The Waning Age of Compliance

[Madrid; danger exites even if quite balanced, safety kills with boredom]

All raise your hands; who thinks we have reached the end of the Age of Compliance …?
Hmmm, not too many hands. Must be because you’re a totalitarian-bureaucratic lot with the illusion that your underling creeping back into the corner approach is equal to being powerful. Ah, power, the one thing you craved so much, out of uncertainty and frustration!

To be true, the Age of Compliance, in ascendance since before the turn of the Millennium and having had such a nice boost from an utter misreading of completely unnecessary (if not for common law) SOx legislation, has refined itself into all sorts of directions and common cultures in a way that Ortega y Gasset wouldn’t have dreamt of.
Which is how the 1% of power wanted it (read Seth Godin’s blog on Bullies). To subdue the 96% of drones. To corner the 3% of Defectors (read Bruce Schneier’s book Liars and Outliers). To enlist the ethically corrupt that follow orders without thinking, to suppress freedom. To standardize, to capture in process and procedure, to choose the open labor camp over the wilderness of freedom.

Now I’m ranting. But not by too much.

Luckily, like any empire so the empire of top-down control will subside, crumble, deteriorate, degenerate in its corner of bureacratic stall and standstill. The ones that escape(d), the ones that are on their own way to actual newness and developemnt, innovation, will build their next thing.

Yes, the Age of Compliance is waning. Some utopian new societal structure will appear. We still have a chance to let it build alongside the Old without the need for violence and revolution, but it’s a difficult route to navigate between Scylla and Charibdis. Will we manage? Only if we pay attention, to content and development-as-a-project of this New.

Hey, would anyone know of a research institute or research program that keeps track of this all, from a sociological perspective ..?

Interlude: Sing ularity / along

The thought just popped up: What if we’re all already beyond the singularity point, and the transient intelligence of human life has already taken over ..?
No-one is capable of changing the world’s affairs anymore, and it would take all people together to get that done, but getting all people together (including motivating them to band together, to their advantage) will result in all people just doing what they already do.
Since the first 90% of human behaviour is already determined by ultimately (!) self-interest, uncosciously deciding what’s best as fits with the world’s turning as it is today, and the last 10% would then also be captured in conscious deliberation towards rational contribution towards whatever purpose the world’s turning leaves us – which is exactly the play room that the autonomous transient intelligence would leave us.
Just look at how we behave in society; following rules that put us down, queueing up in traffic, standing in line at the shops, working in offices, etc., all tagging along stuck in a rut.
Now, we let algorithms take over the boring work stuff, leaving ever less for us to do or excel in. Even ‘creative’ work is cornered by developments of understanding creativity and shrinking it ever more.

[Ronda, Spain]

So, the current world can already be interpreted as going along its own course and direction, only leaving some wiggle room for the sully us. At least there we have a semi-happy scenario for past the Singularity – but the transient intelligence might improve itself unnoticably to a state where humans are no longer required and (as they already are: l’enfer, c’est les autres; les humains) a nuisance to be gotten rid of. Be warned. Be creative or offed.

The P (part 1, too)

Now then, for the grand Part 1 of the People of Information Security. À la the triangle I posted on earlier (see somewhere below) where the People aspect floats around the triangle like a dense cloud; obscuring your clear view and posing a foggy unclarity threat.
To jot down, there are many aspects of People that we have to deal with, but let’s start with some random unstructured angles:
[Generalife, Granada]

People are a Threat. Externally, they are the actors, not random Acts of nature. No, they, they! the people, the masses (even in Ortega y Gasset style), they exist only to attack us!
How nice if you believe such, how nice to all those that have a sense of community and either don’t care to attack you even if it could be to their (risk-weighted) profit, or even help you, tacitly or visibly, explicitly. How hard do you work to alienate all those, too? Notwithstanding that there are indeed some out there that want to attack you: Have you ever stepped into their shoes to figure out why ..? If (very big if) you really stepped into their mindset, wouldn’t you do the same because by their reasoning, you ‘deserved’ it?

People are Vulnerabilities, on the inside. They are frail, failing their duty-above-all to follow your procedures, excuse me the word F.ck the contributions to the organizational success; your procedures are sacred of course?

People are Means in information security. That’s actually what they are in the People, Process, Technology trio. Vulnerability, and Threat by the way, if they deviate from how you wanted to deploy the resource, but they can also be very powerful ‘allies’ as resource to deploy in information security, information safety [nice idea, to defuse the old phrase], information asset protection. People are the thing (sic) that might follow Process using Technology to achieve protection. People are the ones to task doing to safeguard your information assets. They may not be perfect, but they will for a long time to come be the actual actors and re-actors.

People are psychological constructs acting in sociological environments. I cannot write this often enough: Read and re-read Bruce Schneier’s Liars and Outliers, to understand how these People may operate in your artificial society called organization (oh the wishful thinking in that word…).

