controls – Maverisk / Étoiles du Nord

Missioning your visioning

Just a repost; hardly anything but the footnotes had to change from that post from over two years ago..:

I was triggered recently[1] about some very common mix-up, and suddenly saw a spark of insight. Since the seeing concerned me, it was at a distance of course (not), so I’ll share it with you to see whether you recognise the somewhat local phenomenon and its ramifications and cures.

This all being about the top-level structure for any organisation, i.e., vision, mission, strategy.

So often mixed up qua priorities and order.
Where a great many do think one starts with the mission, thinking endlessly wrongly that one determines the mission first, then … oh vision how can we define that, then, to cover the actual second step, and strategy oh we will not be able to define that.
Because of the mix-up you can’t. Because vision comes first. First define what and how you think the world will look like in somesomewhat more distant future. ONLY THEN [skipping the boldface] one defines whether and where one’s (organisation’s) place is thought to be within that; mission. Only then does one define how to get from the paltry Today’s position, to where the bright future is, and which path to follow; strategy.
When you begin with the mission, you utterly falsely assume there’s a place for you in the first place which, when you think that way, there is ever more certainly not.
When you start with the vision (which can be grand, being without you in the picture will help to that end…), you would also need to think about what your raison d’être in that world view would be. You have no right to existence [note that we’re discussing organisational rights, not natural persons’ rights for which the opposite does hold; ed.] other than making the future better – than any of your competitors can. If there’s competitors that can, in principle given their today’s capabilities, in fact do better than you, you’ll have to find something else to do as the world, by Pareto’s comparative advantage reasoning [which is one of the few economists’ reasonings of any value at all when without the ‘ceteris paribus’ totalitarian destructive lies; ed.], is better off when you leave it to others – the world better off being your purpose or you have no place on this planet. Anything related to profitability has no, zero, rien du tout, nul, nada, place in a mission statement since it’s a derivative requirement (sic) only, towards some specific but not therefore important, stakeholders known as shareholders or investors that, if your mission is true and virtuous, should be utterly grateful for the opportunity to be allowed to invest in your strategy and would even have to pay rent, not receive it. For organisations, it is only a requirement in as far as reserves are built, for hard times and even there one could insert some evolutionary theory that sometimes extremely improving mutations are wiped out by some unfortunate accident (act of nature) before becoming a species-wide improvement — same, for organisations that are set to become most beneficial to the world already on the road towards fulfilling their mission but fail halfway due to adverse but insufficiently bendable market conditions. Bad luck. Move over. Machiavelli’s Fortuna again. Read his Original to see how sobering he meant that and that you can be (Aristotelian-)virtuous all the way through.

So, first vision, then mission. And only then, strategy of course. Being the course. You need to take; roughly. Bending and shaping as you go along; sailing to an up-wind buoy. Setting the boundary conditions – including the boundaries of means you’ll allow as not all means are allowed for just any ends, no end may be enough for some means, most ends are not worth pursuing in the first place. You get the drift; if the means are not ethical, virtuous, the ends will never be. Excepting only a handful of situations like war/genocide, large-scale natural disaster, et al. where one may have to shoot the bad guys to prevent them shooting the good guys.[2]

But hey, this was just the spark. About the wrong-order its cause(s). The rest … good for PowerPoint presentations on the subject I’d say.
[Edited to add: Next try to understand the utter ridiculousness of the Dutch ‘beleid’ as translation of ‘policy’. Meaning (in both languages, creepingly) not what it has meant over the past decades, centuries, but more like ‘petty micromanagement ruleset’. No more general picket post placement in the distance but rails, shackles…]
Leaving you with:

[The lands you defends, into the fuzziness; (from) Salzburg Castle]

