SwDIoT

Recently, there was yet another exepelainificationing of ‘software defined networking’, along the lines of separation of the control plane from the data/content plane (here).
Which ties into a core problem, with IoT the subject of this post: Integrity.
Yes, confidentiality may be an issue, but singular raw data points themselves often are too granular to actually steal any information from. And Availability is of course also of the essence, especially in ‘critical’ systems. But te main point of concern is with Integrity, of the system in a wider sense, but also in the smallest sense.

Take Stux … Integrity breach as the vector space, spanned along a great number of dimensions.
Objective: Degradation of the information value; increasing the variance to a level where noise overwhelms the R2 of the signal (however far from log2(n), big if you understand), through degradation of the (well, original) software integrity.
Path: Introduction of intentionally-faulty (?) software. With use of of, probably, penny-wise correct IAM, being pound-foolish at the medium level. I mean, the level where human and other actors are unwitting accomplices in planting da bomb. That’s what you get by simpleton top-down compliance with just about every thinkable rule: To do any work, underlings will devise ways to circumvent them. And, adversaries will find, see, avenues (that wide) for riding on the backs of the faithfully compliant to still achieve the objective.

But OK, back to … separating the control plane from the data plane. Bringing a shift in efforts to disrupt (no, not of the mehhhh!! destructive, economy-impoverishing kind but in the actual signal degradation kind) from just-about any attack plane down to, mostly, the control plane. That may seem like an improvement, de-messing the picture. But it also means shifting from a general, overall view of vulnerabilities to the core, and a core which is less tested or understood, and harder to monitor and correct, than previously. Or is it ..?

So, if we take this Software Defined to IoT, we’ll have to be careful, very careful. But yes, IoT is constructed that way … With signals to actuators that will result in altered sensor data feedback. Know the actuator signals, and the actuator-to-sensor formulas (!), and you’re good to go towards full control, with good or bad (take-over) intent. Know either (or how to get into the sensor data stream), and at least you can destroy integrity and hence reliability. [DoS-blowing the signal away in total blockade or grey noise wipe-out, and your cover is blown as well. Is a single-shot or semi; you may want to have full-auto with the best silencer available…]

Hm, the above from the tinkering with the grand IoTAuditing framework promised… To turn this all into a risk managed approach. Well, for now I’ll leave you with:
DSCN3214
[It has a glass floor up in there, you know. Blue Jays territory, ON – and yes, a very much sufficiently true and fair horizontal/vertical view picture, according to accountants]

Morozov’s no joke

Just a vey few:

“The fear of appearing inauthentic, of being a fake, has propelled nearly as much technological innovation as pornography.”

“But Adorno does have a point: authentic things are not necessarily morally good, and morally good things are not necessarily authentic.”

“In this, the authenticity rhetoric of Facebook is strikingly similar to the public debates in 1950s America over whether uniformity (everyone living in mass society is essentially the same) was a greater sin than conformity (some people adopt ideas, habits, and beliefs only to get along). The latter, the conformists,were seen as phonies who chose to be someone else; the former, those who were uniform by design, were seen as the real phonies – as people who thought they were making choices and being their unique selves, when in fact they were anything but.”

Worrying about usability – the chief concern of many designers today – is like counting calories on the sinking Titanic.”

The goal of privacy is not to protect some stable self from erosion but to create boundaries where this self can emerge, mutate, and stabilize.”
“Digital technology has greatly expanded the windows and doors of our own little rooms for self-experimentation – but we are now at a point where those rooms are on the verge of turning into glass houses.”

“Given the complexity of the self, trying to reduce the privacy concept to a purely utilitarian framework is like steamrolling a statue to capture its essence in the simpler space of the two-dimensional plane.”

Oh how many more such insights are there, to Learn. And weep. For that:
DSCN5410
[Yes, Gettysburg battlefield. Ominously.]

Seamless complacency, rise of the crackers

Yes, seamless integration as, e.g., pursued by the likes of Appl, may polish some edges of the roughness of the world. OMG! I have to turn this plug over to make it fit! The horror! Why didn’t someone fix this!?
Such, to be shipped to the battlefields of the Middle East and Africa, traumatised at the bus ride already.

