Introduction
We meet a new anti-design pattern: BlindLeadingTheBlind.
Giganet exploits the BlindLeadingTheBlind with their first large account, LA County.
Alice is ready to shoot her ex.
Inspiration
Iris felt sleepy and was in a bad mood.
Bob and Barry walked into the Venice studio apartment to show her their plan. “Get a corkscrew”, Bob said, and pulled a bottle of wine out of his backpack. “This is a time to celebrate! I know how we can deliver the system on time to LA County. This is the real thing. Let’s drink to it!”
Bob looked over at Barry: Italian gangster look, polo shirt, slacks, tasseled loafers. Barry poured them some wine and raised his glass, “Alla vita, alle ricchezze e al buon vino” (to life, to riches and to good wine). Bob’s face lit up, “Happiness is inspiration. Let’s drink to it! This is a turning point for Giganet”.
Pesya, their jolly hacker matriarch, slightly overweight, always laughing, always thinking about going to the gym, had discovered vulnerabilities in the Giganet system with $25M in exposure to fines for CCPA privacy violations.
Iris thinks back to their conversation last week:
Pesya, “Iris, You cannot release the system like this to LA County.
In addition to the DDOS vulnerabilities, there are XSS vulnerabilities. Attackers may be able to extract contract information about the gig workers and conduct a side-channel attack to identify people. You will be in violation of CCPA.
CCPA penalties have an upper cap of $7,500 per intentional violation or $2,500 per non-intentional violation. It may seem like a small penalty, but it can eventually grow massive. The penalties can quickly add up because one consumer equals one violation”.
Pesya, “How many users will LA County have?” Iris replies, “About 10,000 users”.
Pesya, “You have $25M in exposure”. She deliberately uses the word exposure with Iris so that Iris will understand financial impact.
“We’ll need another 4 weeks for security testing and validation after Lena and Justin finish. Yasmin’s back end module is not affected and the rest of the front-end is fine. You need to allow 12-13 weeks to fix this problem”.
Giganet has a delivery milestone in a week with LA County, their first large account. The revenue and reputation are critical to Giganet survival. They don’t have 12-13 weeks. They need the cash.
Iris, “OK, guys, what’s the plan?”
Barry, “Bob, it’s your idea, so go ahead”.
Bob, “Pesya knows their security consultant. Noah Cheng was one of her hacker apprentices. She’ll talk to him, and that will be enough”.
Iris poured herself some more wine and drank. She had remarkably beautiful hands - slim, white and smooth, fingers delicately pointed.
Iris, “Is this legal?”
Bob, “Totally. Remember how I told you that the best defense is a good offense?
We release the software to the customer on time, get the milestone payment and find a way for the customer to not actually use the software. We’ll do that with their own bureaucracy.
Noah will explain to the customer project manager that even though Giganet is CCPA compliant, they need to set up application firewall rules to limit internal network access for HR”.
Iris, “That doesn’t sound like a lot of work to me, maybe 2-3 days”.
Bob, “You’re right, it’s 3 days work but it will take them 4 months. Watch”.
ISD - Internal Services Department Information Technology Service
Todd Jameson is project manager for rolling out new Web applications in LA County.
Todd works for Dell Technologies Services and is onsite with ISD Information Technology Service. He came up through the ranks as an analyst and project manager at Perot Data Services and after the acquisition and name change, stayed with Dell.
He’s been with LA County for 12 years.
If you were to ask Todd, he would say he is a “technology leader”.
A technology leader that spends his time in meetings and tracking projects.
A technocrat dedicated to budgets and vendor management.
He likes reading Gartner reports to follow broad tech trends. Lately, with the outburst of AI, he’s started talking to vendors. Talking to vendors on the Gartner hype list can turn into a full time job but it’s more interesting than meetings with his change control board.
He has a 9:00 meeting with Noah Cheng, their cybersecurity consultant for web application development.
Todd, “Hey, Noah. I wanted to touch base with you regarding our upcoming deployment of the new Giganet SaaS application. How's everything going on the security front?”
Noah, “Security is Dope, man. You know their engineering team are ex-Google executives and their CSO is Pesya Eichbaum. She’s number 1 in the world for browser security.
However, as I dive deeper into the Giganet architecture and potential vulnerabilities, I believe that having an application firewall for HR access is a proactive measure to mitigate potential risks to your network. It'll add an extra layer of protection against any unforeseen threats. You can use your existing F5 firewall”.
Todd, “I don’t understand the technical side but I don't want to compromise on security. Can you give me a plan?”
Noah, “Of course, Todd. I'll prepare a comprehensive proposal with time estimates, potential benefits, and a deployment plan. I'll make sure to highlight the added security and potential risk reduction it brings to the table”.
Todd, “Great, Noah. Please keep me in the loop as you work on this proposal. We want to make sure we're making informed decisions about our security measures”.
Noah, “Will do, Todd. I'll get started on that right away and will keep you updated as I make progress. If you have any immediate questions or concerns, don't hesitate to reach out”.
Todd, “Thanks, Noah. I appreciate your dedication to our project's security”.
After the meeting Noah calls Pesya.
Pesya, “How did it go?”
Noah, “Nailed it, I just bought you 4 months. It’ll take me a month to prepare the proposal, it’ll take Todd another month to get it past his internal review committee, it’ll take them another 2 months to implement. In the meantime, you’re good to go with HR for the delivery milestone”.
The Blind Leading The Blind Anti-Pattern
Anti-pattern
A non-technical person leads a project with technical people.
This anti-pattern is created by a project manager who leads with laundry lists, turf management and organizational politics. She’s often regarded as a nuisance by the technical people. Even though her intentions are good, the results are often negative as the team gets bogged down in details and changes, causing additional problems.
The organization moves slowly, often without a sense of strategic direction that is integrated with business strategy.
Laundry lists are not an integrated technology investment plan.
Even worse, the organization loses observability into actual project status, since project signals are often lost in the organizational politics, blinded by lack of technical understanding from below and lack of strategic alignment from above.
This double-blind is why it's called BlindLeadingTheBlind.
Solution
Flip the pyramid.
People who actually understand and develop technology work best in small autonomous teams creating things.
Let your teams create. Give them business context.
Create a new role - “project bumblebee”.
The “project bumblebee” listens to the small teams, collects signals and provides business requirements to the small teams for implementation.
The LA County example works in an inverted way: Todd, the project manager, provides technical requirements to his internal information security team for implementation. His internal infosec team doesn't have the business context or understanding that the Giganet system can save millions of dollars. They don’t care, and given competing priorities, they may keep the project back.
On a park bench in Venice CA
Mark was the one who began.
Mark, “Bob, tell me what’s happening at Giganet, and what’s new with Alice?”
Mark remained silent as they sat on the park bench.
In front of them there was the green calm of the park.
A man hungry for an answer must stock up on patience.
A man in possession of analytical skills needs to listen.
That is why Mark remained silent.
Mark listened carefully to Bob's story for about 15 minutes.
Bob, “Alice muttered something last week about wanting to shoot him. Something is bothering her”.
Mark, “Hmm. Use the SelfCare pattern with Alice. Ask questions and be a good listener. Don’t push.
At Giganet, I liked how you used the BlindLeadingTheBlind anti-pattern like a judo move to mitigate the threat to your company.