[1] Yes, in a conversation to establish whether I’d want to work somewhere, and they’d have me. Both ways, the result was Unsure But Let’s Keep On Talking. They had a Mission on their glass door, and a Vision, and Values – you understand that Mission and Vision were a jumble of Calimero-aspirational buzz, and Values were a big fat Mehhh. If you have to post them on your door in the hall to remind any employee coming to work day in, day out, you’re .. well, not quite living them, are you ..?
[2] Tell-tale, this [1] club had Values there, not Strategy. The latter, didn’t even surface in a second conversation at all. As if one bumped into a fluffy ceiling when trying to raise the level, before being pulled back to mundane hire-warm-body work descriptions. Some sparks of want to move forward and some slight claim of record there but hardly any self-volunteered methodology hints or so…

‘corn down, times 10

After the many lists of wat went well this year, with AI, bitcoin, etc.etc., we wonder: How much of that is plugged fake news or ditto overblown ..?
When still, we have the likes of this: A list of some 10 unicorns that went down (or -soon) despite funding to dream of. When you look into it, we seem to be back in, 2001, and somewhat later, when the idea of drafting a two-pager business plan seemed to be enough to get VC / angel / whathavewe funding. OK, maybe this time around (and for the co’s mentioned) it’s more like a ten-pager requirement but hey, why wait to throw money into a wormhole, right ..?
To remind us that maybe, not all went so well in ’17.

And maybe despite all the hopes we have for 17++, we should again, still, reckon with downside risks a little bit more, please?
But you’re not gonna listen to me, are you?

Mewwy Cwistmas & happy new year anyway! Plus:
[Heck, this has nothing to do with festive fireworks or so but is pretty still; Valencia]

In Controllusion

After a good receipt of this, I kept on receiving nudge-pointers about a related issue. Being, that so many are, have become, control freaks. Micro-managers with such enormous blind spots, blinkers/blinders.
With a thesis developing that this is caused by sheer frustration of not being able to shake off the being controlled. Since individualism, the societal buddy of pure neo-capitalism the fascist kind intertwined with consumerism and the blow-out of traditional social group cohesion(s), demands we are Free. Or so. And find ourselves [well, not me] still tied up tight in (whether private or public) corporate dictats. Having to let off all the steam, it explodes (short of detonation) through the escape vent of downward bullying – in perception from all sides.

Hope I’m overstating this. But a fuzzy-logic sort of partial acceptance of the point only, will point the point towards resolution of at least one contributing part of the stifle that is so rife in modern (not) organisations. Capice? Capisco..?

And:
[Apparently not when this of course is Dyon.]

Small Mob Rule

Dat is dus grote onzin: De @telegraaf zit er (weer) dik naast, in dit stuk. “DOKKUM – Er gaapt een reusachtige kloof tussen de provincie en de Randstad. Thema’s als genderneutrale toiletten, de nadruk op ’diversiteit’ en vooral het debat over de kleur van Zwarte Piet worden door een kleine culturele elite in met name Amsterdam aan de rest van Nederland opgedrongen, terwijl de meeste burgers in de regio’s hier helemaal niet op zitten te wachten.”
Nee Telegraaf, dit is volslagen onzin, over de rand van leugen.
Want het is slechts een miniem klein-handjevol (inderdaad) bewoners van de Randstad – die oh zo sosialisties nog een tweede huis op het platteland hebben omdat ze alles en iedereen zo lang hebben getreiterd dat ze nauwelijks belasting betalen ‐ die de landelijke stemming bepaalt. Terwijl de andere 99,995% van de Randstedelingen ‘ook’ gewoon normaal is, hoor.

Dus stop ff die terreur van het klootjesvolk i.e. T-“journalisten” quod non, die inkt verspillen met zulke grove onzinkoppen. Of, om hen in hun eigen moreel vermogen aan te spreken: Bek houwe.

[Geen plaatje vandaag. Té boos over zulke idiotie.]

The dullness of infosec ..?

