The world leader in serving science
Joel Cardella
Director, Product & Software Security & Privacy
Stop Boiling The Ocean!
2
Who am I?
• Joel Cardella, Director, Product Software Security and Privacy
• 25+ years in IT in various roles: CISO, consultant, network ops, data centers, service operations, etc.
• Twitter: @JoelConverses
• www.jscardella.com
• I love the theatre, have a strong fine arts background, and am interested in anything that makes me a better decision maker
3
Boiling The Ocean
Effective image, but can be cliché
Examples of boiling oceans:
• Managers who require mountains of data for reports or presentations which are then unused
• Trying to plan for every contingency possible
• Constantly revising forecasts
• Inspecting or assessing everything in hopes of catching something
4
Boiling The Ocean in Infosec
Infosec is an ocean, and all of these are oceans within infosec!
5
James Clear
Author, entrepreneur, world photographer and gym rat
Motivational writer about habits and human potential
Jamesclear.com
The rest of this presentation is going to reference material directly from James Clear
6
Goals versus Systems
Plan for failure
“Planning to fail doesn’t mean that you expect to fail, but rather that you know what you will do and how you will get back on track when things don’t work out.
If you’re focused on being perfect, then you’re caught in an all-or-nothing trap.”
7
Goals versus Systems
Being Consistent Is Not the Same as Being Perfect
Individual failures have little impact on your long-term success
8
Goals versus Systems
All or Nothing is a trap!
9
Goals versus Systems
If you completely ignored your goals
and focused only on your system,
would you still get results?
10
Goals versus Systems
FORGET ABOUT SETTING GOALS
Goals are all or nothing. They are deadlines, not schedules. So if we don’t meet them, we automatically fail…even if we were better off than we were at the start!
11
Systems versus Goals
• Commit to a process, not a goal.
• Release the need for immediate results.
• Build feedback loops.
12
Narrow margins
The margin between good and great is narrower than it seems. What begins as a slight edge over the competition compounds with each additional contest.
13
The Story of Team Sky
Sir Dave Brailsford, Manager of Team Sky
Britain had never won a Tour de France
Aggregation of marginal gains - “the 1 percent margin for improvement in everything you do.”
They searched for 1 percent improvements in tiny areas that were overlooked by almost everyone else: discovering the pillow that offered the best sleep and taking it with them to hotels, testing for the most effective type of massage gel, and teaching riders the best way to wash their hands to avoid infection. They searched for small improvements everywhere.
Brailsford believed that if they could successfully execute this strategy, then Team Sky would be in a position to win the Tour de France in five years’ time. He was wrong. They won it in three years.
14
The 1% rule
In the beginning, there is basically no difference between making a choice that is 1 percent better or 1 percent worse. But over time…the difference is significant!
15
How I Would Apply This Learning
Product Security requires three essential components:
• Process rigor, for robust, repeatable, ongoing processes
• Precise documentation, internal and external
• Controls and ongoing validation for both privacy and security
16
Identity-Based Habits
1. Decide the type of person you want to be.
2. Prove it to yourself with small wins.
17
My Identity
• I want to be the person that puts Thermo Fisher Product Security on the map
• I want people to talk about us as a leader in the space, and with constructs to be emulated
• I want to expand my own knowledge and understanding of the space, because of its importance to the future, and the fact that my work directly impacts people’s lives
18
My Feedback Loop
• 3 months ago
  • No one in charge of product security
  • No direction for application developers
  • Bug bounty programs in place with little to no feedback
  • No defined processes for reporting vulnerabilities
  • No presence in the community
• Today
  • Me, and a team of 4 people, with 9 open positions in progress or planned
  • A developer pipeline that includes automatic code scanning for 1 team
  • Action on bug reports, with a 22% fix rate for reported vulns
  • A process to report vulns outside the bug bounty, with tracking and follow up
  • H-ISAC participation in working groups
  • A successful debut at DEF CON with IoT devices
19
My Feedback Loop
• My commitment:
  • At the end of each work day, my team will scrum for 5-10 minutes and discuss what we did that day that improved us 1%
  • Capture this information, keep the list publicly available, and report on it regularly
20
The 1% Rule and the 80/20 Rule
The 1 Percent Rule states that over time the majority of the rewards in a given field will accumulate to the people, teams, and organizations that maintain a 1 percent advantage over the alternatives.
“The 1 Percent Rule is not merely a reference to the fact that small differences accumulate into significant advantages, but also to the idea that those who are 1 percent better rule their respective fields and industries. Thus, the process of accumulative advantage is the hidden engine that drives the 80/20 Rule.”
21
The 1% rule
You don't need to be twice as good to get twice the results.
You just need to be slightly better.
Consistently.
22
Speed of average
Average speed yields above average results
23
Keep In Mind
• Keep moving – you don’t need to dash, and in fact may trip and fall if you do
• Keep improving just 1% each day – be consistent in your approach
24
Average Speed for Above Average Results
Don’t boil these oceans!
Small, consistent steps yield great results over time

GrrCON 2018: Stop boiling the ocean!