Tuesday, March 13, 2007

The Elves and the Shoemaker ( Part 1 )

Q. When is your reality not your reality?
A. When it's somebody else's?

So excuse the existentialism for a moment and permit me if you will, to step back from the issue to elaborate more clearly my opinion of the forces at work at a deeper level. At no time in history has the rate of change, the terms of reference and the paradigms been so extraordinarily different as they are currently, especially for knowledge based/information economies, or other businesses and organisations that rely upon or use Information Technology.

As William Gibson said, "the future is already here , it's just unevenly distributed".

For some this creates an exciting, ever-changing, ever-learning environment in which one can in some ways actively contribute and watch the future unfold in 'realtime' like never before. In no other discipline (I use the term 'discipline' lightly ...) is this rate of change as pronounced as it is in Information Security/Protection/Assurance ... where one must be constantly abreast of new technologies and engaged in a never-ending cyber arms race in an effort to help defend an organisation's assets from malicious attack or unintended breaches in data and service integrity, confidentiality or availability. A mammoth task even in smaller organisations.

EDS may have tried to herd cats, but we in Infosec try to repel alien invasions, uncover national conspiracies, protect and serve, and offer matrix style A-team vigilantism served up with a side order of business acumen and a portion of savoir faire. Fun until you realise your noble pursuit of protecting the weak and innocent, fighting the forces of evil and saving the world from itself isn't necessarily shared by all elves. Funny that ... the naivety in thinking that there were no lazy, apathetic IT elves ... the realisation that all the IT elves must do their work to a certain level of quality and assurance for your work to even begin to be worthwhile, measurable, or at least have the other elves believe you when you tell them of the 'dark magic' that counteracts the good elven magic they are so used to (this of course without demonstrating 'dark magic' on production or development systems as we meanwhile wait for the 'dark elves' to try all manner of 'dark magic' until they install 'dark doors' that are practically untraceable ...)

For many in business, even in IT itself, it is easier to allow the elves to get on with their daily magic and then work with the ensuing results, embracing without question the supposed increases in productivity and efficiency.

Most beings work on a macro layer and let the elves create and dabble in even more elven magic to ensure the lower level elves and base magics behave themselves. What we don't know can't and shouldn't hurt us right?

Let's take an administrator, management entity or executive in the Grimm Brothers Ltd. shoe business as a potential test subject. They are constantly worried about profit, share value, productivity and efficiency (as they might be in any business). They don't actually need to fully grasp how the increases in output and efficiency are achieved by the latest and greatest elves and magic, just that they work and work well. Unfortunately conveying and measuring the potential pitfalls and complexity of using this magic is extremely hard to explain to anyone who doesn't have a grasp of the most basic and rudimentary tenets of elven magic. Problems are compounded by the outsourcing of elven work to other cheaper elven lands, or insisting upon the use of increasingly complex and esoteric elven magic - without keeping some local elves in reserve to do quality assurance, vendor management or governance. Somehow all elves should be trusted with all magic and unfortunately unmanageable and unmeasurable SLA's (Service Level Agreements) cannot and do not incur penalties. Increasingly and understandably management want to connect their business directly to 'other' realms in the hope of increased sales and access to more B2E (Business-to-Elf) services ...

Unfortunately these realms also contain both good and bad elves, dark magic ... and all number of mythical and mysterious self replicating evil beasties and other magical creatures.

One mis-spoken elven incantation (depending upon the situation and circumstance) can cause terrible horrors and cripple a shoe business, reducing them back to cobblers. Rumour has it that a certain shoe business continued to make a full month's worth of shoes in the wrong realm without anyone noticing, while the offending bad elf pocketed the money and sold the incantation to other bad elves to use on other similarly connected shoe businesses for fun and profit.

In what I will call 'standard industries', people, resources, inputs/outputs, and the processes in between have, for centuries, been producing products and services with ever more efficient physical world means. Problems were addressed with mainly conventional wisdom and experience was garnered slowly but surely. Information's potential for utility was dictated by its storage, processing, quantity and speed of access. There was time to learn and slowly adapt to changing markets and conditions. Knowledge was passed on and people generally knew what was going on (or at least you could look under the hood and somewhat infer the mechanism and physics of the system). There was no need for knowledge of the other 'realms' or of extra sneaky elven escapades. In fact way back then there were no elves and no magic!

I think society is now approaching the Shoe Event Horizon?

Hopefully this goes some way to highlighting the levels of abstraction, complexity and lack of care in use of even the most basic elven magic ... the fact that elven magic is almost ubiquitous in every aspect of modern society and becoming even more so, should be a warning flag of sorts. I am still a little iffy on how my fridge works ... thermodynamics and all that, but I'm damned sure no other realm's dark elven magic will leak in through my freezer box, monitor me and empty my online bank account.

a) Forest from the trees: Micro vs Macro

Where do IT Security managers/analysts/admins really sit in the hierarchy of the business? Are they perceived as generating value or just scaremongering? Do they actually understand the business themselves? How many cowboys are there currently in this business and do these professionals still have an active foot in the 'real' business generation of value? Are the security vendors only interested in selling more kit? Is it worth building robust products and services with longevity that won't necessarily generate repeat business, entail a support contract or restrict usage and try to enforce over zealous licensing requirements?

Are we generating more complexity every second, introducing more nodes and depth of code rather than reducing it and improving the quality? Is this really an increase in efficiency and manageability? How many layers of abstraction and protocols before one gets to the data object?

b) Understanding the business: Bottom lines and risk management?

