- Time saving
- Commute – 1 to 3 hours a day, depending on where you are; that’s a saving of 5 to 15 hours a week per employee
- Can work anywhere you feel comfortable; no need to stick to an office, or even a home office
- Productivity improvement
- Fewer interruptions than in the office (an “interruption factory”), where it is often possible to get work done only before others have arrived or after they have left
- Interruptions disrupt the flow and rhythm of work
- True productivity happens only when an uninterrupted span of time is made available for quality work to be done
- Work-life Balance
- Improves the quality of life of individuals
- Have time for your hobbies and interests (no need to wait for retirement) – music, biking, etc.
- Have more time with family
- Improves employees’ loyalty and satisfaction
- Employees are adults; don’t treat them like children – respect them and trust them to do the best work of their careers
- When people are respected and able to do their best work, they will stay with the organization
- The urge to have daily physical oversight
- Shift the focus to ensuring people are working on meaningful work rather than merely appearing to be working on something
- Meetings can be toxic and disruptive to productive work
- A one-hour meeting involving five people is five hours of lost productive work.
- Use email and IM in productive ways to replace the need for meetings
- Involve the least number of people possible in a meeting (a short chat will be more productive)
- The office should be like a library, a place to learn and focus
- Create separate private spaces for collaborative discussions
- If you are going to have an office, it has to be inspirational – this is not possible for everyone; remote work gives people the option to choose where they are most comfortable and can get the most done
- Implement a “no-talk day” (NTD) in the office – a tremendous amount of work can be done when there is no interruption for a day; this would make the office a productive place, a go-to place when there is a need to get things done (on the NTD).
- Respect people’s space
- Slow down to get more – use email or other communication tools effectively. Again, a collaborative workspace such as WebEx Social allows one to read, comment, give feedback, and update project status at one’s own convenient time.
- Time zone overlap – 4 to 5 hours of overlap is best.
- Great for creative and knowledge work
- “Why work does not happen at work” – Jason Fried at TEDxMidwest
- “David Heinemeier Hansson – REMOTE: Office Not Required”
- “Remote Work at 37signals“
- Jason Fried & James Warren: World of Work
Last week at the 14th RAISE Forum meeting in Bangkok, the hotel served breakfast every morning. Among the wonderful selection of western and eastern dishes were two choices of bacon, crispy (hard) or soft, arranged on a specially shaped Yin-Yang Taoist design plate (see picture below). As shown in the picture below, the crispy bacon looks hard and slightly burnt, whereas the soft bacon looks tender and seems delicious. Most hotels serve crispy bacon but not the soft kind as part of the breakfast buffet menu. I took two slices of each, which perhaps nullified the five-kilometer run I had just had early that morning. I had not taken soft bacon for quite some time, so I went for it first, thinking that it would be more delicious and an easy start, since it must be soft and tender. On the first bite, I realized that it was actually neither tender nor soft. Its texture was rather rubbery and kind of hard to chew. Strange. It was a bit saltier than I liked as well. Not a good experience after all. On the other hand, the crispy bacon was neither hard nor tough to eat. A soft bite and it cracked in the mouth, releasing the juiciness of the bacon, and the slight burn was indeed fragrant. The verdict – crispy bacon was delicious.
At that moment, it reminded me of the notion of “hard” versus “soft” problems. Hard problems are those such as technical or engineering problems. They often seem hard in the sense of difficult, or complicated, but can normally be solved if one puts in the time, thinking, and effort to work on them. On the other hand, soft problems are often not as straightforward or as tender as they may sound. Soft problems are problems relating to people and groups, the so-called “Human Activity Systems” (HAS). Every human being is different, and sees problems and challenges differently. Many personal and psychological factors can influence an individual’s decision, non-decision, action, non-action, and related behaviors, and often a solution cannot be guaranteed. When people come together forming groups, large or small, the problems become even “softer”, and more complex to navigate, dissect and understand.
