By Chris Blask
In the wake of Siemens', Cisco's and Sony's recent experience with Incident Management, the question of diligence comes clearly to the fore.

Diligence is the nebulous factor that is key in demonstrating that others should put their trust in you, whether it is a matter of investing in your company or measuring your compliance or just deciding if it is safe to get in your car with you late on a Saturday night.

We all make judgments on the diligence of others every day in myriad ways. It could easily be argued that displaying due diligence is the most fundamental foundation of human interaction.

The moment we walk into a grocery store our nose will tell us whether the owners have been diligent in cleaning under the freezers and behind the shelves. We will or will not return to that establishment based as much on our impression of the care taken by the proprietors as on the quality or price of the commodities offered for sale.

So, what diligence is due when a security problem with the products or services you have provided to the world rears its ugly head? How much is too little? Is it possible to display too much?

Let's take those in reverse order. Can you be too diligent?

Surprisingly perhaps, the answer is "Yes". Many great ideas and wonderful products never serve any purpose in the real world because the people behind them spend too much energy trying to forecast everything that could possibly go wrong and addressing each possible point in advance.

In 1990 I was working at GE Power Generation in Greenville, SC. On the day that the first 9000F turbine was undergoing the most critical part of final assembly - lowering the 150-ton rotor into the lower half of the casing - the piece stuck just before making it safely onto its bearings.

A small group consisting of the lead architect, engineer, operator and a few others gathered and discussed the problem for a few minutes. Apparently having reached a consensus, the lead operator - a strapping gentleman of Paul Bunyan proportions - approached the offending assemblage and proceeded to beat the living tar out of the rotor with a massive wooden sledgehammer that Wile E. Coyote could have found in an oversized Acme crate.

Satisfied, he signaled the crane operators and the rotor nestled successfully in its berth. Vacuum welding due to the tight tolerances was the culprit; a little harmonic vibration was enough to break the bond.

My boss - the incomparable Walt Wren - and I discussed this afterwards. He explained that our competitor in Japan would have dealt with this entirely differently: sending everyone home, convening an executive meeting the next day, and setting off a chain of events that would see the entire design and manufacturing process reviewed and dismantled until the fatal error was identified.

We beat our Japanese competitor for the first 9000F deal and sold $1B of gear to Tokyo Electric Power Company. Today the 9000F is the de facto standard in fuel turbines for power stations.

Similarly, Siemens or Sony or Cisco taking apart their entire infrastructures at a cost that would put them out of business would likely be taking diligence to an extreme that negates its purpose.

How much diligence is too little?

As has been infamously said about pornography: "I know it when I see it."

Over the decades I have taken no little pleasure in tweaking my peers by saying that, in security, Comfort Levels are more important than actual security.

Expanding on that, I will note that your customers will not be able to achieve their desired comfort level if your product or solution is not actually secure, but that it is also possible to create wonderfully secure products while simultaneously failing to make anyone comfortable enough to actually use them.

There are lots of good products and services and solutions created and offered to the market. Quite often the "best" of them are not the ones that become widely adopted, to the endless consternation of experts in the field.

For those who are willing to look beyond the technical aspects of their area of expertise to the broader economic and sociological implications of their work, displaying the appropriate amount of diligence to allow other people to adopt the fruits of their labor is at least as important as building the better mousetrap.

History is littered with the carcasses of great ideas that have expired on the bench due to a lack of commitment to the demonstration of diligence to those outside the lab.

In the three examples on the table, it seems that Sony is trying hard to make up for diligence lapses in the past, Cisco only begrudgingly decided to display a dab of diligence, and Siemens seems to imply that all this diligence stuff is highly overrated.

All other factors aside, linear logic would indicate that each will experience success in their endeavors in direct relation to the diligence they are displaying, if they each follow their current apparent paths.

Where popular consensus continues to view the diligence of a vendor as too little, commercial success may well steal away silently like a thief in the night.

So, finally: What diligence is due when your products or services are shown to have security flaws that place your customers at risk?

Look to sociology for your answer, not technology. Ask your pastor or father or favorite English teacher. Find the person who makes you the most uncomfortable when you try to dazzle them with brilliance, and ask them what diligence means.

These people will recognize your diligence when you display it, and will just as quickly burn through your balderdash by the looks on their faces alone.

I have real sympathy with each of the companies mentioned. But I have been in their shoes - quite literally in my time running the Cisco PIX team - and my response was:

"This is not your problem, it is ours. It isn't even 'ours', it is mine, personally. I will not rest and I will not prevaricate and I will not lie to you or hide from my responsibility until that debt of trust you put in me is honored. The reason you can trust us, despite this real flaw found in our products, is that when we say we care about what we do we mean it to the very pits of our souls."

Behind all the technology and corporations and globe-spanning markets and networks there are individual human beings. The actions and intent of those individuals shine through the layers between them and the rest of us like arc lights through Kleenex. There is no replacement for intent.

What many who live too far removed from their customers forget is that their brand and their power are based entirely on the ongoing personal relationship they have established with the individuals who choose to adopt their wares.

The diligence that is the dues paid to maintain those relationships does not come from bank balances or market share. It comes from each of the people behind the thin veneer of brick and plastic that faces their corporate campuses.

Those who choose to seek Due Diligence within themselves will find it.
Cross posted from infosecisland.com