Join us as we talk about how trying to achieve perfection can kill any Cybersecurity - and really almost ANY program - in its tracks. From TLC (yeah - that's right - the 90's group) to internal auditors... we're all over the map on this one more than Carmen San Diego...
S01E03 - Perfection.mp3
Paul [00:00:11] Hello and welcome to F Sides.
Jason [00:00:15] In a very D.J. voice. That was Paul.
Paul [00:00:17] And that was Jason.
Jason [00:00:20] And this.
Paul [00:00:21] And this is.
Jason [00:00:21] Oops
Paul [00:00:24] Sorry, Jason. Whoops. I messed up. Let's rerecord it.
Jason [00:00:27] No, no. Look, dude. Paul, we don't have to always be perfect perfection, though. Let's just keep going. Let's go. Move it along. Move it along.
Paul [00:00:34] All right. I think it's your line next. Go ahead.
Jason [00:00:37] See that great, great, great recovery? This is cyber. Cyber, very obviously, humanity podcast, where we're going to focus on the human side of cybersecurity.
Paul [00:00:46] Yeah, well, our intro wasn't perfect, but this fits very well into our subject this week that perfection is the enemy of good or even adequate, actually. So let's move to our intro. So thanks for joining us today for our tens to tens of looks.
Jason [00:01:03] Actually, think this is our. I don't know what number of episodes this is, but we're now at 25 listeners which has been verified by the Guinness Book of World Records. We are now at 25 yeah. We got the Guinness Book of World Record for the lamest podcast with the most listeners.
Paul [00:01:21] Pretty good. Oh I thought we were going to go with Nielsen has been tracking us but I like the Guinness. You really took it to that next level, so that was good. So how do you know that we have 25 confirmed?
Jason [00:01:30] Well, we were at 15 and I recently got nine cease and desist letters in the mail. So that put us at 24. And then my ex-girlfriend was sending me an insta post saying My podcast sucks. So that puts this at 25 because you had to listen to it to know that it sucked, so.
Paul [00:01:45] Oh, well, that's good. At least. At least we know. Hey, it doesn't, we don't have they don't have to be raving fans. They just have to listen for it to count. That's what I'm here for.
Jason [00:01:53] Raving Mad fans. We like that.
Paul [00:01:57] So. Well, you know, this is this is an interesting topic this week. All our all our topics are interesting. But this one's, you know, one close to my heart, because I've lived this many times of, you know, trying to build perfect. And this doesn't this isn't just about security, right? This is everything in life. But trying to build perfect to the point that you can't move forward and you're so focused on perfect that, you know, you can't put the things in place that you need to to help you progress. Have you experienced that?
Jason [00:02:28] Jason I have ever since I was a kid. I think I was ten years old. And the movie called Perfect Quintessential Cheesy Eighties Movie with John Travolta and Jamie Lee Curtis. And you can Google it on YouTube for the trailer. Jamie Lee Curtis was such a serious face. She's a she's a one of us was a yoga jazzercise instructor and. Oh, wow, you know, perfect body, perfect workout. What's so wrong with wanting to be perfect, man? I love that. So, yes, I'm very familiar with wanting to be perfect since I was a kid.
Paul [00:02:59] You know, it was interesting for me that when I started my civilian career, when I got out of the Marine Corps, I was so focused on being a leader and a manager who was perfect, right? Never, never mistaken, and so focused on designing a perfect program that, you know, I would spend a year designing things and then, you know, and then the situation in the organization would change and then I would have to redesign it. And then, you know, I saw this with one specific part of my program that the situation kept changing. I kept having to redesign, but I never really made good progress. And I learned a very valuable lesson of that early in my career that, you know, you you can understand what perfection looks like, but start building now. Start building that incremental components that get you to adequate, start with adequate and then build to good and then to perfect. What's your thoughts on that?
Jason [00:03:51] Oh, it's great to tag on to your status dropping. When I was in the military, it saved the planet.
Paul [00:03:56] Oh.
