Should be: Charity for a long time; let’s all help make the time shorter…
This: https://facestograves.nl/
Author: Maverisk
Architects’ mess cleaning
By which I mean
a. The architects that deal with any organisations’ data, systems, IT architectures, that align with the business. Ideally
b. The mess being the übercomplexity of the current, actual architecture that many organisations have ended up with
c. The cleaning, or Augias‘ [not his ass] wipe.
The latter seems to be problematic everywhere; one just doesn’t know where to start or how to beat the head start of the chaos, which continues to deepen, Mandelbrot-set style, at ever increasing speeds [sort of, let’s not overly FUD here].
Which made me think of a Giant’s ideas when it came to coping with complexity of organisations. Four directions of coping mechanisms. May be translatable (! that will have to be done in deep, deep style, not just find&replace some terms) to the ‘architecture’ world. Just have a look at the summary here, or delve up the original. And study. And study some more. And study hard. Then, maybe see what I was aiming for.
Then, you’ll be ready for:
[What a monument; the Aubette, Nancy]
The End-Game Plot of 3LoD
When dreamt up, the Three Lines of Defense model was a Program ….! Yes it was or you missed the inception.
Now, 3LoD is a scam. Like, here, remembering this and a partial solution here. Just browse around on LinkedIn and other environments, and you’ll see your favourite thought leaders agree [if they aren’t, you have some updating to do in your ‘favourite thought leader’ department, too], and eggheads disagree.
But then, one can return to the Program idea, being one that is Finite. If that is too difficult: It has an end date.
Which means you can do away with at least one line of def [more deaf than def].
The second, I propose.
Almost all of it was intended, and should have been designed, to be in the first line anyway [see the above link on vertical, and here]; the second line being there for initial build and then transfer to the first.
And the rest, can easily be moved to the ‘third’ line.
Not only by using ‘agility’ ‘only’ as here, and here [nice ripoff of your competitors’ ideas …], and here, but also by taking the following into account:
Agile and waterfall style approaches are not competing methodologies; they exist at opposite ends of the production lifecycle.
They are both usually necessary in a large organisation.
Try waterfalling a new product idea, or agiling mass production and you’ll get it.
— Jon Ayre (@EnterprisingA) February 12, 2019
Which, when you think of it, leads to the 3rd Estate doing all these things, resulting in
The third line being the Intelligence Unit on Controls. Like the G2 is in the military. But then, for Controls only, very only the lonely. Running in circles of controls monitoring, at any scales, and recommending improvements [also at any scale which does include risk tooling, control, and management in the 1st line]
I think I’ll expound on this one a little [a huge little I guess], in a short while. Oh, and in the meantime, don’t forget to update yourself with the latest, clearest thinking on the 1st line here (again-link).
For now, I’ll leave you with:
[The style of tower you’ll need to lock them up in; Figueres]
Flawed RM models – simply put
Oh, re yesterday’s post; on how flawed risk models are not a problem or so [since it’s all we have etc.etc.] the following:
[Courtesy of Alexei Sidorenko for remembering this]
Besides, this post also needs much, much, much more attention.
Need more convincing? Happy landings!
… For all those that want to see a tram, not something else …:
RM with admitted-flawed models
In preparation for a post later this month, about the ‘usefulness’ of risk heat maps …
Against the most basic of common sense, some people [most of the ones working in the areas where this should matter a lot, near life-or-death levels of a lot, e.g., banking supervision and compliance] still hold onto ‘heat maps’ and similar outright oversimplicity.
Even when pointed out over and over again where the errors are, these people seem not to see the latter, and cling onto what they had received from … some other ones, equally flawed in their prefrontal cortex but with apparent authority for no detectable reason. The argumentum ad baculum… Just because someone has a big stick, doesn’t make that person right – look at all the dictators around the world; almost all the continents have at least one (and I don’t mean Mexico or Canada).
David Freedman (in Nassim Taleb’s Black Swan) listed their standard arguments for using the flawed model(s) still, despite their stupidity. Typically, your (?) standard arguments. I’ve added some rebuttals:
1. Yes we know all that. Nothing’s perfect.
But if something is completely bonkers, built on quicksand, you will sink with it.
2. The assumptions are reasonable.
No they’re not. And as if that’s enough. The model is still nonsense and has nothing to do with reason let alone reasonableness.
3. The assumptions don’t really matter.
[Ah, the flip side of the previous; so you acknowledge that one was nonsense] So, why have them, then? Or admit they do matter and you better have the right assumptions, and have them right and met.
4. The assumptions are conservative.
Conservative to which side? Why not use best estimate assumptions?
5. You cannot prove the assumptions are wrong.
No, you prove they are right … Ah, you fail systemically there. For a reason. And I don’t need to prove anything about assumptions, just show that they’re the wrong ones.
