Reflecting, Connecting, Affecting
When it comes to challenging work problems, on my own, I've never been clever enough to have a fully formed idea or grasp of a problem, much less a complete solution. And I've found that it usually takes a convergence of ideas, people, and circumstances for the fog to lift and to make progress.
Here's one of the ways that convergence can happen.
Several times in my career, a friend has approached me and said something like, "I know someone who talks a lot like you and is focused on the same ideas. I think you two should meet."
The first example that comes to mind: in about 2000, I was a technical manager in the NSA System and Network Attack Center (yes, the acronym was "SNAC"), part of the Information Assurance Directorate (IAD, now "cyber defense") at NSA. The SNAC's mission was to find vulnerabilities in DoD and Intelligence Community networking technologies and operations. I was just starting to grapple with some weighty questions, primarily "why do we keep finding the same problems over and over?" and "how can we capture information in a way that empowers defenders instead of overwhelming them?"
Mike F was an old friend, a senior manager, who then worked in the neighboring IAD organization that developed cryptographic devices and secure systems. He had attended a meeting hosted by the MITRE Corporation and afterward sent word to me that "these folks seem to be interested in the things that you are interested in." MITRE had offered IAD an opportunity to be part of an advisory board for something called Common Vulnerabilities and Exposures (CVE), a standard naming scheme for software flaws. Based on our prior informal conversations, Mike thought it was a "Tony topic," not something for his group, and he made the connection. I'll talk later about how this shaped the rest of my government career (and beyond), but for now, I'll just say that I was immediately "all in" as a sponsor and advocate. And double-bonus! The experience opened up new friendships and partnerships with folks like Margie, Penny, Steve, Bob M, and many others.
Just a couple of years later, I started to think about things like standardization of security data, security automation, and integration of IT operations with security. Dick S, another IAD Senior Executive, called me out of the blue. He had just attended a meeting of the NIST ISPAB (https://csrc.nist.gov/projects/ispab) and said, "you need to meet this guy; he talks about the same things that you talk about." And so he connected me to the late Wyatt Starnes, one of the co-founders of Tripwire and later CEO of SignaCert. He and I became fast friends, and his views on security automation and enterprise management were always well-formed and influenced my thinking on these and other topics. Wyatt deserves to be remembered as one of the unsung heroes of our industry, and I know that some of his ideas and influence continue.
A few years later, Ed G, a retired NSA executive and friend, reached out to me with his variation of "you need to meet this person," who turned out to be Ehab Al-Shaer. Ehab was running a series of formal workshops – ACM/IEEE SafeConfig – which focused on establishing, managing, and analyzing the value of trusted security configurations for IT components and systems. Ehab's work brought academic rigor and insight into this problem, and we worked together for several years to establish a closed loop of security configuration development, management, and measurement for this vital but underappreciated challenge.
Here are the lessons I've taken from this.
• If I am thinking hard about a work problem, many others are inevitably thinking about the same problem. The challenge is to find those people.
• When I share my challenges and ideas, I often get richer input, relationships, and outcomes.
• I truly appreciate the friends who have listened to me well enough to understand my interests and make the time to create these connections. And I've tried to do the same in my circle of influence.
Is this too obvious? Then why does it seem rare?
The connection is just the starting point, and the potential “connector” should have enough understanding to work beyond the well-intended but noisy buzzword-matching level (“Oh, you’re interested in Zero-Trust, Supply Chain Security, AND Next-Gen Something-or-Other. Great! So is my friend, let me introduce you!”). And the “connectees” need enough confidence, purpose, and humility to find common ground and take action.
As one of my favorite communicators has said, this connection starts from people willing to risk a little “spinach in their teeth” – to put their challenges and ideas out there for discussion, improvement, and maybe even correction – despite noisy bystanders or cranky critics. Sometimes thought leadership is about following – connecting with people so that both can follow a journey to a destination that neither could have pictured alone.