Jason [00:03:57] God. Seriously, God bless your service. I'm going to. I'll drop some references when I got my MBA.
Paul [00:04:04] Oh, wow. And I.
Jason [00:04:05] Got to know.
Paul [00:04:06] More. By the way, there's a story about this.
Jason [00:04:09] We had this really great exercise right in the beginning to get a sense of culture in a company of what how they approach this topic that Paul brought up. They said, if you're a are you are ready, aim, fire organization. Are you aim, aim, aim are you a fire, fire, firee or are you a fire, ready, aim? in the four corners of the classroom. Everyone got up and went to what they think their organization was. No shock that Intel was a name. A name and no shocked at Nike. We were big or what? The University of Oregon. Nike was firefighter fire and I specifically was in the fire ready aim because I believe in you got to get moving you got to get that momentum going. And if you I'm not a fan of analysis paralysis and I think it slows things down because people want to be well, I got to make sure I'm doing it right. I got to have this perfectly planned out. I have to be perfect with my execution. And you end up just stuck in a room analyzing crap. Hang on. I got this loose cable thing on my leg here. It's from. It's from when I rewired my computer monitors. Yeah, most people find it shocking. I'm not a certified electrician.
Paul [00:05:13] Yeah. Oh, that was a horrible joke, Jason. That shocking, shockingly bad joke. Ha ha ha.
Jason [00:05:19] I like that. I like that. That's a dad joke. You know, my dad has schizophrenia, but he's good people.
Paul [00:05:26] Okay, we're going to get that. Wow.
Jason [00:05:31] Jason is. Well, you're very bad. You're very bad. A dad jokes. I'm getting that where.
Paul [00:05:35] I clearly getting bad jokes is not a skill thief.
Jason [00:05:39] The joke doesn't have to be perfect.
Paul [00:05:40] Paul That's true. It will be funny, but we can talk to that later. So do you have any examples of where you where to using that approach really helped you in where you had a peer who it.
Jason [00:05:57] No, just. Well, no. Every project I approach every every task my team undergoes, anytime I taking under a new initiative, getting to 100% is just not possible. And it's that the law of diminishing returns. The idea that once you get to 80% of efficacy in something or you get to that 80% mark and this is a proven theory in business. I think in nature it is true. Is it to get that extra 20% cost, so much energy and so much effort, it's it's honestly not worth it. That sometimes done is good that 80 or 90% efficacy is a great.
Paul [00:06:32] No, no, I hear. Yeah. Getting to that last part. But what I'm talking about is have you ever personally experienced where you learn like, oh, okay, wait a minute, I been going down analysis, paralysis route or I've been oh yeah.
Jason [00:06:47] Overthinking my jokes.
Paul [00:06:49] Yeah. Oh yeah. Okay. That's in real life example. They're in real time, everybody. So, you know, I think that again, early in my career, what I was trying to start a vulnerability management program and I tried to make it like solve all problems for all people, right? That it would be automated and it would have all these different elements and it would, you know, take in data and automatically route it to the right people. And I spent so much time doing that and explaining it to people that I had these super complicated graphs, and now they look back at it. I'm kind of, you know, I feel a little bit embarrassed by it because I've made something that was really could have been very simple, very, very complicated because I thought that's the right way to go. And then when I step back and I, I, I made it more simple and made it adequate, like, hey, we're just going to get the data in, we're going to manually mail it to people and get them to start the process of patching. I actually was starting to get results versus my multi year program that I was trying to build that just wasn't going anywhere. So I mean, I've had that personally happen.
Jason [00:08:00] You know, there's a there's for those non techie for those playing at home that are in non technology. There's a big movement in the last 20 years called the Agile Methodology for Software Development, how we develop the technology. And it's this idea that instead of this old school approach of planning things out from beginning to end, I know on what day I'm doing, what when? Six months from now it's called waterfall is that they approach it from more of an iterative or one step at a time approach to Hey, let's not let's not figure out or try to get to this goal of 100%. Let's just get something very simple and deliver fast and get something working. Something that's, you know, minimal viable product is some of the terminology they use. Get me the MVP. Just, you know, for example, if I'm building a house, don't you start with the foundation. Hey, you know what? Not even epic. Let's let's today we're going to lay concrete. That's our goal for this next two weeks. We're going to just lay some concrete. We're going to do it great. But we're going to keep it simple and small and you iterative approach to it. I think that's that fits this model as well as the idea of, okay, I'm just going to go for something and get something started, get something built, and then I start adding on to it.
