just like me, or worse, someone not like me, is listening to what you are saying and taking notes. Could the next time be the one time that leads to an outcome you really don’t want to think about?