And you thought fraud detection was about bank transactions or even counterfeiting physical stuff. Boh-ring, when you read this. Takes it to another level, eh?
Which brings me to an important issue: Are we not still studying and practising infosec from the wrong angle, doing a middle-out sort of development in many directions but starting at a very mundane ‘CIA’ sort of point. Which is of course core, but there is so much to cover that some outside-onto view(point) might be beneficial. We’re in the thick of the fight, and no matter in which direction you go, when you wade through the thicket with your control measures machete, you achieve little – when you then turn around to try to clear some area in another direction, all has grown dense with state-of-the-art arms’ race bush again already.
And yes, of course one can educate, etc. in some form of hierarchical approach, top-down. But that leaves us with many, all too many that float comfortably on the canopy where the view … isn’t that great as one’s very certainly in thick fog of the monsoon rain. And nothing is being directed (ugch) deeper down. Or controlled (?). Just more, most partial world views unconnected and behaving erratically.

The e.g. in this is that link above. A tiny subset of situational scenario. Not solved pervasively, once and for all. Now think about the hugely, vastly, enormously wider scope of ‘all’ of infosec that would need to be covered to a. arrive at sub-universes of control, b. overview.

The latter remains Open.
Me not happy.

Solutions, anyone ..?

Oh, plus:
[Ah! The days when this sort of ‘defence’ was enough to conquer! Alésie of course]

Trust ⊻ Verify

You get that. Since Verify → ¬Trust. When you verify, you engender the loss of trust. And since Trust is a two-way street (either both sides trust each other, or one will loose initial trust and both will end up in distrust), verification leads to distrust all around – linked to individualism and experience [we’re on the slope to less-than-formal-logic semantics here] this will result in fear all around. And Michael Porter’s two books, not to mention Ulrich Beck in his important one. So, if you’d still come across any type that hoots ‘Trust, but verify’, you know you’ve met him.

Since the above is so dense I’ll lighten up a bit with:
Part of the $10 million I spent on gambling, part on booze and part on women. The rest I spent foolishly. (George Raft)

Which is exactly the sort of response we need against the totalitarian bureaucracy (i.e., complete dehumanisation of totalitarian control – which approaches a pleonasm) that the world is sliding into. Where previously, humanity had escapes, like emigrating to lands far far away, but that option is no more. Hopefully, ASI will come in time to not be coopted by the One Superpower but then, two avenues remain: a. ASI itself is worse, and undoes humanity for its stubborn stupidity and malevolence (the latter two being a fact); b. ASI will bring the eternal Elyseum.
Why would it b. ..?
And if it doesn’t arrive in time, a. will prevail since the inner circle will shrink asymptotically which is unsustainable biologically.

Anyway, on this bleak note I’ll leave you with:

[Escape from the bureacrats; you-know-where]

Arms / race coming to an end ..?

When this is still necessary and (counter)^x-measures will continu to be developed, for sure, how will this little nugget of WP29 change things?
Because it has power. That may lead to a throwback. For how long? The harder the throwback, the longer to recover. But the more powerful will be that rebound ..? We’ll see. For now, canvas blockers are still the way forward, so implement them, right?

This post was brought to you as a public service announcement from the sanity of browsing for information security and privacy blog you’re reading.
But seriously, why is there so little analysis of the WP29-on-Profiling stuff ..!? And:

It doesn’t matter

A great many before me have discussed the merits pro and contra using contractors instead of perm contracted staff.
I will still give it one more go. Since lately, there has been some back and forth again about motivational issues and how certain is one in one legal contract situation compared to the other hence how motivated can one be and why the need to cater to so different audiences as ‘manager’.
The thing is
It doesn’t matter:

When investigating the differential motivators, one invariably ends up with the same motivators, and much the same demotivators (nicely depicted here of course still going strong, since tout a continué).
This, coupled with:

