
PirOps: What 18th-Century Piracy can Teach Us about SecOps

BSidesSF 2024 · 31:27 · 319 views · Published 2024-07
Style: Talk
About this talk
PirOps: What 18th-Century Piracy can Teach Us about SecOps

Speaker: Aron Eidelman

The Golden Age of Piracy in the Caribbean, often romanticized in literature and film, offers surprisingly valuable insights into modern-day SecOps practices. Explore the historical research on the structure, processes, and risk management strategies of pirate crews to see what we can use today.

https://bsidessf2024.sched.com/event/44a416ed3fffc168ece7bb7e3227a196
Transcript [en]

So, don't worry, this talk is actually not going to be at all about AI security; it's really going to be predominantly about pirates. And I just want to say before we get started, I have to get this off my chest: this is the same movie theater where I saw The Dark Knight 16 years ago, so this is very trippy for me. But without further ado, let's talk about pirates.

So first, by way of introduction, how did I come up with this topic? I noticed during my time at Google, and before, but especially working with SREs and looking at how security teams were adopting some SRE practices, that there was this remarkable similarity to what I'd read about 18th-century pirates. And I'm really specifically focused on 18th-century Atlantic pirates, right, the ones in the Caribbean, in the southern part of what is today the southern United States, and in western Africa. These pirates are very different from just about any of the many, many hundreds that existed throughout history, and there are some unique things about them, about their time and place, that I think led to some of the operational practices that we're going to look at today.

But before I get into that, I do have to do a little bit of demystifying, because a lot of what we think about pirates comes from probably one of these, and from video games and popular culture. And they're fun, right? They drink, they steal stuff, it's cool, it happened 300 years ago, so long enough ago that it's safe to enjoy that. But still there's something about pirates that draws us: the sense of freedom that they have, and the sense of kind of being out in this frontier and not having to worry about the rules anymore, that just kind of maintains their cultural relevance throughout the generations. And some of that is true, but I want to demystify some of, I think, the negative aspects that they're portrayed as having, so that we can really see what makes them tick, how they work, what's special about them.

So before I get started, at least in the time period I'm talking about, which is about 1690 to 1725, the Golden Age of Piracy, there's more or less peace between the major empires, right? The British and the Spanish had their big wars, and now things have settled. But you also have this group of people that have this unique, exceptional technical skill. If you think about ships back then, this was the cutting-edge technology; these things are just incredibly complex compared to really most other things in the world at the time, and a very small percentage of the population knew how to use them. So there's a broader sailor culture that pirates are taking from here, and you may see some analogies today to people working in technology, specifically in some of the emerging technologies.

Likewise, there's this representation in movies and video games that pirates are incredibly violent, right, they get into a lot of pirate battles. That certainly did happen, but typically they were not using violence to accomplish their aims; instead they're using psychological intimidation. And if you even look at one of the most famous pirates, Blackbeard, what he's known for is really his special ways of intimidating the target that he's going after. So what about this is interesting is that they have to maintain this reputation, and we'll look at some of the ways that they do that.

But another interesting point is that sailors chose to join pirate crews, right? They weren't forced to do this, and they overwhelmingly chose to become pirates as opposed to staying on a merchant vessel or staying on a military ship if they had a choice. Even if they left a life of piracy, they would often say, those were the best years of my life; if you want freedom, being a pirate is the way to do it. So the people who participated in this overwhelmingly seem to like it. That's pretty interesting too.

A big misconception is about pirate captains. Now, there's a reason for this, right? Pirates did not keep very good logs; people are typically not going to take notes on a criminal conspiracy. So logging, and the way pirates did it, is not something for us to learn from. But pirate captains were not people who owned a ship, right, the way that a captain of a merchant vessel was. They were not some higher social class that made 100 times as much as the crew. They were typically of the crew, right? They were really integrated, and we're going to see some examples of that that I think are interesting. But because of that, because they were part of the crew, if the crew didn't like a captain on a pirate ship it was far less likely to be a bloody mutiny the way it would be on a merchant ship. So I think that's one really important difference. And then finally, yeah, with one exception, I think I mentioned they didn't own the ships. There's one exception, Stede Bonnet; he actually bought a pirate ship, and he's kind of a goofy pirate for a lot of other reasons. But they didn't own the ships; the crew owned it, right? So this is another kind of interesting difference.

