On Fair Winds
A ship without a port will find no winds favorable
Grit-as-a-Service
There is a passage in the Stormlight Archive, Book 3, Oathbringer, by Brandon Sanderson, that changed how I view the word “grit”. The quote is:
"What's the most important step a man can take? It's not the first one, is it? It's the next one. Always the next step..."
To me, philosophy is the possibility to find wisdom anywhere and in all things. Rugged Code concepts state that anything we make or create will be used, interpreted, and repackaged in ways that we could in no way have intended. And so, by applying the wisdom from Oathbringer to the realm of cybersecurity, am I practicing “Rugged Philosophy”?
Both in the fictional world of Oathbringer and in real life, taking the next step always requires grit. Grit gives us the power to try again, and again, and again. Grit lets us grow through our failures, and iterate forward from our successes.
Grit is the key ingredient for growth. But grit can only take us so far.
Offensive Iteration
Iterating requires that a person has the courage to try something, knowing that the first attempt often fails. Success or some measure of success comes much later as we recover from repeated failures.
Failures like those during red team operations, when tools and tactics are getting blocked. Failures like cyber incidents where our friends are under direct attack and we can’t figure out how to stop them from being harmed.
I call the area where discomfort seeps in and grit is required to see ourselves through the ordeal “The Danger Zone”.
The ability to remain in the danger zone has more growth potential for our character than the ability to survive the danger. Remaining in the danger zone means that we are willing to stay put, observe, make a plan, and figure it out. We are willing to iterate through our failures as we come to terms with what is happening and make attempts to achieve an outcome that is more preferable than letting the adversary dictate an outcome.
Iteration gets us out of danger. Grit gives us the opportunity to do so.
Danger Zone
Grit, or nerve as it's often called, can be summarized as: obstinance in the face of obstacles. Like Marcus Aurelius says, "What stands in the way becomes the way." [1]
We as leaders must be dispassionate about our failures, expecting them to come and to be used as an opportunity to be one step closer to the best version of ourselves.
We have to be obstinate in the face of the biggest obstacle: ourselves. We remain in the danger zone of our own failure, determined to keep walking forward until we have found an acceptable path for growth.
Examples of iterative grit (dubbed the Danger Zone) can be seen throughout history, oftentimes as a confusing dichotomy: too much time in the danger zone gives us tunnel vision and we miss out on chances to move forward and exit the danger. Too little iterative grit leads to stagnation, forcing us to stand fast in our current comfort.
How are we as leaders expected to strike the correct balance?
The answer is: we can’t.
Good Captain, Bad Commander
Sometimes we will tunnel, and sometimes we will stagnate. But by trying, by taking that next step, we are always moving forward. Forward is the only direction worthy of travel and balance will come as long as we travel in the right direction.
It is often said that a "good captain may make a terrible commander", interpreted as: people break under pressure, and the only way to discover the breaking point is to place pressure on them.
Without putting ourselves in uncomfortable situations to test our grit, we will never know our potential growth. Growth is always in front of us, never to the side or behind us. We reach it by taking one step forward. And then another.
And then another.
Red Team Grit
Iterative Grit in the field of offensive security could be something like red team atomic testing, or unit testing. Red Team atomic testing is methodical, probing defenses for reactions and making note of what works and what doesn’t.
The most successful offensive security engineers, hackers, and red teamers all have both the desire to iterate, and the grit to keep trying. They live in the danger zone long enough to find a way out.
They stay in the danger zone until they grow their way out.
Hacker Mindset
Adversarial iteration is conducting the same attack, even if it fails repeatedly, to test and measure change in defensive responses. Adversarial iteration is not blind iteration, which can be considered walking in the dark.
Without being able to see where we came from, how can we know that where we are going is in front of us? Blind iteration leads to stagnation. We as hackers must always understand the goal we are trying to achieve, and how our current specific actions get us closer to that goal.
Threat Iteration, used in threat hunting, is similar to adversarial iteration. Threat Iteration tests the effectiveness of detections to discover ways to make them better either in quality (scaling vertically) or efficiency (scaling horizontally).
Expert threat hunters often have many hunches and theories, as these come as part of their ability to “see the Matrix.” Assessing hunches, which are rough ideas formed by incomplete data, by its nature means that failure is to be expected.
Unless we possess precognitive abilities, our hunches will almost always turn out to be inaccurate. Our grit will keep us searching our hunches for a path that leads us out of the danger zone.
Preparing for Failure
Hunches are not dangerous.
When we start placing our values on top of those hunches, however, our vision and goals start to skew in the direction that we want. Our intended direction of travel is always forward, and a skewed direction leads us astray.
It is improbable that the first iteration of a test will have the desired efficiency or effect. Without the ability to assess the results of a test removed from our judgments of the hunch, we no longer move forward, but in a direction that takes us further away from the danger zone that we as hackers thrive in.
Is it that we skew the data because we fear failure? Do we fear the obstacle in front of us and choose the easier path to the side of us? Growth lies in front, not to the side.
Mentally preparing for failure as a stepping stone to success gets us closer to where we prefer to be: aligned with our true nature, unencumbered by our own bias, ready to take the next step.
Journey or Destination?
If failure is to be expected at all stages, when then is a project truly complete? Is it true then that a journey of failure is more important than successfully arriving at our destination?
The journey is complete when it is complete; when we feel compelled to move on, to iterate on another project because it's the next step in front of us. One fork in the road leads to another.
Consider the feeling if, on our own journey, we found someone walking a similar path. We are stewards of the path we travel, and at some point we will all have to pass that stewardship to someone else. The path does not belong to us, only the journey does.
When the journey has been passed to another, only then have we reached our destination: the next step.
Naming and Framing
Objectives and Key Results (OKRs) all have a different definition based on what book or article we read.
Here is the truth: I have never fully completed an OKR, closed it out, and marked it done. Why? Because of the iterative process that I go through.
I iterate through the desired end state of the goals and often am led to other related projects that align with or achieve the important goals of the Objective. The journey is passed off to another whom I have met on the road, traveling in the same direction as I, if but for a short time.
"This is just a fancy word for delegation!", you say!
I assure you it is not. It is a natural intersection of two people making progress on a goal that, for a short time, aligns.
The Stoic in me hears the words of "don't let yourself get attached to external things" echoing in my head. The destination does not belong to me: it belongs to all travelers on the road, just as the road does not belong to me. The only thing that belongs to me is the journey I am on.
For a short time, my life intersects with the journey of that project and I become its steward until one day my next step forward takes me down a different path.
For OKRs, it means that my goals are constantly evolving and growing. I keep watch on the path until someone comes along and requires that path.
Favorable Winds
"A ship without a port will find no winds favorable."
How am I to reconcile the fact that my journey will never be complete if my projects will never be fully finished or my OKRs never closed out?
I have a destination. It's just that my destination adapts and grows as I do.
Sailors find winds favorable because they know where they are going and take measures to get there. They know what waits for them at the end of the direction they are traveling, always taking steps forward, never steps backward.
Without a destination, or a port to keep with the sailor theme, we can never truly say that we are taking steps forward: only that we are moving.
So: journey or destination?
A journey without a destination doesn't move us forward: it moves us around. A destination without the journey doesn't show us how far we have moved.
Pick a goal and take a step forward. And then another. And then another until you find a fork in the road that requires you to find your next destination. Make your choice, continue with your next step.
All the way until the end.
Farewell, and may fair winds find you.