And, the consumerism, the ultimate ideal of marketeers and Silicon Valley alike, will bring both down crashing. Because the ideal of consumerism everywhere, will also, does already also, pervade education, leaving (achieving its goal at) numb drone consumers – that have no means of income as they’re too mediocre at far too low a level to have any differentiating value (of potential (work)); a vicious circle – that will not be able to see value in services offered but moreover are incapable of building the Next Thing of even maintaining the old.

That will be left to
a. The ever shrinking (!) money(sic)-mostupper class. Not true class!
b. Crackers.
a. This of course, till the exponentially spiraling competition of the money hierarchy will result in < 1 slot, in the end.
b. This of course, since there will be renegades, outcasts, that go their own way. And will be legion. As they drop out, are brute- nuclear-force pushed out of the consumerist lowest classes. Suddenly, have to be resourceful – and (t)hence go after the resources… Only outcasts will see the porous base of the systems stack and hack their way into it. Cultural abandonment leading to … this, you know.

Ah, lessons …? Don’t Be Evil, and Be Prepared. To abandon. ..?
Whatever, there’s still:
DSCN1118
[Metropolis… La Défense, many years back]

Span (out) of Control

How is it that for a long time we were used to managerial spans of control being in the 5‑to‑10, optimal (sic) 8 range, whereas what we had in the past couple of decades so often was spans of control in the 2‑3 range ..? [Duh, exceptions and successful organizations aside…]
Because I came across some post on Forbes where there’s an early simple statement that a span of control of 10 would not only be normal, but outdated as well, as the span could be at 30. Well, I doubt the latter, as this would conflict with a lower ‘Dunbar’ number which indeed is about 8, with ramifications for informal control as outlined in Bruce Schneier’s Liars and Outliers.

Oh yes now it springs to mind the 8 figure was developed by the military, the ultimate built‑for‑survival organization, through the ages to be the optimal span of control, aligning with the apparently natural Dunbar number. It was then taken over to business for its apparent effectiveness, and its apparently attractive all‑business‑is‑war metaphor – where the attraction is there only for those not really exposed to the gore of war, I guess. From which the fearful, the accidentally pushed into management roles clueless managers, tried to do what they thought was the gist of managerial literature: fight all uncertainty that might threaten your career. Through micromanagement, through requiring all data to be reported. Not to use it wisely, but to just pretend to be in control. And, if you don’t understand, just do with less direct reports to shrink what’s coming at you.

[Intermission:
DSCN2260
That man on the pole was quite a good leader it seems.]

But whether it’s 8, 10 or 30, the optimal span of control clearly is larger than the common today’s practice. Which has implications:

  • Too low a number will inevitably lead managers to seek to have something to do. Busywork, in their role leading to excessive micromanagement (yes pleonasm but on purpose) and/or excessive meeting behavior, in particular with their underlings and/or likewise trapped colleagues. A bit like an AA group. Which burdens the underlings by taking time away from actual content work and creating the need for action item lists and reporting blub. Thus losing time off colleagues with all sorts of, what actually is, whining.
  • Too low a number and the micromanagement leads to extreme (far overextended) controls burdens on the ones who’d actually produce anything of value. Instead of producing (net) negative value with all their externalities that managers may commonly do. This burdening then leads to ‘process’, ‘procedures’ etc., to ‘standardize’ (otherwise, understanding of actual content would be required; the horror for petty middle managers!). Thus hollowing out even further the value of any work done. As in the abovementioned Forbes article; the Peter Principle will reign.
  • Too low a number and the standardization will drive out the creativity (required in customer service and in product/service design, production and delivery). Where that is ever more essential than before to counter the ever more changing environment. As I typed this, this article arrived…
  • Colleagues (or rather, underling staff) will be demotivated due to having less and less time to do the work they’re assessed and valued for by the organization, and having to produce ever more TPS reports for overhead purposes. This will bring down performance, both directly and indirectly. And by the way, all the controls will also suffer by staff demotivation leading to less effectiveness or even full evasion. With equally rising risks for performance.

An extension to ten, or even twenty or thirty would be very well possible as well, in these times of massively improved information and reporting options. The latter aligns quite well with the increased need to at least have a little oversight left.