So with that out of the way, I think I've done about two books' worth in, I don't know, about five minutes, so let's get into pirate culture, because this is really the root of a lot of what I want to talk about. So one concept of a good work culture is that it's inspiring, not mandated, right? You can't really force people to have a culture the way that you can force them to follow certain policies. Culture is something else; it's emergent, people volunteer to do it. And so if you're going to design one or change one, it's got to be in a way that draws people in, not in a way that you force them to behave a certain way. And pirate culture is a great example of this, right? There was no real ideology with pirates; it just happened.

So how did it happen? Well, one is that pirates, as sailors, understood the risks inherent to operating a ship, right? There are a million ways that you could get injured, that you could get sick, that in a battle you could die. So there's all these different risks to being a sailor and engaging in conflicts in general; pirates are aware of these. But because they're voluntarily coming together to form this unit, to form a ship and a crew, and they're the ones choosing to do it, right, it's not being forced on them by a state or a company, it's something that they're willingly doing, they acknowledge this risk together and they're able to plan ahead for these risks together.

And if you look at how they are organized, right, what kind of keeps them together, what are the Articles, the articles of faith? (Oh, closer to the microphone, all right.) They have something called the Articles, which is kind of the constitution of the ship, and it outlines everything from why are we operating together, to if you get injured, if there's an incident, if we lose all of our money, if someone loses a leg, what is the reimbursement going to be, who's going to pay for it. So pirates think about this in advance, and just about any other type of ship really didn't care what happened to most of the people on the crew; there was none of this advance risk planning. So on a merchant ship, what would happen? Well, if a sailor were to get sick or disabled, they would just very often be abandoned. Whereas on pirate ships, so one part of the popular conception that is accurate is that people who lost a leg or a hand would still stay on the crew, right? So you have people who are not doing as much as they did before, but they're still considered an important part of the crew, and that's kind of an interesting aspect of what they maintained.

So what I want to get to is that a crew still has a sense of shared fate, right? It's not as if you have this absolute freedom where you don't care about consequences anymore. So you still have an aversion to failure; there's still the possibility of a ship sinking. But failure that is outside of your control is safer; there's more assurance that there's going to be support in spite of failure, and you did not have this on a merchant vessel.

Now, what this maps to, and what we see in site reliability engineering and in security teams that are trying to adopt some of those practices, also from DevOps, DORA, these types of new ways of thinking about organization, boils down to Westrum's three different cultures: generative, bureaucratic, and pathological. So in a pathological culture, that's power-oriented, where people are kind of driven by fear and where there's a tendency for people, as a result of not trusting each other, to kind of blame each other when things go wrong. Really this is the type of ship philosophy, if you will, that pirates are trying to get away from, right? When they leave a merchant ship or a military ship, it's to get away from this; this is the antithesis of their freedom. And then in the middle there's the bureaucratic one, which, if you heard the talk just before this one (it's a great talk), there is a description of larger organizations typically having all these rules and siloing. And this is a hard problem to get out of, because people will go to the lower accountability, "it's not my job," when there's a lack of mission, right? It's easy to say that's not my job, that's some other department, when no one really cares about the organization's central mission, when you're only focused on a specific department.

But then on a smaller scale, like the scale of a pirate ship, where you've got an intimate crew, they all know each other, at a max we're talking 300 people, right, and typically much smaller, there it's very performance-oriented. Of course, if they fail, it typically didn't end well for pirates, but that threat is external, right? Internally there's good information flow, there's high levels of collaboration, they're all willingly there. So the generative model is really exemplified in how pirates operated their ships, as opposed to the merchant and military ships, and there are some definite benefits to doing this in an organization today.

