I didn’t have time to write anything original this weekend. Instead, a cautionary re-run from November of 2003 about information security and how not to go about ensuring it. – Bob

# # #

Students of corporate behavior, attempting to account for the seemingly incomprehensible level of self-destruction evident everywhere in the business world, often find themselves at a loss. Why, they ask, would a business do something like this, whatever “this” is this time?

The answer is usually easy to find, if you know where to look: Businesses can’t be self-destructive, for the simple reason that businesses aren’t selves. Human beings make the decisions, either individually or in groups.

Some of these individuals and groups make their decisions with the good of the company in mind, even though “The Company” is a fictional beastie that lacks any actual intent, consciousness, or independent reality. Others focus on “shareholder value,” showing an admirable, albeit misguided, altruism toward their employer’s legal owners: misguided because their altruism is rarely returned by the shareholders whose interests they hold paramount.

The majority of decision-makers do neither. They base their decisions on exactly the criteria they’re supposed to use in a capitalist society: They look out for their own best interests. Often, their best interests have nothing at all to do with what’s best for the company.

How else to explain the following event:

A character arrives from corporate headquarters. Looking in the mirror, he sees a secret agent looking back. Or maybe he thinks he lives in The Matrix. Hard to tell.

“Why are you here?” the head of security asks him.

“I can’t tell you.”

“What are you planning to do?”

“I can’t tell you that, either.”

“What can you tell us?”

“I need a work space with a network connection, telephone, desk and chair. And please don’t interfere with what I’m doing.”

He’s from the holding company’s headquarters. A quick check confirms he has the authority and the right to ask for this, and so it is done. A few weeks later he packs up and leaves, having downloaded a number of intrusion tools and used them to … keep in mind, this is a true story, not paranoid fiction … break into and damage several production servers. This proves, I guess, that the network is vulnerable to someone from headquarters who is connected inside the firewall, has no oversight or supervision, has no responsibility other than breaking into the network, and has the authority to insist on being ignored regardless of his actions.

From a security audit perspective, his behavior is unprofessional on at least two counts. The first, of course, is that he did actual damage instead of simply leaving evidence of his successful entry. A legitimate penetration test works from a written scope and rules of engagement, and it demonstrates access (a harmless marker file, a screenshot, a documented path in) rather than breaking production systems.

But that’s the lesser example of the complete worthlessness of his efforts. The greater is that he ignored the basics. The test of an organization’s security isn’t whether it can be hacked, let alone whether it can be hacked from inside its firewall. The real test … actually, the two real tests … of any organization’s security are (1) Does the organization’s security policy fit its needs? and (2) Does the organization’s actual security implement that policy?

Since Mr. Bond never bothered to read the security policy, he’ll never know the answer to either question. All he knows is that it’s possible to penetrate his subsidiary’s firewall from inside the firewall.

An impressive performance.

How does one go about explaining behavior this bizarre? It requires neither a conspiracy theory nor a temporary shortage of Thorazine.

All it requires is an understanding that everyone in every company acts solely in their own best interests. It’s up to the company’s leaders to ensure their best interests line up with those of the company, and that they understand this alignment.

At a guess, HQ’s secret agent saw a possibility of career advantage from showing up the subsidiary’s IT staff. Viewed in this light, his behavior makes perfect sense: By engineering a situation in which he couldn’t fail to intrude successfully, he can claim to have revealed serious security deficiencies. And because he works at corporate headquarters, he can use his superior access to decision-makers to paint any objections to his behavior from the subsidiary’s IT staff as nothing more than a defensive attempt to cover up incompetence.

I’m speculating, but at least this explains the odd event. Viewed from any other perspective, the behavior of this strange visitor from another city would be incomprehensible.

I take that back. There is one other perspective that would explain it.

Maybe he’s just stupid.

Another reason the world won’t go Digital on schedule, heavily redacted and anonymized:

My wife is the {unspecified position} for a small, boutique {unspecified services} firm. As such, she has to process {unspecified business transactions} constantly. To help with all the needed {non-generic due diligence} (they do a lot of government work), they use a {non-generic screening service} from a fairly well known company in that space.

A few weeks ago, the screening company pushed out a new version of its software and portal.

It was a shambles! What had been a quick, routine part of my wife’s day had become a nightmarish game of frozen screens, endless time on hold, being shuffled around from one support person to another, and STILL not getting the needed {non-generic due diligence} done.

Of course, her sales department was yelling at her too, for being slow in performing the {non-generic due diligence} needed to perform the services they’d sold their customers.

About a week after the rollout, she received the following email, ostensibly from the {non-generic screening service} firm’s CEO:

============================================ 

From: {Name of CEO}

Sent: {sometime this summer}, 2018

To: {Helpless Customers}

Subject: {Our Flagship Product} Technology Update

Good afternoon,

On {date}, we released our all-new {clever acronym} screening technology. From development through implementation, our goal has always been the same — to deliver the best experience for you, our customers.

Last week’s release was the culmination of more than two years of development. It would be an understatement to say we’re excited. But with that excitement comes an awareness that this platform is far from perfect.

We fully understand that a release this ambitious and of this magnitude is bound to have issues, and you’re likely experiencing some of those issues first-hand. After the first week of wide release, many of the reported bugs have been minor. We are fixing and improving every day.

This initial launch is just the beginning of a new chapter for {company name}. We’re playing the long game — working constantly to fine-tune the technology through your feedback. We hope you already see the power and speed behind this incredible new platform. It’s only the beginning.

As we have for the past {number of years}, we’re here to help. Helpful tutorials and videos {link provided} are available in the resource center {link provided} of the {clever acronym} dashboard. And our friendly team is here to assist you in any way they’re able. Please don’t hesitate to reach out.

Thank you for your patience with us during this transition, as we work aggressively to fix bugs and improve the platform. 

Thank you for your trust in us to be your screening partner. We never take your partnership for granted and work every day to redefine value in {non-generic screening services}.

Sincerely,

{First name of CEO}

{Company logo, address and contact info}

{Inspiring quote from an old NFL football coach}

============================================

Where to start …

Communication: Chico Marx, in Duck Soup, once asked, “Who are you going to believe, me or your own eyes?” That was supposed to be comedy, not a serious business message. Don’t send spin to the people with direct experience. Send it to everyone else, to convince them the people experiencing the problem are exaggerating.

Software Quality Assurance: The first rule of SQA is that you always test. Sometimes you test before you put software into production. Sometimes you test by putting it into production.

Before is better.

Your customers’ SQA matters too. Just because you’re a cloud provider, that doesn’t mean you’re providing an “island of automation.” Quite the opposite: as SaaS becomes more important, integrating SaaS applications into the rest of the applications portfolio becomes exponentially more important (actually, polynomially more important, since n applications can have up to n(n-1)/2 pairwise integrations, but let’s not quibble).

The consequence: A SaaS provider’s internal testing should be just the beginning. After that its customers should have a chance to regression test new releases, in a sandbox tenant running the release candidate before the production cut-over, to make sure they don’t break internal IT’s integrations.

Along the way, its customers’ end-users would be in a position to discover whether the new release is a turkey, before it’s inflicted on everyone.

The Cloud doesn’t change the rules. It makes them more important. For example, well-run internal IT follows a simply stated rule when it comes to implementing software changes: Always have a back-out plan. If, in spite of SQA’s best efforts, the software turns out to be unusable, internal IT restores the previous version to minimize business disruption. A SaaS provider’s equivalent is keeping the previous version deployable and being willing to roll back to it, or at least letting customers move to the new version on their own schedule rather than all at once.
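What a back-out plan looks like in practice, as an added example that is not code from the original post or from the screening vendor: every release is installed in its own directory, a “current” pointer selects the live one, a “previous” pointer remembers what to restore, and the cut-over is followed by a smoke test that triggers an automatic restore if the new release fails. The DEPLOY_ROOT layout, the bin/app smoke test and the two sample releases are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: a release/back-out layout
# of the kind well-run internal IT keeps for every change. Each release
# lives in its own directory, "current" is a symlink repointed in one step,
# and "previous" records what to restore. DEPLOY_ROOT and the bin/app smoke
# test are assumptions made for illustration.
set -u

DEPLOY_ROOT="${DEPLOY_ROOT:-$(mktemp -d)}"
mkdir -p "$DEPLOY_ROOT/releases"

# Name of the release the "current" pointer selects, or "none".
live_version() {
    if [ -L "$DEPLOY_ROOT/current" ]; then
        basename "$(readlink "$DEPLOY_ROOT/current")"
    else
        echo none
    fi
}

# deploy <version> <src>: install the release beside the live one and cut
# over to it, remembering the outgoing release so a back-out is a pointer
# swap. The old release directory is left untouched: that is the back-out plan.
deploy() {
    version="$1"; src="$2"
    rel="$DEPLOY_ROOT/releases/$version"
    rm -rf "$rel"
    cp -R "$src" "$rel"
    if [ -L "$DEPLOY_ROOT/current" ]; then
        ln -sfn "$(readlink "$DEPLOY_ROOT/current")" "$DEPLOY_ROOT/previous"
    fi
    ln -sfn "$rel" "$DEPLOY_ROOT/current"
}

# Smoke test against whatever is live. A real check would exercise the
# integrations customers depend on; here the release's bin/app must exit 0.
health_check() {
    [ -x "$DEPLOY_ROOT/current/bin/app" ] && "$DEPLOY_ROOT/current/bin/app" >/dev/null 2>&1
}

# Restore the previous release. Returns 1 when there is nothing to go back
# to, which is exactly the situation a back-out plan exists to prevent.
rollback() {
    [ -L "$DEPLOY_ROOT/previous" ] || return 1
    ln -sfn "$(readlink "$DEPLOY_ROOT/previous")" "$DEPLOY_ROOT/current"
    rm -f "$DEPLOY_ROOT/previous"
}

# Deploy with the back-out plan attached: cut over, smoke test, and restore
# the old release if the smoke test fails. Returns 0 when the new release
# stays live, 1 when it was backed out.
deploy_or_backout() {
    deploy "$1" "$2"
    if health_check; then
        return 0
    fi
    rollback
    return 1
}

# Constructed sample releases: v1 works, v2 is the "turkey" whose app exits 1.
make_release() {   # make_release <dir> <exit-code>
    mkdir -p "$1/bin"
    printf '#!/bin/sh\nexit %s\n' "$2" > "$1/bin/app"
    chmod +x "$1/bin/app"
}
STAGING="$(mktemp -d)"
make_release "$STAGING/v1" 0
make_release "$STAGING/v2" 1

deploy_or_backout v1 "$STAGING/v1" && echo "v1 live: $(live_version)"
deploy_or_backout v2 "$STAGING/v2" || echo "v2 failed its smoke test, backed out to $(live_version)"
```

The point of the layout is that restoring the previous version never involves reinstalling anything: the old release is still on disk, and the back-out is one pointer swap that takes effect before the sales department has time to start yelling.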

Just because you’re a SaaS provider that doesn’t mean you get to ignore the basics.

You have to master them.