2019 Gartner Security and Risk Summit

I recently went to the 2019 Gartner Security and Risk Summit in National Harbor (outside of DC).  This was my second Gartner conference, and so far they’re 2 for 2 at delivering high-quality, impactful, intense 5-day conferences.  The event was jam-packed with great sessions, roundtables, workshops, and keynotes.

I can tell a conference is going to be great when I try to build my agenda before the event and I want to pick 2-3 sessions for many of the time slots.  Fortunately Gartner gives attendees of their events access to the slides and audio of the conference, so you can review what you missed.

I was also very impressed by Gartner’s midsize (companies with $50 million to $1 billion in annual revenue) sessions, which offered presentations, roundtables, and workshops where leaders from midsize companies could connect, collaborate, (and sometimes commiserate) on best practices related to their size of organization.

My major takeaways (and it’s hard to summarize) were:

  1. Identity is the new perimeter (not the network, not the device)
    • You often hear people talking now about “zero trust networks” (the idea that instead of treating your LAN/VPN as the perimeter you protect, and trusting people inside your network, you should focus on ensuring your identity and access management (IAM) approach is solid and build security around identity, using things like MFA and risk-based access management)
    • This also means that identity is a critical linchpin of security, replacing the idea that devices/users inside a network are trusted devices/users
    • Neil MacDonald also made a key point here that non-human entities (e.g. DevOps pipelines) need to have unique identities that they authenticate with securely, so they don’t become a huge security hole in your infrastructure
  2. Communicate Risk with Business Perspective: It’s critical to communicate risk to executives/non-IT leaders/board in a way that actually articulates/visualizes risk and how cyber risk affects the business’ value chain/business model (and not talking about security technology at all)
    • It’s important to strike the right balance between quantifying risk and impact (the board demands numbers), and the fact that cybersecurity risk and impact isn’t a statistically mature field, so sometimes qualitative assessments are the only reasonable way to communicate risk (numbers can be overly precise when we don’t have a solid foundation to build them on) — there was a great session where four Gartner analysts debated this intensely, 2-on-2
  3. Information Security fundamentals are critical to do well, and organizations still don’t do them well – organizations spend too much energy on new projects/technologies (shiny new objects) instead of refining the fundamentals they do (e.g. log analysis, change management, asset management, vulnerability management)
  4. Select one primary security framework to orient your Information Security Program around (e.g. NIST CSF (which is dominating the survey data for US and international companies as their standard), ISO 27001) – more than one primary framework leads to confusion, and none means you either have no foundation or you’re trying to reinvent a wheel that industry is rapidly refining
  5. Bring Your Own Device (BYOD) and Choose Your Own Device (CYOD) programs are very hard to run well, both technically and from a privacy compliance standpoint — individual state and international privacy legislation requirements make this very complex

If you want to hear more, check out some of the keynotes from the Gartner YouTube Channel; for other people’s perspectives on the event, check out the Tweets from the 2019 Gartner Security Summit or other blog posts like this one.

Know when Working Harder isn’t going to Work

A dedicated employee who will work harder, with a greater sense of urgency (and maybe some extra hours when needed), is great.  But what’s much more valuable than someone with that work ethic is someone who can see when working harder isn’t going to work, and that they need to change their approach.

Think about someone using a dull saw to cut a huge pile of wood to build a house — they’ll look at the schedule and say “I don’t have time to sharpen my saw”, which is ridiculous when you think about it.  But we do it all the time when we try to shift into a higher gear and work harder to “dig out” of a busy season/project instead of thinking about what we should change.

It is so valuable as a leader to determine when a situation can be surged over, and when you need different resources/capacity/people/tools to overcome the situation.  Years ago, I was helping a Project Manager whose team was continually well below the velocity needed to get to the project’s finish line on time.  He kept trying to work nights and weekends to get back on track, but simple math made it very clear that he could not single-handedly get the project back on track.  So we had to invest in both a technology and some additional people to help his team finish — it was easy to ask for those investments on his project; but it was much better to ask for them early in the project’s life as opposed to at the end, when he would be doomed to fail.

Think about whether you need better processes/checklists, a tool (e.g. a software application) to help you be more efficient, more people on your team, or something else.  Take the time to step back and think about how to change the game you’re playing so you can actually win.

Audiobook MBA

I recently had the idea to create a list of audiobooks that would provide a comprehensive business education for those who wanted some MBA-level information without investing in an MBA degree.  But in Googling around, I realized that many people have already done this — the best I’ve seen so far is Josh Kaufman, who wrote a great book (I enjoyed the Audible version), The Personal MBA, which I highly recommend as an introduction to key business concepts.  On his website he has a 99 Great Business Books list across various categories, and the headphone buttons link to the audiobook versions of these books.

