Pillars and Values

We believe that the determinants of an organization's success or failure are rooted in its collective values. We understand that the collective is no more than the accumulation of the values of each individual. We know that the strength of these values within an individual is a predictor of their success – and therefore is critically important in the success of our mission.


These values will guide our decision-making; will influence our interactions with each other, our partners, and our clients; and will form the frame that gives our business shape and strength. By integrating these beliefs at every level, we will build a house out of stone that will withstand the tests that will inevitably come with time.



Go to the fight

• There will always be conflict. To the degree that you are able to anticipate where, when and how conflict will occur, you will be able to create your own advantage. As the conflict is forming, take action to dictate the terms. There will always be a fight – go to it. The alternative – whether failure to anticipate, aversion to, or neglect in preparing for conflict – will always result in undue suffering.


Sit in every seat

• Competitors and partners alike will come to the table with goals, just as you will. Each actor has been shaped by different experiences, and is driven by different motivations. Integrate this into your thinking. When you anticipate and understand the opposition's goals, you will enhance your ability to navigate the discourse. Examine all angles, and become familiar with all functions involved. Use this to calculate all possible vectors of approach before the action begins.



Turn directly toward the storm

• There are elements of a fight that are within your control. But there are no such elements to a storm – all you can do is build your vessel to weather the storm, and hope to pass through it as quickly as possible. There is one course of action that is preferred, if you are able. That is to streamline your vessel and face directly into the storm, while collective effort is directed in concert and with sole purpose. This will always be the quickest passage through storms.


Expect problems, eliminate surprises

• Things happen when you least expect them. This is a gentle way of saying that bad things happen when you stop paying attention – that when things seem to be at their best, you are at your greatest risk of suffering a nasty surprise. Be vigilant at all times, especially when there seems to be nothing wrong. Never have you been more susceptible to ambush than when you are feeling successful, happy, and content.


Embrace your greatest fears

• It is natural to avoid the things that scare us the most. Unfortunately, that means it is likely that these are the things for which we are least prepared. Admit to yourself the things you fear the most, and make sure to address them in a way that prepares you for their manifestation. Your fears will not avoid you, and will be your downfall if they catch you unprepared.



Continuously improve your pathways

• Heavily traveled pathways tend to deteriorate – they become crowded, rutted, and inefficient. Constantly renewing pathways – including your methods, processes, protocols – will guard against the degradation of a system. Avoid becoming stuck in a routine; always question why things are done a certain way. Do not become beholden to sacred rituals; do not be afraid to do away with an outdated technique, process, or method. Instead be afraid of what will happen to your organization when those pathways deteriorate.


Solve the deepest problem

• The symptom is almost always what we see first, and it is almost never the real problem. Look beyond the symptom – the thing that tips you off to the problem – and dig deeper. Very rarely will the problem itself be a single action... a one-off event. The real problem will be the rules, norms, and momentum that enabled the one-off event. Find the real problem, and solve that.


Deliver everything that you promise; do not ever deviate

• Keep a running record of everything that you owe. It must contain everything, and you must be diligent in order to be certain. Check frequently against this record to ensure that you are meeting your obligations. One broken promise will do more harm than ten perfect deliveries will do good. When you are widely known as reliable and conscientious, you will stand first in line for the opportunities of greatest consequence.



Act in your own self-interest

• Pursue activities, relationships, and outcomes that will bring you the greatest possible good – without harming others. When you act this way, then you are – by definition – creating your maximum potential value. Not only does this benefit you, it benefits all who operate within your sphere.



Maintain the engine

• Identify the critical engines that power your creativity and productivity. How, where, when, and under what circumstances do you work best? Seek out those environments and tailor your day to create the best that you can with your time.


Imagine receiving the work you submit

• Examine your work with new eyes. Is it helpful, insightful, valuable? Is it simple, clean, and readable? Would you – after seeing the work you submit – know how to do something new, be inspired to ask more questions, or feel the need to take action? If your answer to these questions is yes, then submit the work. Otherwise, the work is not finished.


Plan your time

• Days can be lost to meandering – and can easily upend subsequent days and weeks. This impacts other people’s days, and compounds throughout the organization. Plan your time by learning to manage variables that are within your scope, and think at least 3-4 moves ahead: how will your work impact the work of others? Coordinate this regularly with those who work with you.


Keep your tools clean and in good working order

• Not just physical equipment – skills and knowledge are tools as well. Put everything away clean, dry, and organized. Your tools must be in working condition at the instant they are called for again – any delay sets you behind. Take the time to keep them ready. Eat well, sleep well, stay organized, and respect the tools that make you effective, creative, and happy.



There is always a cost

• Whether you pay regularly and voluntarily by subscription, or at random and against your will by penalty, there is a cost to every benefit that comes your way. Nothing is free. Time is a cost. Energy is a cost. Pain is a cost. Very often these costs are hidden, but you can learn to anticipate them. When you learn, you will improve your capacity, your happiness, and your life.


The job is never done

• The measure of a successful project, initiative, meeting, or engagement is whether it creates momentum. If something ends but does not give rise to something new then it is by definition not successful. Let go of the idea that there is an end – we are working to create something that lasts a long time. The goal is to avoid reaching the end.




