Counting What Really Counts

Posted June 10, 2008 by
Categories: Software Security

Adapted from an article by Harry Robinson, Six Sigma test productivity program manager at Microsoft, and sent to me by Daisy Huss on the ACE Team.

The original article was published in Interface in December 2001.

Scene one. You are picnicking by a river. You notice someone in distress in the water. You jump in and pull the person out. The mayor is nearby and pins a medal on you. You return to your picnic.

A few minutes later you spy a second person in the water. You perform a second rescue and receive a second medal.

A few minutes later, a third person, a third rescue, and a third medal. And so on through the day.

By sunset, you are weighed down with medals and honors. You are a hero. Of course, somewhere in the back of your mind there is a sneaking suspicion that you should have walked upriver to find out why people were falling in all day. Then again, that wouldn’t have earned you as many awards.

Scene two. You are sitting at your computer. You find a bug. Your manager is nearby and pins a “bug-finder” award on you. A few minutes later you find a second bug. And so on.

By the end of the day, you are weighed down with “bug-finder” awards and all your colleagues are congratulating you. You are a hero. If the thought pops up in your mind that maybe you should help prevent those bugs from getting into the system, you squash it. Bug prevention doesn’t win nearly as many awards as bug hunting.

What you measure is what you get

B.F. Skinner told us fifty years ago that rats and people tend to perform those actions for which they are rewarded. It is still true today. In our world, as soon as developers find out that a metric is being used to evaluate them, they strive mightily to improve their performance relative to that metric—even if their actions don’t actually help the project. If your testers find out that you value finding bugs, you will end up with a team of bug-finders. If prevention is not valued, prevention will not be practiced.

I am changing my blog subscriptions - Your help is needed

Posted June 10, 2008 by
Categories: Blogonomics, Blogroll, Information Security Economics, Security Industry, Software Development

I am bored of the same old crap coming across my feed reader, so I have decided to experiment: be ruthless and unsubscribe from anything that I don’t read (value) regularly, and look for new, fresh thinking and opinions. Sure, the odd gem can be, well, a “gem”, and I may miss them, but I am figuring it will be picked up by someone else I read, and in the grand scheme of things my signal to noise ratio will still improve. And of course what’s fresh to me may be staple diet to you, so I still want to know.

I’ll publish my feed (OPML file) after I have let it bed in for a few weeks. 

These are the categories I organize things into:

  • Kite Surfing
  • Para Gliding
  • Formula 1
  • Lifestyle (LifeHacker etc)
  • Science (non computer related)
  • Cool Business (Guy Kawasaki, Presentation Zen etc)
  • Humour (indexed etc)
  • Real News (BBC etc)
  • Microsoft
  • Product Management
  • My Stuff (Google alerts etc)
  • Security Management
  • Software Security
  • Security Tools Development (people building / thinking about security technology)
  • Software Development
  • BPM
  • Artificial Intelligence
  • BI / Dashboards / Visualization
  • Tech Gossip
  • Web 2.0

And yes I know I could / should publish my current OPML but then I would be publicly saying things are crap and this is the new Mark ;-)

So what are your recommendations?

Patterns & Practices Improving Web Services Security: Scenarios and Implementation Guidance for WCF

Posted June 8, 2008 by
Categories: Information Security Economics, Microsoft, Software Security, Web Security, Working at Microsoft

My cool security friend JD has done it again (in BETA).

http://www.codeplex.com/WCFSecurityGuide

These things are the definitive guides to the topic. Masterpieces!

Download the Improving Web Services Security Guide (BETA)

Black Kids, Lesbians from Arkansas and a Swedish Bloke who plays guitar

Posted June 7, 2008 by
Categories: information security

http://www.myspace.com/blackkidsrock

All I need to rock my iPod these days is Black Kids and Beth Ditto (doing the Skins classic; stay with the intro, trust me), and I can drive home from the airport after a 12 hour flight and just feel alive.

http://www.youtube.com/watch?v=cMFExJzaO1c

Throw in some José González and the Audi TT purrs like a true beast around the M25…

http://www.youtube.com/watch?v=s4_4abCWw-w

My Reading List Just Got Bigger

Posted June 7, 2008 by
Categories: Cool Business

Business Week just published their top ten books that MBA students should read this summer. I digested some of them ages ago (The Tipping Point, The World is Flat; I am living the “flat world” and building software for the flat security world that I think will emerge in the next decade), and I am currently engrossed in the truly excellent The Back of the Napkin. This book has implications for many security disciplines, from Business Process Modelling and Threat Modelling to architecture, metrics and measurement.

Back Of The Napkin

Posted June 3, 2008 by
Categories: Cool Business, Getting Things Done

I haven’t even read this book but I know I am going to love it.

Solving Problems and Selling Ideas with Pictures

Royal Holloway Alumni Event - Agenda Now Online

Posted May 30, 2008 by
Categories: Royal Holloway ISG

Life at Microsoft - The Truth Revealed

Posted May 26, 2008 by
Categories: Microsoft, Working at Microsoft

Pictures from Silverstone

Posted May 24, 2008 by
Categories: Lifestyle

For my birthday earlier this year my wife got me a track day at Silverstone. Last Saturday I took out a Lotus Exige and a Ferrari 360 Modena at the home of British Motor Racing, Silverstone. The Exige was OK but barely faster than my Audi, a little too cramped for a 6′3″ guy, and, having owned a Lotus for a while before I was married, nothing special. After the Lotus sessions I got some headaches so was not able to really push the Ferrari, but I came out of the afternoon with the highest score from the instructors of twenty-odd drivers. All A’s and B+’s. It was a lot of fun overtaking other Ferraris on “Hangar Straight” at 160 mph! That’s me at the wheel in the photos below.

[Photos: DSC_7819, DSC_7820]

This weekend is one of my favourites of the year, the Monaco Grand Prix. Come on Lewis!