Also of note, Laurie Pickard created her own MBA education through online MOOCs and recommends a curriculum.

CIO 101 for Entrepreneurs

This morning I got to share IT infrastructure, business strategy, and business architecture tips and recommendations with some local current and future entrepreneurs at The Capitol Post in Old Town Alexandria.  Capitol Post is a great organization focused on inspiring Veteran entrepreneurs to find professional clarity and scale those visions.  They offer several great things, including a cool co-working space right in North Old Town Alexandria, classes, and a startup accelerator program.


Here are the slides and strategy template I went through with the group this morning, helping entrepreneurs deal with IT.

We talked about how IT for non-technical entrepreneurs can be like personal finance for non-financial people — it’s very important, but it’s hard to motivate yourself to invest the time you need to understand it, make some solid plans, automate it, and then move on to creating value.

It’s been a year since I last taught at Capitol Post (https://mikehking.com/2015/09/11/talking-technology-bunker-labs/), and it’s great to see how much they’ve grown (the office is beautiful and they’re getting ready for their next cohort to go through the Bunker Labs DC accelerator).

Don’t get Stuck in the Past, Present, or Future

As I’ve gotten older, I’ve realized how each person has different tendencies.  Some of us are introverted.  Some are analytical.  In addition to personality axes like introverted vs. extroverted and thinking vs. feeling (see Myers-Briggs), people often tend to live in one of these times instead of balancing their time among them:

  • Past – Looking back at what has happened in your life, learning from mistakes and reflecting on what happened and what you learned about yourself through those experiences
  • Present – Engaging in the present, connecting with people and experiences as they happen
  • Future – Looking down the road and making plans, setting a vision and goals for your life

Each of these perspectives is important in moderation, but people sometimes get into trouble by being too focused on one view — they can get stuck reliving the past (they miss life entirely, always looking behind them), living only in the moment (reacting to the present without looking down the road and making any plans) so life happens to them instead of them creating the life they want, or focusing only on the future, so life passes them by while they make and refine plan after plan.  Don’t get stuck in only one of these — make time to look at all 3.

To quote the cinematic classic Spaceballs, which is almost partially relevant to this discussion:

Colonel Sandurz: Try here. Stop.

Dark Helmet: What the hell am I looking at? When does this happen in the movie?

Colonel Sandurz: Now. You’re looking at now, sir. Everything that happens now, is happening now.

Dark Helmet: What happened to then?

Colonel Sandurz: We passed then.

Dark Helmet: When?

Colonel Sandurz: Just now. We’re at now now.

Dark Helmet: Go back to then.

Colonel Sandurz: When?

Dark Helmet: Now.

Colonel Sandurz: Now?

Dark Helmet: Now.

Colonel Sandurz: I can’t.

Dark Helmet: Why?

Colonel Sandurz: We missed it.

Dark Helmet: When?

Colonel Sandurz: Just now.

Dark Helmet: When will then be now?

Colonel Sandurz: Soon.

Dark Helmet: How soon?

Organizational Operating System Upgrade?

I’ve started reading Brian Robertson’s book Holacracy, which talks about an organizational management approach focused around self-organization and protected autonomy.  It’s an interesting attack on the base assumption that we should build companies in the traditional, top-down approach where a CEO directs leaders who direct other leaders, through layers and layers of business leaders.  Holacracy is the first non-traditional approach I’ve seen to business architecture (designing a company) that is cohesive and specific.  Managing teams with a methodology like Agile Scrum is powerful, but Scrum doesn’t scale to an entire organization without armies of Scrum of Scrum Masters.  Early in the book, Brian lays out this metaphor of a business having its own operating system (including the org chart, business processes, etc.):

…the operating system underpinning an organization is easy to ignore, yet it’s the foundation on which we build our business processes (the “apps” of organization), and it shapes the human culture as well.  Perhaps because of its invisibility, we haven’t seen many robust alternatives or significant improvements to our modern top-down, predict-and-control “CEO is in charge” OS.  When we unconsciously accept that as our only choice, the best we can do is counteract some of its fundamental weaknesses by bolting on new processes or trying to improve organization-wide culture.  But just as many of our current software applications wouldn’t run well on MS-DOS, the new processes, techniques, or cultural changes we might try to adopt simply won’t run well on an operating system built around an older paradigm.

