
Symptoms of Failure

Or, how your average compliance isn’t any good.

Y’all understand that compliance has a purpose. IAOI, i.e. if and only if, you comply with Principles, you comply. Anything you need as guidance, nay hard requirements, in detail ‘below’ that means you have no clue about the principles, and hence cannot comply with them [consciously; otherwise it’s an unnoticed accidental accordance, happenstance gotten, easily lost]. Only iff you can discourse at the principles’ level of moral reasoning, in your explanations too, do you have a chance of doing it right.

Otherwise, the very penny-wise and pound-foolish compliance with trivial rule’lets will deliver any effort to /dev/null. Sigh; if you need this explanation, you’re doomed, squared.
And if you’re in Compliance (i.e., in Audit – NO, if you live in this world, that is not different!) and push for the penny-wise, you are not only part of the problem, but also fighting symptoms, not (root) causes, the latter being the malformed morality. That malformed morality being as described here; hint/spoiler: it’s about money.

Just read, nay study, Musil and Aristotle, plus Power and so many others, and you might just Get It. Oh, [edited to add after scheduling, before posting]: this story. Worth the somewhat-long read ..!
For the time being, …:

[At the Zuid-As, you’ll fit right in – the picture isn’t edited even, it’s no collage but the original ..!]

Venn for People – Process – Technology

Hey yeah you know, it’s still quite (too) popular to talk about People – Process – Technology when it comes to control types in the IS risk management / audit corner of the universe.
If you think about it … keep in mind that these factors are almost always presented as nearly disjoint things. With maybe an overlap, but not too much. In terms of Venn diagrams, almost three separate circles. Sometimes three completely, and deliberately, separate circles, joined by wide edges with borders, like pipes.

Because pipe dreams. Of the legal kind now, in Canada. Keeping the three corner spheres with the P-P-T text on them separate. Think PPT indeed: boring outdated graphics, and useful content, not so much.

But then, when sober, one realises that in fact such pictures don’t say much, since the overlap is huge, near-complete. If one thinks of controls, all three factors apply in one way or another, almost without exception. …

Hey, I don’t assume everyone has forgotten about Siva [see Annex], right ..? You can easily see how this method leads to ‘integrated scope and purpose’ controls/requirements that conceptually satisfy my idea of ‘integration’ of the above three elements. Overlap as default; exceptions may apply.

So, only when the controls towards a given control objective cover all three aspects of P-P-T can effectiveness, even theoretically, eventually be achieved.
Edited to add: Seek to mitigate weaknesses in one aspect of any control with controls that are stronger in the other aspects. Otherwise, the Swiss cheese model applies [however critiquable that has become… more on that later].

Leaving the circles idea to:

Architects’ mess cleaning

By which I mean
a. The architects that deal with any organisation’s data, systems and IT architectures, aligned with the business. Ideally.
b. The mess being the über-complexity of the current, actual architecture that many organisations have ended up with.
c. The cleaning, or the wiping of Augeas’ stables [not his ass].

The latter seems to be problematic everywhere; one just doesn’t know where to start, or how to beat the head start of the chaos that continues to deepen, Mandelbrot-set style, at ever increasing speeds [sort of; let’s not overly FUD here].
Which made me think of a Giant’s ideas on coping with the complexity of organisations: four directions of coping mechanisms. These may be translatable to the ‘architecture’ world (! that will have to be done in deep, deep style, not just find&replace of some terms). Just have a look at the summary here, or dig up the original. And study. And study some more. And study hard. Then, maybe, see what I was aiming for.

Then, you’ll be ready for:

[What a monument; the Aubette, Nancy]

The End-Game Plot of 3LoD

When dreamt up, the Three Lines of Defense model was a Program ….! Yes it was, or you missed the inception.
Now, 3LoD is a scam. Like here, remembering this, and a partial solution here. Just browse around on LinkedIn and other environments and you’ll see your favourite thought leaders agree [if they don’t, you have some updating to do in your ‘favourite thought leader’ department, too], and the eggheads disagree.

