By user701213 on Jan 09, 2009
When I look back on my career, particularly my educational background, I find it interesting to consider what has stuck with me, what I have forgotten, and what continues to be useful. I have sort of a strange background for a security weenie – an undergraduate mechanical engineering degree and an MBA. I don’t talk about the MBA all that much, partly because I know plenty of overblown egos who can’t wait to trot out the fact they have an MBA from Harvard, Wharton, Stanford, (insert name of prestigious MBA program here). Second, someone who worked for me awhile ago got an MBA and proceeded to treat his directs really poorly with newly-minted MBA hubris that was astonishing (I recognize the disease because I had a bad case of it once, myself). He thought that MBA stood for Me Before All and everyone who worked for him was there to advance his career. Third, but mostly first, Impressive Academic Credentials are increasingly unimportant the longer you are in the working world; what you actually accomplish is far more important than how well educated you are.
That said, I do think that the education I got in my MBA program gave me some “tricks of the trade” I still find inordinately useful. Now, not everything one learns at universities is timeless. Particularly in the liberal arts area, there are reinterpretations and revisions of widely held knowledge going on all the time. I guess that especially for academic areas that have been strip mined more than Appalachia, the way you create academic street creds for yourself is by regularly throwing out babies after drowning your colleagues in the bathwater. My father (who has a PhD in civil engineering and has been a university professor and administrator) liked to tell the joke about an engineering professor and an economics professor conversing on a campus. “I hear you give the same exam each semester in the economics department,” says the engineering guy. “Our students get hold of the old exams. So, how on earth do you get away with it in the econ department?” “Easy, “ says the economics professor. “We just change the answers.” Now, it’s not totally true that economics changes all that fast (although I hope we have driven a stake through John Maynard Keynes* and all his sycophants once and for all). But economic theories do change.
That said, among the most useful classes I took at business school, and one of the areas I refer to often in my work, are the economics classes. It’s just timeless, whether we are talking about micro- or macroeconomics. It’s particularly important in talking about public policy issues (yes, even around security). For example, I have talked about (and there are many who have) whether there is a market failure in information security. The discussion becomes (if there is a market failure) how to correct it? How do you make markets work efficiently (e.g., to remove externalities or “social costs?”) There are also a lot of offshoots of economics that have applications in other areas (game theory, for example, which was tremendously influential in Cold War strategy). I have thought about game theory in various security discussions (in particular, discussions in which industry can maximize our collective best interests or “payoff” by hanging together, like the prisoners of the prisoners’ dilemma, and yet one “defector” can achieve a higher individual payoff by selling other vendors down the game theory river. Alas, I have seen one vendor do just that and now everybody is worse off than if the vendor had not "defected.").
Financial theory is pretty useful, too. For example, the idea that you should disregard sunk costs in future decision making, a fancy way of saying ignore how much money you’ve already thrown at a problem in analyzing whether to go forward with it. I use that all the time, especially when someone starts in with “we’ve worked so long/hard/whatever on project X.” You have to look at the expectation of success going forward and what it will cost to get there (and other options for those resources) because sunk costs are by definition non-recoverable no matter what you do. You’ve spent the money, you can’t get it back: now what?
Some of those economic and financial market lessons have been reiterated in spades in looking at the current financial market meltdown. One of them is that “diversification reduces risk” in terms of a portfolio – the financial market theory of not having all your financial eggs in one basket. The corollary is that some kinds of risk are not diversifiable (e.g., if the entire market craps out, everything sinks together and diversification doesn’t help you, as many of us who’ve opened our 401K statements recently are all too painfully aware). You really wish, when reading about people who became stupidly overleveraged (fancy term for living way beyond your means and all on credit) that they had some basic comprehension of economics. Not merely for their own financial well-being, but so that people have realistic expectations of personal responsibility and the limits of government. (Hint: governments cannot create wealth, though they can print money. If they print enough money with no actual wealth behind it devalues the money you have. Getting someone else besides you to pay for your lifestyle is nice work if you can get it, but if you keep robbing Peter to give lazy bones Paul a free ride, Peter will find ways to work less or otherwise revolt.) None of this is rocket science yet so many people never learned basic financial or economic principles. There really is no such thing as a free lunch.
Business law is another area I find incredibly useful. Granted, a lot of my pragmatic understanding of contract law in particular I learned as a contract administrator in the Navy (nothing like having a $200,000 claim over the meaning of the word “automatic” or the performance of a contract hinge on a misplaced comma, both of which I have experienced). One of the big lessons I learned is the legal equivalent of RTFM: let’s call it RTFC or “Read the Friggin’ Contract.” In particular, if you are negotiating a contract, realize that what you agree to with your counterpart has to survive the participants who drew up the contract (that’s why things are written down). The words “well, everybody knows what we meant by that” absolutely never enter into legal parlance. The legal equivalent of Murphy’s Law is that if something in a contract is ambiguous, it will be misinterpreted by at least one party to the contract. You need to read it (over and over and over) through all revisions to avoid expensive mistakes. (It took me a year to negotiate a licensing agreement with a partner, but at the end of the year, we had a deal and there were no disputes over the terms during the life of the contract. My counterpart at the other company is still a great gal pal to this day.)
The other lesson I learned is that contracts also are not good vehicles for creating trust between parties. If someone is a slimy so-and-so, you cannot write a contract that will make them less of a slimy so-and-so. A contract will not create trust; it will tell you who has to do what under the terms of the contract, and possibly spell out remedies if parties do not perform under the contract. That assumes that you can actually get a remedy out of someone that is timely or meaningful. I am always astonished at someone whose going in position is “if it doesn’t work, we can sue.” (Kind of like people who get married with the expectation, “if it doesn’t work out, we can get a divorce.” The formulation of an exit strategy on the day you ink a deal does not bode well for it, so why are you signing on the dotted line?) If someone rips off your intellectual property (for example, in a geographic area with not a whole lot of respect for intellectual property rights), good luck on a “remedy” that will make you whole. “Don’t take that bet” is sometimes a better strategy than counting on a contract to make you whole if something goes wrong, especially if you have a high expectation that you are going to have a problem.
