The relationship between information security and corporate ethics…
…with, perhaps, some lessons for most everything else.
I went to the launch of my old dean Colin Mayer’s new book Firm Commitment a few days ago. I’ve just dipped into the book briefly but the associated lecture (and this article) got me thinking.
The brief version of the lecture says, in essence, “The corporation and limited liability is overall a good thing, and has many benefits for us as a whole – both in innovation and in creating productive goods and services efficiently, but we’re doing it wrong. We need to balance the needs of shareholders with employees, customers, the communities in which companies operate, and other stakeholders. There’s a ten point list of how to do it right.”
So, so far so good.
Then I started thinking about how the corporation relates to information security. Me, I’m a die-hard Schneier-ist. Bruce Schneier wrote the book and the algorithms and papers, then realised that security is actually a human problem.
Regulation and cryptography
There are a lot of arguments that regulations stifle innovation and investment. Whether or not this is true, however, Mayer makes an excellent and interesting point: when we regulate heavily, businesses move to invest in other, less-regulated areas. Case in point: the financial crisis. If business lending is difficult, then investors will move to more and more complex derivatives, hedge funds, etc.
On the cryptography side, we keep making faster and faster computers which can, eventually, crack passwords. The fundamental security of that cryptography, however, doesn’t matter at all when your password is “password”. Now, of course, there’s OpenID, but I don’t want to give up all my Twitter/Facebook/Google/whatever data.
The problem is one of user behaviour. Regulation (and cryptography) have their place, but how can we get humans behaving better?
PEBKAC and morality
There’s a joke in IT support ticketing systems – you used to not be able to put in “user error”, because managers & CEOs didn’t like it, so along with the other acronyms came PEBKAC: “Problem Exists Between Keyboard and Chair”. Same thing, different words.
Just as there’s no substitute for having good passwords, not writing them on post-its under keyboards, not using your ATM PIN as your network password (something a CFO of mine once did, until a password audit and a quiet word), there’s also no substitute for having – and using – morality.
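To make the point from the two paragraphs above concrete (a strong algorithm does not rescue a password that is “password”, and a password audit is what catches a reused ATM PIN), here is a small audit script. It is an added example, not code from the original post; the common-password list, the salt and the 40-bit threshold are constructed for illustration, and a real audit would use a large breached-password list.

```python
import hashlib
import math
import string

# Constructed sample list; a real audit would load a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Assumed KDF settings for the stored hashes (PBKDF2-HMAC-SHA256).
KDF_ITERATIONS = 100_000


def hash_password(password, salt, iterations=KDF_ITERATIONS):
    """Derive a stored hash the way a reasonable system would: salted, slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def is_pin_like(password):
    """Digits only, 4 to 6 long: looks like an ATM PIN reused as a network password."""
    return password.isdigit() and 4 <= len(password) <= 6


def keyspace_bits(password):
    """Upper bound on brute-force work in bits: length * log2(alphabet size),
    assuming the attacker knows which character classes were used."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    ]
    alphabet = sum(size for chars, size in classes if any(c in chars for c in password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def audit_password(password, min_bits=40):
    """Return the list of policy findings for a cleartext password (empty = passes)."""
    findings = []
    if password.lower() in COMMON_PASSWORDS:
        findings.append("in common-password list")
    if is_pin_like(password):
        findings.append("PIN-like (digits only)")
    bits = keyspace_bits(password)
    if bits < min_bits:
        findings.append(f"small keyspace ({bits:.0f} bits)")
    return findings


def dictionary_check(stored_hash, salt, iterations=KDF_ITERATIONS):
    """Auditor's view of a stored hash: the slow KDF buys nothing when the
    password is on a short list, because only a handful of candidates need
    recomputing. Returns the matching candidate, or None."""
    for candidate in sorted(COMMON_PASSWORDS):
        if hash_password(candidate, salt, iterations) == stored_hash:
            return candidate
    return None


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed; real salts are random per user
    stored = hash_password("password", salt)
    print(audit_password("password"))      # flagged twice
    print(audit_password("1234"))          # PIN-like and tiny keyspace
    print(audit_password("correct horse battery staple"))  # passes
    print(dictionary_check(stored, salt))  # recovered despite PBKDF2
```

The point of `dictionary_check` is the one the text makes: the cost of the KDF is paid per candidate, and five candidates cost nothing. The defence is the policy enforced by `audit_password` (and a proper list behind it), not a stronger algorithm.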
Of course, we still do the above. We use post-it notes and everything. And when Barclays pays a massive LIBOR-fixing fine, their share price bounces up. Notably, the same happens (after an initial drop around 15th Jan) with Tesco following the horse meat scandal.
Complexity versus FUD
In Information Security, there’s a term known as FUD. That stands for Fear, Uncertainty, and Doubt. It’s what causes us to take our shoes off in American airports and why we can’t take containers over 100ml on aeroplanes with us. There’s no rational basis for either, or, if the rational basis did exist, they’d take away our pencils, too.
Complexity in financial markets kind of works the same way. The narrative, broadly, goes something like: “We’re too big to fail. We’re too big to jail. No one understands this stuff except us. We’re the captains of industry. So many people will be out of a job if something happens to us.”
Both of these are ridiculous assertions. Security technology should be used to make us more secure, period. TSA full body scanners miss metal. Profiling is immoral, possibly illegal, and doesn’t work. Pat-downs are hard to do properly as well.
Seriously, do we think that it’s that hard to manage finance and big companies well? There are loads of people who do it. You don’t need to pay massive salaries – there’s little correlation between well-managed companies and executive pay, except sometimes a negative correlation.
The cathedral (shareholders) versus the bazaar (stakeholders)
Eric Raymond wrote a seminal paper on the history of software development, and why open source was good. Fundamentally, it was a discussion of using a command-and-control system versus bottom-up development, where users who understand problems deeply solve them.
All shareholders are not equal in a company: often, shareholders exist for days, hours, or even seconds, yet those shareholders are equal in corporate governance to shareholders who stick around for years, leaving their capital tied up in the company. This raises the cost of capital and due diligence to the company, and means the company becomes more short-term oriented, focussing on quarterly numbers rather than focussing on industry lifecycles.
Getting companies closer to the employees, the communities in which they work, their management teams, and doing these things in an open fashion will create more productive labour, more resilient companies, and stronger societies, just in the way that open source software tends to be more secure, have fewer bugs, and has robust interfaces built in.