But then, one can return to the Program idea, being one that is Finite. If that is too difficult: It has an end date.

Which means you can do away with at least one line of def [more deaf than def].

The second, I propose.

Almost all of it was intended, and should have been designed, to be in the first line anyway [see the above link on vertical, and here]; the second line being there for the initial build and then transfer to the first.
And the rest can easily be moved to the ‘third’ line.
Not only by using ‘agility’ ‘only’, as here, and here [nice rip-off of your competitors’ ideas …], and here, but also by taking the following into account:


Which, when you think of it, leads to the 3rd Estate doing all these things, resulting in

The third line being the Intelligence Unit on Controls. Like the G2 is in the military. But then, for Controls only; very only the lonely. Running in circles of controls monitoring, at any scale, and recommending improvements [also at any scale, which does include the risk tooling, control and management in the 1st line].

I think I’ll expound on this one a little [a huge little, I guess] in a short while. Oh, and in the meantime, don’t forget to update yourself with the latest, clearest thinking on the 1st line here (again-link).
For now, I’ll leave you with:

[The style of tower you’ll need to lock them up in; Figueres]

Flawed RM models – simply put

Oh, re yesterday’s post on how flawed risk models are not a problem or so [since it’s all we have, etc. etc.], the following:

[Courtesy of Alexei Sidorenko for remembering this]

Besides, this post also needs much, much, much more attention.

Need more convincing? Happy landings!
… For all those that want to see a tram, not something else …:

RM with admitted-flawed models

In preparation for a post later this month, about the ‘usefulness’ of risk heat maps …

Against the most basic common sense, some people [most of those working in the areas where this should matter a lot, near life-or-death levels of a lot, e.g., banking supervision and compliance] still hold onto ‘heat maps’ and similar outright oversimplification.
Even when it is pointed out over and over again where the errors are, these people seem not to see them, and cling onto what they received from … some others, equally flawed in their prefrontal cortex but with apparent authority for no detectable reason. The argumentum ad baculum… Just because someone has a big stick doesn’t make that person right; look at all the dictators around the world, almost all the continents have at least one (and I don’t mean Mexico or Canada).
David Freedman (as cited in Nassim Taleb’s The Black Swan) listed their standard arguments for still using the flawed model(s), despite their stupidity. Typically, your (?) standard arguments. I’ve added some rebuttals:

  1. Yes we know all that. Nothing’s perfect.
    But if something is completely bonkers, built on quicksand, you will sink with it.
  2. The assumptions are reasonable.
    No, they’re not. And as if that would be enough: the model is still nonsense and has nothing to do with reason, let alone reasonableness.
  3. The assumptions don’t really matter.
    [Ah, the flip side of the previous one; so you acknowledge that one was nonsense.] So why have them, then? Or admit they do matter, and you had better have the right assumptions, and have them right and met.
  4. The assumptions are conservative.
    Conservative to which side? Why not use best-estimate assumptions?
  5. You cannot prove the assumptions are wrong.
    No, you prove they are right … Ah, you fail systemically there. For a reason. And I don’t need to prove anything about the assumptions, just show that they’re the wrong ones.
  6. We only do what everyone else does.
    ‘Everyone’ it isn’t, and a lot of people [way too many, as it is > 0] commit suicide – I don’t encourage it, but if that is your wish… ‘Everyone else’ is no guarantee of reasonableness; you don’t even know what everyone else is doing, and when you do know they’re doing the wrong thing, why follow? You’d jump off a cliff if they did? And then find out they came prepared with parachutes, maybe.
  7. The decision maker is better off with us than without us.
    No. You actually mislead the decision maker, which is an offence and may constitute fraud.
  8. The models are not completely useless.
    Yes they are. Otherwise, you could pick the parts that are not useless and glue them together, adding not-useless parts as needed. Since you don’t, you have models that are useless.
  9. You gotta make the best of the data you’ve got.
    When that’s not enough, it’s simply not enough. When the decision maker jumps off the cliff as you propose (s)he should, having a handkerchief doesn’t substitute for a parachute, even if (s)he’s making the best of what (s)he has available. And the error is yours; see item 7.
  10. You need assumptions to make progress.
    You need valid assumptions. That would completely obliterate your models (or rather, their validity). You don’t need to make progress: not in the Wrong direction you take when using flawed assumptions, nor at all once you’ve crafted a valid model (which you didn’t).
  11. The models deserve the benefit of the doubt.
    No. Why? If it is demonstrably False, it deserves no life.
  12. Models and assumptions don’t do any harm, so why bother …?
    Oh, they do do harm, a lot! They wreck organisations, hence they wreck the lives of countless employees and their families, for at least two generations.

