Reprogram Your Brain

Are you using your brain right? As Daniel Kahneman showed, our brains have two thinking systems: a fast system and a slow system. The slow system is for carefully considering situations, and it uses a lot of energy. The fast system provides quick answers in routine situations and uses much less energy.

Our brains have evolved over thousands of years to automatically select which system to use. In every situation, the fast system gets the first try. In 98% of all cases, the fast system comes up with what it thinks is a good answer, and doesn’t even ask the slow system.

Fortunately, you can use the slow system to re-program the fast system. To change your behavior, think about a situation in advance and tell yourself what you want to happen. Your fast system might automatically say yes when your boss asks you to handle one more ticket today. Tell yourself that next time, you will say that you will do it tomorrow. Simply stating your goal reprograms your fast thinking system to select another response next time.

Are Security Issues Ignored in your Organization?

Delete production database, go to jail, do not pass GO, do not collect $200.

A disgruntled Chinese sysadmin wiped his company’s servers after feeling ignored. He had complained about a lack of basic IT security, but found no understanding from his boss. He then wiped out most of their infrastructure, paralyzing a $6 billion company with 120,000 real estate brokers. He did prove his point. He was rewarded with a 7-year jail sentence.

The person with the most detailed knowledge of the vulnerabilities in your IT landscape is not the CISO. It is the database administrator or the network engineer. Do you have a process to ensure that potential security issues can be raised anonymously and will come to the attention of the CIO?

Talk Nicely to Yourself

How do you talk to yourself? When our actions lead to bad outcomes, we blame ourselves. That is OK if it leads us to reflect on our behavior and do better next time.

But the language we use when we blame ourselves is sometimes much worse than we would ever use with other people. If a colleague breaks the build or drops a production table, we don’t call him stupid. But we might call ourselves stupid. Don’t do that. Talk to yourself at least as politely as you talk to others.

Are You Still Building Things That Don’t Scale Automatically?

There is no excuse for a modern system to be slow. I’m at a 5,000-person conference this week, and their official networking app is totally overloaded and almost unresponsive.

You might still have legacy systems with scalability issues, but everything you build today should be cloud-native. As a first-class citizen of the cloud, a modern app has access to automatic scaling, monitoring, robustness, and many other features.

Ask the architects building new systems in your organization how the application will scale. If the answer is that it will scale automatically, good. If the answer is that somebody has to notice response time increasing and manually do something, you are still building to the old paradigm.

Do You Understand What You are Running?

Don’t run systems you don’t understand. Some people had placed billions of dollars into a cryptocurrency called TerraUSD. They were told this was a “stablecoin” that would keep a value of $1. Underlying this claim was a clever algorithm that interacted with investors and another cryptocurrency in complex ways. Until its magic no longer worked and the supposedly stable TerraUSD dropped 80%. Trading in it is now halted.

In the global financial crisis of 2008, people had invested in complex financial instruments that they didn’t understand. Many billions were lost and large institutions went bankrupt. The banks that came out of the crisis unscathed were those that had stuck to simple banking products that everyone could understand.

Take a look at your IT landscape. Can you find somebody who understands your operating infrastructure? Or have generations of DevOps engineers just googled problems and tweaked your Kafka and Kubernetes configuration until it somehow seemed to work?

You Can Do More Than You Think

Could you land a plane? Unless you are a flight simulator enthusiast, you probably think you can’t. But if you were in the air and your pilot fell unconscious, you would be able to land the plane. A passenger with no flying experience found himself in that situation above Florida yesterday. With assistance from an air traffic controller, he successfully landed the small aircraft.

Many things we think are impossible really aren’t. Once we start, we find that we can do more than we thought. The important thing is to take action towards the goal. If you take no action today, you are not likely to take any action tomorrow. But if you take one small step today, you are likely to take another tomorrow. The difference between zero actions and one action is huge. Take that one action today.

Perimeter Defense is Dead

Yet again, a critical vulnerability in commercial, high-end network equipment. This time, BIG-IP gear offers any hacker the ability to remotely access the management interface. The intruder doesn’t need authentication and can run any command. It’s rated a scary 9.8 (CRITICAL) on the CVSS scale, and it is being actively exploited.

If you still needed convincing that your network needs micro-segmenting or a zero-trust architecture, here is another piece of proof. This is not cheap consumer-grade gear. This is a highly reputable vendor of expensive equipment used by most large companies around the world. They can’t keep their devices secure, even though they are supposed to implement best practices in secure software development.

Depending on perimeter defense today is like being France in 1939 believing in the Maginot Line. If you are a CIO, today would be a good day to chat with your network team about just how securely segmented your network is.

Add Some Control to Your Life

Are you in control of your life? Many people feel that life is coming at them faster than they can respond. That leaves you with a feeling of being stressed and overwhelmed. That decreases your happiness, negatively impacts your health, and causes you to make worse decisions.

One way to add some control to your life is to start each day by deciding on one task you want to complete that day. If your most important task is one that cannot be solved in a day, you can decide that your task for the day is to work on the larger task for one hour. Agile teams start their day with a stand-up because it works. You can do your own personal stand-up, too.

Why Employee Surveillance Doesn’t Work

Do you know what a “mouse jiggler” is? Your most innovative employees do. It is not a device to shake a rodent in a cage. It is a small USB device that sends random mouse movements to a computer.

Who would want such a thing? Employees subjected to tracking software, that’s who. With the mouse moving, the software will record “productivity.” The pandemic led to a boom in surveillance tech, euphemistically called “employee productivity software.” As workers return to the office, that tech is not removed from corporate laptops. But workers are pushing back, in accordance with Newton’s Third Law of IT systems: Whenever the organization implements a policy, the employees will implement an equal and opposite workaround.

Techno-optimists keep trying to replace humans with technology. There are some places where that works. Replacing human leadership with surveillance technology is one of the places where this strategy doesn’t work.

Security is Somebody Else’s Problem

There is good reason security is invisible: It is Somebody Else’s Problem (SEP). In his geek classic “The Hitchhiker’s Guide to the Universe,” author Douglas Adams describes how the secret to making something invisible is to surround it with an SEP field.

Security is not actually invisible – I’m at an event in Copenhagen with 3000 security professionals this week. But it is still considered Somebody Else’s Problem by the rest of IT. Except for basic Authentication and Authorization, security is not on the minds of developers and system administrators.

We cannot magically make people care. We already know that to get good testing, we have to add professional testers to each team. To get a good User Experience, we need to add UX professionals to each team. We won’t get improved security until we also add security professionals to each team.