Brian describes an entire methodology, with prescriptive ceremonies and roles like those you see in Agile Scrum, which I’m still wrapping my head around.  The core tenets of independent, autonomous roles seem incredibly powerful, because they seem to make companies much more scalable.  And they remind me of the core factors that Daniel Pink identified in Drive as what employees want in their job:

  1. Autonomy: People want to have control over their work
  2. Mastery: People want to get better at what they do
  3. Purpose: People want to be part of something that is bigger than they are

Holacracy’s concepts explained in 107 seconds: https://www.youtube.com/watch?v=MUHfVoQUj54

Work on your life, Not just in it

I was chatting with some friends recently about making time to reflect on your life, and making time to really connect with close friends, digging into each other’s lives.  It struck me that the concept of ‘You need to work on your business, not just in your business’ (paraphrased) from The E-Myth is very relevant to both business and your personal life.  Gerber is making the point that entrepreneurs often get mired in the distractions of doing day-to-day things (operations) without making time to build a business (strategy, business architecture) — things like enabling the company to scale by defining strategic objectives/plans, processes, expectations, etc.

Just like that, it’s all too easy for me to live my life in a reactive mode, trying to work on the next crisis, both in my job and at home, without taking time to sit down, reflect, and think about my priorities and objectives, and what types of mental models/worldviews are informing those goals.  In your life, don’t forget to make time to think about your life — whether in a structured way (e.g. creatingyourlifeplan.com or livingforwardbook.com) or just by taking time every month or quarter to reflect, journal, and dream about what you want to change in your life.  Companies are much better at strategic planning than most people are (though certainly not perfect; see the Holacracy bicycle metaphor).

How to Pick IT Systems for your Small Business

If you’re the CIO, Director of Technology, IT Person, or Only Person (Solopreneur) at your organization, here are 5 question areas to consider when determining whether a specific IT system or process would align with your small company’s needs:

  1. Alignment:  Does this system align with your business model (how you do business) and your current infrastructure?
  2. Lock In:  Would this system lock you into this vendor or system long-term (vendor lock-in)?  Could you export your data and move to another system as you grow?
  3. Investment-worthy:  Is this system worth the investment of money and time (your time, your employees’ time, your customers’ time)?
  4. Get Traction:  Would this system get traction with your employees and/or customers?  Does it align with how you do business, or would you spend your time forcing people to use it?
  5. No Huge Risks:  Are there any significant risks (red flags, deal-breakers) that should drive you away from this system? (e.g. cyber security, loss of productivity, removes future options you want)


Shameless plug:  If you’re interested in learning more about setting up the technology for your company, or future startup, check out this free class I’m teaching next week (Thursday, Sept 10, 2015), sponsored by Capitol Post, in Old Town Alexandria:  Technology 101 for Entrepreneurs (How to Choose the Best Systems for your Business).

How does a CTO Spend Time?

I’ve recently realized that I’ve been drawing a similar pie graph several times, explaining how I spend my time as a Chief Technology Officer (CTO) at a small business.  I thought I’d share it for those interested in how I spend my time juggling the demands of the CTO role across various company priorities.

[Pie chart: how my time as a small-business CTO is split across company priorities]

If you’re interested in learning more about small business CTO activities, including technology strategy when you’re too small to have a dedicated CTO, check out this free, upcoming training in Old Town Alexandria, sponsored by Capitol Post, that I’m teaching next month (Sept 2015):  Technology 101 for Entrepreneurs (How to Choose the Best Systems for your Business).

The Risk of Oversimplification

Have you ever noticed how when something is simplified enough that it doesn’t intimidate people, people start to have a lot more opinions?

It makes sense that people who aren’t rocket scientists shouldn’t make recommendations on rocket ship designs.  But as complexity is reduced, two problems often arise:

  1. People start to make recommendations on things they shouldn’t, due to nuances or context they don’t understand
  2. People spend entirely too much time talking about details that aren’t important

Problem #1 can be very dangerous.  I was discussing today how technologies like cloud hosting feel so accessible that people often make decisions without really understanding the associated impacts of those decisions.  Amazon Web Services (AWS) has a great dashboard that lets AWS users see all their cloud-based infrastructure. This dashboard is very powerful in the right hands, but it often makes non-technical decision makers feel like they can manage their organization’s IT infrastructure, without realizing the impact of not having redundant systems, data backups, and disaster recovery solutions in place. (Note:  If you’re looking for AWS cloud expertise, check out JHC Technology or Halfaker.)

Problem #2 can also be very damaging to organizations — organizations sometimes spend too much time talking about what color the walls of their new office space should be, instead of what they should focus on strategically next year.  This concept is known as Parkinson’s Law of Triviality (the Bicycle Shed Principle).  They call it the Bicycle Shed principle because of a story told by Mr. Parkinson about decision makers charged with designing a nuclear power plant who focused most of their time on what materials should be used to build a storage shed. (Thanks Ramit Sethi for introducing me to this concept.)

Watch out for both cases — it’s important for decision makers to be aware of where their expertise ends and where their attention should be invested.  Note:  A leader shouldn’t avoid areas outside of their expertise, but they should realize when they need to focus on certain parts of a decision, or when they need to rely on internal or external experts.