Paul [00:09:09] Yeah, that's adequate. By the way, the waterfall methodology is not related to TLC Waterfalls, the song, very good song, but it is something different. And Waterfall, you know, I think is what I grew up on the waterfall methodology in that I was trying to plan for every contingency and it just doesn't work like that in real life because business changes so fast that, you know, you you need to get moving and see what works right and that you know, you can use the plan do check act model. The Deming model is what it's called where you plan out a little bit of what you do, you do it, you check and see how that worked. And then based off of what the results are of your check, you go and react to it and make modifications and go through the cycle again. So I'm a very big believer in that. Early in my career I was not and I wish somebody had talked to me about don't worry about building perfection out the gate because you'll make a lot more progress.
Jason [00:10:03] Yeah. Great pop culture reference, Paul. Your glasses are belying your pop culture ability of nineties pop music. And you know what? Do you know what TLC stands for? Speaking of acronyms? No, I do. You're going to drop acronyms and not know. We have this problem. We do drop acronyms and we need to make sure to explain it.
Paul [00:10:22] So I literally look it up. Who's saying water?
Jason [00:10:25] Initials of their three initials of their first name is t balls left. I actually t. Okay.
Paul [00:10:31] Clearly I remember the song. I don't know enough about it.
Jason [00:10:35] Is the Walking Encyclopedia podcast.
Paul [00:10:37] Thank you for correcting me in a very, very public manner. Embarrassing me. So I appreciate that because humility is an important part of learning. So thank you, Jason.
Jason [00:10:47] You know, can I segway in about a word you talked about bringing it back to cybersecurity. For those practitioners that are listening to live in the cybersecurity world, this is a challenge I have, too, with when we talk about security controls and security controls for non-active or non-tech listeners is basically like the AV alarm system on your house. How are you protecting your house? An alarm system would be considered a control. Having a guard dog is a control. It's a way to prevent bad things from happening.
Paul [00:11:15] Under the law.
Jason [00:11:16] So in cybersecurity, we have these things called controls that are just basically locks on your door alarm system for your windows. And how good those things perform is something that we're very keen on knowing in cybersecurity, you have a shitty lock, you're going to want to know that, right? Like, Oh, that's a really crappy lock. So we try to measure how good the lock is. This is this is a challenge in cybersecurity where people think they need or sometimes you can get stuck where, oh, I need that lock to be the best lock on the market. It needs to be un penetrable and nobody can get into it. And the reality is you can't look at the lock like that because you're never going to be perfect with that control. You're going to have to you're going to get to maybe 80%. You get one of the better locks out there because when you start layering in all your controls and 80%, you're going to end up coming above 80% in your overall security risk profile. So don't try to get over achieve perfection in any control, but try to get close to that is my opinion.
Paul [00:12:09] Yeah. You bring up a good point because we also need to get our partners involved in this because again, early in my career I remember being audited on things.
Jason [00:12:17] I thought we said, we're keeping our wives out of this. Why are you bringing her into this?
Paul [00:12:20] Yes, I will. I'm going to make this about my life in general. So sorry.
Jason [00:12:26] This is going to be upset if she's not on the show and you're going to bring you in.
Paul [00:12:29] Which then bring our spouses into the show, they end up doing a lot.
Jason [00:12:32] Of I like being married. I'd rather not.
Paul [00:12:35] Make a good point to share again. Sure.
Jason [00:12:39] So explain, partner, when you said bring your partner because actually I didn't know.
