Monday, 22 October 2012

Sometimes the best response is just to say 'YES'

One of the most damaging things that can be done to somebody who is playing around with a new idea (and has asked for some support) is to not say YES immediately!

Ideas are very fragile, and just like Jonathan Ive said about Jobs "...just as Steve loved ideas, and loved making stuff, he treated the process of creativity with a rare and a wonderful reverence. You see, I think he better than anyone understood that while ideas ultimately can be so powerful, they begin as fragile, barely formed thoughts, so easily missed, so easily compromised, so easily just squished...."

This means that when somebody asks for an opinion or some financial support (like Mark did with Investing in Developing Software Security Talent), if we believe in the 'core values of the idea', our default answer should be YES!!!

If anything, throw a couple more ideas into the mix and try to evolve the thinking behind the core idea, like I did with Let's make this happen: "Investing in Developing Software Security Talent" (this could backfire since it is important for the person with the idea not to fully realize how complex and hard it will be, but I also believe that one should capture the ideas/thinking that we have (even if in a raw state, since usually there are some really good nuggets in there)).

Now, of course, ideas at this stage are still in a very raw state, and in 99.9% of the cases the final model (the one that actually works) will be very different (from an operational/implementation point of view).

Another very important thing is that the person with the idea is going to be in a powerful 'self delusion state' which is actually VERY important. When I look back at my best ideas (i.e. the ones that actually created something), there was always a moment when my faith, focus and value-analysis of that idea were WAY off the chart. BUT if it wasn't for that 'delusion state', the idea would have never happened (for example the O2 Platform or the 2008 and 2011 OWASP Summits). I now know that 'self delusion states' are very important (and even something that can be practiced, improved and managed).

It is at the early stages of the idea (when the 'self delusion state' is on maximum effect) that putting any roadblocks can be very damaging.

And if somebody says "Hey!! I have an idea, would you be able to support it with 1k, 5k or 10k", if the money is kinda available, then the right answer is "YES, sure, in principle count me in". This is the best of both worlds, since it will give support to the original idea while asking the author to clarify its view and come up with an operational model. Note that no money is going to be spent NOW, this is just a promise of future support.

When I was an OWASP board member, for a while it used to drive me crazy how nobody could make quick decisions for amounts less than 1 USD to 5k USD (they still can't :) ). So for a while there was an item on the budget that said 'Board Funds', which was an amount that any Board Member could commit at any time for anything. In practice this meant that I was able to provide 'theoretical' financial support to a number of OWASP initiatives (namely chapters, conferences and educational activities). It usually went something like "...Hey Dinis, we would like to do XYZ, and at the moment we have a shortfall of $xyz USD, can you give us cover for that amount, in case we don't get $abc USD in sponsors/revenue..". And since a lot of these ideas/activities are Self-fulfilling Prophecies, in most cases the amount needed (if any at all) was much smaller than the one originally asked for.

This is why my default answer to ideas (that make sense to me) and people with energy is YES, Go and Do it!

If they pull it off, great!

If they don't, we will be a step closer.

And sometimes we have to do this, even when we know that the idea is wrong and will not work. See, sometimes it is better to just have some movement (even if not 100% in the right direction) than to have no movement at all. This actually means that we also have to be careful when providing (too much) feedback at the early stages, since that might reduce the energy of the other side (an important part of the 'self delusion state' is to be able to ignore the real complexity of the problem at hand, which if fully understood too early, will in most cases be very demoralizing (i.e. it is easy to climb a big mountain in small milestones, without looking too much at how far the top is)).

Another myth that also happens is that there is this feeling that 'if supported this will succeed very fast'. Nah, in the real world, the cases where something happens very fast are very few. What I found is that even when there are 'none or very small roadblocks/procedures' (for example with budgets pre-approved), it still takes a lot of effort to make something happen. It also helps to have a culture of proactive-encouragement and an operational machine to support it (like the OWASP OpsTeam).

Finally, when Ofer Shezar in his The Science in Ideation blog post makes the point that we have to be careful in supporting 'ideas' like the one Mark had, he misses the points that I've tried to make in this post. Because if Ofer also believes that we need more 'developers with security knowledge' (like I do) then he should realize that Mark's idea is a step in that direction.

Now I happen to agree that Mark is not addressing the root cause of the problem, BUT, that is not relevant to this thread :)

And unless we (me and Ofer in this case) are prepared to spend some time on what we think are the 'root causes of the problem', then we should support the ones that are going in the right direction, like Mark :)