First Post: Defending Bureaucracy, Metrics, and Process Monkeys

The brilliant and prolific Michal Zalewski suffers from a mild bout of Werther fever, arguing against bureaucracy and for anarchy:

Many frameworks also promise to advance one’s adaptability and agility, but that outcome is very seldom true. These two attributes depend entirely on having bright, inquisitive security engineers thriving in a healthy corporate culture. A dysfunctional organization, or a security team with no technical insight, will find false comfort in a checklist and a set of indicators[…] A healthy team is no better off: they risk being lulled into complacency by linking their apparent performance to the result of a recurring numerical measurement.

I share his pain. But we are all under the heel of the law of large numbers, which crushes our youth and fills our inboxes with endless meeting requests. I’m a big believer in processes, checklists, and yes, metrics.

For large organizations, checklists, process monkeys, metrics — all of it — are crucial to the security of your firm. They are the only defense you have against important things slipping through the cracks. HBGary would certainly have wished that it had kept its servers patched, that it had rules against sending passwords by email, and so on. It is a poster child for the necessity of the most basic security checklist.

Now you can argue that they were dumb — just hire a bunch of smart people who never forget to do anything important and who are always on top of what’s going on. The people making commercial jets don’t need checklists or processes either — they shouldn’t have to fill out all those forms — just make sure that all the employees doing critical tasks are really smart.

But that doesn’t scale, which is why everyone keeps saying that security is a process. They are only saying it because it’s true. A process may not always work, but it is the only thing that can possibly work. Security that emerges from the anarchy of a group of exceptionally talented people is accidental security. Accidental security is a bit like accidental safety: there is no such thing. Security is fundamentally an ex-ante state; it cannot be a fortuitous outcome.

When used properly, bureaucratic processes are attempts to mine the inner mental model of a top team and push it out as checklists, processes, and metrics (checks that the checklists are checked), so that it scales once the law of large numbers kicks in and most employees are just average. You need the bureaucracy, the process monkeys, executing the processes designed and monitored by the (small) group of top talent. If a firm is large enough, the same law that says the average employee is just average also guarantees that you have a core of smart people somewhere in the organization. That is the group that should determine the process.

They are the ones who adapt and who understand the threats, and your bureaucracy should let them impose their gut sense on everyone else with an iron fist: compiling it down to bytecode in the form of simple tasks that anyone can do, then hiring other people to measure how many of those tasks were actually completed and whether signatures of the attacks the process was meant to thwart show up in the expected places. Then go back and tweak the process again.
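As an added illustration of the metrics loop described above (checks that the checklists are checked), and not code from the original post: a small Python script that takes the ticks a checklist executor recorded and joins them against evidence gathered independently of those ticks, an inventory patch date and a scan of mail excerpts for pasted passwords, which are the two failures the post attributes to HBGary. It reports the claimed completion rate, the verified rate, and the ticks the evidence contradicts. The hosts, dates, mail lines, task names and the 30-day patch threshold are all constructed assumptions for the example.

```python
"""Added example: a checklist metric that does not trust the checkbox.

A tick is what the process executor recorded. Evidence is what an
independent check observed. The metric counts a task as done only when
the evidence agrees, and lists every tick the evidence contradicts.
All data and thresholds here are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy thresholds (not from the post).
MAX_PATCH_AGE = timedelta(days=30)
PASSWORD_IN_MAIL = re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+",
                              re.IGNORECASE)


@dataclass(frozen=True)
class Tick:
    host: str
    task: str    # assumed task names: "patched", "no_password_in_mail"
    done: bool   # what the checklist executor ticked


def evidence_patched(last_patch: date, audit_date: date) -> bool:
    """Independent check: inventory patch date is within the policy window."""
    return audit_date - last_patch <= MAX_PATCH_AGE


def evidence_no_password_in_mail(mail_excerpts) -> bool:
    """Independent check: no 'password: ...' style string in sampled mail."""
    return not any(PASSWORD_IN_MAIL.search(line) for line in mail_excerpts)


def checklist_metrics(ticks, evidence):
    """evidence: {(host, task): bool}, produced without looking at the ticks."""
    claimed = sum(1 for t in ticks if t.done)
    verified = sum(1 for t in ticks if evidence[(t.host, t.task)])
    # The "check that the checklist is checked": ticked done, evidence says no.
    false_ticks = sorted((t.host, t.task) for t in ticks
                         if t.done and not evidence[(t.host, t.task)])
    return {
        "claimed_rate": claimed / len(ticks),
        "verified_rate": verified / len(ticks),
        "false_ticks": false_ticks,
    }


# Constructed sample data for one audit cycle.
AUDIT_DATE = date(2011, 2, 1)
SAMPLE_TICKS = [
    Tick("web01", "patched", True),
    Tick("support01", "patched", True),       # ticked, but see patch date below
    Tick("web01", "no_password_in_mail", True),
    Tick("support01", "no_password_in_mail", False),
]
SAMPLE_LAST_PATCH = {"web01": date(2011, 1, 25),
                     "support01": date(2010, 10, 1)}
SAMPLE_MAIL = {
    "web01": ["Reminder: the deploy window is Friday."],
    "support01": ["root password: hunter2, same as the vpn"],
}


def sample_evidence():
    """Build the evidence map from the constructed inventory and mail data."""
    ev = {}
    for host, last_patch in SAMPLE_LAST_PATCH.items():
        ev[(host, "patched")] = evidence_patched(last_patch, AUDIT_DATE)
    for host, lines in SAMPLE_MAIL.items():
        ev[(host, "no_password_in_mail")] = evidence_no_password_in_mail(lines)
    return ev


def sample_metrics():
    return checklist_metrics(SAMPLE_TICKS, sample_evidence())


if __name__ == "__main__":
    m = sample_metrics()
    print(f"claimed {m['claimed_rate']:.0%}, verified {m['verified_rate']:.0%}")
    for host, task in m["false_ticks"]:
        print(f"ticked but not true: {host} / {task}")
```

The point of the design is the separation: the tick and the evidence come from different people and different data, so a metric that reports 75% claimed against 50% verified says something about the process itself, not only about the hosts. The same pattern applies to any checklist item for which an independent observation exists (change-control approvals versus deploy logs, code-review sign-offs versus merge history).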

The cold law applies to all. It forces the top security talent to sit in meetings all day when deep in their gut they *know* that security comes from their own mental agility and not from the dumb process. They remember how much more productive they were when they were younger and breaking protocols, whereas now they are giving a PowerPoint presentation and reviewing quarterly metrics. What happened? The law of large numbers. So to the retro-anarchist I say: grow up. You are the only one who can give that presentation. When you help create the bureaucracy, you are providing security in the only way it can be provided. Look at the security landscape, review the quarterly metrics, and update your checklist. Be creative within, and bureaucratic without. Call in the winged monkeys to disseminate your brainless checklists, knowing that this cold bureaucracy is the only tool you have to protect your firm.


6 comments on “First Post: Defending Bureaucracy, Metrics, and Process Monkeys”

  1. anon says:

    So how do you explain the phenomenon of Apple?

    Apple was all about breaking established processes – inside and outside of the company.

    It also appears that process can kill a once rapidly growing company – see Microsoft.

    So one could say that process is a tool to seek and maximize rents – but it is absolutely lethal if your company has no sources of rent yet: in the startup phase.

    • rsj says:

      The context was security processes — e.g. patching software, updates, change controls, running regular dynamic and static tests, code reviews, etc.

      With regards to Apple, I have never worked there, but some friends are employees. My understanding is that they are a process heavy company at least as far as the engineering team is concerned. Which is not to say that they do not innovate. Apple is really amazing, and I have great respect for what they’ve managed to accomplish. But I wouldn’t say that they are typical.

      • TC says:

        Innovation and creativity can be enhanced by process and procedure if done correctly. 100% sure of this in my daily life. The addition of processes have allowed me to become more productive and arguably more creative and innovative.

  2. Ragweed says:

    RSJ –

    There is also an application of Stiglitz-style information asymmetries and search involved in this. How do you know who the really smart people are? How do you ensure that the people you are hiring are really the smart ones, as opposed to the ones that just look smart on a resume? And how do you identify the smart people whose brains are aligned with the best interest of the organization (as opposed to smart looters)? You can identify the ones you know once they work for you and fire the ones that turn out to be not-so-smart, but by that point it may be too late.

    At scale, this is a serious problem.


  3. rsj says:


    You are absolutely right, but the question is — what is the alternative? Suppose you need to build an aircraft carrier or a national cable network. You need schedules, checklists, change control, bureaucracy, etc. There is no other way to do it. The issue is the huge economies of scale that allow massively inefficient firms to nevertheless outcompete smaller, nimbler firms. If you assume diminishing marginal “competency” while at the same time increasing marginal revenue, then the best firm size may still well be a bloated, massively incompetent firm that nevertheless delivers a standardized product on a massive scale much more cheaply than the boutique firm filled with incredibly talented people who always make the right choices.

  4. […] First Post: Defending Bureaucracy, Metrics, and Process Monkeys « Windy Katabasis […]
