Friday, August 9, 2013
Thursday, June 6, 2013
As Security Innovation gets bigger we've realized we need some way to preserve what makes the company special, for our customers and for our employees. I think it all comes down to Values, since that's what describes the 'Why' of what we do. Why is so much more important than What since it is the foundation, the motivation behind everything we do and in the end I think it's the best way to capture the magic of who we are as a company. I think many people would start an exercise like this by defining Vision and Mission first, a top down approach. We've found it's more powerful to start with values and build upwards from there.
First some definitions:
- Vision: Where do you want to go? What's over the horizon?
- Mission: Who are you? What do you do?
- Values: What do you value? Why are you doing what you do? What's important and if you gave it up would destroy the value of the company?
- A world free of security vulnerabilities
- To be the most trusted application security partner on the planet.
- To enable the success of our customers' application security programs.
- Improve the security of every application we touch
- Provide the world’s best combination of security expertise, trustworthiness, effectiveness, and technology to our customers
- Apply Standards, Education and Assessments (the Three Pillars of Success) to create a customized solution for each of our customers.
- Drive the success of each customer's application security program through a targeted set of standards, education and/or assessments based upon our understanding of their unique culture, process maturity and application security goals.
- We believe everyone has the right to secure software
- We believe everyone has the right to use a computer without fear
- We focus on the fix
- We believe developer education is a key means to achieving better security
- We believe increased awareness of security risks and mitigations will result in a healthier software ecosystem
- We believe 3rd party assessments of software can be used to keep development teams honest with themselves and their users
- We believe that we can add the most value when our customers see us as a trusted advisor to improve security long term
- We believe in measuring and holding ourselves accountable to customer satisfaction in our services and products
- We believe in empowering our employees to learn and develop their skills
- We believe in an environment of trust and open communication amongst all members of the organization
Sunday, January 27, 2013
Thursday, January 24, 2013
I found myself having to go to Istanbul to meet with a customer and due to complicated rules of international chihuahua travel, I had to go alone. The plan was to leave home on a Wednesday, arrive in Istanbul on Thursday, meet with my customer on Friday (hopefully without too much jet lag), and then I had a day to myself on Saturday to see the city. After that I was to fly to Portugal, work from Lisbon for a few days and then meet the family, one week after I had departed, when we would all reunite in Portugal.
Tuesday, March 30, 2010
I came to Getting Results with a history of effectiveness and success. I had a solid sense of what I felt were the best ways to get things done, a set of processes and principles that had worked well for me over many years. I am a process guy, a details guy and a lover of great strategy. I sweat the small stuff and I look at the big picture in order to guide myself and my organization to maximum results. Then I met JD...
I started with JD on a project to build security guidance for the ASP.NET development platform. A huge undertaking that involved discovering, consuming, and analyzing a huge amount of information from a huge amount of sources both written and verbal and then turning that into specific, contextual, prescriptive guidance for Microsoft developers. The goal was nothing less than to change the way in which web applications were written on the Microsoft platform. In order to make consumers more secure, the applications needed to be more secure. In order to make the applications more secure, developers needed to know what to do. That's where JD and team came in. What I saw in the course of this project changed my view on how to get things done. JD accomplished what seemed impossible. In too little time, with too few resources, with a staggering amount of chaos to deal with, JD coaxed the team into writing a masterpiece. I couldn't see how it was done, but I was curious. Luckily for me I had the opportunity to work with JD on a number of other projects over the course of several years. I learned the process as it was developed and maybe even had a chance to contribute to it a little here and there. Whether I had any impact on it or not, it had a huge impact on me.
Before I explain what I learned, I want to set some context to explain how I used to get results. I was a huge believer in up-front planning. For a new project I would spend a lot of time designing and planning what needed to get done, how it would get done, when it would get done, who would do it and in what order. I was a master of this style. I could plan a complex project with a dozen team members and have an 18 month plan with all of the tasks laid out to the day and then we could execute to that plan so that 18 months from the start we had accomplished exactly what I had laid out at the start. Impressive, right? Well, not really. I learned, the hard way, that I was focusing on the wrong things. I was focusing on tasks and activities. I was focusing on what got done, which I thought were the results, but I was neglecting the real results. Most importantly, I had the wrong assumptions. I assumed that a rigorous planning process could remove risk. I assumed that I knew up-front what I wanted to accomplish. I assumed that my plan was helping me when it was actually a prison.
So what did I learn from JD and how did it change how I do things? What kind of a difference did it make? Here are the key lessons I learned, my most important take-aways:
- Focus on scenarios and stories. I'd always used scenarios and stories as a tool, but I hadn't used them correctly. They were something I considered, they were an input to my plan, just one more thing that mattered. What JD taught me is that they are the only thing that matters. If you get this one thing right you win. If you get it wrong you lose. Planning should be about determining the right scenarios and stories you want to enable. Execution is about making these scenarios and stories real. You know you are done, you judge your success, by measuring against these scenarios and stories. Everything else is a means to this end.
- Expose risk early, fail quickly. Planning is an exercise in risk discovery and mitigation. You plan so that you can create a path to success while imagining the pitfalls and avoiding them. Planning is a mental exercise, it is not doing, it is imagining. JD helped me realize that the world is too complex to plan for every possible problem and it is too complex for you to be able to plan the best possible path. I learned that I should be exploring and optimizing as I go instead of trying to do it all up front. If the price of failure is not extreme (lost lives, destroyed business) and I can afford the exploration, I discovered I am better off reducing my up-front planning and jumping into the 'doing' sooner. By 'doing' I can expose risks early and I can determine if my chosen path will fail so I can pick another. I think JD calls it "Prove the Path". I like to think that mistakes and failure are bound to happen and I'd rather discover it fast while I have the chance to correct than discover it too late when I'm over-committed.