I agree that the technically orientated need to understand the business more, but the business guys need to understand the technical aspects of the platforms and systems they employ also. Maybe the security guys need to have security relationship managers facing off to other parts of IT and the business, or would this just complicate matters? Must each security dude/manager be a CSO and CTO in their own right? Are we asking too much or too little?

How can one employ risk management techniques without first understanding the flows and business processes, rather than just the distinct packets and security posture of systems in isolation. How does one map a business that is changing at such a fast pace 'under the hood' as it relates to operating systems, custom code, new rollouts, decomissioning etc. How up-to-date and intergal is your DNS, logging, NTP, routing, host database and asset management? How integrated and aware are your change management and operational monitoring systems? How much confidence do you have in all this information and the dudes, dudettes or elves performing the changes? And is this all required across the board from SME's and up?

c) Culture and generational: Youth vs. Age and wisdom of both?

Who wants the equivalent of a spotty youth or young buck trying to convey a different paradigm of the world to a well established businessperson who has made their mark and 'understands' the business fully? Many questions abound here ... how long has one been in their role, are they keeping up-to-date, do they actually care, is it all too much and how often is 'the changing of the guard' occurring in the higher echelons of a business?

d) Communication and quantification: Describing and conveying risk?

You can't manage what you can't measure. What metrics are available or employed to convey meaning and progress? How do you value your data, systems, IP flows and business systems other than the physical asset values? How do you translate these abstract concepts and systems to other business decision makers? Are analogies a poor substitute for direct real evidence? So at the end of the day, what you are going to communicate precedes the how.

“Some day, on the corporate balance sheet, there will be an entry which reads, 'Information'; for in most cases, the information is more valuable than the hardware which processes it.”
Grace Murray Hopper

Metrics, metrics, metrics ... what, how, where and when to measure? How do you enumerate the risks? Some progress is being made, but we are at a very early stage. Definitions are still somewhat wishy washy, frameworks are like standards... 'the beauty is that there are so many to choose from'.

When IT products and commercial code are more regulated and built with greater tolerances we'll all be in a better place.... see here!

e) Rate of Change and Future Shock: Telescoping, new paradigms and new physics?

A while back on the Security Metrics mailing list I started a debate on the new world physics employed when dealing with Information Security/Protection. Dan Geer had a great paper on the issue of time and the geographic, physical and technical issues faced in cyberspace versus the physical world. I highly recommend it.

Executives, managers and all aspects of business (including elves) are experiencing 'Future Shock'; which is basically a 'culture shock' in our own society and time, where the rate of change constantly removes our terms of reference and leaves us alienated. Are you still trying to ride the wave of information overload and how do you hope to address it? Or are you starved of the quality of data you require to make effective and critical judgements for your life, liberty and the pursuit of business/happiness?

Do we really need more elves and magic right now?

4 comments:

Anonymous said...

Mate, write a book in the style of Orwell's "Animal Farm" - it could be a best seller. :-)

Rock Ape

Wade M | The Middle Way said...

Interesting watching Kevin Kelly talking about technology is growing into complexity, the same as biology, both are moving to more complex structures, and here we are in security/IT continually trying to bring it back to pure simplicity.

Argh?

George said...

Your point is well taken. We don't need more elven magic, we need more well behaved elves and a society that values them properly.

It has always been the case that too much was expected of the latest magic. When computers came along originally they were expected to replace everything, including human discretion and decision making, while at the same time there was no understanding of the extent they needed to be fed (data input) and maintained (degunged etc.).

We haven't really got beyond that stage yet, for the most part. We still think of IT as a replacement rather than an enhancement to life and business. That is why we neglect the underlying systems (personal, social and business) and assume IT will take care of it all. Imagine an IT professional who is given a job of "automating" an existing system and who has the wit to question the effectiveness, and suitability for automation, of the system itself - he would be seen as grossly impertinent, to say the least. It has happened and people have spent millions on automating inefficient systems which are pickled with discretionary inputs. They then spent more millions patching the result until the whole thing finally breaks down and they have to start from scratch anyway, leaving a trail of disillusioned and disaffected staff, IT professionals and managers not to mention the customers who should have been the point of the exercise in the first place.

Anyway, that is all just to say I empathise with your post. It all needs saying and reflection upon.

Metrics are important insofar as we should not be afraid to measure things and take decisions based on evidence. Nevertheless we have to remember that metrics are a tool. Yes, measure where you can or want to. Don't make the mistake of thinking you have, or can, measure everything. And remember, behaviour will be tailored to deliver only measured outputs - this is a sort of biofeedback into the system which can very easily close it. You don't want that. You need to keep it open.

Just like Microsoft, life is a permanent BETA so we just have to keep hacking at it without losing our serenity. Microsoft reminds me of a good motto: Jesus was God's patch. Now that's a concept to conjure with.

You use the analogy of the elves. The story has a few loose ends. I hope the couple had reached a happy retirement before they sent the elves on their way. Many businesses collapse when the IT professional departs with his black box = no technology transfer.

A final observation on cobblers. I have a great-grandfather who was a shoemaker and lived in the following numbered houses (to my present knowledge): 1, 2, 10, 19, 43, 44, 45, 46, 48, 118, 121. He avoided the magic 42, but, if you add the numbers, divide by the magic seven, subtract the resulting digits from one another and multiply the result by the magic seven, what do you get. There is no escaping it. It is definitely the answer. Look no further.

Nora said...

"He avoided the magic 42, but, if you add the numbers, divide by the magic seven, subtract the resulting digits from one another and multiply the result by the magic seven, what do you get."

George, you've been drinking - again.