PRODUCTHEAD: A red team mindset
PRODUCTHEAD is a regular newsletter of product management goodness,
curated by Jock Busuttil.
a product at the door
A red team mindset benefits information gathering, sense-making, decision-taking and planning
Red teaming is similar to ethical hacking, in which a simulated attack uncovers flaws
Consequence scanning is a technique for clarifying intended and unintended effects of your product
Whenever new enabling technologies reshape the world around us, they open up a wealth of new possibilities for our products. Suddenly everything becomes a lot easier and quicker to achieve. However, because we’re in uncharted territory, the decisions we are taking now in the design of our products could end up inadvertently harming our users later on. New tech also opens up a myriad of new techniques with which a bad actor could creatively abuse our products.
It’s too early in the new tech cycle to have the benefit of hindsight or stories of high-profile fails from elsewhere in the industry to learn from, so it’s time to tear a page out of the bad actors’ script.
In defence simulations, the effectiveness of a particular strategy or set of tactics can be evaluated by setting up two teams: a blue team and a red team. The blue team enacts the desired plan, while the red team is set up in opposition to exploit any flaws in the design or execution of the blue team’s plan.
A dedicated red team
When this approach is applied to technology, some larger organisations have a dedicated team whose role is to test the robustness and security of their own products and infrastructure. The red team’s objective is not to cause actual damage, but to uncover and exploit weaknesses or flaws in the product and surrounding business processes as an external bad actor would, so that the service design can be improved before that happens.
A friend who used to work at Google told me of an unusually successful red team there in the mid-2010s. Through some creative combinations of exploits, they had managed to take down a noticeable proportion of Google’s online services before they received a phone call from Sergey Brin politely asking them to stop.
As you can imagine, the confrontational nature of a red team can cause problems. Red teams are typically external to the organisation, and some stakeholders may think it wasteful to pay outsiders to break or disrupt business as usual. Using a red team can also really piss off your development team if they’re overly protective of their work and don’t see the benefits of the approach.
Other organisations use automation to test specific aspects of their systems, such as resilience to infrastructure failure. One example of this is Netflix’s Chaos Monkey software that would shut down parts of their production systems at random to see whether the overall system would continue working.
A red team mindset
We can take the concept of red teaming a little further, though. Before we get to the point of having a product, processes and infrastructure to test with an actual red team, we can apply the way of thinking to the decisions we take along the path.
By adopting a red team mindset, we force ourselves to take the perspective of an external adversary in a structured way. This can help to overcome our hidden cognitive errors, such as groupthink or confirmation bias, or to uncover flaws in the logic of our thought processes. It can also open us up to alternative approaches that we otherwise would not have considered. Better for you to find these out before someone else does.
For you this week
My selection of articles for you this week covers various aspects of red teaming. If you only have time to read one, I would recommend the Red Teaming Handbook published by the UK’s Ministry of Defence. This defied my own expectations. I was expecting it to focus solely on military applications of the concept (it doesn’t). Instead I found it very relevant to creating user-focused technology products, and written clearly and concisely.
Speak to you soon,
what to think about this week
This handbook is a practical guide that sets out two different types of analytical techniques. The first set of techniques, the red team mindset, can be used in time-pressured situations that need quick assessments. The second set of red teaming techniques can be applied to more complex problems that require more deliberate judgements. In either case, the techniques described are essentially critical thinking skills that involve an unbiased analysis of information to overcome the natural biases that human beings possess.
[Development, Concepts and Doctrine Centre (DCDC) / Ministry of Defence]
It may seem counterintuitive to pay someone to tell you your shortcomings, but smart companies today are shelling out dollars and resources to do just that, in the form of red teaming.
Red teaming is the practice of testing the security of an organization’s systems by emulating a malicious actor and hacking into secure systems or data.
[David Harrington / Varonis]
In a Consequence Scanning event you will answer the following three questions about your product:
1. What are the intended and unintended consequences of this product or feature?
2. What are the positive consequences we want to focus on?
3. What are the consequences we want to mitigate?
[doteveryone / Open Data Institute]
Do you have any advice on productivity tools for tracking product metrics? I’m seeking guidance on streamlining feedback and metrics management. Juggling continuous discovery insights, team feedback, and metric tracking has become increasingly overwhelming.
[I Manage Products]
Job adverts present a chicken-and-egg problem: they all need you to have product management experience to secure a job, but you don’t yet have a product management job to gain that experience.
Don’t let this discourage you!
[I Manage Products]
Recently I was explaining to a client why I focus my efforts on finding “force multipliers”. These are what I call activities that allow us to extract multiple benefits from a single piece of work. You could think of it a little like a workplace fusion reaction, where the output ends up far greater than the input effort.
[I Manage Products]
can we help you?
Product People is a product management services company. We can help you through consultancy, training and coaching. Just contact us if you need our help!
Helping people build better products, more successfully, since 2012.
PRODUCTHEAD is a newsletter for product people of all varieties, and is lovingly crafted from a bit of superglue to hold my thumb together.