So this is from DORA's 2023 research, so you can get that report online. But there's three things I want to point out here: generative culture, flexibility, and work distribution. You'll notice that there's not just gains to job satisfaction, right, you don't just want to be a part of this crew; there's also gains to productivity. You generally have an easier time of shipping things, shipping them well. So that is to say, this isn't just about kind of an ideology of the best work culture; there's also direct benefits to this in terms of what it is that you're producing.

So with that in mind, I want to look a little bit more at, okay, with this generative culture in mind, how did that affect day-to-day operations on a pirate ship, and the way that pirates looked at toil and redundancy? And before I jump into that, I want to quickly clarify what I mean by toil in the SRE sense, as opposed to what the term might mean in everyday conversation. So in everyday conversation, toil is stuff that we don't really want to do, right, it's boring. But in the sense that I mean, there are some types of work that you have to do no matter what, like doing a weekly report or just capturing the work that you've done over a month; that's overhead, right? That is work that is just meant to help with the administrative flow of things. Likewise, there are some types of toil that are actually enjoyable. So toil is repetitive manual work that you can predict ahead of time, and the notion that people don't like toil is often incorrect, and because of that, toil has this way of sticking around in the way that a team works. So doing manual operations, for some people, is very fun; they like getting their hands on the keyboard, they like directly administering things, manually analyzing logs, etc. But really toil hurts an organization above all because it's repetitive, it's not efficient, and that's the key way to think about this.

So let's look at a pirate ship and how it's different. So pirate ships typically are small; they are not these huge galleons that you see in the movies. There were one or two examples of that, but for the most part we're talking medium-sized FRS. But they had an overabundance of crew, right? They had far more crew than a typical ship, and there's a good reason for this. One is that a typical ship has a specific time-bound mission, right: we're going to leave from this port in Europe, go to the Caribbean, pick some things up, go back home, and so the more people we have aboard, the more that costs, and so it is ultimately in our interest, for our margins, to have a really small crew. Whereas a pirate ship has the completely opposite mission, right? Their mission is to intercept ships in a very small range, and to do that, as I mentioned earlier, they're really relying more on psychological intimidation: there's 10 of us for every one of you, so you don't have to fight, just give up. So because of that, it benefited them to have these large crews, and they were able to sustain these large crews, right, they're not taking these huge voyages typically.

Another thing is that they're using redundancy as a strategy, right? They don't want the crew to get tired or sick or injured, so they actually have very small work shifts. With all these extra people on the ship, what is usually an eight- or ten-hour day for a person on a merchant vessel is maybe four hours on a pirate ship. So they're able to reduce the amount of work per person, which means people are happier, they're ready to board an enemy vessel, they typically are able to keep their spirits up for a longer time.

So what can we learn from this? I'm not suggesting that everyone should just kind of slack off and not really work hard, but in terms of having slack as a feature in the system, there are some other ways that we can think about this, and the one that comes to mind the most is automation, right, and focusing much more on being able to automate, and spending people's time automating rather than spending people's time manually doing work. That's kind of the overall view. Now the SRE take on this is that manual operations, any manual operation, should be viewed as a bug. Oh, you had to do that to fix that problem yourself? Okay, that's a bug; we want to find a way to make it so that if this thing happens again, you don't have to go through those steps. And so the excess capacity to do that type of thinking, planning, project work is a feature. It's no longer the case that, oh, this security team or the operations team, they're just sitting around, they have nothing to do, they have no tickets. Quite the contrary, they're spending their time thinking in advance: if we have this type of situation come up again, what's the best way to approach it? If we can anticipate certain risks, how do we take that on in advance instead of just waiting for them to happen? And so work primarily turns into project work and reduction of toil, and not standardized ticket work where you're just fixing things that are broken.

