Life in a Zero Defects World
Posted November 27th, 2007 by rybolov

Let’s introduce people to a manufacturing concept: that of zero defects and the zero-defects mentality.
See, life in the army during peacetime (and rarely during wartime) sometimes means that you are always “inspection-ready”. In some of the units I’ve seen, they were big on inspections. They would have a formal barracks inspection every week and informal inspections daily. If this seems a little obsessive, then you are right.
So what happens in units like this? Well, people start working around the system: they live out of their cars! If you’re going to do that, why don’t you skip the barracks altogether and just issue people cars to live in? Well, because obviously then the management would expect to inspect the cars for orderliness.
Of course, what does this have to do with security? Well, in most companies and the government in particular, you’re trying to project a zero-defects image to your customers. That’s the way the business and marketing side works. Marketing and security don’t mix precisely for this reason: one is trying to project an image of perfection, the other needs understanding of flaws and risks in order to make informed decisions. I won’t even go into security vendors, but you should be able to extrapolate now what I feel about some of them.
But in security, we’re not doing ourselves any favors by presenting a zero-defect facade to the rest of the world. Sometimes you need disclosure if you want to change the world. That’s why Adam Shostack is so gung-ho on breach disclosure, and I think disclosure is working to the extent that the public gradually is getting over the stigma attached to a breach at least enough to differentiate the “typical breach” from the “holy sh*t that’s an obscene breach!”
Looking at FISMA report cards in particular, it’s turned somewhat into a “management via public disgrace” activity. Not bad in some cases, but then again, it’s not exactly the kind of information you put out there when you’re expecting positive change–you’re encouraging everybody to show a zero defects face out of self-preservation.
Adam has a phenomenal idea that he presents in his breach research: using the public health model for IT security. We have to be able to track breaches back to the root cause in order to prevent further breaches. If I take my network and connect it to your network, I have a right to know what vulnerabilities you have. Carrying this public health model maybe a bit too far, I’m now sleeping with all the people you’ve slept with, and if you come down with an STD, I have a right/need to know.
The good news is that this is where the Government is headed: disclosure with business partners. I’m not sure how it will all work out in the end and if even culturally the Government can make it work, but it has potential to be a good thing.
Posted in Army, FISMA, Rants, What Doesn't Work | 4 Comments »
November 28th, 2007 at 1:11 am
I’ve seen cases like this as well in software development where we have internal gates and defect rates and we measure to those without ever accounting for efficiency. I’ve seen development teams doing a whole separate round of QA testing prior to releasing to QA, because they were incented for fewer defects, not for the efficiency of achieving it.
You get what you measure. When you incent people incorrectly, you get the wrong behavior.
November 28th, 2007 at 8:59 am
Hi Andy
That last line is a good quote for all the psychology and organizational behavior people out there: “You get what you measure. When you incent people incorrectly, you get the wrong behavior.”
May 14th, 2008 at 10:46 am
[…] we need to change the culture of the people doing it. IT and specifically security require a zero-defects approach, and this is counter to survivability in a political environment. The only way we can do that is […]
July 7th, 2010 at 10:13 am
[…] want to keep my job and help my {company|agency|group} stay out of trouble by showing my zero-defects face and by demonstrating my due-diligence in protecting what has been given to me. While the assessor […]