The Compliance Game: The Enemy of Good

I gave a little talk this weekend at the second Seattle Toorcon.

[Image: Toorcon Seattle 08]

Lots of execs have the idea that technology is a cost center rather than the bedrock that enables their business to function.


This leads to reckless behavior, because risks to their information systems are not treated the way other business risks are (and also because of what has become the usual reaction to fraud, and to investors getting punked by inadequate disclosure).


So, with Sarbanes-Oxley and others, now if you’re an exec and you aren’t doing the job you were hired to do, they can put you in jail when it all hits the fan.


Wait! I’m an executive! Jail is bad! I don’t want to go to the rape camp!


What should I do?!?


Typically, you overreact and, instead of doing what you should have been doing in the first place, you do something that is “obviously” better: you dump as much money as you can find at the perceived problem of making sure that you surpass the standard of due care in your industry, so that you are “above average.”


Bring in the consultants! You need to be better than average, or else you might be going to camp. Since everyone has to be better than average, costs and efforts increase and increase.

This is the same reason that executive compensation in America is hundreds of times greater than that of the average employee.

[ Someone should come up with a better behavioral term for this. ]

So, in much the same way that executive compensation sits on a geometric curve, compliance standards follow one too.


So are you safe now?


Does this fix the problem? Yes!


Well. Kinda… or maybe not at all.


Maybe it is even worse than before you spent all that money.


This will likely give great improvements to those that are way behind, but it can also defeat its own efforts.


One of my favorite examples of compliance gone wild is password enforcement:

Since passwords are such a foolproof way to police complicated systems and responsibilities, deploying a system that actually strengthens authentication isn’t what you should do. You should really just change passwords a lot.


Oh, and they should also be increasingly complicated, so that no average worker will remember them. You should also make workers change them every week or two on a ton of systems, so they spend a lot of their time changing and forgetting passwords…


…unless they start writing lists.


But we tell them not to do that! Guess what: everyone does it. If it’s not in a hard copy hidden under their keyboard or a collection of post-its, then the passwords are cached on their workstation somewhere… or there’s a bunch of enable passwords in their wallet. I’m sure you can find an example of this in the next office of whatever public company you’re hanging around.


Another great one is segregation of duties: the idea that every role’s responsibility should be paired with another role that will catch them if they’re being shady, and vice versa. It’s foolproof! What an awesome plan!


It may be somewhat effective at prevention (or at commoditizing the workforce), but what is assured is that in complex technical environments no single person or team will be equipped to deal with the interdependent, systemic problems. Unfortunately, those tend to be the really critical ones.


Segregation of duties, when too zealously applied to satisfy audit and risk frameworks, means that skills become specialized and no individual is allowed to have a complete understanding of operations. If no one retained on staff has an effective holistic understanding of complicated systems, solutions become piecemeal and unreliable. Staff retention becomes a larger problem as tasks become more repetitive and narrow.


You can always try mind control.


In summary and in short, nothing fixes companies that are doing it wrong. The deterrent of fines is treated as a cost of doing business, and public shaming of bad behavior does not seem to be effective. That leaves us choosing between the threat of jail and the threat of fines. Jail is too strong a motivator: it leads to over-reaction and overblown controls, which can be (and usually are) counter-productive to what is good. Fines can be ignored as a cost of doing business. The effort to be “perfectly compliant” becomes the enemy of good business and efficient environments. Look for these behaviors in the future, and resist the urge to add yet more controls to counter the controls that are already there to control things.

…or, alternatively, for this audience: become familiar with their practices and work to exploit their many weaknesses.
