Deming’s Seven Deadly Diseases & How they Infect Information Security

Deming image and quote from Henrik Giæve’s website
As we look at the father of quality management and see if he’s got any relevance to what we’re doing (after all, security could be said to be a key aspect of IT Quality of Service), we come across what Deming calls the Seven Deadly Diseases. These are things that cause business to perform poorly. I’ve been thinking about analogues for us as I’ve read them, and some of my comparisons might be a stretch of interpretation, but I think these are not unimportant for us to meditate on a little.
DEMING’S SEVEN DEADLY DISEASES
1. Lack of constancy of purpose to plan product and service that will have a market and keep the company in business and provide jobs.
There’s a reason this is probably Deming’s #1. Speaking from the angle of priority, it is the most important, no? A “house divided cannot stand” and whatnot, right?
I won’t bore you by writing more than a couple of sentences to serve as a reminder about how IRM should be aligned with the business, serve as an enabler, whatever. There are still challenges (especially in how we talk about our value to the rest of the organization) to be overcome, but they are not the most significant way in which we can interpret what Deming is saying here.
I think that there is a more disturbing way we can meditate on this: I would offer that we need constancy of purpose as an industry. Ours is a big, hairy, complex problem. We’ve only just started to see programs come out of higher education on how to approach the development of an IRM program. But basically, we’re building programs at the whim of vendor sales pitches, regulators and standards bodies far removed from the political and real-world challenges we face, and most disturbingly, without a real understanding of what effects our efforts have aside from some amorphous “well, we haven’t been hacked (too badly) yet” statement.
Does it feel like you’re on a Road to Nowhere? Do you really believe that PCI/FISMA/ISO standards give you the map you need? They all feel wanting to me.
2. Emphasis on short-term profits: short term thinking, fed by fear of unfriendly takeover, and by push from bankers and owners, for dividends.
How about “Emphasis on short-term compliance commitments, fed by fear of unfriendly audit?” Or maybe we have so many issues with multiple changing landscapes (technology, threat innovation, governance and compliance) that we simply can’t think beyond short-term? We don’t have a federal vision so we have to focus on the tactical? You tell me which one you like here in comments…
3. Personal review system, or evaluation of performance, merit rating, annual review, or annual appraisal, by whatever name, for people in management, the effects of which are devastating. Management by fear would be better than management by objective without a method for accomplishment.
Whoo boy. Read that last sentence again. I’m not sure I need to elaborate here, but I’ll ask: do we really have a method for accomplishment? Can we have management by objective beyond compliance? Let me offer that without a mature understanding of risk management, we cannot.
4. Mobility of management: job hopping.
So, um, what’s the turnover like for your department? This is a weird time to ask (esp. for those in the financial services industries), but this is a problem. Not just in our industry, but in the current US market. Does anyone stay at a job for more than a few years? Do we value the catalog of organizational experience our employees gather?
5. Use of visible figures only for management, with little or no consideration of figures that are unknown or unknowable.
What wonderful criticism we can cast upon ourselves. Accounting for uncertainty is critical. Not to belabor the point concerning those who wish to measure only in the concrete comfort of a closed system, but accounting for uncertainty is more intellectually honest than ignoring the unknown because you’re personally not comfortable with the precision of the numbers you have. Put more roughly, to provoke thought rather than to comment on anyone’s inaccuracy: take off the engineering hat and pick up the tools of science. ’nuff said.
6. Excessive medical costs.
The most difficult for me to think about in context of Security Services when authoring this blog post. But in the case of Deming, I believe he was talking about industrial accidents that not only delayed production but caused extra expense. My thoughts on the subject might be:
- Excessive technology costs (buying yet another box). Deming was the first person to offer that technology is not going to be anyone’s saviour.
- Excessive security measures that frustrate business processes. We certainly have the double cost - productivity is hurt, and then on top of that the security measures are operational expenses.
Pick your poison. Like I said, it wasn’t easy for me to draw a direct comparison. It’s not like firewall admins have a tendency to tear their ACL or need Tommy John surgery. Let me know if you have a better comparison.
7. Excessive costs of warranty, fueled by lawyers that work on contingency fees.
Excessive losses in an incident due to excessive fines/judgements from regulatory compliance? Sounds good to me.
IN CONCLUSION
What’s amazing is that Deming’s thoughts really date from pre-Internet computing, yet they are very applicable. That’s because the nature of our problems is that they are business problems caused by technology, not technology problems that cause business. Is there anything new under the sun?
Gunnar Mar 4
“It is not necessary to change. Survival is not mandatory.”
-Deming
James Summers Dec 21
Excess medical cost: I think you really missed the point. Oh, he very well may have been referencing industrial accidents and the associated cost, but I know of at least one major company that will do everything or anything to keep that cost low by playing fast and loose with accident reports… I know of at least one past major accident that should have been logged as a lost-day injury, but because the injured person (he was a carpenter) was returned to work from the hospital (he severely lacerated his leg with a circle saw) and was put on “light duty” making picture frames for senior management offices, it was logged as a minor on-the-job injury.
No, what Deming was referring to was and is the high cost of health insurance. It is one of the highest single recurring costs to a business. These costs are not going down; rather, they keep going up, regardless of program. If you want a real small-scale model, look at Catholic grade schools. The customer base is shrinking, costs for teacher salaries are increasing (no free nuns), but the single highest cost is health benefits. You can cut back on salaries, building repairs, etc., but not insurance. Shrinking base plus increased costs equals going out of business! Deming was ahead of his time in calling for health care reform. Only he just said it was a government issue and he dropped it at that. It was much easier to do a PDCA chart or a histogram than to tackle health insurance… the business killer.