Sunday, August 28, 2022

80/20/80 Rule approach

 

The 80/20 principle has been around for many, many years and is in daily use across business and just about every genre. It's quite simple and straightforward: it basically means that for 20% of the effort you can get 80% of the results you want.

The Pareto principle [2], as it's known, has a very valid set of findings and it is a good "rule of thumb". The rule of thumb itself is a whole different thing, as that's when you look at Daniel Kahneman and the whole thing around using intuition [1].

My take on it is a slight addition to the 80/20 principle: I like to think of an 80/20/80 rule, which I call the "All-mo-done" (almost done). If you think about it, it's true: most of us, especially in business and at work, want to get things done now. We all love progress. We all, I hope, strive to add value with intentionality.

Something that occurred to me the other day while I was doing some chores, basically tidying up, is that quite often we will outsource things to a service provider, consultant, associate or subcontractor to get someone else to do it.

I always try to get the worst job of the day done first, you know, the clean-the-cat-litter-tray type of thing. Some jobs are too overwhelming, so are best tackled in a couple of goes, hence the 80/20/80. Have you ever considered that you could do 80% of the work for 20% of the effort involved and get all the glory for showing what we call the minimum viable product (MVP)?

What I'm trying to say is that quite often we look at a job, scope it all out (109%) and get someone else to do it for us because we're too busy, it's not but she's her time, whatever. Doing that means the outsourced resource gets the benefit of the 80% "quick wins" for 29% of the effort!

When you apply Dave Allen's principles of Getting Things Done (GTD) [3], sometimes you're better off doing the job than speccing it out for someone else! As we say in the IT security industry, the "JFDI" approach; you can look that one up later [6]! You can actually achieve an awful lot by doing the 80% in 20% of the time yourself. This does two things:

One, there has been demonstrable progress and achievement; what a waste of your effort scoping it all just to have it commissioned. Your boss, or whoever you're doing the work for, realises you've actually done quite a lot, with tangible results.

What you then do is scope out the remaining 20% of the job, which you know is going to take 80% of the effort. By then you've already delivered and demonstrated the low hanging fruit, a phrase I'm not a fan of, but it does apply and it does make sense. You've got the MVP [5] ready to go before you've even commissioned the work to finish it off!

Sometimes you might find that when you get round to scoping the last bit, it's actually not worth the amount of effort and money involved in doing it. You can demonstrate that, because you've already delivered 80% of the results very quickly; the last 20%, if it's required, is probably going to cost 80% of the funding to do the job, hence my 80/20/80. You absolutely know the external resource will be earning their money!

Because that last 20% could well be 80% of the effort and 80% of the cost to finish the project, you might want to think carefully about your "Definition of done" [4] and about rescoping. Another thing to consider is that while you're doing 80% of it very quickly, you come to understand very intimately all of the last bits that remain to be done. This may mean rescoping the project, it may mean realigning your expectations, and it could even mean that, instead of investing that money in the final piece, you make do with a reshaped phase 1: you have a proof of concept and do the last 20% later if it's still required.

In summary, 80/20/80 is just a different way of thinking: get the 80% done very quickly, because often you can't even scope out the last 20% and the finishing until you understand the job intimately. You might as well do the big part yourself and deliver it very quickly; then you can really work out whether the requirements have changed and what the functional and non-functional requirements are for the last bit. Then decide if the business case to do it stacks up in the first place.

References:


[1] https://hbr.org/2015/05/from-economic-man-to-behavioral-economics
[2] https://www.techtarget.com/whatis/definition/Pareto-principle
[3] https://gettingthingsdone.com/what-is-gtd/
[4] https://www.agilealliance.org/glossary/definition-of-done/
[5] https://www.productplan.com/glossary/minimum-viable-product/
[6] https://jfdi.info/about/what-does-jfdi-mean/








Monday, April 11, 2022

BLUF for Crisis Communications

Background

One of the key issues with Crisis Management is clear and effective communications. A good set of principles is ABC: Accuracy, Brevity & Clarity. In the military, the BLUF approach (Bottom Line Up Front) is used, and this is supported by the 5(W)HO system: Who, What, Where, When, Why, How and the Outcome.

Crisis Management should be conducted using the same approach.

Who

Identify the individuals and their roles in the crisis. Who are the key players? What are their names and what are their roles?

What

Identify the crisis. What are the current circumstances, what is the situation you are trying to address, and what is the issue you're communicating about?

Where

Identify the location of the crisis, incident or situation. Where is the crisis taking place, the scope and the boundaries of the incident or crisis?

When

Identify the time of the crisis. When is the crisis taking place, when does the message relate to, and what are the time-frame, validity, deadline for any task and the time by which the outcome has to be reported back?

Why

Identify the reason for the crisis. Why is the crisis taking place, why is the communication being written?

How

Identify the solution. How do you propose to resolve the crisis, how is the outcome to be achieved or what is the effect being sought?

Objective

Identify the outcome of the communication or tasks being communicated. What do you want to achieve? What is the expected outcome?


Crisis management is a decision making process; many of the facets of Crisis Management are about Strategic Decision Support. It is not about standing back and watching events unfold. It is about taking control and steering events in the right direction. It is about influencing and changing the outcome of the crisis.

Crisis Management is an iterative process; it is about dealing with the current situation and preparing for the future, through lessons learned and feedback.

The use of keywords in the email subject line.

The first thing that your email recipient sees is your name and subject line, so it’s critical that the subject clearly states the purpose of the email, and specifically, what you want them to do with your note. 

A typical email subject could be [Classification][Operational Codeword] [Action Verb] [Subject]

Example 

(1) Subject: OFFICIAL / SUN BURST / DECISION - Supplies required

(2) Subject: OFFICIAL / SUN BURST / REQUEST - Information on current supply levels required

Military personnel use keywords that characterize the nature of the email in the subject. Some of these keywords include:

  • ACTION – Compulsory for the recipient to take some action
  • SIGN – Requires the signature of the recipient
  • INFO – For informational purposes only, and there is no response or action required
  • DECISION – Requires a decision by the recipient
  • REQUEST – Seeks permission or approval by the recipient
  • COORD – Coordination by or with the recipient is needed
  • SITUATION - The following is a Situational Update
  • REFERENCE - This email contains information to be indexed and stored
  • AUTHORITY - This email contains the authority to execute a previous request
  • UPDATE - This email contains an official update relating to the situation.
  • CASCADE - This email is an official communication for cascade

This type of standardised reporting and control also means important emails and communications can be searched for by date and time, to aid with context and sense making during the ongoing situation.
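
To show how the subject convention makes messages searchable, here is an added example (not from the original post) that parses subjects into fields and builds a time-ordered log for one operation. The " / " and " - " separators are inferred from the two examples above, and the field names, the `RESPONSE_REQUIRED` grouping and the sample messages are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Keywords exactly as listed in the post.
KEYWORDS = {"ACTION", "SIGN", "INFO", "DECISION", "REQUEST", "COORD",
            "SITUATION", "REFERENCE", "AUTHORITY", "UPDATE", "CASCADE"}
# Assumption: keywords whose description asks the recipient to do something.
RESPONSE_REQUIRED = {"ACTION", "SIGN", "DECISION", "REQUEST", "COORD"}

# Mail clients prepend reply/forward markers; strip them before matching.
PREFIX_RE = re.compile(r"^\s*(?:(?:RE|FW|FWD|SUBJECT)\s*:\s*)+", re.IGNORECASE)
# Assumed grammar: CLASSIFICATION / CODEWORD / KEYWORD - topic
SUBJECT_RE = re.compile(
    r"^(?P<classification>[^/]+?)\s*/\s*(?P<codeword>[^/]+?)\s*/\s*"
    r"(?P<keyword>[A-Za-z]+)\s*-\s*(?P<topic>.+?)\s*$")


@dataclass(frozen=True)
class Bluf:
    sent: datetime
    classification: str
    codeword: str
    keyword: str
    topic: str


def _norm(text):
    """Upper-case and collapse whitespace so 'sun  burst' equals 'SUN BURST'."""
    return " ".join(text.upper().split())


def parse_subject(sent, subject):
    """Return a Bluf record, or None if the subject breaks the convention."""
    match = SUBJECT_RE.match(PREFIX_RE.sub("", subject))
    if match is None or match["keyword"].upper() not in KEYWORDS:
        return None
    return Bluf(sent, _norm(match["classification"]), _norm(match["codeword"]),
                match["keyword"].upper(), match["topic"])


def timeline(messages, codeword):
    """Return (records for one codeword in time order, non-conforming subjects)."""
    records, rejected = [], []
    for stamp, subject in messages:
        record = parse_subject(datetime.fromisoformat(stamp), subject)
        if record is None:
            rejected.append(subject)  # cannot be filed, needs a human to read it
        elif record.codeword == _norm(codeword):
            records.append(record)
    return sorted(records, key=lambda r: r.sent), rejected


def awaiting_response(records):
    """Records whose keyword obliges the recipient to act, sign, decide or reply."""
    return [r for r in records if r.keyword in RESPONSE_REQUIRED]


# Constructed sample mailbox: (sent time, subject line).
SAMPLE = [
    ("2022-04-11T09:40", "OFFICIAL / SUN BURST / REQUEST - Information on current supply levels required"),
    ("2022-04-11T09:05", "OFFICIAL /SUN BURST /DECISION - Supplies required"),
    ("2022-04-11T10:15", "RE: official / sun burst / update - Supply levels confirmed"),
    ("2022-04-11T10:20", "Quick question about supplies"),
    ("2022-04-11T10:30", "OFFICIAL / SUN BURST / URGENT - Call me"),
    ("2022-04-11T11:00", "OFFICIAL / OTHER OP / INFO - Unrelated briefing"),
]

if __name__ == "__main__":
    log, bad = timeline(SAMPLE, "SUN BURST")
    for r in log:
        print(f"{r.sent:%H:%M} {r.keyword:<9} {r.topic}")
    print("Non-conforming subjects:", bad)
```
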


Tuesday, March 29, 2022

From Plans to playbooks


 

 

Building on the experience gained over the past six years of running Cyber Response exercises, it is becoming clear that cyber incidents should not be led by the ICT function. Cyber incidents are in fact service disruptions. The Information Assurance trinity (Confidentiality, Integrity and Availability) reflects the holistic approach to the security of information.

 

Cyber incidents come in different shapes and sizes. If one system is affected, then generally the ICT function will be able to respond to it. However, if a cyber incident covers more than one system or a large service, it will in fact impact upon the business. Once the business is impacted, this becomes a strategic issue and requires senior leadership intervention through a crisis management team. Traditionally, this has all been thought of in the enterprise as business continuity planning. The coordination of business continuity planning is done through Business Continuity Management, which manifests itself through enterprise-level contingency plans. A contingency plan is a plan which addresses a specific issue.

 

Enterprise-level business continuity plans are, generally speaking, generic. However, a contingency plan is specific. For instance, a contingency plan could deal with the loss of a building, be that a headquarters, a town hall or a head office. Obviously, if such a building was lost or unavailable for a period of time, all of the processes, services and systems that rely on that building for their delivery would also potentially become unavailable.

 

This becomes a serious problem. As we've moved on through the information technology journey over the years, the proliferation of cloud-based systems and integrated hybrid systems, which are partly on premise and partly in the cloud, brings a different set of challenges. The loss of a building may not mean the loss of a service. However, contingency plans need to cater for the loss of services and specific systems.

 

As the computer world has moved more towards the agile approach to software development and delivery of services, so too must agile be taken into account in the way in which we respond to cyber incidents. We propose that the best way of doing this, just like in agile, is through playbooks, often called runbooks. C-TAG have developed a cyber incident response primer which itself supports a number of playbooks. The other component which supports playbooks, in their invocation and their ability to remediate a specific problem, is the use of break glass policies.

 


Break Glass Policies


A break glass policy is as the name describes, a break glass being the type of button you use to set a fire alarm off by breaking the glass. A break glass policy will enable a certain set of preauthorised, delegated actions, empowering individuals to carry out tasks, incur expenditure and deploy resources in an autonomous fashion, so as to act in a very quick and timely manner.

 

One of the key things moving forward for cyber incident response is the availability and deployment of a crisis management team. A Cyber Incident Coordination Cell should be established internally, which is different to the ICT team that may be resolving the actual problem. Cyber incident coordination requires Situational Awareness, Strategic Decision Support, and Intelligence Assessment and Analysis, to feed back to the Crisis Response Team.

 

Playbooks are in fact delegated contingency plans, enacted through break glass policies and reporting back into the crisis management team. A break glass policy may have a predetermined initial time span; with delegated authority, this could be 12, 24 or 48 hours. The point is that once the crisis response team (in ICT) is stood up, it reports its initial actions to the Crisis Management Team. The crisis response team and the crisis management team are both supported by the Cyber Coordination Cell. The Crisis Management Team will then take back control, the role of the break glass policy and its delegation having concluded.

 

But the break glass policy, once enacted, means that immediate tactical response can take place to deal with the situation through the predefined playbook. 

 

Golden Hour Guide 


There is also a Golden Hour Guide, which starts to describe how you would actually do this. For crisis management teams, there are various approaches, including one called the "Four Boards Approach". The Four Boards Approach gives a cadence to each of the meetings that the crisis management team holds, so they are very rigid, very structured and time boxed. They have specific tasks, responsibilities and outcomes. In crisis management, you don't always determine or dictate how something will be carried out. The focus needs to be on outcomes and effects. This is the exact approach used by the UK Government in how they run their COBR/A operations room. COBR/A will always talk about an effect that it wants to achieve, rather than the actual method to get there.









 

 

Friday, March 04, 2022

The Need for Cyber Collaboration

 

 

Organisations that are more cyber resilient are better able to cope with cyber attacks.

The benefits of collaboration 


Given the significant consequences of a cyber security breach, many organisations are calling for greater collaboration — the benefits of which include greater intelligence sharing, a cohesive response to threats and robust international infrastructure. Cyber-resilience is the ability to recover from cyber-attacks and cyber-attacks are on the rise.


Intelligence sharing

According to a study for IBM by the Ponemon Institute, organisations with high cyber-resilience were more likely to participate in some form of threat-sharing program (e.g., open source, commercial sources, threat intelligence platforms). Sharing intelligence allows organisations to identify likely threats in their industry and develop appropriate responses based on what similar organisations have tried. Intelligence sharing between public and private sectors, as researched by RUSI, is vital because of the distinct perspectives each sector has. For example, government agencies can conduct cyber espionage operations and, therefore, have insight into adversary networks. In contrast, business providers often have greater understanding of cyber-attack victims.

Increased cross-sector talk could vastly improve cybersecurity responses, and even prevent attacks before they occur. Microsoft’s new initiative, The Asia Pacific Public Sector Cyber Security Executive Council, aims to facilitate private-public partnerships, to share information and strengthen government cyber defences. The council plans to meet quarterly going forward. 

For example, a public sector organisation may have a strong interest in knowing the activity of private sector organisations, whereas a private sector organisation may be concerned about the potential for misuse of their own data by the public sector.

The NIST Cybersecurity Strategy Framework was designed to be a framework that organisations can use to address cybersecurity issues and be compliant with the relevant laws. It is a step-by-step process that organisations can use to identify, assess, and respond to cybersecurity threats. 

 

 


Consistent threat response


Having a clear response to cybersecurity incidents helps to protect organisations against cyber threats — particularly for smaller organisations that may lack expertise and/or resources. IBM have often emphasised the importance of having an incident response process that is consistent, repeatable and measurable, and has worked with organisations across sectors to help develop resilient solutions. 

However, there is still remarkable variation in the cybersecurity industry because of the lack of professional regulation. The UK Cyber Security Council plans to correct this issue, bringing private and public sectors together to create regulatory standards in cybersecurity, similar to what already exists in industries such as accounting and finance. The hope is that this will create a set of standards that improves the quality of cyber defence strategies and the efficiency of incident responses.

Next steps in the process will include the establishment of a new regulatory body, the National Cyber Security Centre, and the development of a new UK Cyber Security Strategy.

In the absence of a regulatory body, it is left to individual organisations to create their own incident response processes. A UK government report found that the majority of UK organisations (69%) were not prepared for a cyber incident, and that only one in three (30%) had a well-developed plan in place. In fact, one in five (20%) had not yet started developing a plan. In order to create a consistent incident response process, organisations should look to examples of best practice, including those provided by the National Cyber Security Centre.

Responsibility and liability

Organisations need to have clear ownership of their cybersecurity strategy, and it is the responsibility of every individual to work to develop and maintain the organisation's cybersecurity strategy.

To demonstrate that the organisation has a strong and effective cybersecurity strategy, the organisation should implement and maintain a cybersecurity strategy in line with the requirements of the CISO. The CISO should be responsible for the organisation's overall cybersecurity strategy and should have the authority to manage and control the implementation of the strategy.

The CISO should have a strong and effective cybersecurity strategy in place and be responsible for the development and implementation of the strategy; this is also relevant for SMEs and micro businesses. The CISO should be the first line of defence and should ensure that the organisation has appropriate cybersecurity measures in place.

To demonstrate this, an organisation's cybersecurity strategy should be integrated into its strategy, organisational and IT policies, and processes.

All organisations should have a strategy that describes their cybersecurity stance and provides a basis for cybersecurity risk management. A strategy provides a way of aligning cybersecurity with the organisation's strategy, provides a clear picture of the organisation's current cybersecurity stance, and helps to ensure that the organisation's cybersecurity risk management practices are aligned with its strategy.

The organisation's strategy should be informed by the organisation's mission, vision, and values. The cybersecurity strategy should also align with the organisation's governance and legal frameworks.

To demonstrate ownership of cybersecurity strategy, organisations need to establish a clear vision and strategy, and demonstrate alignment across the business and the C-suite.

IT Security

IT Security is a critical component of any business’s cybersecurity strategy. IT Security is more than just network and endpoint security, it includes securing cloud services, data, mobile devices and more. An organisation's cybersecurity strategy should have a clearly defined IT Security strategy, including:

  • A clearly defined scope of IT Security.
  • A clearly defined risk assessment methodology and process.
  • A clearly defined strategy for the identification and prioritisation of vulnerabilities.


International collaboration


Many organisations operate internationally, and therefore the attacks are international too. For example, while the impact of the SolarWinds attack was the most severe in the US, at least seven additional countries were impacted (including the UK, Belgium, Spain, Canada, Mexico, Israel and the UAE). However, the response from US allies was far from cohesive, and none matched the impact of the sanctions the US imposed on Russia for their suspected role in the attack.

It's crucial that private-public partnerships are not only encouraged on a national scale, but globally. Participating in global forums like FIRST, sharing intelligence and developing global frameworks will inevitably improve cyber-resilience. Finally, co-ordinated global responses may deter nation state attacks and increase trust between co-operating countries.

Clearly, many are working hard to facilitate cross-sector collaboration. However, there is much further to go. Cybersecurity is no longer optional — protected digital environments are crucial for organisations of all kinds, so they must work together to secure a cyber-resilient future. The ability to cope with cyber-attacks is critical to organisations' survival. A resilient organisation is more likely to survive an attack than a less resilient one.

 

 

Friday, February 18, 2022

Writing things down 

Remember the necessity to write things down. Notes will get forgotten quickly, so it is also important to make notes. My first drafts I call "Raw notes"; you can even put that in the file name! Meaningful file names are also very important. Also critical is to put a date on it, and a version number helps greatly later. Regardless of the thing, I always put a date first; it is so important. You look back on ideas in years to come, and no date! You'll be annoyed with your past self for not putting a date!

If you're not able to scan in important notes, use an app like Evernote (there is a free version); from there you can photograph the note. Never underestimate the value of capturing written notes for later. Tagging is very important to effective storage. A good electronic filing system is also very important.

Back in the 80's and 90's I loved my paper organizer, called Time Manager, it was a Filofax basically, but had two functions, one the diary and organizer, the second to organize your projects and work  through Key Areas, thirty years later, my brain still works that way. 

My go-to method for to-do lists is the ATD list [Action This Day], a phrase coined and used by Winston Churchill. My work always starts with the dated ATD list.

I'm a convert to distraction-free typing. The use of plain text is also to be commended. There are some very good apps and websites. Most if not all computers come with a basic note-taking app, and these get overlooked most of the time. Think markdown apps in the current genre.

Sometimes putting the date and time in can help you when drafting notes. On the Zettelkasten approach, I've already written an article on the method in an earlier blog post here. It gives a simple referencing system to put on index cards and even scraps. A meta-tagged scrap note with a date and time gives you a pretty good way to tie notes and thoughts together.

If you're like me, you'll have a work diary, a personal journal, working notebooks and maybe a research journal as well. My point is: tie those sources together when referring back, and it gives a rich context to remember what you were doing and why. I love index cards for notes. I also like to recycle the brown paper in Amazon delivery boxes. I guess I just love writing notes and scribbling models on brown paper!

It also becomes obvious as time goes on, that there is simply too much information in the world, you simply can't capture everything. A simple way to publish your thoughts is via a blog post like this one or through something like Gitbook which I love. The use of markdown language can also give you the ability to augment text with bold/italic and underlining. I really love Gitbook for publishing work type stuff, so easy to use. 

Latterly, do not be embarrassed to use the voice note capability built into most mobile phones. It is really exciting to know that Office 365 and similar apps can now support not only dictation straight in, as speech to text, but also transcription, where an MP3 file is loaded in and then converted to text. These common features used to cost a fortune and are now either free or available at low cost.

I've also taken a liking to the distraction-free word processors like the Alphasmart NEO2 and especially the Dana, which is very similar to the wonderful Amstrad NC100 and NC200. The difference is that the Alphasmart has a USB connection for simple text transfer. The Amstrad NC200 relies on a 3 1/2" floppy. I still miss my Cambridge Z88; I still have it, but data transfer is a bind, as it is with the Psion organizer. The Planet Gemini PDA is a great modern version of the Psion 5.

I'll write further about all of these lost technologies in due course. 

The main takeaways are: 1) Put a date on it. 2) Get the text captured somehow, then copy it to a safe place for further editing and publishing. There are different stages to the knowledge and writing journey.