So, let’s not pretend procrastination is a good thing or so. At best, you are stumbling along. Change, or fall.
On the positive side:

[You may end up as a piece of Art; Zuid-As Ams]

An Economist is Wrong

And I don’t even mean one of those who think descriptive science can turn into normative science in a twitch.
I actually mean an Economist article. This one.
[Edited to add a week later: vindicated]

Q: Why was oil so valuable? A: Because it took money to produce, and supply was limited, both at any moment and in total global possible availability; even if almost all of the earth consisted of oil, it would still be a finite physical amount with exponentially rising production costs. The oil you burn is lost forever, so even your current stock perishes – though the value is maintained in the stock you have, so not (intrinsically) lower over time.
Q: Why is data considered valuable? A: Because some fool didn’t see that supply is endless and physical limits hardly apply: data is losslessly [nice word] copyable and producible into infinity, at costs that decrease over time, too. And the value of data decreases exponentially with time, against which ‘enrichment’ only helps in the short term. Who cares what you did some little while ago? [Any criminal act of yours lapses in due time, and so does that same category of acts by politicians (i.e., many of their acts). Just give it enough time and their acts might even turn into heroic acts – the few that aren’t forgotten, that is.] Even advertisers, the great paycheque writers when ‘data’ is discussed in terms of value, will hardly care what you did last summer. It’s like money with the presses at full speed, plus ever more presses being put into production – like here.

So, …
Either work on value retention, or on decreasing production [Hey, you know, privacy ..!? Yes, data minimisation will increase the value of what you do keep],
or …
Go out and create as much data as you can, as quickly as possible, and take care to inject sufficient amounts of random noise. Bury the profilers.

Oh well; let’s enjoy:
[Even in the midst of Haut Koenigsbourg, one finds pumpkin spice latte’s godmother. Oh wait.]

Note: In-fosec-centives

‘Because’ that’s not a word yet. But one might miss this presentation here, at one’s loss, if only for the return of this little gem:
It is difficult to get a man to understand something when his salary is dependent on his not understanding it. [Upton Sinclair Jr]

Beyond (not only) semantics [i.e., the things that actually matter, not syntax as much, except in code where things seem to be the inverse!], we have many important talking points. Like nudging solutions [on a scale from true nudges, small and isolated, all the way to supernudges, big blows on many dimensions, since society is so complex that little local nudges will meet resilience], and the above quote,
which is oh so very true for all sorts of situations in organisationland. Like risk management, which is in the overhaul it so very much requires, it seems. Maybe make all salaries fully dependent on change; then you may achieve a little. Privacy, the same [though it is but a subset of infosec that needs the changes anyhow]; nudging, or making the wanted behaviour the easiest [creating resistance against the less-wanted behaviour], already played a sideline role there but wasn’t operationalised enough yet.

Yes, one feels a sledgehammer is needed against the incumbents, the crazy ones.

Oh well. Check out the pres, and:

[Great for a museum, to protect the inside. Organisations need to go out, not stay in; Vienna]

Maverisk / Étoiles du Nord