Though that would require much more empowerment (again) of your employees. That are the knowledge workers par excellence, right? If you don’t have those yet, you may have an entirely different but even more pressing problem… Have the real knowledge workers left, don’t they want to join anymore, or have you unconsciously but actively numbed them into sully drones? Whatever the cause, the real knowledge workers know better than their manager how to do their work – that’s why they do it and not the manager. If it were the other way around, it would be beneficial for the organization to have the manager do the grunt work. And no, micro management is something else.

The empowerment should go hand in hand with different styles of leadership, direction and oversight. Not based on ‘objectives’, made ‘smart’(not) for Pete’s sake, but based on truly smart KPI’s that leave employees room to do their business in ways they see best fit. Not rails, but guiding rails, and no yard-by-yard route directions but some A and B and a road (?) map. Or, well, a good navi system – or would you the manager want to pull the steering wheel for every correction? Reporting can similarly be made smarter anyway, or is that wishful thinking. In times of smart analysis with big data or not, this should be feasible.

And keeping just a little oversight is enough already for a good manager, and quite different from total(itarian) ‘control’. The former is needed to lead and direct, the latter is paralysis through total suppression and denial of a capricious reality.

And oh, for the record, some form of hierarchy will always be needed, even in fully horizontal network organizations with 360° feedback and what have we. Just re-read Flat Army by Dan Pontefract; without collapsing to a free‑for‑all hippie group, there are quite many ways to manage more humanlike. There just are so many ways to flex- and telework from home or anywhere, and a mature manager and her/his organization will pay for performance not mere attendance over performance.

So yes, we all need to focus on upping the number. To counter stalemates. To counter bureaucracy heavens. To regain flexibility. Still, still, this could only work IF, very very big if, ‘managers’ (not to address actual managers, that I value enormously!) can loosen their frantic, fear‑of‑death‑like Totalitarian Control and compliance attitude. Which I doubt. Maybe we should start to let such managers pursue other careers elsewhere, those that are specialists in sticking to their own chair by sacrificing all capacity and performance in times of cost savings. Then, the ones that are not good at that because they really try to achieve something for their organization wouldn’t have to be let go by the numbers and restore some positive balance of managerial capabilities.

But then, organizations relying on the control freak managers (whether already or after they will have crowded out the actual managers via the Peter Principle and acolyte behavior) will lose out to the upstarts that do keep the mold out. There’s hope.

Total priv’stalking

Errrm, would anyone have pointers to literature (of the serious kind, not the NSFW kind you only understand) regarding comparison of real physical-world stalking versus on-line total data collection ..?
No, not as some rant against TLAs but rather against commercial enterprise than not only collects, but actively circles around you, wherever you go. Giving you the creeps.

Because the psychological first response is so similar, can it be that the secondary behavioural response / adaptation is similar, in self-censorship and distortion of actual free movement around … the web and free choice of information ..?

And also, whether current anti-stalking laws of the physical world, would actually work, or need strengthening anyway, and/or would/could work or need translation/extension, to cover liberty of movement and privacy-as-being-the-right-to-be-left-alone i.e., privacy as the right to not be tracked, privacy as the right to anonymity everywhere but the very very select very place- and time(!!)-restricted cases one’s personal info is actually required. Privacy as in: companies might have the right to have their own information but not the right to collect information of or on me (on Being or Behavioural) as that is in the end always information produced by me, through being or behaving. The (European) principle still is that copyright can be granted, transferred, shared out in common parlance by payment for use (or getting paid for transferring the right to collect such payments) i.e., economically, but not legally; the actual ownership of the copyright remains with the author!

See why I excluded the TLAs ..? They may collect all they would want but not use unless on suspicion after normal-legal specific a priori proof; that’s their job. No officially (…) they may not step outside their confined remit box, but they do have a box to work within.
Now, back to the question: Please reply with other than the purely legal mumbo-jumbo that not even peers could truly understand but just babble along with.