Another of the other really useful constructs I got from B-school was my quantitative methods class. Quantitative methods are a way of putting more numeric rigor around decision making, whether it is analyzing a business strategy or problem solving. For example, you may have an optimization problem you are working on, like “the truck routing problem.” You have so many trucks, they need to make deliveries, you want to find out the most efficient route but without delaying deliveries too long, and so on. You have a number of constraints you have to work with – you only have so many trucks, so many deliveries, so much distance, and time limits within which you have to deliver things. If nothing else, you learn that while sometimes you can add resource (more trucks can make more deliveries in shorter time), you still have constraints you can’t necessarily move (houses are not going to move closer together for your convenience, and you can’t make time go faster).
Particularly when I find myself dealing with (and they mean well) academics, think-tankers or government wonks who want to create public policy, I sometimes need to remind them of quantitative methods 101: resources are always constrained. Sometimes, people who don’t actually have to earn a profit or make tradeoffs or implement their own public policies find lots of “really important” ways for other people to spend money in pursuit of A Noble Purpose. The reality is that sometimes you don’t have any more resource, and even if you did, there might be a better way to use the resource that would lead to a public policy (or other) good, like better return for investors. In discussing public policy I try to talk about what the real-world constraints are, and inevitably I ask some of the government folks questions like, “do you want absolute perfection, or do you want to give industry a way to say Yes, where they can make progress, improve what they are doing in a cost effective way that actually makes the problem better?” Something is almost always better than nothing. You can either listen, understand what people’s constraints are and allow for them, or create a problem statement that says, ‘I want to have my cake, eat it too, have it be organic, sustainable, biodegradable, delicious, rich, and have zero calories: in fact, I want to lose weight while eating it.” People who understand optimization problems know you’d do well if you got three of those conditions satisfied. You cannot satisfy all of them.
I even use the quantitative methods approach (finally!) in asking for more headcount. I am embarrassed to admit that it took me years at Oracle to figure out how to get more headcount, and the method I finally hit on (more accurately, that I finally embraced after enough people told me the best way to do it, I ignored the advice and learned the hard way that they were right), is a simple exercise. I collate, in an organized way, “what we are doing now, what we are not doing now, and what we can do with more resource.” “What we get with more resource” is along the lines of (in priority order) additional work my team could take on and the value to the company of us doing that (sometimes the value is cost avoidance or something tangible we can (roughly) quantify). I am hardnosed in that, if people who work for me who run various areas do not make a good enough case to me for their headcount requests, I draw the “wish list” line above their headcount requests. In going to my boss, I will say, “here is what we get with more resource (in priority order), meaning if I got one headcount, I’d add one person to do A, if another person, I would put them on B, then a third person to do C, here is the value to the company for adding those bodies, and any headcount beyond that should go to someone else in your organization who can spend the resource better.” Meaning, my goal is not empire building, it is adding enough resource to use it to add value (or reduce cost), and no more.
There is always a lot more to learn. In writing this blog entry, I realized I had forgotten a whole lot about economics and game theory (and I didn’t relearn them in the time it took to write the blog). But, one of my absolutely favorite hangouts – the Ketchum Community Library (they say I am their best customer) is right down the hill, and I will be trotting down there later today to see what books they have on economics and game theory.
The beginning of a new year is a bright and shiny opportunity to do things differently. While time is one of our most constrained resources (I may stay up late reading myself blind, but I still need some sleep), I always set a New Year’s resolution or two around learning a new skill, or beefing up a knowledge area. It doesn’t always have to be in computer security, either. Sometimes learning something new (or revisiting something old) can give a fresh perspective to your day job.
Hau’oli Makahiki Hou (Happy New Year!)
* FDR, in my opinion, did bubkes to get us out of the Great Depression and should not get credit for it; there was double digit unemployment into 1942. On the contrary, the Second World War ended the Great Depression, and we can thank James Forrestal (who architected the unprecedented industrial gear shifting to war production) for helping end the Great Depression far more than FDR.
Book of the Week
A Roof Against the Rain by JoEllen Collins
This is a public service announcement: I know JoEllen – she is a friend of mine. She also happens to be a cracking good writer. I loved the book – which is about loss of a loved one - and am recommending it broadly. I think it would be a particularly good “book group book” ( I recommended it to my book group). Her characters are believable and there is a moral center (so few dreary modern works of fiction have one). It’s also just a fun read and it takes place in Sun Valley; Idaho another reason I liked the book.
Other good reads:
Why the Allies Won by Richard Overy
We forget that the victory of the Allies over the Axis in WWII was not a done deal at all but quite a close thing. This book describes the factors involve in that victory – leadership, economies, technology, among others.
The New Dealer’s War: FDR and the War Within World War II by Thomas Fleming
A very different “take” on FDR and an eye-opening one. Between FDR’s (likely) leaking of the Rainbow Plan to ignoring the Katyn Massacre, FDR hagiography is quite deftly shattered by this book.
For more information
I am completely stoked that my favorite Hawaiian music group Maunalua (together with Grammy winner John Cruz) is playing at an inaugural lu’au at the Hotel Monaco in DC on January 20. Nā mele no ka ‘oi!
The Prisoner’s Dilemma is an interesting book on the influence of game theory on the Cold War.