So then, if you have these other two components that I mentioned, right, you have a culture where failures that are out of your control are typically safe, a crew trusts each other, there's this sense of a shared mission, and also you have this desire to reduce toil and to find ways to scale out and prepare in advance for incidents as opposed to just reacting all the time, what does leadership look like in this kind of setup on a pirate ship? So a good way to talk about this is to just look at how pirates structurally organize their ships. So if you look at a typical ship (you can probably tell I used to be a grade school teacher by my artistic abilities), the captain's quarters took up this prominent place on the deck, right? It was convenient for the captain, they had a nice view, it took up a lot of space. But remember what I said that was so different about pirate ships: that the captain doesn't own the ship, they're a member of the crew. On a pirate ship they would turn the captain's quarters of a captured vessel into extra storage space, or they would just get rid of it altogether to have more room to operate, and the captain in both cases would sleep in the lower decks with the rest of the crew.

So how do you think of a security leader in this particular kind of framing? Well, one thing I'd point out is that in SRE there's a concept of an incident commander that we adopted from 1960s emergency response, which is a person of a team. This person does not have a permanent leadership position, but whenever there's an incident, if they're the specialist, if they're the one who knows the most about this type of incident, they temporarily take kind of the central role, and it's really a role to help communicate and coordinate and help all these other teams figure out what the other team is doing. It's for information flow primarily; occasionally it's for decision making, but again, you're picking someone qualified in this specific area to do the decision making. And then once the incident starts to die down and things start to return to normal, that person reintegrates into the crew. And so this is very different from having permanent leadership that is assigned to these posts.

Now out of this we started to wonder, right, we being DORA: is professional management an anti-pattern? Is having a permanent position something that can actually work against an organization over time, especially if you get out of touch with how individual contributors are doing things, especially if you're not the specialist? And what I'd say is, especially given most of the people in this room probably work for companies or the government or an organization with some sort of external stakeholder, we actually still do need professional managers; we need some way to respond to those stakeholders. But this idea that leadership is a status as opposed to a function, I think the way that pirate captains work is an interesting kind of counterexample to the notion of leadership as a status. And so if you take a pirate captain as an exemplar for leadership, it's more desirable for the crew, but, like I said, also in our research in DORA and in other cases where you have a leader who only steps in when that's their specialty, we see lower recidivism of incidents of that type; we see an awareness of the problem specific to their skill set.

So how successful ultimately were these pirates? If we're saying what we can learn from them, we should see how effective they were, and obviously they don't exist anymore, and they were really only around for about 35 years at their peak. So what happened, what are the boundaries here? Well, it did take the imperial powers 35 years to respond to the threat of Atlantic pirates, right? For 35 years they basically didn't face that much resistance, and we can see it in the numbers: in 1690 there were only two British Imperial Navy ships that were permanently patrolling the Caribbean, but by 1725 there are two dozen. So clearly over time this grew into enough of a problem to warrant a response.

Some other limitations, right? Piracy is inherently parasitic; it doesn't produce anything, it's just kind of depending on the rest of the economy working, and it takes from that. But in general, if you're a cost center that doesn't primarily produce profit in a company, whatever that might be, you have to think, how do I fit into the broader economy? And pirates did find a way to do so positively, right? They found a way to be tolerated by the local population by selling things to them, by minding their manners a bit more with locals. So there was a way that pirates still were able to integrate, and in fact they were an important part of this local economy.

And finally, one thing about pirates over time is that people realized that the risk was really great in doing it, but they were able to reintegrate into the rest of society, right? So a lot of pirates did not end up dying or captured; they became parts of society again. And I point out that the Golden Age of Piracy ends in 1725, but what happens 50 years later, right? It's part of what made this country possible. And you actually have something very similar going on both in this pirate culture and in the colonies, where people realize, hey, we're pretty far away from the central imperial power, we're good at doing things on our own, and we just have a smarter, fairer way of doing things; why don't we just abandon the old way and commit to this? So I think that's an interesting take, especially if you're starting a new team or going to a new team or kind of have this fresh space to work with, that maybe inheriting those older ways of doing things may not be the best way.

So as a concept, yeah, piracy, we still use the term in non-literal cases too, but the legacy that I think a lot of us take on from it today, it's on the swag that you'll see in the expo hall, it's in some of the other conferences we go to. Why does this stick around? One thing that I want you to just remember and think about is that these, again, are technical people who are escaping from a bad, older way of doing things and trying to create something that's more desirable, more practical, more open. And so with that, thank you for listening. We have about five minutes for questions and comments, but I certainly would love to...

