When that (crypto)mine's not mine
Crawlspace cryptomines, crowdsourced meeting notes, and zombie startups
This week’s agenda:
Leadership Moment: That’s not mine!
One Minute Pro Tip: Shared meeting notes
Chapter Teaser: You get what you look for
Appearances
Behind the Paywall: Startups and Zombies
Leadership Moment: That’s not mine!
Fourteen months ago, a middle/high school director noticed something that “seemed out of place” – in a crawl space, some electrical wires, temporary duct work, and … computers. It was a routine inspection, and many people doing routine inspections ignore even obviously out-of-place objects. Why? Because follow-ups are time-consuming, and there’s probably a good reason someone stashed computers in an available space. And at least it was well-ventilated, right?
Fortunately, that director started an investigation, and we now know it was an unauthorized crypto-mining setup. A former school employee has been charged with theft of … electricity. All because someone did see something, and then said something.
One Minute Pro Tip: Shared meeting notes
What really happened in that meeting? A lot of meeting organizers struggle to provide clear, actionable meeting notes after a meeting. Often, the organizer is also running the meeting and participating in it, leaving them limited mental bandwidth to also take coherent notes. Summarizing the meeting after it ends seems like a good stop-gap, except that meetings are scheduled back-to-back all day.
Use a shared document (Google Docs, Office365, your choice) and give everyone in the meeting write access to the document. Get in the practice of letting everyone contribute to the meeting notes. Have four sections: agenda (and the first agenda item is always “edit the agenda”), decisions (as the team decides things, write them down here), action items (whenever work gets assigned to be done offline, let the person who took the work, or their stakeholder, write it down), and a freeform notes section. As a side benefit, the notes section can be used as a sidechannel for quick conversations in the room without distracting from speakers.
Chapter Teaser: You get what you look for
Chapter 44: Expect what you inspect
Almost any organization, once it grows past the size its leader can easily glance around at, begins developing metrics to monitor: Key Performance Indicators being the current popular buzzword. The problem with KPIs is that if they don’t perfectly measure the outcome you need (hint: they rarely do), they’ll slowly subvert your organization until the metric itself becomes the outcome you produce.
This subversion usually happens in two ways, which I think of as numerator-focused (maximizing specific “positive” outcomes) and denominator-focused (reducing how many specific “negative” events get counted). Perhaps you want to reduce the number of customer-impacting incidents, which are “scored” from severity 1 (worst) to severity 4 (least bad). So your KPI might be “number of severity 1 incidents per year.” This is subject to denominator-focused subversion: you’ve incentivized executives in the organization to reduce the number of severity 1 incidents … which can be done by scoring incidents as severity 2, removing them entirely from the count. A KPI that measures your MQLs (marketing-qualified leads) as a raw number is likely to reduce the quality of the leads, as your staff will subvert the process to increase the numerator (total leads), even if the quality takes a hit.
When you do roll out a KPI, think about the ways it could be subverted, and consider (silently) measuring for the side effects of subversion.
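As an added illustration of “silently measuring for the side effects of subversion” (example code added here; it is not from the newsletter or the book), the script below takes the severity-1 KPI from the chapter teaser and computes, next to the headline count, the side-effect metric that re-scoring would leave behind: the share of incidents triaged as severity 1 that were closed as severity 2. It assumes each incident record keeps both the severity assigned at triage and the severity at closure, and the 0.5 threshold for flagging a year is a placeholder, not a recommended value. The incident records are constructed for the example. The numerator-focused MQL case works the same way: report lead-to-opportunity conversion alongside the raw lead count.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    """One incident record. Severity runs 1 (worst) to 4 (least bad), as in the text."""
    id: str
    year: int
    initial_severity: int  # severity assigned at triage, before anyone has a reason to game it
    final_severity: int    # severity on the record at closure, which is what the KPI counts


# Constructed sample data (not real incidents). In 2022 three of the four incidents
# triaged as severity 1 were closed as severity 2, so the headline count drops.
SAMPLE_INCIDENTS = [
    Incident("INC-001", 2021, 1, 1),
    Incident("INC-002", 2021, 1, 1),
    Incident("INC-003", 2021, 2, 2),
    Incident("INC-004", 2021, 1, 1),
    Incident("INC-005", 2021, 3, 3),
    Incident("INC-006", 2022, 1, 2),
    Incident("INC-007", 2022, 1, 2),
    Incident("INC-008", 2022, 1, 1),
    Incident("INC-009", 2022, 1, 2),
    Incident("INC-010", 2022, 2, 2),
]


def headline_kpi(incidents, year):
    """The KPI as reported: incidents whose closing severity is 1 in the given year."""
    return sum(1 for i in incidents if i.year == year and i.final_severity == 1)


def downgrade_rate(incidents, year, from_sev=1, to_sev=2):
    """Side-effect metric: share of incidents triaged at from_sev that closed at to_sev.

    Triage severity is the reference point because it is recorded before the
    incentive to re-score applies. Returns 0.0 when nothing was triaged at from_sev.
    """
    triaged = [i for i in incidents if i.year == year and i.initial_severity == from_sev]
    if not triaged:
        return 0.0
    return sum(1 for i in triaged if i.final_severity == to_sev) / len(triaged)


def kpi_report(incidents, year, downgrade_threshold=0.5):
    """Headline number plus the quietly measured side effect, with a flag when the
    severity-1-to-2 downgrade rate reaches the (assumed, tunable) threshold."""
    rate = downgrade_rate(incidents, year)
    return {
        "year": year,
        "sev1_closed": headline_kpi(incidents, year),
        "sev1_triaged": sum(1 for i in incidents if i.year == year and i.initial_severity == 1),
        "sev1_to_sev2_rate": rate,
        "possible_rescoring": rate >= downgrade_threshold,
    }


if __name__ == "__main__":
    for year in (2021, 2022):
        print(kpi_report(SAMPLE_INCIDENTS, year))
```

On the sample data the headline KPI “improves” from 3 to 1 between 2021 and 2022, while the downgrade rate goes from 0.0 to 0.75, which is the signal the chapter suggests watching for without announcing it.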
Appearances
Last week, I wrote an op-ed arguing that the National Cybersecurity Strategy’s proposal to modify software liability would do more harm than good.
Giving a slightly longer future view out for folks who might want to join some of these events:
On March 8th, I’ll be joining a webinar on “A CISO’s Guide to Salesforce.” Join me as I learn more about SF security.
On March 14th, I’ll be hosting a webinar on Uncovering Hidden Risks in your cloud environments, based on the first part of the ebook I wrote about last week. There should be pi puns, if we remember.
Also on March 14th, I’ll be hosting a dinner with ISE & Valence Security in New York on Ensuring SaaS Security.
On March 16th, I’ll appear on a panel at TechStrong Con 2023 on “Is AI in Security a Revolution or Just an Evolution?”
On March 22nd, I’ll be hosting an ISE Fireside webinar on Leading the Charge in Managing Cloud Security Risks as a CISO.
On March 28th, I’ll be hosting a webinar on Cloud Cost Optimization.
On March 30th, I’ll be joining a TechExecs Virtual Roundtable.
On April 11th, I’ll be hosting a webinar on Creating a Cloud Security Strategy in your cloud environments, based on the second part of the ebook I wrote about last week.
On April 18th, 1% Leadership is released!
Behind the paywall: Startups and Zombies (more alike than you think).
Subscribe to Duha One: Leadership in minutes to keep reading this post and get 7 days of free access to the full post archives.