Paul [00:12:43] When I say partner, I mean your work partnerships that you have. So for instance, internal audit, early in my career, I was always frustrated because it felt like the internal auditors, when they came and reviewed my processes, they were looking for perfection. Right? That's what I always perceived it to be, is like, okay, they're critiquing me on this. That means they don't think it's perfect. And when I went and studied and worked with a lot of auditors later in my career, I found out that's not what they're doing now. You will find auditors throughout your career who, you know, if it's not perfect, they're not going to they're not going to give you any credit. You're just going to get a finding that happens. But most of your audit partners will look at it. And if you can explain what what you want to get to and how your steps are going, like the steps you're putting in place achieve that goal. Both of them will get on board with you because one of the things I've heard in my career is that, you know what, we have to build that planet for perfect, because we'll get audit funding. And what I'm suggesting is, no, you won't. If you can share your vision, right. What you're trying to achieve, your audit partners will will support you.
Jason [00:13:50] You know, so for those of you for those of you playing along at home, they may not be familiar with internal audit, which through my perspective, the only the only word worse than the F word is audit except for except for within context what Paul is talking about, not an IRS audit. Internal audit is actually our friends in most positions. They make sure that we say what we, what we, what we're doing, that we're actually saying what we're doing when it comes to having the lock on the door, having the alarm system, having these controls in place that are like a third level, third layer of defense, of making sure that we're assuring what we're doing. So they're actually our friends. So audit is not a bad word in this?
Paul [00:14:31] No, I agree. Our auditors have helped me more in my career than a lot of other teams. And yeah, you know, and that's again, get over the fear of I have to be perfect because I'm going to be audited or I'll get to be a.
Jason [00:14:43] Guinea honest man. Any security team if you're if you're if you're ever answering an internal audit for a company and I've heard this from CISOs and cybersecurity practitioners across the board, they're like, oh, I'm well, I'm just going to tell them that we're doing that even though they know it's not 60% or 70% or so. Now, just be honest.
Paul [00:15:01] Yeah, I mean, and that's.
Jason [00:15:02] Okay not to be perfect.
Paul [00:15:04] And they're okay with that. You will find your auditors will support you in your journey if you can share with them the story. So, you know, there's no reason not to build ed programs, not to not focus on being perfect, right? Understand what you're trying to achieve. But again, you don't have to have everything laid out because business situation and environmental situation will change. So you need to be have the flexibility to adapt as you go along.
Jason [00:15:32] Right. Be back to the movie Perfect. The Great Eighties movie. You check it out. I think you can find it anywhere on a streaming service will be John Travolta. Will be John Travolta, not Jamie Lee Curtis.
Paul [00:15:45] Well, we there is one blockbuster left, so you might be able to find the B just because I've literally never heard of this movie. Is it streaming anywhere?
Jason [00:15:53] Let me let me Google that for you.
Paul [00:15:55] So whether there's an inside joke to that one, because I asked Jason a couple of questions years ago and he kept sending me to let me Google that for you. So I finally got there. Happened to Google.
Jason [00:16:05] That for you. Dot com, dot com. It's great.
Paul [00:16:09] I never want to ask him questions. So but now that I think this was a good discussion and again, that what you what you're hearing from Jason and me is that you don't have to be perfect. Sometimes adequate is a great start and you can build on adequate to good and then you can move to quasi perfection. But as Jason said, perfection while a good goal. Don't don't be upset if you don't achieve it because, you know, it is exceptionally expensive to get to perfection.
Jason [00:16:41] Absolutely. And to give another example, Paul, how do you get a Pikachu on a bus?
Paul [00:16:47] This is going to be a bad I don't know, Jason, how do you get them to get.
Jason [00:16:50] You Pok-em-on?
Paul [00:16:52] Oh, all right. Well, this will be one of the podcasts that most listeners will probably be glad to be done with because they don't have to listen. We're bad, bad jokes, but thank you for sharing those with us today, Jason.
Jason [00:17:04] Awesome. Thanks, everybody. Take it easy out there. Oh.
Speaker 3 [00:17:10] Is DNA asleep in?