Security Experts:

1.92 Seconds, On Repeatability

The Williams Grand Prix Engineering team currently owns the record for the fastest pit stop in Formula One at 1.92 seconds. Think about that. In the time it takes you to blink twice, a car pulls in, has 4 wheels taken off and a fresh set put on and drives away. That’s mind-blowingly fast.

When NBC Sports interviewed the pit crew that set that record and asked them how they got to be so blazingly fast, the answer was quite simple. Repeatable motions and practice.

In order to get to 1.92s for a pit stop the Williams crew practiced. And practiced. And practiced until they had it down to muscle memory. Hundreds maybe even thousands of times. Each of the crew team had a role to play and they knew exactly what to do and how and when to do it. One person’s job was to use the air tool to loosen the lug. Another’s job was to pull the old tire off. Another’s job to put the new tire on. Then the person with the air tool would bolt the tire back in.

There is a lesson to be learned here for security professionals and leaders. That lesson is really three-fold.

First, there is the lesson of specialization. The person who operates the air tool, while they are familiar with the “tire off” operation, doesn’t perform that role. They have one role to play, and they specialize in it. That’s all they train for. That’s all they do.

In our field, you specialize, too. But realistically you’re never just going to be a forensics acquisition specialist – and that’s all you’ll ever do. Most companies aren’t big enough to have such deep specialists only doing one job. Instead you’ll train and get amazingly good at one thing, but you’ll also learn others at which you’ll be OK. The point is to specialize. Know your strength and your passion, and study it. Live it.

The second lesson is repeatability through process. Yes, that sounds complicated – but it’s actually quite simple. Develop a process that is as simple as possible to accomplish the task at hand. Then take that process apart and find efficiency gains you can get by making adjustments. After that, what’s left is automation. Automate using whatever you have available – commercial and open source tools included.

Repeatability is so critical, I urge you to spend a lot of your energy and time here. As much as you need to do. Don’t overlook the importance of having something that’s repeatable. To be repeatable, a process must be well-documented, well-understood and well-practiced. I’ll focus on that last part in a second. Documentation is critical. Pretend like you’re writing up instructions for someone who has never done this before. Process flow diagrams are always preferable in the heat of the moment because no one wants to have to skim through a 40-page manual to figure out what to do when any particular thing goes wrong. Trust me. This is a topic for a whole other article in the future, but I’ll leave it at that. Document like you’re doing it for an eighth grader.

Finally, the last lesson is practice. No one on that Williams team was at 1.92s on their first try. In fact, I’m willing to bet that the first few times that person with the air tool tried to unbolt and bolt they maybe even got the direction of the tool wrong. Meaning that they had it set to right (tighten) when they needed it left (loosen). But after practicing a thousand times the likelihood of getting it wrong drops off a cliff. Not to say that they won’t ever get it wrong, but the likelihood is dramatically lower.

Practice is one of those things people say we can’t really do. How do you really practice for a situation when your CEO is compromised and the board memos are being leaked to the Internet? Simulations are nice, but they don’t simulate the pressure of real-life. There is no substitute for real-life situations. So, to that I say, practice in real-life.

Once you have some confidence (and not a moment before) had someone from one of the many red teams out there hit you with what they’ve got. Then go into battle mode. Practice,  find your failures and have someone write them down. Then practice those pieces until you’ve got it right, without thinking. Then do the whole thing again and identify more broken stuff. Rinse and repeat until you’re perfect. Then do it again because you’re delusional—no one’s perfect.

There you have it. You too can get down to your 1.92s. Whether it’s changing a Formula One car’s tires or responding to a ransomware attack against your medical device IoTs. The key is to find a way to be repeatable by developing the process, establishing repeatability and then practicing until it becomes muscle memory.

Good luck out there!

view counter
Rafal Los is Managing Director, Solutions R&D within the Office of the CISO for Optiv, which was created in 2015 from the merger of Accuvant and FishNet Security. Los leads a team developing research-backed guidance addressing key program challenges for enterprise security leaders. Prior to joining Optiv, Los served as principal, strategic security services at HP Enterprise Security Services. Previously at HP, Los served several diverse roles including security strategist of enterprise security products where he advised customers on implementing practical solutions. Los also held various positions at GE entities and various other start-ups. Follow Rafal on Twitter: @Wh1t3rabbit.