People then, will have to be included in security design in the prominent role they have not as an afterthough. They will have to take center stage indeed, as alpha and omega of information security organization.
We’ll have to find ways to really start with People and see how their work may be structured, and how their work may be supported (not the other way around!!) by Process and Technology. Process as a little handy tool, not as the raison d’être – an uphill struggle it will indeed be, but also sign of the times already! Totalitarian bureaucrats beware; the Age of Compliance is waning. See a future blog. Technology as a little handy tool (in big plural), not as the first to arrive and to bolt a bit of Process and very maybe even People onto here and there.
But we haven’t explored such a design direction at all, yet! We have no clue, no metholodogy, no vocabulary, to describe such a ‘design’ …

That’s where you come in; through your comments I propose to crowdsource such a methodology. Be part of it!

First Predictions 2014

[Unfamiliarly, from the West]

What’s up, 2014?

The end is nigh, of 2013. Can we predict what the big business / infosec hype of 2014 will be ..?
No. There’s no predicting the unknown. The somewhat-known will not stand out enough. The known… boring!

The knows are the fall of Fubbuck, maybe Tvitter (both to be replaced by the WeChat’s and hopefully Tumblr’s of this world; will Vine and Snapchat take over?), cloud, BYOD/flexwork, etc.
SMAC: Social, Mobile, Analytics, Cloud. ViNT by Sogeti adds a T of Things.

The Things part, I’m unsure about. Yes, for the long run (i.e., 2-5 years) we will definitely see an explosion. But next year already? It’s the infancy of a sine wave, taking off slowly.

So, my prediction is that the thing we’ll all be talking about as the next thing in 2014, would be … People versus Algorithms.
This was pointed out by some #Coney guy(s), with some lead links elsewhere. But algorithms will not conquer the world in one swallow. Rather, we will see both an increase in the use of algorithms for partial (at most!) data analytics, to support TLA-style use of ‘big’ data both in public and private environments – but also a major development of the People component in tha analysis, a wave of development of specialized functions, methodology and tools, re the human pattern detection and interpretation parts of analytics.

Plus, then a more clear picture of how people and algorithms fit together, as function, profession(s), etc., with spin-off everywhere e.g., the development of a better understanding of how the brain works, how humans work (produce / operate), how to describe the purpose of life. On our way to the Singularity, and Beyond!

In the cave, not hunting

60% of any group of people are conservative. They just want a job, any job, and want to do simple, predictable work. The want to stay in the cave, because it’s dangerous out there; you never know where and when a bear or sabletooth tiger may attack.

40% of people understand that one can be safe by staying in the cave, but one will starve. Food is not in the cave, it’s out there. So, for self-preservation (strategic risk management) one has to go out, well equipped and sober to handle the environment (tactical risk management: listen and look carefully, and Be Prepared) and do some foraging (incl operational risk management; don’t be stupid and taste rotten stuff, etc.).

Nowadays, staying in the cave will not make you safe. Bears may hide in the back of the cave already: no matter how still you sit, headcount cuts are coming and may hit you regardless of your conformity. Or your better-adapted colleague-caveman may prey on you for the little comfort that (performance-contribution-)skinny you may bring to hold out another day. If you’d still have flesh, that would be muscle and you would (could) be the one holding out. Either all in the cave die, or through cannibalism at least a more lean and mean gathering of people (i.e., organization) may survive.
And the world outside changes faster than ever, so the cave entrance is besieged (or walled off!) by enemies taking your turf and starving or enslaving you.

[Toronto, but you knew that]

So, join the 40% and be even better at exploring, be better at being safe without a cave. Be better at risk management. Go out, dare; not running around stupidly but with due care. Enjoy the ever (faster) changing view!

On assumed guilt, innocence to be proven

An interesting piece (in Dutch) on documentation and the requirement to prove innocence under totalitairan presumed guilt: http://www.accountant.nl/Accountant/Opinie/Meningen/Naar+de+bliksem.aspx
How true, the story. Now go apply the gist to your auditees as well! They‘re the ones under presuure, that accountants et al are only starting to feel in the past couple of years..!

And here’s another picture for your viewing pleasure:

IHRM

On the integration of IRM into regular business management just the way HR is (was?).
[Some future blog will be about the Three Lines of (NO!) Defense. Now, about a bit more practical stuff.]

It struck me that information security, lately expanded into information risk management as (peer) part of operational risk management, as part of enterprise risk management sometimes fuzzied into ‘COSO ERM’ babble, still has difficulty to be understood to not be a separate function that can function apart from the rest of the business (‘their infosec corner to take care of their things’) but be an integral part of everyday management (and operations) just like e.g., HR.

Yes, HR is also still a separate function – for the parts that can be handled separately from the business as usual in other departments. Payrolls can be processed (almost) without knowledge of any primary business processes, or secondary processes for that matter. Apart of course from entry/leavers, etc., but that’s detail.
But HR is also very much integrated, the way it has always been. Optimising (sic; not maximising) the performance of the resources that are human (are they; are they considered such ..?) has since the inception of the idea of organizations, always been with management. Through target setting, through performance evaluations, through facilitative management. Not through micromanagement as you rightfully point out; that has no place in any organization.
All the core, direct HR tasks that are performed, are performed directly by (‘line’) managers. The less separately recognised as such, the better. Just manage!

