The Compliance Game: The Enemy of Good

I gave a little talk this weekend at the second Seattle Toorcon.

My presentation is as follows, though as usual, I ad lib when presenting. Video may appear in the future.

Toorcon Seattle 08.001.jpg

The compliance game: The enemy of good

Toorcon Seattle 08.002.jpg

Lots of execs have the idea that technology is a cost center and not the bedrock that enables their business to function.

Toorcon Seattle 08.003.jpg

This leads to reckless behavior, caused by not treating risks to their information systems as they would other business risks (and also by what has become the usual reaction to fraud and to investors getting punked on appropriate disclosure).

Toorcon Seattle 08.004.jpg

So, with Sarbanes-Oxley and others, now if you’re an exec and you aren’t doing the job you were hired to do,

Toorcon Seattle 08.005.jpg

they can put you in jail when it all hits the fan.

Toorcon Seattle 08.006.jpg

Wait! I’m an executive! Jail is bad! I don’t want to go to the rape camp!

Toorcon Seattle 08.007.jpg

What should I do?!?

Toorcon Seattle 08.008.jpg

Typically, you can overreact and, instead of doing what you should have been doing in the first place, you can do something that is obviously better: you can dump as much money as you can find at the perceived problem of making sure that you surpass the standard of due care in your industry so as to be “above average.”

Toorcon Seattle 08.009.jpg

Bring in the consultants! You need to be better than average, or else you might be going to camp. Since everyone has to be better than average, costs and efforts increase and increase.

This is the same reason that executive compensation is hundreds of times greater than that of the average employee in America.

[ Someone should come up with a better behavioral term for this. ]

So, in much the same way that executive compensation is on a geometric curve, compliance standards follow.

Toorcon Seattle 08.010.jpg

So are you safe now?

Toorcon Seattle 08.011.jpg

Does this fix the problem? Yes!

Toorcon Seattle 08.012.jpg

Well. Kinda… or maybe not at all.

Toorcon Seattle 08.013.jpg

Maybe even worse than before you spent all that money.

Toorcon Seattle 08.014.jpg

This will likely give great improvements to those that are way behind, but it can also defeat its own efforts.

Toorcon Seattle 08.015.jpg

One of my favorite examples of compliance gone wild is password enforcement:

Since passwords are such a foolproof way to police complicated systems and responsibilities, deploying a system to strengthen authentication isn’t what you should do. You should really just change passwords a lot.

Toorcon Seattle 08.016.jpg

Oh. They should also be increasingly complicated so that no average worker will remember them. You should also make them change passwords every week or two on a ton of systems, so that your workers spend a lot of time changing and forgetting their passwords…

Toorcon Seattle 08.017.jpg

unless they start writing lists.

Toorcon Seattle 08.018.jpg

But we tell them not to do that! Guess what. Everyone does it. If it’s not in a hard copy hidden under their keyboard or a collection of post-its, then the passwords are cached on their workstation somewhere… or there is a bunch of enable passwords in their wallet. I’m sure you can find an example of this in the next office of whatever public company you’re hanging around.

Toorcon Seattle 08.019.jpg

Another great one is segregation of duties. It’s the idea that every role’s responsibility should be paired with another role that will catch them if they’re being shady, and vice versa. It’s foolproof! What an awesome plan!

Toorcon Seattle 08.020.jpg

While it may be somewhat effective at prevention, or at commoditizing the workforce, what is assured is that in complex technical environments no one person or team will be equipped to deal with the interdependent, systemic problems. Unfortunately, those tend to be the really critical ones.

Toorcon Seattle 08.021.jpg

Segregation of duties for audit and risk frameworks, when too zealously applied, means that skills become specialized and no individual is allowed to have a complete understanding of operations. If no one retained on staff has an effective holistic understanding of complicated systems, solutions can become piecemeal and unreliable. Staff retention becomes a larger problem as tasks become more repetitive and narrow.

Toorcon Seattle 08.022.jpg

You can always try mind control.

Toorcon Seattle 08.023.jpg

In summary and in short, nothing fixes companies that are doing it wrong. This is because the deterrent of fines is treated as a cost of doing business, and public shaming of bad behavior seems not to be effective. We are left to choose between the threat of jail and fines. Jail is too much of a motivator and leads to over-reaction and overblown controls, which can be (and usually are) counter-productive to what is good. Fines can be ignored as a cost of doing business. Companies’ efforts to be “perfectly compliant” can become the enemy of good business and efficient environments. Look for these behaviors in the future, and attempt to resist adding more controls to counter the controls that are there to control.

…or alternatively, for this audience, become familiar with their practices and work to exploit their many weaknesses.