6. We only do what everyone else does.
‘Everyone’ it isn’t, and a lot of people [way too many as it is > 0] commit suicide – I don’t encourage it but if that is your wish… ‘Everyone else’ is no guarantee for reasonableness, you don’t even know what everyone else is doing, and when you know they’re doing the wrong thing, why follow? You jump off a cliff if they do? And then find out they prepared with parachutes, maybe.
7. The decision maker is better off with us than without us.
No. You actually mislead the decision maker, which is an offense and may constitute fraud.
8. The models are not completely useless.
Yes they are. Otherwise, you could pick the parts that are not-useless, and glue them together while adding not-useless parts as needed. Since you don’t, you have models that are useless.
9. You gotta make the best of the data you’ve got.
When that’s not enough, it’s simply not enough. When the decision maker jumps off the cliff as you propose (s)he should, having a handkerchief doesn’t substitute for a parachute, even if (s)he’s making the best of what (s)he has available. And the error is yours; see item 7.
10. You need assumptions to make progress.
You need valid assumptions. That would completely obliterate your models’ validity. You don’t need to make progress, neither in a Wrong direction that you take when using flawed assumptions, nor at all after you’ve crafted a valid model (which you didn’t).
11. The models deserve the benefit of the doubt.
No. Why? If it is demonstrably False, it deserves no life.
12. Models and assumptions don’t do any harm so why bother …?
Oh they do do harm, a lot! They wreck organisations, hence they wreck the lives of countless employees and their families, for at least two generations.
So, let’s not pretend like procrastination is a good thing or so. At best, you are stumbling along. Change, or fall.
On the positive side:
[You may end up as a piece of Art; Zuid-As Ams]
An Economist is Wrong
And I don’t even mean one of those that think descriptive science can turn into normative science in a twitch.
I actually mean an Economist article. This one.
[Edited to add a week later: vindict]
Q: Why was oil so valuable? A: Because it took money to produce, and supply was limited – both at any moment and in total global possible availability; even if almost all of the earth consisted of oil, it would still be a finite physical amount with exponential production costs. The oil you burn, is lost forever so even your current stock perishes – though the value is maintained in the stock you have, so not (intrinsically) lower in time.
Q: Why is data considered valuable? A: Because some stupid didn’t see that supply is endless, and any physical limits hardly apply – data is losslessly [nice word] copyable and producible into infinity, at costs that decrease over time, too. And the value of data decreases exponentially with time, against which ‘enrichment’ only helps in the short term. Who cares what you did some little while ago? [Any criminal act of yours lapses in due time, and that same category of acts by politicians (i.e., many of their acts), too. Just give it enough time and their acts might even turn into heroic acts – the few ones that aren’t forgotten that is.] Even for advertisers, the great paycheck writers qua ‘data’ when discussing value, will hardly care what you did last Summer. It’s like money with presses at full speed, plus ever more presses being put into production – like here.
So, …
Either work on value retention, or on the decrease of production [Hey, you know, privacy ..!? Yes data minimisation will increase the value of what you do keep],
or …
Go out and create as much data as you can, as quickly as possible, and take care to inject sufficient amounts of random noise. Bury the profilers.
Oh well; let’s enjoy:
[Even in the midst of Haut Koenigsbourg, one finds pumpkin spice latte’s godmother. Oh wait.]
Note: You go walk.
Oh yeah, in addition to this [and many others], this:
Note: In-fosec-centives
‘Because’ that’s not a word yet. But one might miss this presentation here, at one’s loss – if only for the return of this little gem:
It is difficult to get a man to understand something when his salary is dependent on his not understanding it. [Upton Sinclair Jr]
If only, not only, semantics [i.e., the things that actually matter, not syntax as much – excepting code where things seem to be in the inverse!], we have many important talking points. Like, nudging solutions [on a scale from true nudges, small and isolated, all the way to supernudges, big blows on many dimensions as society is so complex little local nudges will meet resilience], and the above
that is oh so very true for all sorts of situations in organisationland. Like risk management, that is in its so very required overhaul it seems. Maybe make full and all salaries dependent on change, then you may achieve a little. Privacy, the same [though it is but a subset of infosec that needs the changes anyhow] – nudging, or making the wanted behaviour the easiest [creating resistance against the less-wanted behaviour] already played a sideline role there but wasn’t operationalised enough yet.
Yes one feels a sledgehammer is needed against the incumbents, the crazy ones.
Oh well. Check out the pres, and:
[Great for a museum, to protect the inside. Organisations need to go out, not stay in; Vienna]
Will the AI hype go on(to) Evolve next ..?
After the generic-AI hype will have slowed, and actual generic AI of the Normal kind gets integrated into society big time / you ain’t seen nothin’ yet time, what ..?