Financially, you’ll have to pay for income taxes (buy side yes), holidays, sick days, etc.etc. (welcome to Europe!) and all of the administration surrounding that when you hire someone on a perm contract. If you hire a contractor, not so much; all costs are for the contractor
You’ll also have to pay for continued education and a company car for perm contracters. For contractors, not so much; all costs are for the contractor
Add in a ton for pension contributions (we’re still in Europe). For contractors: Nope.
How about severance packages? (Oh, shouldn’t differ much…)
Going through the calculation motions, it is little wonder that fully loaded costwise, a perm contractor will cost you 2,5-to-3,5 times per hour what a contractor bills you
And your perm contractor is scientific reasearch confirmed actually productive for four (upper bound) to two (lower bound) of any eight-hour working day. Your contractor can only bill you for two hours slippage per day, at most
You can even expect to pay more for the above motivators when dealing with perm staff. Contractors behave more mature and don’t need as much of everything

clearly leads in one direction. Isn’t there a catch ..? No, only if you’re Mr Tax Man; then, you’re the one losing out. Otherwise, you as an employer can gain seriously even when paying out ‘huge’ hourly rates to contractors.

Remember that.

Your comments, please.

Norm over substance of risk management

Overheard: A major company in a relevant industry re infosec – and well-known for their good and even so recently much improved infosec posture – doesn’t follow the mantra of “risk management first, policy/standards second” but first sets some quite rigid standards and then, when vendors can’t deliver (even when the standards are strict but quite reasonable and doable), do some form of risk analysis plus compensating controls / acceptance or what have we.
Because otherwise, everything gets so mushy (hey, normal (?) risk analysis is business driven, what do ‘they’ know ..!?) that the end result is a chaos of quasi-accepted risk all on one huge unmanageable infra heap of backdoors and byways (those in particular) which results in zero security. And because this way, standardisation is encouraged and security plus manageability hugely increased i.e. big bucks are saved.

So, it’s an interesting High Baseline Minus approach. Though I guess you may have some comments, so take it away …:

Oh, and already:

[Maybe green, but not fond of blaugrana ..? M’drid]

The logic of automated decisions;
ransparency through audits ..?

Not bashing, nor FUDhyping…
Was triggered by various treads, e.g., The Book on the subject (or, het boek in Dutch), and scores of elucidation (yes. be happy finally there is some truly) from the legal perspective, on GDPR article 15.1h and article 22.

The latter two not being conclusive, however. They are about requirements of transparency on the logic underlying automated decisionmaking. But there is no clarity about how deep that should go. Will “Hey your data is processed by some AI system [literally, factually incorrect statement because it’s only Machine Learning at max, today; does that construe a false statement i.e. fraud ..? ed.] and even we the builders ourselves have no clue what goes on in there – that’s the whole point of using it besides being able to fire a great many inherently expensive humans and we don’t care the least about the biases and other grave errors of the system it works fine for us!” be acceptable? Hint: No. Will “Oh it’s so intricate that we, let alone you, have no clue when looking at the audit trails that the system generates” fly? Same hint.

Because here, we see a new area developing for IS auditors: Auditing ‘AI’ [quod non but read ‘ML’ and you’re good; ed.]. As IS auditors are (supposed to be, I happen to know a fair share of peers … etc.) the experts in gauging systems functioning qua .. reliability overall, too. Which goes way beyond mere C-I-A but still, has Always been part and parcel of IS auditors’ education, right ..? I will come back to you soon, with more definitive info on how IS auditors should go about this all.

Oh by the way yes I did already notice that the more the system in scope behaves, and is constructed to behave, intelligently like the average (sic! statistically you have zero reason to put yourself above that! oh wait you read my blog so you are definitely, way off the right end of the scale) human, the more the audit will have to be like we audit humans today. Uniting psychoanalysis and explicit rules on paper (in procedures, algorithms et al.), very dogue much fun.

Plus:
[Though a flat, and has iron, legally misidentified as flatiron …; NY – Pic tilted to fit in the pic frame of course]