In return, in advance:
DSCN0535
[Foggy (eyes), since in the olden days, probably never to be seen again; Bélem]

Non-Dunbarian compliance

Just a note that the world is in great need for more on Dunbar’s numbers in antidote to totalitarian-bureaucratic compliance efforts.

go-on-gif
Nah, wanted to, but have more urgent issues to discuss. E.g., tomorrow. See you then!

The beauty of variance

Oh why did we think that mere straightforward compliance with one definitive set of rules (however principled, or detailed) would achieve anything worthwhile ..?

Why didn’t we consider the inherent, innate beauty of variance and variation, beyond mere secondary usefulness in resilience/robustness ..?

Because reasons. The perennial one being Fear, probably. Fear of uncertainty. As there’s downside risk in that. Where all the risk management still focuses on. Yes, no, no denying that; all models still have any ‘impact’ of any ‘event’ as a single negative number. If (in the every-part-but-when sense) we would inculde positive, good possibilities and outcomes to count as well, wouldn’t we end up with zero average impacts in many places ..? Like the great many places where non-compliance is conscious just because the enterpreneur wants to achieve something worthwhile hence other than compliance ..?

But what if we turn risk management into the brushing off of the rough edges of beautiful sculpturing that enterpreneurs and true managers do ..? Chiseling away grey/gray unusable material to keep the beuatiful statue that was in the stone already to be released ..?

Those that want nothing to bloom may await nothing but their ignomous and insignificant death. In the mean time, don’t bother the one sthat want to achieve something, please.

After which I remind you: That’s all secondary talk. Primarily, seek the beauty of variation for its own richness. Hence:
000021 (9)
[The view from my field office, once. Y2K was a party on St. Lucia…]

Partially compliant: as a solution

I was recently informed by a respected colleague in a peer-to-peer discussion (see; they’re useful!) about a development of his in the Compliance arena.
About not having just one single Statement of Compliance that all too often wipes deficiencies under the rug for the sake of agreement everywhere. But having two, one on (first-lines’) management awareness of deficiencies as things to actively manage and actively discuss with second and third lines, and one on abstract, ‘anonymous’ no-blame control effectiveness.

So, when the Three Lines of Defense would actually work (yes I’ve ranted against that on this blog frequently as the simpleton approach inherently can’t work!), first-line management can provide their own list of control deficiencies, and the second and third lines can only confirm and not add much of at all. Then, the first line is in control (all is well and/or known-and-WIP), over their own stuff. Hence, awareness ✓ effectiveness X. When the first line doesn’t have much but the 2nd/3rd lines add quite some (other) things, awareness is X and effectiveness is undetermined. Only when the first line doesn’t have much and the second/third lines cannot add quite a few things, will awareness be ✓ and control effectiveness be ✓

Which sounds like a far better, and in practice far better palatable approach than just one messy jumble-together undetermined opinion. For which I leave you with:
DSC_0030
[The bus buck stops here at this chaotic (?) shelter; Aachen. In Control statement: similar]

Effectiveness or Compliance

In assessing ‘compliance’ of your … [fill in the blanks and then colour the picture], do you actually go for correct set-up and design, and operating effectiveness ..?
If so, you’d be ready when the design is suitable.

Though a great many of you would still consider operating effectiveness proven by repeated measurement and establishing everything runs smoothly according to procedures, including the capture and re-alignment of exceptions.

But you would be wrong. That’s just verification in the weakest form.

Actual operating effectiveness would have been dictated (meant literally, not ‘literally’-figuratively) by an appropriate design. The design should be such that there is no way in which, e.g., any transaction could escape procedures, ever.

Which would require very careful study of procedures, the result of design. Which would fail when the design wasn’t aimed for totalitarian control. Which is the case; the design almost always is focused on obtaining the most basic of functionalities of a system – that includes catering for some exceptions, the bulk of the foreseeable ones; at most – not capture all and everything as that would indeed be impossible ex ante. Hence, the inherent impossibility of total operating effectiveness. There’s always unheard-of, thought to be impossible exceptions at the lowest levels of detail. (Let alone in the infrastructure on which any system would have to run, at about all abstraction layers of ‘system’ that one can study.) And there’s Class Breaks, and penny-wise but pound-foolish type of ‘exceptions’ at higher abstraction layers (all the way up to ‘the CEO wishes this. He (sic) only has to wish for it to be done already’).
So, already in the design phase, you know to fail at Operating Effectiveness later, however perfect you think you’re doing. And you delude yourself further if you’d think that the design will be implemented perfectly. On the contrary, in the implementation the very reality will have to be dealt with, where the nitty-gritty will derail your ideas and something that is a bit workable at all, will be the most you can achieve. Always, ever.
Hence there too, you lose a lot of ‘perfection’.