How come, then, that IRM doesn’t take the same approach ..? The major part of simple information risk management (as is the major part of all risk management!) can and should be performed by those actually dealing with the information; employees and their management. How is it that managers generally understand that part (*) of their role consists of various HR chores, but information asset protection (and information asset performance optimalization..!) doesn’t, yet?
(*) Depending on how your organization works; when dealing with knowledge workers, the facilitative part of HR may form the core of managerial work altogether.

Yes, well, indeed managers may on the average be insufficiently educated to be able to deal with information risk management within their normal duties. But ‘we’ should solve that. And almost no manager whatsoever was trained to be a manager in the first place! No, certainly also not the business school types. They learn a few bits and pieces of administration, which is something very different. The military (cadres), they learn something (little, simple things, but apparently sufficient to work with many subordinates in life-threatening situations – don’t insult by assuming your organization can even compare to that kind of managerial challenge). But in general: No. That’s why military cadre finds it difficult to settle back into management positions in civilian society: The level of incompetence (they have to work with) is staggering.

And they our common managers may not have been provided with the appropriate methodologies and tools to do that. But ‘we’ should provide those. Work In Progress, but the distance to cover is so enormous.

And here’s a picture for your delight:Madrid, perspectives: where you stand, where you look at.

So, by education and methodology/tool provision, we can indeed bring information risk management back into the main line of management.
But so much work to be done! and rest assured that for decades to come, IRM will have its place as a (staff) department. HR hasn’t gone away quite yet, has it ..?

Comments appreciated.

Interlude: A Mistake made Policy


How a mistake made it to governmental policy…
[Though the above Toronto skyline’s just for your viewing pleasure, unrelated to this blog]

These has been quite some discussion about a thing called the Plan-Do-Check-Act cycle. Rightly so, since ever since Deming’s groundbreaking work on quality control WITHIN small shop floor level work groups, the understanding of the practical trade of small-group (self!)management has flourished.
But alas! So many sorcerer’s apprentices have ran around like lemmings. And have followed the ill-guided amongst them, over the cliffs edge. They have mixed up Deming’s quality improvement cycle with the generic process control cycle, later applied to administrative management ..!

The disastrous consequences we still have to work with. The demise of management as a craft, the attempts, failed by default from the start, to scientifise management, the blindness for the utter contraproductivity, all can be traced to this error of application out of an error of understanding.

Know your history: The control cycle has its origin in (chemical plant) process control, or even in generic control as elaborated in applied cybernetic systems methodology. Inputs, (mathematical!) transformation function, outputs, and a (mathematical!) first derivative control (signal) function; feed-forwards, feed-backs, input- and output-based signals, multiple levels of these control cycles, it should all be familiar but isn’t, on a pervasive scale.
Which is a pity because it leads to dumb, stupid, design of control cycles and the inclusion of Deming’s quality (improvement) cycle as the name-giver of the resulting management control efforts. Which in turn has led to the stupidest efforts to fit management control actions and controls into the Plan (feasible; most ‘control’-related work stays there, luckily given the dumb and dumber practitioners around), the Do (awkward! managers don’t Do anything at all in Deming’s Do sense!), the Check (auditors’ delight but NOT what Deming intended), and the Act (not understood at all, in the mix-up it’ll be wiped under the Plan carpet!) phases.

But so many wrongs don’t make a right.

Putting the two models together into this atrocious mix, leads to heaps of management babble and a destruction of sound management practices at the hands of culpable consultants (external or internal). The utter waste of money, the utter demise of anything actually productive!

And now the mistke [not intended but I’ll leave it there] reaches its peak: PDCA will be required by government directive as a design principle for (management) control! [In the Netherlands, always preaching against someone else’s sins]
What a failure of administration: To unknowingly admit so publicly one’s incapacity at the scale of an outright sackable offence (by the many that go along with this, too!).
Now, can we all please move forward the consequences of the pervasive sackabillity ..?

Trust statistics

“Never trust any statistic that you haven’t forged yourself” as Winston Churchill put it.

With today’s tools, computing capabilities and speed, why wouldn’t accountants draft their own annual accounts statement of their clients’ accounts ..? These could then be published alongside the ones of the clients themselves. The differences would be transparent to investors, and when (not if I guess) the clients can explain the differences to their stakeholders, there’s no pain in anything.

When accountanst would complain that it would be impossible to re-do the annual accounts, they only claim their incompetence. If they truly understand what’s on the books, really understand the underlying processes in every detail required (and note, this would be a very, very hard requirement already!), they would have no problem at all to recreate the sum total of it all. Or they end up with apparently differing interpretations of the processes, and may explain to stakeholders.

So, either the accountants go do this or they declare to not know nearly well enough what they’re signing off. There’s no in between.

Double blind

Just a question: Would anyone know some definitive source, or pointers, to discussions either formal or informal, on the logic behind double secrets i.e. situations where it is a secret that some secret exists ..?

Yerah, it’s relevant in particular now that some countries’ government seems to have failed to keep that double secret completely, but should be more systematically dealt with, I think, also re regular business-to-business (and -to-consumer) interactions.

So, if you have some neat write-ups of formal logic systems approaches, I’d be grateful. TIA!

Maverisk / Étoiles du Nord