Apart from a huge spread of more ML algos than the mere Bayesian and non-linear regression (e.g., this one that I tested in a thesis already back in 1994 – it worked even when I had the feeble CPU power of the day),
And apart from the return of Expert Systems, since once the above starts to be analysed, everyone realises that is what ML does, on a big scale but still,
let me propose:
Evolutionary (genetic) algorithms.
Which is mentioned in this overview, I believe to recall – I’m human, and perfection is boring.
But not enough. Strange, when one considers how effective these are, and how e.g., ‘quantum computing’ actually is only a massively-parallel implementation of this.
To Be Continued …
[Already post-schedule, pre-release: this]
Plus:
[Ah, as designed by evolutionary Nature… was temporarily my Martinique off-site working office… (cabin just off the beach there)]
You’re so non-compliant …!
Since you don’t have the real chapters in place. Not even on paper.
Since those initial chapters of just any standard you can dream of (Alptraum, you know) have the essence, the principle-based stuff. Whereas the latter ‘chapters’ of any standard regard guidelines or even-mere examples for the lazy, of what needs to be done after those initial chapters are working effectively.
Yes, a lot of you may jump directly past the fluff to the annex that has some of the things you understand. The penny-wise stuff. ISO 27001 as a prime example I happen to work with every now and then. Others apply, certainly.
Since for very sure, it is the first few chapters that describe the processes that you need to have (sine qua non), to even be able in the most basic form, to move from unconsciously inept, past consciously inept [I can certainly help with that part!] and consciously able, to … well maybe not unconsciously able – the ideal, but then you lose control, of the ‘provable’ type – but semi-consciously able then.
Only then may you be compliant.
For one, the auditor should, must according to her/his professional standards, only sample, not check in full. The sample(s) are to be determined by the auditor’s risk analysis on your administration. According to the standards that absolutely require one to work efficiently, meaning (s)he does not waste any of her or your money on, what should be, utterly superfluous testing. When an auditor requires ‘all’ the proof to be handed over in a binder (irrelevant whether electronic or not), they a. don’t know their job, b. are non-compliant with their standards, c. try to drive up your cost for no reason whatsoever; where c. may come close to deceit, fraud.
For another, ‘prove me’ is requiring the firing squad convict to pay for his own bullet. Which is among the most immoral things dreamt up in the sickest of minds. Come to think of it … auditors … shouldn’t!… ‘Provable’ means that if asked, one can (start to) produce the evidence immediately. Pre-produced evidence is circumspect hence useless. Why ask for useless stuff, and then not use it for that ..!? Or use useless stuff still, and lead everyone incl yourself astray?
The processes involved, revolve around risk management of the real type – for now – in which business decisions on what to do or not are based on the risks present, mitigated or not. Only if that is done, can one select from the annex those controls that make sense. Yes, there’s tons of non-linearity in that, since the selection also requires to inculcate the costs involved.
Proof that one has implemented all this, is in pertinent records that such weighing has taken place, decisions have been made on the business side and have been signed off by … not some scapegoat like the CISO or so, but the Board themselves. Yes, they might need to know about some nitty-gritty stuff. Bad luck for them, or they’re simply incompetent! They are the ones ultimately and immediately accountable, their heads are on the block – that’s what they are paid for or they get way too much; enormous insurance premiums they fetch? Yes. But not heads I win tails you lose.
(Yes such proof is of the pre-pared kind; can’t be produced on the spot sometimes long after the fact and hence needs to be tested in detail.)
Only when such proof exists, does one follow on via testing of Design, to some sampling of effective implementation (Existence) of the annex-controls. Testing of Design will lead to two things:
1. establishing whether the requirements from the risk business have been translated properly to frameworks of controls and the controls selection was fitting,
2. establishing the very possibility that the controls selected, if implemented to the max of their efficiency, might in principle lead to appropriate risk reduction (Effectiveness, Working Effectively).
Or already, one can point out that the controls selected are (only) fighting yesterday’s war and will fail against today’s and tomorrow’s circumstances – most often, this is the case; certainly when one started at this wrong end by having jumped to the annex too early.
Oh how often [infinitesimally off ALWAYS] does one have no trace of this effectiveness testing of the design. I.e., the auditor does something but not his work according to her own standards! When this were characterised as Fraud, one couldn’t argue against that. Period.
With Existence testing as a final closure thing, and proof produced on the spot. If not producible, not provable. Note that one needs to repeat this only sparingly; the maintenance of controls design and implementation should have been built into the design, otherwise the design is a failure.
TL;DR Yes I’m serious. When the Board doesn’t understand the first couple of chapters of some standard, compliance efforts as resistance against change in the Board and business culture are futile. Auditors involved cannot move onward unless this is fixed.
On the bright side:
[“Hey, the sun’s out so who cares we’re running after the emperor’s new clothes compliance standards?” – yes that’s putting it mildly]