- Ruthless effectiveness. I thought I was ruthless already. I thought I went after results like a Pit Bull and didn't let go till I'd chewed it to a pulp. I was right, but that's not the most effective path. Ruthless effectiveness isn't being a Pit Bull and never letting go. Ruthless effectiveness is knowing when something is good enough and knowing when it will never be good enough. Ruthless effectiveness is learning to let go. I am a perfectionist, I like things to be more than good. I want them to be great, exceptional even. I can forget the rule of diminishing returns once I have my teeth into something. JD taught me to let a project go, to ship the book, to release the software when you've maximized its value and when it will make the most impact. Let go when there are external reasons to let go, don't let your own internal attachment cause you to hang on to something too long. It felt crazy to me when I first saw it, almost irresponsible. But it works. It's a ruthless focus on results. Nothing personal.
I'm sure your take-aways from Getting Results will be different from mine. We are all different, have different goals and are all in different places in regards to our abilities and motivations to be effective. There is so much in this guide, it has so much to offer, that I think anyone who reads it will get something out of it. If you are lucky, it may even change your life like it did mine.
Tuesday, August 18, 2009
I love this article on seeking from Slate magazine, I think it is one of those ideas that can help you gain a new perspective on human behavior (including your own). The article describes how the act of seeking is hardwired into our brains as an end to itself. The article then goes on to describe why this brain circuitry can be overactivated by Google, Blackberry and other common technologies.
J.D. Meier gives a great synopsis of the article in his post, Seeking is the Granddaddy of Emotional Systems. He boils the article down to five bullet points:
- You can’t stop doing it. You have an insatiable need to search. It’s stronger than the basic drives for food, sex, and sleep. We’ll even seek at our own expense.
- Seeking is the granddaddy of the systems. “Seeking” is the master emotional system that influences the rest of our emotional systems.
- Each stimulation evokes a reinvigorated search strategy. It’s self-reinforcing. Stimulating the lateral hypothalamus puts mammals in a loop of foraging, excitement, and craze.
- Seeking is the motivational engine that gets us out of bed. “Seeking” is the natural drive that motivates us each day.
- Abstract rewards excite us as much as tangible ones. Our “Seeking” circuits are the ones firing when we get thrilled about the ideas or make intellectual connections.
The word seeking is overloaded with meaning, so it took me some thinking to parse out what the article means to me. I don’t think it means people are seekers in the sense of seeking philosophical enlightenment, or amazing impactful results, or even new meaningful knowledge. Some people are, but that’s not the norm. The people who do amazing things have channeled their base-level seeking to achieve more powerful results, plus they have the innate capabilities that allow them to get those results. As a species we are seekers for tidbits, like mice searching for nuggets of food. The base level seeking impulse is very simple. Search for something that fulfills a simple need (food, shelter, comfort, etc). It's the searching for something that matters. The acquisition matters less and wears off quickly. Then we are off to seek again.
It's the happiness conundrum. You think you will be happy if you get X. Where X could be money, partner, knowledge, results, reputation, house, status, etc. But this is where we are tricked by our own biology. We are not meant to be happy or satisfied for extended periods of time. We are restless creatures and our biology gives us the happiness ‘high’ for a small amount of time and takes it away. We go back to seeking. If we were truly happy and satisfied we would stop seeking and evolutionarily that is a very bad thing.
We think happiness is good, therefore we seek it (it's a meta-search if you will :)). But the search for happiness is endless and we will never truly reach the goal. So what are we to do? I think there are two choices, not necessarily mutually exclusive. While it's cliche, I think we can choose to enjoy the journey - the seeking - as much as possible. If you consciously realize you are seeking and are ok with that, not fooled into thinking this search will end your constant seeking, then I think you can choose to enjoy it for what it is. The other choice is to try to make a conscious decision to be satisfied. I think satisfaction means you are happy with what you have and what you are. You can rest for a while and maybe stop seeking. Careful though - stay satisfied too long and you may become like the little creatures in H.G. Wells’s “The Time Machine” who have evolved into a state of feeble satisfaction due to having conquered all possible challenges in their environment.
Thursday, May 14, 2009
The way we think of our lives and how we fit into the world is in the form of stories. That’s why narrative is so powerful, it taps into the essence of how we think about being human. Most of us have a subconscious narrative that runs through our lives, whose power we may not even realize. If you can tap into that narrative, understand what your story is, then you have the power to change it! It's like lucid dreaming. The power of a lucid dream is that you suddenly realize you are sleeping and you have the power to modify the dream in ways you hadn't previously realized were possible. Likewise, if you are conscious of your internal story you have leverage to change your life in ways that may not have seemed possible before.
Once you understand your own narrative, what’s to stop you from learning others? If you can get a glimpse of someone else’s story then you can gain a deeper understanding of their perspectives, their priorities, and their motivations. People can be motivated by a wide variety of things (money, approval, achievement, etc). Understanding someone’s internal narrative can help you tap into their values and motivations in powerful ways!
Finally, you can use narrative and story to get your points across and share your perspective. Try this exercise sometime. Try to convince someone with plain facts and data and then try to convince them with a story that explains where you are coming from and how their decision or actions fit into that story. Which is more effective? By sharing stories, not only can you get understanding, you get the chance to modify your own understanding, your own story, as a result of the interaction.