A Death in the Desert

The often-repeated cliché “The devil you know and the devil you don’t know” is used to justify taking no action in the face of something new: keeping something you understand and forgoing something that carries more uncertainty.  The question of staying put or changing is a problem all CEOs and executives contend with.  In my youth a much older and wealthier businessman told me that when you are an innovator and you are first to the well, you get a long drink.  And he was right; he just left out the part that most innovators die in the desert before they reach the well.  On my second death in the desert (with apologies to Robert Browning) I realized that successful enterprises walk quickly over the corpses of innovators and hang around the well having a good drink and speaking admiringly of the recently deceased, whose agonizing path made it all possible.  So the market collectively is always smarter than any one individual innovator, and all the guesses of all the participants will eventually show the way (if one exists) and others will copy.

Returning to our original problem of which devil – which we can show more concretely with an enterprise risk management example such as whether to upgrade the enterprise software or stay on the current version – what is one to do?  The answer comes down to access to capital and level of pain.  This may not be so obvious if you have spent your entire career in a large enterprise and take capital for granted.  Innovation fails so often that if you can afford to wait, then do so.  Some will say “innovate or die”, but that truth has no time preference, nor does it specify the degree of innovation needed to survive.   In most cases it is years longer than the salesman says, and good enough is sufficient if the customer is happy.  How long did it take for the Internet bubble to burst under the weight of bad models?  How long was General Motors able to ignore its customers?  It is always longer than you think.   Those vendor discounts will lower your perceived risk, not your actual risk.  The insider clamoring loudest to be first may only want a bullet on his resume or to see his name in the case study.  The small company with little capital must be more aggressive and, as the statistics show, will fail at a higher rate, from which we can all learn.

But if, appealing thence, he cower, avouch
He is mere man, and in humility
Neither may know God nor mistake himself;
I point to the immediate consequence
And say, by such confession straight he falls
Into man’s place, a thing nor God nor beast,
Made to know that he can know and not more:
Lower than God who knows all and can all,
Higher than beasts which know and can so far
As each beast’s limit, perfect to an end,
Nor conscious that they know, nor craving more;
While man knows partly but conceives beside,
Creeps ever on from fancies to the fact,
And in this striving, this converting air
Into a solid he may grasp and use,
Finds progress, man’s distinctive mark alone,
Not God’s, and not the beasts’: God is, they are,
Man partly is and wholly hopes to be.

Excerpted from A Death in the Desert

by Robert Browning

The Discipline of Disciplines

Every one of us today is attempting to move from a less desirable state toward a more desirable one.  We are goal-directed; whether those goals are ignoble or not matters little.  The farmer and the criminal alike seek something more desirable.  This is true of individual behaviour and of corporate action.  Along this path we face scarcity of resources and absolute limits on our time.  Eventually we die.  Because of the foregoing, we make daily trade-offs in the actions we take and don’t take, and we approach our goals systematically.  The fool and the wise both have a process.

So when a business fails to address any number of risks, is it behaving irrationally?  Anyone with in-depth knowledge of a field is tuned into its risks.  The Bundesnachrichtendienst knows more about the threat of terrorism to Berlin than I do.  The top security researchers know just how vulnerable our systems are to a directed attack by a highly skilled person. Many security researchers carp endlessly that people “don’t get it”, that they are victims waiting to happen.  As a generalization this is true, but I believe the behaviour is not irrational.  The corporate result may appear irrational, but the individual activity is not.  Most people assess a risk by its locality and its recent occurrence; for example, if you discovered that several of your neighbors had been mugged, you would grow more cautious. There have been enough viruses and exploits that most people have some degree of caution now.  Inside corporations we have policies, practices, frameworks and protocols to address the threats, but there will always be residual risk.

When I found outstandingly bad practices inside a company, it used to be because of ignorance.  This is not a slur; they didn’t know or understand.  In the last five years it has increasingly been due to limited resources.  I believe this is progress.  The goal of security has always been to build reliable and dependable systems in the face of misadventure, malice, and error.   I would add a secondary goal: to accomplish a better result over time at a lower cost*.

You cannot address all risks, so you have to divide them into those that can be measured statistically, with probabilities assigned, and those whose statistical profile is not known, for example a terrorist attack or an earthquake.  For those with known probabilities and losses the approaches are well established. For those that occur infrequently with catastrophic consequences, the best we can do now is build resilient systems and set aside financial reserves.  Time and experience aid us in addressing risk; we will never be fully protected; the purist and idealist in any field is a cynic in training; the discipline of disciplines is balance.

*This must be done even in the face of ossified regulatory burdens.

Thoughts on SAP Risk Management 3.0

“In the economy an act, a habit, an institution, a law, gives birth not only to an effect, but to a series of effects.  Of these effects, the first one only is immediate; it manifests itself simultaneously with its cause; it is seen.  The others unfold in succession; they are not seen; it is well for us if they are foreseen.”

— Frédéric Bastiat

Bastiat was rumbling through my mind as I watched the SAP webinar GRC Partner Knowledge Session, “Process Control and Risk Management Enablement Session for Partners”. When it was over I had to look up the quote from his essay That Which is Seen and That Which is Unseen.  As the presenter showed the risk management process, Risk Planning –> Risk Identification –> Risk Analysis –> Risk Response –> Risk Monitoring, and how the software allows you to execute it, what is seen are all the risk management controls available in the software: compliance with regulatory requirements, supply interruptions, all the obvious routine problems that happen with some regularity.  We can even model that risk with Monte Carlo simulation using four very limited distributions: discrete, continuous, lognormal and normal.   What is unseen is the cascade of events already under way because of decisions made years ago.  The limits of our knowledge stare us in the face, but knowing this is to be prepared.  We live most at risk when we take comfort in going through the process, with misapplied statistical measures of uncertainty and Monte Carlo simulation using distributions better suited to modeling roulette than real business.  What is your exposure to rare events whose variance is not known?  We can imagine innumerable disasters, but how much money will be spent to survive the rare unexpected event when the quarterly earnings report is just around the corner?  SAP BusinessObjects Risk Management 3.0 is fine software, but not in the hands of the dilettante and the intellectually lazy.
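To make the point about distributions concrete, here is an added illustration (not SAP's code and not part of the original post). It simulates one period of losses three times with the same expected loss of 100 units: a normal fit and a lognormal fit, two of the shapes the tool offers, and, going beyond the text, a Pareto fit whose tail index is below 2, so its variance does not exist; this stands in for the rare event whose variance is not known. All parameters, the seed and the trial count are constructed for the example. The 99.9% loss quantile (value at risk) and the mean of the worst 0.1% of trials (expected shortfall) show how much exposure the thin-tailed fits hide.

```python
"""Monte Carlo loss simulation: thin tails versus fat tails.

Added illustration; not SAP's code. Every distribution is given the same
expected loss so the tails can be compared directly. Parameters are
constructed for the example.
"""
import math
import random

EXPECTED_LOSS = 100.0   # mean loss per period, identical for all three fits
NORMAL_SD = 30.0        # standard deviation used for the normal and lognormal fits
PARETO_ALPHA = 1.5      # tail index; alpha <= 2 means the variance is infinite
N_TRIALS = 100_000
SEED = 12345            # fixed so the run is repeatable


def lognormal_params(mean, sd):
    """Return (mu, sigma) of the lognormal with the given mean and sd."""
    sigma2 = math.log(1.0 + (sd / mean) ** 2)
    mu = math.log(mean) - sigma2 / 2.0
    return mu, math.sqrt(sigma2)


def pareto_scale(mean, alpha):
    """Minimum value x_m such that Pareto(alpha, x_m) has the given mean."""
    return mean * (alpha - 1.0) / alpha


def simulate(kind, n=N_TRIALS, seed=SEED):
    """Draw n losses from one of the three fits; returned sorted ascending."""
    rng = random.Random(seed)
    if kind == "normal":
        draws = (rng.gauss(EXPECTED_LOSS, NORMAL_SD) for _ in range(n))
    elif kind == "lognormal":
        mu, sigma = lognormal_params(EXPECTED_LOSS, NORMAL_SD)
        draws = (rng.lognormvariate(mu, sigma) for _ in range(n))
    elif kind == "pareto":
        xm = pareto_scale(EXPECTED_LOSS, PARETO_ALPHA)
        # random.paretovariate samples with x_m = 1, so rescale to our x_m.
        draws = (xm * rng.paretovariate(PARETO_ALPHA) for _ in range(n))
    else:
        raise ValueError(f"unknown distribution: {kind}")
    return sorted(draws)


def value_at_risk(sorted_losses, q):
    """Empirical q-quantile: the loss exceeded in a (1 - q) share of trials."""
    idx = min(len(sorted_losses) - 1, int(round(q * len(sorted_losses))))
    return sorted_losses[idx]


def expected_shortfall(sorted_losses, q):
    """Mean loss over the worst (1 - q) share of trials."""
    tail = sorted_losses[int(round(q * len(sorted_losses))):]
    return sum(tail) / len(tail)


def pareto_var_analytic(q, mean=EXPECTED_LOSS, alpha=PARETO_ALPHA):
    """Closed-form Pareto quantile, to check the simulation against."""
    return pareto_scale(mean, alpha) * (1.0 - q) ** (-1.0 / alpha)


def tail_report(q=0.999):
    """Mean, VaR and expected shortfall at level q for each distribution."""
    report = {}
    for kind in ("normal", "lognormal", "pareto"):
        losses = simulate(kind)
        report[kind] = {
            "mean": sum(losses) / len(losses),
            "var": value_at_risk(losses, q),
            "es": expected_shortfall(losses, q),
        }
    return report


if __name__ == "__main__":
    for kind, r in tail_report().items():
        print(f"{kind:10s} mean={r['mean']:8.1f}  "
              f"VaR99.9={r['var']:9.1f}  ES99.9={r['es']:9.1f}")
    print(f"pareto analytic VaR99.9 = {pareto_var_analytic(0.999):.1f}")
```

All three fits report a mean near 100, which is the only figure a quarterly review usually looks at. The normal fit puts the one-in-a-thousand loss near 193 and the lognormal near 237, while the Pareto fit puts it at about 3,333 with an expected shortfall several times larger still, and that shortfall keeps drifting upward as more trials are run because the variance never converges. A model that only offers the first two shapes will report a reserve that is an order of magnitude too small for a business whose losses actually look like the third.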

Directions Ahead!

Before starting this blog I asked myself the fundamental question: How can I add any value to the huge amount of information that is already out there on the net? Will I just write about subjects everyone else has written about, with just a slightly different spin? In the last 14 years I have spent a significant amount of time on the net searching for information and was amazed by the amount and quality of information even in my fields of expertise: mostly SAP security, internal controls and risk management. Everything from research papers on advanced authorization theories and brilliant risk management methodologies down to obscure configuration details about SAP. The amount of information out there is simply amazing; how could I add anything significant to it? After years in the field trying to bridge the gap between the possible and the doable, and accumulating experience in my fields, I observed some obvious gaps in what is usually published. I collected some of these subjects and will talk about them in future posts. Here is a short list of subjects I will write about in the coming months:

  • The skeleton in the closet: The systematic omission of Human Psychology and Organizational Theory aspects from Authorization Management projects
  • Role Mining: The possible, the doable, the understandable
  • The growing gap between security research and what is implemented in companies
  • Information Ownership and other prerequisites for a sensible Enterprise Role Management approach
  • The natural evolution of application security from systems security to architectural security
  • Musings on Segregation of Duties: How to explain NP completeness to your auditors

I will start with these subjects and go on from there, also based on your feedback.  I will also try to report on the everyday challenges of security and risk management consultants from the trenches: the required skills, the compromises, the successes and the failures.

See you soon.