Sure. So I can't really see anyone, but yeah, there are no questions in Slido yet, so either you can shout out your question or put it in Slido.

Oh sure, yeah, well, I don't know enough about blockchain... Sure, I'm just generally wondering what other technologies this applies to; blockchain comes to mind as you're talking. Sure, yeah, I mean it really applies to anywhere the people doing the manual operations today could potentially do the automation in the future. So from the tech standpoint I think that's the key one.

I really like the interesting concept with professional managers. Do you ever see a team composition where there's no managers, but, as you said, there's the concept of incident commanders rising up and reintegrating into the team and rising up again? Do you see that practice? Absolutely. And so the point about professional managers too: I've actually discussed this exact topic predominantly with professional managers, right, and they've come to a point of realization that, excuse me, especially on highly technical teams, being able to entrust a member of the team with incidents is one of the best ways to ensure career growth, maintain cohesion, but also get the best person for the job. And so preparing for that in advance is a part of their role. Again, I mentioned that you still need professional managers for other things, right, HR-related, fiduciary responsibility, and representing the team to the broader organization. But in terms of the incident component, absolutely, you can have these two coexist.

Right, you see... Mhm, great question. So some of the other areas that I didn't talk about so much... sorry, I'm going to take another sip of water.

Some things I didn't talk about as much are iterative approaches to change, right, and funny enough, pirates offer another good example. If you look at those very rare logs that I mentioned, you'll notice that merchant ships have a very specific port they're traveling to and from, right, and they plan this months in advance, so this is kind of the old waterfall approach, if you will. Whereas a pirate ship, if you look at its trajectory, it bounces around all over the place, right? Pirates are looking for a safe port, the crew is voting on where to go next; it's kind of chaotic, but it works for them. And the key with any of this, with SRE, DORA, anything, is small iterative steps. So in a large organization the biggest challenge is how do you earn the trust of the larger org and the leadership there to do this experimenting. One way that I've seen this very clearly is with teams that are especially trying to go through a DevSecOps type transformation or trying to shift security left, so to speak. They very often have leadership that expects that adding security left is not going to create any friction at all, or it's just going to magically improve things. So the biggest way for them to succeed is to manage those expectations, right? If we're adding all of this vulnerability scanning earlier, if we're doing SCA and SAST all of a sudden, abruptly, with no configuration whatsoever, we're going to have false positives through the roof, we're going to have developers who don't know how to do the analysis, we're going to have security teams that are overburdened and can't do the false positive bit. So the time that it will take to get to a point where we start to benefit is going to be much, much further past this point. But prepping the larger organizational leadership for that experimentation, that's probably the most important part, in saying, look, we're going to be taking small steps, failing fast, but that's what this team needs in order to try this out, right? There's a question in the back; can you shout out your question? Yeah, wondering...

Oh cool, yeah. Can you repeat the question? Absolutely, yeah. So the question was, merchant ships also had to respond to the threat of pirates, right, and so given that we're talking about security, typically we may see ourselves as the one fighting against the pirates in some respects. So merchant ships typically insured their cargo, right, and so I wanted to avoid this, but now I'm going to say that getting insurance is a solution to this problem. But really what happened over time was that merchants started to see that piracy is inevitable, and that the cost of protecting a ship is actually not worth what the loss would be, given how rare some of these incidents were and how disparate the pirate groups were. So there was some risk calculation, but ultimately I would say the other take-home is that the merchants kept going back to the imperial powers and saying, we need the Navy here, this is not something that we can handle on our own, it's getting too expensive for us, ultimately it's going to affect the economy if we don't stop this. So I think industry-wide, kind of enlisting government and working a little bit more with the people who are really tasked with preventing this would be the step that we need to take, right? Individual organizations shouldn't be thinking of themselves as single-handedly fighting against these threats. All right, unfortunately we're out of time. Thank you. I will be walking around for the next two hours or so, so happy to chat with you up there. Thank you everyone. Thank you so much, Aron.