Always ask why

• Learn to look for and understand the broader effects of the work you are doing – the shape of things being built around you. If you can’t find the answer, ask somebody else. Ask until you see where this is all going. Then, with that understanding, you will be able to contribute the best possible solution.


Always be changing

• Constantly tinker with processes and methods. Ask every day whether they are useful, or whether they are simply habit. If they are only habit and provide no value, destroy them immediately and build something useful. This must be continuous – your new methods will one day wane in utility and degrade into a simple habit. Destroy the habits, and create something new.




We are free to act only upon what is given

• Our plans are at the mercy of a future unknown. The world changes form continuously, taking what is given and transforming it into what will be. Because of this and not despite it, we must strive to create the very best of everything in all that we do – to supply the best possible inputs for the world of the future. They will only have what we are able to give them.


Writing on the Wall

Once every so often, there comes a time when it can be said that “the writing is on the wall.” Those times are invariably followed by a day on which the multitudes declare that “we should have seen this coming.”

“… insurers are failing to identify high-risk clients, because they are not undertaking sufficiently rigorous security evaluations before writing cyber policies …”

That time is now.

When I write on the topic, I like to assume that the audience is not a panel of experts – that they are not cybersecurity professionals, privacy lawyers, or seasoned hackers. I’m safe in that assumption. The truth is, the vast majority of the computer literate population in this country rarely changes their passwords. And that, in their world, is the final line of defense. Those anointed few who would qualify for the panel are in an alarming state of disarray – often at odds with each other – regarding rules, thresholds, and best practices regarding network security and privacy.

So you see, when I make a conjecture like, “cybersecurity is dangerously misunderstood,” I’m actually saying two things: 1) that what we know of the field is fragmented and the source of much disagreement, and 2) that a vast majority of the stakeholders in this equation receive a vanishingly small amount of education, skimmed from the headlines covering what amounts to a very large disagreement.

Because of this, we find ourselves operating within a system that is riddled with gaps and inconsistencies. Nobody will be surprised to learn that those gaps and inconsistencies represent opportunity – both for improvement, and for malice. Unfortunately, as we are in the early days, the churn of tools that are marketed with the purest of intentions has contributed to those gaps. As a result, we must also accept that even those who come in peace may in fact be unwitting agents of malice.

Into this environment, insurance companies are tumbling over one another, keen to ride the 2x growth wave of cyber liability policies.

And so you see why there may be cause for concern.


Certain Uncertainties – Cyber Insurance and the Race to the Unknown

Shortly before I went to bed on the night of Sunday Jun 8, the New York Times published an article on a topic that I had spent the last 6 months explaining to anybody who cared to listen – cyber security insurance. By the time I woke up Monday morning, 4 people had sent me the link to make sure I had seen it, and to ask my thoughts. The answer is that NYT got it right – and they did a great job making it understandable.


Cyber security is a hot topic. Every day there is news of a big hack that, for the most part, affects all of us in a very personal way. We’ve all spent the better part of a decade broadcasting ourselves and our lives onto the internet, and are beginning to experience the blowback – our nearly naked exposure to theft, fraud, and spying. It will get worse before it gets better – and it will only get better when people start learning how to protect themselves. That’s what Scalar Security aims to do.


But the topic of the NYT article – cyber security liability insurance – is less well known. Insurance is like that. It lurks in the shadows and steps forward only when a problem occurs, hopefully to ease the pain of the problem. Cyber insurance is designed to help pay for forensics (determining the cause of a breach), remediation (reconstructing damaged systems), and liabilities (purchasing credit fraud protection for customers).


But a funny thing is happening – they are getting it wrong. It turns out that companies, for the most part, do not understand their risk. The Target breach, perhaps the favorite case study in the media, has revealed a company that was under-insured by a factor of 10 – $100M in coverage for what ended up being a $1B breach. This will hurt Target, badly, but it will not hurt their insurer – this time.


What’s frightening is the thought that Target might be the rule rather than the exception; that most companies are under-protected and under-insured. When the gap between the actual and perceived risks is this wide, there is likely to be more damage. Consider the insurance companies, who have aggregated dozens or hundreds of policies like that of Target, operating under the assumption that their risk is diversified.


We are suggesting that insurers may unwittingly hold large portfolios of companies who have 1) underestimated their assets at risk, and 2) placed those assets under inadequate protections.


It may be the case that our digital infrastructure is flapping in the breeze, not only at risk, but without backstops to minimize damage. In the case of an individual firm, a breach could topple that firm. But in the case of a systemic breach – like a takedown of payment card systems or telecoms – it could upend the entire economy. This is why the government has mobilized by developing and launching the NIST Cybersecurity Framework.


We believe that frameworks like this will be essential in mapping the road forward. These fundamentals are the building blocks of not only an effective security program, but a resilient organization with a strong risk management ethos. We believe that these frameworks will be invaluable to companies of all sizes, as well as the insurers who back their systems.


We are currently developing an easy questionnaire that will help you assess your organization’s security posture, and give you some concrete feedback about what works, and what needs work. Submit your email to receive updates on the tool when it becomes available.