Systemic Management Not Management Systems

E RADAR's Head of Research Dr Daniel Dresner suggests that merely following IT standards doesn't remove the need for board directors to take responsibility or provide relevant expertise. 

Back in the days of working with source code escrow (www.nccgroup.com) I wrote about a secret society.

No contortions required to shake hands, just some relieving group therapy that you are (a) not alone in a problem and (b) someone might just have written down the problem. Point (c) is where that writing has some alphanumeric label like ISO yada yada yada that you're rather glad of because it suggests respectability. (d) is where you lose the ability to adapt the knowledge and think more about pleasing the regulator is the business rather than inducing a Crosby 'quality is free' mantra because you wouldn't buy a product to broken to meet your objectives.

Going down this route means that a quality defect is being found out and has nothing to do with the appropriateness of the product or service - see Cavanagh's Second Order Project Management (Advances in Project Management) 2012. So blaming ISO/IEC 27001 - as has been done - for skulduggery surrounding LIBOR was rather like blaming my neat little plastic card for my driving ability. In much the same way that other neat little plastic cards were going to save us from international terrorism.

The problem with standards is not that there are so many to choose from (reference your comments sometime back mentioning the Matelot's prayer) but rather the bipolar situation of the following of a standard's clauses in the expectation that following instructions abrogates responsibility (I was only obeying orders) or that it removes the need for expertise in the matter at hand. As I've said before when the IASME Consortium set out the information security standard for small businesses as a route map to get them towards ISO/IEC 27001, it was bound to feel a bit like 27001 itself (www.iasme.co.uk).

The concepts they encompass so basic any good model of security is indistinguishable from the set of controls that we are all hoping we won't need (In much the same way that Messrs Pratchett and Gaiman suggest that any tape left in a car for long enough will turn into Queen's greatest hits).The inherent risk in risk management is that if we don't get the trust model right (Ahem! Lead me not into temptation...) then the risk treatment decisions fit a less than honest assessment. When I hear words such as 'based on 27001' I would reach for my gun if I had one. It is the word 'culture' that would make sure that I kept it holstered. It's never just a people problem but the culture of the organisation or the community tells all. The benevolent security standard is based on the logic that risks, threats, and vulnerabilities must be treated by controls. But "logic... allows one to be wrong authority" (Holmes).

How much more so the logic is skewed by personal ambition and desire? You need both the spirit and the letter applied in the right balance of appetite and attitude to risk. In this sea of complexity, the standards and their check lists are still signposts to the right behaviours (see 'The Checklist Manifesto: How To Get Things Right ' by Atul Gawande). Please don't sully good work by those who misappropriate it to hide or prove their behaviour.

Management systems?

And while I'm at it, I feel duty bound to point out that although we may mourn the thickness of the standards catalogues (after all what is a standards body but a publishing house), if you approach the problem with the half-empty breakout box, you'll suffer the same fate as those who go it alone during risk discovery: missing the right tools for the job. So when we look at the risk management standard 27001, we must remember that it's a standard for information security and needs to be held aloft with (such as) ISO/IEC 38500 for IT Governance (splendid, short, neat, and truthful) and the wider philosophy of BS 31100 for Risk Management. They are all explicit codifications of knowledge which need to be released back into the sociotechnical and economic framework by the idiosyncrasies that make us prefer one organisation over another.

Trust (Sasse et al.) is simply that positive expectation that our vulnerabilities will not be exploited. Let's divorce the bad behaviours from the guidance of standards and keep those standards up to date with what works. Models attenuate (Beer, 1993) so you'd better keep an eye on all that variety that you've chopped off to make the facts fit the views.

 

Leave a Reply

Be the First to Comment!

Notify of
wpDiscuz