This morning I read yesterdays SANS News Bites (http://www.sans.org/newsletters/newsbites/ retrieved 3/4/2015) and was struck by a comment authored by Stephen Northcutt:  “Every month that goes by I see the similarity of cyber-security and the medical field. Primum non nocere.”  Personally I see more similarities between cyber security and safety, but his point that practicioners of cyber security must primum non nocere is true, and holds up well in the arena of securing industrial control systems too.  As cyber security if often seen as a loss prevention program first, a practicioner’s credibility with decision makers must be strong in order to persuade an organization to tolerate the inconvenience and spend the resources required to achieve the organizations security objectives.  Doing harm is a quick way to destroy credibility.

Moving on, I’d like to record a few latin phrases that I like, and that may prove useful in the day to day life of a controls engineer or a cyber security practicioner.

1.  Primum non nocere – First, do no harm  (https://en.wikipedia.org/wiki/Primum_non_nocere retrieved 3/4/2015).  Carried a bit further from the same source:  Another way to state it is that, “given an existing problem, it may be better not to do something, or even to do nothing, than to risk causing more harm than good.”

2.  Este Paratus – Be prepared (https://en.wikipedia.org/wiki/Scout_Motto#Motto_in_various_languages retrieved 3/4/2015).  I frequently find this in my work with the Boy Scouts of America.  Robert Baden-Powell explains the meaning more fully as “The Scout Motto is: BE PREPARED which means you are always in a state of readiness in mind and body to do your DUTY.”

And last but certainly not least:

3.  Semper Virilis – Always manly (http://www.artofmanliness.com/2014/06/09/semper-virilis-a-roadmap-to-manhood-in-the-21st-century/ retrieved 3/4/2015).  I have to include this simply because its cool.  I have to read the full article, but at the moment I think that a great deal of this concept can be summed up by this quote from the same source: “Some say that only a sucker would try to be his best when it isn’t required of him, when you can get ahead by simply getting by. That trying to be a man these days will simply get you taken advantage of by a system that no longer appreciates the effort.”

In closing I leave with a quote that isn’t in Latin, yet.  There is a rock that sits on my desk which bears a quote ascribed to George S. Patton.  “If a man does his best what else is there?”  Someday I’ll find the Latin.

Today I was reading a review of the book Security Metrics: Replacing Fear, Uncertainty and Doubt (2007, Andrew Jaquith) and found this interesting use of the black swan concept:

The “black swan event” term was made famous by Nassim Nicholas Taleb in his 2007 book “The Black Swan: The Impact of the Highly Improbable.” For some organizations, computer breaches are black swan events that Taleb describes as “outliers that carry extreme impact.” They are outliers because the chances of something like that happening to your network are pretty small, but when it does, the cost to your organization is extreme.  [http://researchcenter.paloaltonetworks.com/2014/01/cybersecurity-canon-security-metrics/#more-4523]

The author of the review brought this concept up to support the larger point that applying statistical risk  analysis to black swan events is pointless at best and misleading at worst because the data about these events is statistically insignificant.  Computer breaches beyond the routine random collateral damage caused by malicious code should best be managed by building robust, resilient systems that are supported by capable incident detection and response programs.

From Scrum: The Art of Doing Twice the Work in Half the Time [Jeff Sutherland, Crown Business, New York 2014  ISBN:978-0-385-34646-7]

“What are the things that actually make people happy?  They’re the same things that make great teams: autonomy, mastery, and purpose.  Or to say it more expansively, it’s the ability to control your own destiny, it’s the feeling that you’re getting better at something, and it’s knowing that you’re serving something bigger than yourself.”

This leads to a pretty short list of things that can define an individual’s happiness on a team at work:

1.  Do you control the outcome of the work?

2.  Are you getting better at the work over time?  Are you learning new skills, or better mastering existing ones?

3.  Is the world a better place because the work is done?  Does the work contribute to something beyond simply making money?

This last point dovetails into another quote I read somewhere, which I don’t entirely remember.  In short, the idea is that businesses exist to make money while people want to do good works.  Businesses which make money while their employees do good works should become powerful and exciting places to work, even Excellent a la Tom Peter’s work in the 1990’s (In Search of Excellence).