First Post: Defending Bureaucracy, Metrics, and Process Monkeys

The brilliant and prolific Michal Zalewsky suffers from a mild bout of werther-fever, arguing against bureaucracy and for anarchy:

Many frameworks also promise to advance one’s adaptability and agility, but that outcome is very seldom true. These two attributes depend entirely on having bright, inquisitive security engineers thriving in a healthy corporate culture. A dysfunctional organization, or a security team with no technical insight, will find false comfort in a checklist and a set of indicators[…] A healthy team is no better off: they risk being lulled into complacency by linking their apparent performance to the result of a recurring numerical measurement.

I share his pain. But we are all under the heels of the law of large numbers, crushing our youth and filling our inbox with endless meeting requests. I’m a big believer in processes, checklists, and yes, metrics.

For large organizations checklists, process monkeys, metrics — all of it — is crucial to the security of your firm. It is the only defense you have against important things slipping through the cracks. HBGary would certainly have wished that they kept their servers patched, that they had rules about sending passwords via email, etc. They are a poster child for the necessity of the most basic of security checklists.

Now you can argue that they were dumb — just hire a bunch of smart people who never forget to do anything important and who are always on top of what’s going on. The people making commercial jets don’t need checklists or processes either — they shouldn’t have to fill out all those forms — just make sure that all the employees doing critical tasks are really smart.

But that doesn’t scale, which is why everyone keeps saying that security is a process. They are only saying it because it’s true. A process may not always work, but it is the only thing that can possibly work. Security from the anarchy of a group of exceptionally talented people is accidental security. Accidental security is a bit like accidental safety. There is no such thing. Security is fundamentally an ex-ante state, it cannot be a fortuitous outcome.

When used properly, the bureaucratic processes are attempts to mine the inner mental model of a top team and push out checklists, processes, and metrics (checks that the checklists are checked) in an attempt to scale when the law of large numbers kicks in and most employees are just average. You need the bureaucracy/process monkeys who are executing the processes designed and monitored by the (small) group of top talent. If a firm is large enough, then the same law that says the average employee is just average will also guarantee that you do have a core of smart people somewhere in your organization. That’s the group that should determine the process. They are the ones who adapt, who understand threats, and your bureaucracy should enable them to impose their gut sense on everyone else like an iron fist, spitting out bytecode in the form of simple tasks that everyone can do, and then hiring some other people to measure how many of those tasks were actually completed and whether signatures of the attacks that were expected to be thwarted appear in the expected ways. Then go back and tweak the process again.

The cold law applies to all. It forces the top security talent to sit around all day in meetings when deep in their gut they *know* that security comes from their own mental agility and not from the dumb process.  They remember how much more productive they were when they were younger and breaking protocols, whereas now they’re giving a powerpoint presentation, and reviewing quarterly metrics. What happened? The law of large numbers. So to the retro-anarchist, I say grow up. You are the only one who can give that presentation. When you help create the bureaucracy, then you are providing security in the only way that it can be provided. Look at the security landscape, review the quarterly metrics and update your checklist. Be creative within, and bureaucratic without. Call in the winged monkeys to disseminate your brainless checklists, knowing that this cold bureaucracy is the only tool you have to protect your firm.