As I discussed in chapter 2 of “Responsive Security”, “information security risk management problems are considered ‘hard’ (difficult and complex) but are not ‘hard’ from a research perspective. Instead, information security risk management systems are essentially parts of human activities systems (HAS) and therefore classified as ‘soft’ problems.” Just like the soft bacon, such problems are often harder to chew than the crispy ones, requiring more research effort to understand the complexity and devise suitable solutions that address them. As our information environment is these days very much embedded in and integrated with technology, we must also consider two other critical aspects of information risk that fall under the technical research paradigm: (a) the close relationship between information risks and information technology; and (b) the constantly changing nature of the technology, business systems, and environment. These two aspects, social-technical aspects in short, are but two of the many facets that we need to consider and address. For a more in-depth discussion on how we may approach this in the practice environment, and the issues and dilemmas that surfaced as part of the research, check out chapter 3 of the book, “Responsive Security”.
Meanwhile, enjoy the good taste of the bacon, whichever you prefer :-)
Today marks the start of a new year on the Lunar calendar. As the Chinese saying goes, as the spring season arrives, happiness and prosperity follow. I would like to wish everyone a happy and prosperous lunar new year.
The Year of the Horse, according to the Chinese geomancy (fengshui) system, is this time a Wooden Year, which makes it a Wooden Horse Year. That immediately calls to mind the well-known Trojan Horse. Perhaps it is an important reminder of the many facets of security threats, which often leverage the surface appeal of beauty, innocence, or the relevance of a subject to lure one into a hidden trap. Think spear phishing and spam mails. Be prepared for the Trojan; be ready to deal with the many hidden challenges.
This year is also the “Jia Wu” year (甲午年) in the lunar calendar (more accurately, the sexagenary system, 六十花甲), which marks the 120th anniversary of the first Sino-Japanese war (甲午战争, 1894-1895). The current political tension between China and Japan over various territorial and historical issues doesn’t give much comfort when we read about the historical conflict. Certainly, today’s situation differs vastly from that of 120 years ago. But again, we never know whether the leaders will learn from the lessons of history. Perspectives on war often differ between the aggressor and the defender. They get more complex as more parties are involved. The stakeholders are many, and a solution is never easy.
Similarly, perspectives on cybersecurity, cybercrime, cyberwar, and for that matter everything “cyber”, often differ as well. Unlike conflicts or competition between nations, where leaders and stakeholders have a choice of actions or inactions, in cyberspace we often don’t even know that we have been targeted, or who or what the enemy is. As such, what really matters to an individual or an organisation on the Internet is whether we know what’s at stake if something bad happens, whether we have thought about our potential exposure, and whether we are ready to respond. These are a few questions that may appear simple, but often we don’t have the answers, or simply put, we are not ready.
Once again, wishing everyone a happy new year! 祝大家马年吉祥，身体健康！
After much anticipation, my new book, “Responsive Security – Be Ready to Be Secure”, is finally published today. Thanks to Prof Pauline Reich of Waseda University and Chuan Wei Hoo, who helped to proofread the earlier drafts, my publisher, Ruijun He, my editor, Iris Fahrer, and many friends and family members for all the support and assistance rendered throughout the long process to make this possible.
The book is based on my thesis on a Piezoelectric Approach to Information Security Risk Management, which captures the past decade of my experience and learning from my practice and from the fellow practitioners whom I have had the opportunity to work with. The book walks through our current knowledge and principles of practice in information security risk management, with discourses on the underlying issues and dilemmas in a constantly changing risk environment. It introduces the concept of responsiveness, and highlights the importance of readiness and preparedness in the face of changes that we may not always be able to anticipate, let alone predict. Responsive Security focuses on events that could lead to systems failures rather than the current industry focus on the search for vulnerabilities and learning how perpetrators exploit and attack.
If you are interested to find out more about the Responsive Security concepts and approach, the book is now available at CRC Press (http://www.crcpress.com/product/isbn/9781466584303) and also Amazon, where an e-book version has also been published.
