Bright Stove

Reflecting information risk journey

Archive for the ‘Organizations’ Category

Blog series on Responsive Security


I have recently published a five-part series on the captioned topic, based on my book of the same title, at Cisco’s Security Blog site. For the convenience of the readers of this blog, I have consolidated the links to the five parts here for quick access:

Enjoy the series (if you haven’t read it at the Cisco site ;-)).


Written by mengchow

January 16, 2015 at 12:12 pm

REMOTE – Office not required – a brief review


Working remotely is a practice that is familiar to many, especially where I work today, so much so that we often take its benefits for granted, without even realizing their significance. I happened to come across this book recently, and gained a new understanding and appreciation of what working remotely really has to offer, and of how to make it work even better for those of us who often work from remote sites.

“Remote – Office Not Required” is written by Jason Fried and David Heinemeier Hansson, co-founders of 37Signals (recently renamed Basecamp), the highly successful company that developed the online project management tool Basecamp. In “Remote”, Fried and Heinemeier Hansson share their philosophy of being “free to live and work wherever you want”. I found their articulation of the pros and cons, and of how to deal with the cons while leveraging the pros, refreshing. As such, I’m listing here what I jotted down while going through the book: some of the key benefits, and suggestions on how to make a remote work arrangement work effectively, from both the manager’s and the individual’s perspective. If anyone is interested in getting a copy, the book is available at

Benefits of a remote work arrangement:
  1. Time saving
    • Commute – 1 to 3 hours a day, depending on where you are; that’s a saving of between 5 and 15 hours a week per employee
    • You can work anywhere you feel comfortable; no need to stick to an office, or even a home office
  2. Productivity improvement
    • Fewer interruptions than in the office (the “interruption factory”), where it is often possible to get work done only before others arrive or after they leave
    • Interruptions disrupt the flow and rhythm of work
    • True productivity happens only when an uninterrupted span of time is available for quality work to be done
  3. Work-life balance
    • Improves the quality of life of individuals
    • Leaves time for your hobbies and interests (no need to wait for retirement) – music, biking, etc.
    • Leaves more time with family
    • Improves employee loyalty and satisfaction
For it to work effectively, managers need to change their mindset:
  • Trust
    • Employees are adults; don’t treat them like children – respect them and trust them to do the best work of their career
    • When people are respected and able to do their best work, they will stay with the organization
  • Control
    • Resist the urge to have physical daily oversight
    • Shift to ensuring people are working on meaningful work rather than merely seeming to work on something
  • Meetings
    • Meetings can be toxic and disruptive to productive work
    • An hour-long meeting involving five people is five hours of productive work lost.
    • Use email and IM in productive ways to replace the need for meetings
    • Involve the fewest people possible in a meeting (a short chat will often be more productive)
  • Office
    • Should be like a library, a place to learn and focus
    • Create separate private spaces for collaborative discussions
    • If you are going to have an office, it has to be inspirational – this is not possible for everyone; remote work gives people the option to choose where they are most comfortable and get the most done
    • Implement a “no-talk day” (NTD) in the office – a tremendous amount of work can be done when there is no interruption for a whole day; this makes the office a productive place, a go-to place when you need to get things done (on the NTD).
  • Respect people’s space
    • Slow down to get more – use email or other communication tools effectively. Again, a collaborative workspace such as WebEx Social allows one to read, comment, give feedback, and update project status at one’s own convenient time.
Some other important considerations:
  • Time zone overlap – 4 to 5 hours of overlap is best.
  • Great for creative and knowledge work
Face-to-face and social connection are still important – organizing regular gatherings and offsites for such connections, to bring everyone closer, will be more meaningful.

In addition to the book, I have found a number of YouTube videos in which Fried and Heinemeier Hansson share some of their thoughts. Those videos should come in handy if you don’t have time to read the book:
Have a good time working remotely!

Written by mengchow

August 10, 2014 at 10:00 am

A real sense of insecurity


Our office at the new business park is an attraction in many regards. There are massage chairs in the lobby area, a free flow of coffee and tea in the open pantry, and various forms of open and semi-open areas for local on-site collaboration as well as video-on-demand and telepresence collaboration with remote sites. As in many other companies’ offices, badge access is the norm, and so it is in ours.

(Image: toilet door with a mechanical number lock)
Interestingly, the washrooms on our floors, which are situated outside the badged area near the lift lobby of each floor, have their own access controls. Each has a mechanical number lock installed on the door. As the washroom is a shared facility used by many people, the “secret” number that opens the lock has to be known to all employees, contractors, and visitors. If, however, you belong to one of these groups but still don’t know the number, there’s no need to worry, or to brute-force the secret number. You can simply follow someone in, or wait for someone to come out and hold the door. Alternatively, you can go to the mail room nearby and cordially ask the folks there, and they will give you the number. In fact, if you cordially ask anyone who happens to walk by, they will also happily reveal to you the secret to the valuable restroom.

The question is, why did “someone” decide to install a lock that provides a real sense of insecurity and a false sense of safety to people in the building?

I found out later that the requirement was raised (by “someone”) because those washrooms have shower facilities in them, and the access control was meant to provide a form of safety to people taking showers, as well as to prevent certain other people from using the showers. That seems like a reasonable requirement. Clearly, the security solution implemented has not met the requirement, and everyone else just “follows the flow”.

On another floor in the same building, another “someone” somehow decided to use badge access control for the washrooms, in line with that for normal office access. This provides better consistency and serves its purpose, i.e., meeting the requirement. Furthermore, with an electronic badge access system, if the shower gets overused, someone can turn on logging and start monitoring usage of the facility to find out who has been showering all the time.
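To make the contrast between the two floors concrete, here is an added example (my own illustration, not code or data from the original post or the building’s access system) that models the two designs as small classes. The shared-number lock accepts a code but receives no identity, so it cannot attribute an entry or revoke one person’s access without changing the code for everyone; the badge lock records every attempt per badge, can revoke a single badge, and can answer the “who has been showering all the time” question from its log. All badge IDs, the code, the timestamps and the threshold are constructed for the example.

```python
"""Shared-secret door lock versus per-identity badge access.

Added illustration for the washroom example above; not from the original post.
Every badge ID, code and timestamp below is constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta


class SharedNumberLock:
    """Mechanical number lock: one secret for everyone, no record of who used it."""

    def __init__(self, secret: str) -> None:
        self._secret = secret

    def unlock(self, entered: str) -> bool:
        # No identity is presented: a correct code says nothing about who
        # opened the door, so nothing here is worth logging for accountability.
        return entered == self._secret

    def revoke(self, person: str) -> bool:
        # Access is tied to the code, not to a person; removing one person
        # would mean rotating the code and re-telling it to everyone else.
        return False


@dataclass
class BadgeLock:
    """Electronic badge reader: per-identity authorization plus an audit log."""

    authorized: set[str]
    log: list[tuple[datetime, str, bool]] = field(default_factory=list)

    def unlock(self, badge_id: str, at: datetime) -> bool:
        granted = badge_id in self.authorized
        self.log.append((at, badge_id, granted))  # every attempt is attributable
        return granted

    def revoke(self, badge_id: str) -> bool:
        # One person's access is removed; nobody else is affected.
        self.authorized.discard(badge_id)
        return True

    def usage_per_badge(self, since: datetime) -> Counter:
        """Granted entries per badge from `since` onwards."""
        return Counter(b for t, b, ok in self.log if ok and t >= since)

    def overusers(self, since: datetime, limit: int) -> list[str]:
        """Badges with more than `limit` granted entries in the window."""
        return sorted(b for b, n in self.usage_per_badge(since).items() if n > limit)

    def denied(self) -> list[str]:
        """Badges that presented at the reader without being authorized."""
        return [b for _, b, ok in self.log if not ok]


def demo() -> dict:
    """Run a constructed week of usage through both designs."""
    start = datetime(2013, 2, 4, 8, 0)  # constructed Monday morning
    shared = SharedNumberLock("1234")  # constructed code
    badge = BadgeLock(authorized={"B-1001", "B-1002"})  # constructed badge IDs

    # Constructed usage: B-1001 showers six days running, B-1002 twice,
    # and an unissued badge B-9999 is presented once.
    for day in range(6):
        badge.unlock("B-1001", start + timedelta(days=day))
    for day in (1, 3):
        badge.unlock("B-1002", start + timedelta(days=day))
    badge.unlock("B-9999", start + timedelta(days=2))

    revoked = badge.revoke("B-1001")
    after_revoke = badge.unlock("B-1001", start + timedelta(days=7))

    return {
        "shared_opens": shared.unlock("1234"),
        "shared_revocable": shared.revoke("B-1001"),
        "badge_overusers": badge.overusers(start, limit=4),
        "badge_denied": badge.denied(),
        "badge_revoke_then_unlock": (revoked, after_revoke),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The threshold of four entries a week is an arbitrary constructed policy; the point is that the badge design can express such a policy and enforce per-person revocation at all, while the shared number can only be rotated for everyone, which is exactly the situation the post describes.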

Written by mengchow

February 7, 2013 at 5:44 pm

Talking about Slashdot | How to Cheat at Managing Information Security


Written by mengchow

September 30, 2006 at 4:30 am

Posted in Organizations
