What should we do when the experts change their minds?

Last week, KJR talked about NIST changing (or is it “updating”?) its longstanding recommendation to change passwords frequently.

The question of the hour is, does NIST changing its recommendation make it a more trustworthy source of expertise, or less?

The two obvious and most popular answers boil down to:

More worthwhile: I’d rather take advice from someone who’s constantly learning more about their field, than from someone who learned something once and decided that’s all they need to know.

Less worthwhile: Why should I rely on advice that’s constantly changing? I’d rather rely on positions that don’t change with the time of day, phase of the moon, and the sun’s position in the zodiac.

Before continuing down this path on the information security front, let’s explore a better-known subject of ongoing controversy — the role of dietary fat in personal health.

There’s been a lot written on all sides of this question, so much so that it’s easy to figure that with no medical consensus, what the hell, I’m in the mood for a cheeseburger!

Me, I take a different position: I’m in the mood for a cheeseburger! Isn’t that what pills are for?

No, say the skeptics. There’s published research showing that statins don’t provide much medical benefit and, for that matter, that saturated fats aren’t at all toxic.

As my pre-statin LDLs were way out of whack, I have a personal stake in this, and so here are my personal guidelines for making sense of personal health, information security, or pretty much any other highly technical subject:

Ignore the divisive. Divisive language is easy to spot. Phrases like “The x crowd,” where x is a position you disagree with, are the giveaway (“The first amendment crowd,” or, adding 1, “The second amendment crowd,” are easy examples).

This sort of ridicule might be fun (strike that — it is fun) but it isn’t illuminating. Quite the opposite, it’s one of the many ways of dividing the world into us and them, and defining the “right answer” as the one “we” endorse.

Fools vs the informed vs experts. Fools believe what’s convenient. The informed read widely. Experts read original sources.

Fools … perhaps a better designation would be “the easily fooled” … have made confirmation bias a lifestyle choice. Faced with two opposing points of view they’ll accept without question the one they find agreeable while nitpicking the opposing perspective to death.

Those of us who try to remain informed read widely. We choose sources without obvious and extreme biases; that go beyond quoting experts to explaining the evidence and logic they cite; and that provide links or citations to the original sources they drew on.

Especially, we deliberately counter our own confirmation biases by looking skeptically at any material that tells us what we want to believe.

Experts? They don’t form opinions from secondary sources. They read and evaluate the original works to understand their quality and reliability in detail.

There’s always an expert. Want to believe the earth is flat? There’s an “expert” out there with impressive credentials who will attest to it. Likewise the proposition that cigarettes are good for you, and, for that matter, that Wisconsin has jurisdiction over the moon on the grounds that the moon is made of cheese.

Just because someone is able to cite a lone expert is no reason to accept nonsense … see “confirmation bias,” above.

Preliminary studies are interesting, not definitive. For research purposes, statistical significance at the .05 level is sufficient for publication. But statistically, one in every 20 results significant at that level is due to random chance.

Desire to learn vs fondness for squirrels. Ignoring new ideas and information is a sign of ossification, not expertise. But being distracted by every squirrel — changing metaphors, jumping on every new bandwagon because it’s new and exciting — isn’t all that smart either. Automatic rejection and bandwagoning have a lot in common, especially when the rejection or bandwagon appeals to your … yes, you know what’s coming … confirmation bias.

Ignoring changing conditions. No matter what opinion you hold and what policies you advocate, they’re contextual. Situations change. When they do they make the answers we worked so hard to master wrong.

The world has no shortage of people who refuse to acknowledge change because of this. But relying on answers designed for the world as it used to be leads to the well-known military mistake known as “fighting the last war.”

Except that nobody ever fights the last war. They prepare to fight the last war. That’s why they lose the next war.

These are my guidelines. Use them as you like, but please remember:

I’m no expert.

Help! I’m desperate!

Not really. To be more accurate I’m minorly inconvenienced.

As mentioned a few months ago, I’m looking for an alternative to Quicken (“Plausibility rules,” 3/12/2018), because it deprecated a feature I rely on, presumably to force me to buy an upgrade.

Not to be bullied into an unwanted expenditure, I’ve been on the hunt for an alternative. Thus far, with just one exception, every other personal finance package I’ve found is cloud-based.

Which leads to the question, WHAT????

Look, I’m an open-minded sort, so maybe I’m missing something. Yes, I realize my personal financial data is already in the cloud, assuming we’re all willing to redefine “cloud” to mean “on the web.”

But it’s scattered among a bunch of providers and accounts. If I use any of the non-Quicken personal finance management alternatives I’ve found so far, I’ll be putting it all in one place, just waiting for the next data breach to happen.

There is an exception — a package called GnuCash. I’d use it and be happy, except that the instructions for automatically downloading transactions into it are both impenetrable and, as far as I can tell, don’t … what’s the word I’m looking for? … work.

All of which puts me dead-center in the ongoing debate as to whether data stored behind your corporation’s firewalls are more secure than data stored in a SaaS provider’s data farms.

Now I’m far from an authority on the subject, but I do know what the correct answer to the question isn’t: Yes. I also know it isn’t No.

I know this because I know that in addition to all the well-known information-security basics, the accurate answer depends in part on whether you push your own information security failings onto your SaaS providers.

Here’s what I mean: If I decide to use a cloud-based personal financial management solution, and if I don’t change my password on a regular basis, properly protect myself from Trojans, phishing attacks, and keystroke loggers, and keep my OS properly patched and up to date, it won’t be the solution provider’s fault if someone borrows my data.

This all scales up to the enterprise: If you use, say, Salesforce.com and do a lousy job of key rotation, or your administrators share a super-user login, or you don’t conduct regular white-hat phishing attacks, or you don’t properly protect PCs from invasive keystroke loggers and all the other prevalent intrusion techniques, it really won’t matter what level of security excellence Salesforce.com has achieved.
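The two customer-side failings named above, stale keys and a shared super-user login, are the kind of thing you can check for yourself regardless of what the SaaS provider does. Here is an added example (mine, not Salesforce.com’s or anyone else’s tooling) that runs two such checks over constructed login events and API-key records; the field layout, the 90-day rotation limit and the 30-minute overlap window are assumptions for the sake of illustration, not any provider’s schema or defaults.

```python
"""Two customer-side checks for the shared-responsibility point:
(1) a super-user login used from two different source addresses within a
short window, which is what a shared login looks like in the logs, and
(2) API keys older than the rotation limit.
All data here is constructed for the example; field names, the 90-day
limit and the 30-minute window are assumptions, not a vendor's schema."""
from datetime import datetime, timedelta

ROTATION_LIMIT = timedelta(days=90)      # assumed policy, not a vendor default
OVERLAP_WINDOW = timedelta(minutes=30)   # logins this close together count as concurrent

# Constructed login events: (account, source IP, login time, UTC)
LOGIN_EVENTS = [
    ("sfdc-admin", "203.0.113.10", datetime(2018, 6, 4, 9, 2)),
    ("sfdc-admin", "198.51.100.7", datetime(2018, 6, 4, 9, 11)),
    ("sfdc-admin", "203.0.113.10", datetime(2018, 6, 4, 14, 40)),
    ("jdoe", "203.0.113.22", datetime(2018, 6, 4, 9, 5)),
    ("jdoe", "203.0.113.22", datetime(2018, 6, 4, 13, 1)),
]

# Constructed API key metadata: (key id, owner, created on)
API_KEYS = [
    ("key-0001", "integration-erp", datetime(2018, 1, 3)),
    ("key-0002", "integration-erp", datetime(2018, 5, 20)),
    ("key-0003", "reporting", datetime(2017, 11, 15)),
]


def shared_logins(events, window=OVERLAP_WINDOW):
    """Return accounts that logged in from two different source IPs within
    `window` of each other. One person rarely does that; a shared login does."""
    by_account = {}
    for account, ip, when in events:
        by_account.setdefault(account, []).append((when, ip))
    flagged = set()
    for account, sessions in by_account.items():
        sessions.sort()  # chronological, so adjacent pairs are nearest in time
        for (t1, ip1), (t2, ip2) in zip(sessions, sessions[1:]):
            if ip1 != ip2 and t2 - t1 <= window:
                flagged.add(account)
    return sorted(flagged)


def stale_keys(keys, now, limit=ROTATION_LIMIT):
    """Return ids of keys older than the rotation limit as of `now`."""
    return sorted(key_id for key_id, _owner, created in keys if now - created > limit)


def audit(events=LOGIN_EVENTS, keys=API_KEYS, now=datetime(2018, 6, 4, 18, 0)):
    """Run both checks and return the findings keyed by check name."""
    return {
        "shared_logins": shared_logins(events),
        "stale_keys": stale_keys(keys, now),
    }


if __name__ == "__main__":
    for finding, items in audit().items():
        print(f"{finding}: {', '.join(items) if items else 'none'}")
```

Against the constructed data the super-user account is flagged (two source addresses nine minutes apart) while the ordinary user, who logged in twice from one address, is not, and two of the three keys are past the assumed rotation limit. The point is the one the column makes: none of this is something the provider can fix for you.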

Also, “secure” means more than “protected from intrusion and misuse.” With Quicken (or GnuCash) I can easily back up my data to a backpack drive, knowing how I’d restore it if I need to.

With a cloud-based service provider I’m willing to take it on faith that they back up their customers’ data in case of some form of catastrophic failure. Recovering to the state just before my most recent transaction download, on the other hand, is something I strongly suspect isn’t part of the service.

For the enterprise equivalent, Salesforce.com is always the SaaS touchstone. It recommends customers make use of their own backup and recovery tools, or else rely on third-party services.

But of course, your own backup and recovery tools are exactly as vulnerable as anything else inside your firewall, while third-party alternatives add yet another potential point of security failure you can’t directly control.

KJR first mentioned the cloud more than ten years ago (“Carr-ied away,” 2/4/2008), and yet the cloud continues to perplex CIOs.

From business cases that are always either more nuanced than “the cloud saves money” or else are wrong … to an impact on application development that’s much more significant than “recompile your applications in the cloud and you’re done” … to COTS and SaaS-based application portfolios whose integration challenges put the lie to cloud nativity as the uniform goal of all IT architects … to the ever-harder-to-untangle questions surrounding cloud-level vs internal-firewall-based information security …

If you’re looking for simplicity inside all of this complexity, good luck with that. You’re unlikely to find it for the simplest of reasons: An organization’s applications portfolio and its integration are direct reflections of the complexity of the organization itself.

Modern businesses have a lot of moving parts, all of which interact with each other in complex ways. Inevitably this means the applications that support these moving parts are numerous and require significant integration.

Which in turn means it’s unlikely the underlying technology can be simple and uniform.

And yet, when I need an application that can automatically download transactions into a personal financial database, there’s a depressing uniformity of vision:

“Put it in the cloud.”

Sigh.