Talking about Shandong in the previous blog (“Before the ashes turn cold”) yesterday: in fact, I have just come back from our 12th RAISE Forum meeting, which was held in Jinan, the capital city of Shandong province in China, on March 27 and 28, 2013. The meeting was co-sponsored and jointly organized by Beijing Powertime (北京时代新威) and Timesure, supported by the Association of China Information Security Industry (ACISI), and co-sponsored by (ISC)2.
Bruce Schneier wrote an interesting piece recently about the use of technology for political purposes and suggests that we need “more research into how to circumvent these technologies”: https://www.schneier.com/blog/archives/2013/04/it_for_oppressi.html
Technology is like a knife (in fact, a knife is also a technology). It is double-edged. Its application depends on the user more than on the provider. If a user uses a knife to kill a human being, it is against the law; it is even considered barbaric, animal, etc. We know its danger, but that alone will not stop its use. If we look at the history of technology, explosives were discovered in China many years ago. The emperor at the time was worried about their negative effects and forbade further research and use. But their utility went far beyond the fear of the imperial order or the negative effects of an explosion. In the hands of inquisitive-minded scientists and powerful politicians, the technology has since evolved, and today it is not just gunpowder explosives that we worry about anymore.
Finding ways to circumvent a technology reveals weaknesses that help the provider to strengthen it. It may even create a market selling the idea of its “safe use”. Even if a technology provider decided to discard it, another may acquire or reinvent it, as long as there’s a demand.
Beneath technology are intellect, knowledge, and information. Knowledge is power. Information flows.
In the Qin (秦) dynasty period, the first emperor of China understood that knowledge is power, and was therefore fearful of the potential threat of scholars and their teachings to his rule of the country. As a result, the Qin emperor ordered the burning of books in an attempt to stop people from learning. Nevertheless, the dynasty was overthrown by two rebels who were illiterate. A poet in the late Tang dynasty summarized this elegantly: “坑灰未冷山东乱，刘项原来不读书”, which roughly translates as “Before the ashes (of the books) turn cold, Shandong has already rebelled; Liu and Xiang (the two leaders of the rebels) were in fact illiterate.” A few emperors in subsequent dynasties did the same thing and again failed badly.
Today, we would have thought that China and many others had learned from history that censorship is not an effective tool for maintaining control of information and power (based on the historical lessons learnt). But they haven’t. Control gives the perception of power. Power blinds one from seeing things clearly. Letting go (detachment), as we learn in Buddhism, is not a simple thing.
Our office at the new business park is an attraction in many regards. There are massage chairs in the lobby area, free flow of coffee and tea in the open pantry, and various forms of open and semi-open areas for local on-site collaboration as well as video-on-demand and telepresence collaboration with remote sites. As in many other companies’ offices, badge access is the norm, and so it is in ours.
Interestingly, the washrooms on our floors, which are situated outside the badged area near the lift lobby of each floor, have their own access controls. Each has a mechanical number lock installed on the door. As the washroom is a shared facility with many people using it, the “secret” number to unlock the lock has to be known to all employees, contractors, and visitors. If, however, you belong to one of these groups but still don’t know the number, there’s no need to worry or to mount a brute-force attack to crack the secret number. You can simply follow someone in, or wait for someone to come out and hold the door to get in. Alternatively, you can go to the mail room nearby and ask the folks there cordially, and they will give you the number. In fact, if you cordially ask anyone who happens to walk by, they will also happily reveal to you the secret to the valuable restroom.
The question is, why did “someone” decide to have such a lock, which provides a real sense of insecurity and a false sense of safety to people in the building?
I found out later that the requirement was raised (by “someone”) because those washrooms have shower facilities in them, and the access control was meant to provide a form of safety to people taking showers as well as to prevent certain other people from taking showers. That seems like a reasonable requirement. Clearly, the security solution implemented has not met the requirement, and everyone else just “follows the flow”.
On another floor in the same building, another “someone” somehow decided to use badge access control for the washrooms, in line with that for normal office access. This provides better consistency and serves its purpose, i.e., it meets the requirement. Furthermore, with an electronic badge access system, if the showers get overused, someone can turn on logging and start monitoring usage of the facility to find out who has been showering all the time.