A Consultant's View
Prairie Trail Software, Inc., Jan 2007
Given enough time, energy, and motivation, any computer system can be compromised; people can be remarkably creative. For example, most of us don’t worry about our windows (no, not the operating system, the glass things on buildings), but the US Embassy in Moscow had some computer systems compromised by spies shining a laser through the windows of a room to detect which keys were being pressed on a keyboard.
The best way to deal with security is to design it in from the beginning. Jerry Saltzer, professor emeritus at the Massachusetts Institute of Technology, says that "the real question is…" not what security needs to be in the system but "...how to keep users from doing stupid things."
Computer systems today are very much like a legendary sports car. People who have owned one talk in depth about the joy of driving, and how well the design fit their ideal of an automobile; however, they can also talk for hours about how it would fail and not be able to be put back together. The design work went into the driving experience, not the ownership experience.
Contrast that idea with some GM designs. GM offered more and more combinations of features, making the manufacturing process more and more complicated and thus more likely to fail. Instead of selling the ride, recent commercials mentioned how one model of GM car came in more options than there are people in the country. Their marketing people think that by offering more options, people are more likely to buy their product, never realizing that more options mean more opportunities for manufacturing mistakes.
When we design a computer system to have every sales wish-list item, the system is likely to be fragile and difficult to repair. When we put in more and more options, there are more ways to make mistakes. When we design a system where people can easily comprehend what to do next, they are less likely to do something stupid or leave tasks undone. Thus, there are many systems still being built on simple operating systems like MS-DOS that do only a few things.
Security experts talk about using “containment of failure” as a part of the process. That means figuring out the effects of a failure ahead of time, and making sure that if that security failure happens, damage is limited. For example, if the core of a nuclear power plant should melt, the containment building protects the rest of us. In a database environment, if someone should get at the data, make sure that the data does not make sense by itself. Credit card and bank information can be stored in different places, making it more difficult to use any compromised data.
The other major idea is defense in depth. Thus, at home, we lock our doors, and hide jewelry boxes. With data, we use firewalls, passwords, and encryption. By layering, we make it more and more difficult to get to the valuable information.
Security is not an add-on if we want to keep people out of our data. Well over 100 million people have already had their information stolen and the rate of theft is not slowing down. Each of us who has a computer on the internet has to plan to keep information secure.
(Parts of this article taken from Linux.com special reports).
For many years, consultants have known that the people who best know how to fix a broken organization are people already inside the organization. 100 years ago, efficiency expert Frank Gilbreth would walk into a factory and ask to see the "laziest" person in the plant. He studied that person to see the best ways of doing the job. The "lazy" worker would have already figured out a lot of the things that would take the efficiency expert weeks to figure out through scientific measurement.
Consultants try to do the same thing today. In almost every case, the person who knows how to improve a situation is not a manager with line responsibility. But most companies do not have a way of listening to these people. Suggestion boxes have been tried; focus groups have been tried; and the current fad is to use the "wisdom of crowds".
Places like HP Labs, Yahoo Research, Microsoft, and other companies are trying to use the "wisdom of crowds" to break through the problems that management has with new ideas.
This "wisdom of crowds" is based on the Delphi prediction method. In this method, a number of people are asked for their estimates of something. In many cases, averaging those estimates provides a close estimate of the reality. In the "wisdom of crowds" technique, people are asked to provide their predictions and the rest of the group rates those predictions.
The key difference between this method and a standard department/company brainstorming meeting is that everything is done anonymously. Traditional meetings work to keep the company in line, and new ideas are neither easily expressed nor heard. By using a technology that offers anonymity, ideas can be evaluated without prejudice about who offered them. Thus, the usual company way of not listening to people out of management’s favor doesn’t work.
Most companies are good collections of fine people. The problem that management has is the lack of time to listen to everyone, especially when fires are burning that need to be put out. The "wisdom of crowds" can offer a way to improve how companies listen to their employees.
If you would like to have such a system implemented in your company, give us a call and we can help you.
Dave Randolph,
President, Prairie Trail Software