Whihc may show in operations or not. If you don’t look careful enough, you might arrive at a positive conclusion about somewhat-effective control operations. That has little to do with effective operations by the way; the latter (client service) being greatly disturbed by your ….. (insert expletive describing subpar quality) controls.
If you look careful enough … you don’t even have to; just point out where controls didn’t operate effectively and qualify that as total SNAFU.

Oh yes, in theory (contrasting practice) it just might work, by having all sorts of perfectly stacked control loops on top of control loops (as detailed here) but these have their leakage and imperfections as well and would have to be infinitely stacked to achieve anything approaching closure so nice try but no cigar.

Conclusion:
Set-up/Design and Implementation are everything, Operating Effectiveness follows: OE fails logically.
ISAx Statements Type I or II: Logically inherently deficient hence superfluous money- and paper waste.
Revert to Understanding and opining on your guts. It takes guts, yes, as risky as that is, but pretension of logical reasoning and/or sufficiently extensive proof-of-the-pudding auditing (on the paper-based pudding …) cannot but fail: Non-compliance found: negative rating; no non-compliance found: failed at the task.

I’m done now. For you:
DSC_0016
[Just a side corridor, neatly controlled (for!) decoration]

Middle secretaries

Two points to make:
* Middle management will be.
* Secretaries should be.

The discussion regarding middle managers being superfluous or not had a slight uptick the past couple of months. With the latter voice having been a bit too quiet. Yes, middle management is under threat. It has always been; only the (history-)ignorant will have missed that. And Yes, all the Disruption things and similar empty barrel half-baked air by a lot of folks who have hands-on experience in the slim to none bin with (real) management altogether let alone this kind, have predicted over and over again that the disruption by Server-with-algorithm-app-that-schedules-day-laborers will make middle management redundant, as the believed task was only that.

Quod non. And as if just an algorithm will capture the full complexity (and incoherence, inconsistency, internally and externally contradictory ..!) of the requirements and work of the middle manager.
OK, we’re not discussing the drone administrative clerk that has Manager on his card (huh?) and sits in an office passing top-down orders and bottom-up reports back and forth. We’re talking the real, 24/7 problem firefighter here. The coordinator of chaos. The translator of lofty (other would say, ‘airhead’) ‘governance’ (quod non) mumbo jumbo into actual work structure and tasks, and translatereporting back. That survives and in doing so, shows great performance. The other ones, will be weeded out anyway, every time there’s an economic cycle downturn. [If the right ones would be kept, and the wrong ones ‘given growth opportunities elsewhere’. Seldomly the case; offing is by the fte numbers, and the wrong ones have being glued to their seats as their core competence, through sucking up or otherwise.]
So, the middle manager stays for a long time to come as (s)he does the kind of non-predictable work that will remain longest. If start-ups don’t have them, see them grow: They will.

Secretaries deserve a come-back. In similar vein as above, the vast majority of managers office clerks (from the shop floor (even if of knowledge workers…) all the way to near the top) these days have to do their own typing, scheduling, and setting up socializing things. Whereas before, economies of scale were many, and there were additional benefits because the good (sic, again) secretaries would e.g., know the best, unrenown restaurants all around and could get you a table even when they would be fully booked, and they would manage (massage away) some internal friction as well, often very discreetly and efficiently. Now, vastly more expensive (by hourly rate, productivity (think switching costs in the managers minds …, and utilisation), cost of ineffectiveness (sic again) and opportunity costs re their actual objectives (if these would be achieved; good/bad manager discussion again)) managers must manage their way around. An impoverished world it is indeed.

To bring back some joy:
DSCN8592
[Some colour, but it’s down there… Zuid-As]

Maverisk / Étoiles du Nord