Obstacles For Information Security & Risk Management


Some final cursory thoughts on Deming today, although if it’s ok with you I’ll reserve the right to blog about him again as I study the man more.  I’m excited about today’s topic, as what he says here was one of the things that attracted me to Deming in the first place.

    In addition to his 14 points and 7 deadly diseases, he has 4 “Lesser Category of Obstacles” that organizations must overcome if they are going to reach a decent solution to the problems they face. However, whereas Deming wrote these for individual businesses, I think of them in the context of our general industry.  My comments are generalizations, to be sure, but I think these characterizations are not without merit.

    In no small way, we do collectively operate as an ad-hoc organization.  We’re not unionized or otherwise federated, but there is a certain brotherhood even among the disparate personality types in our industry (despite how snarkily we deal with each other at times).  If we can allow ourselves to think with a federal vision for the industry - acknowledging that the answers we seek are neither simple nor apparent - then I believe the Lesser Category of Obstacles can serve as guidelines from which to operate as we move forward.

    DEMING’S LESSER CATEGORY OF OBSTACLES:

    1. Neglecting long-range planning.

    Despite the best efforts of many very smart people in our industry (read or listen to Ranum on the future of the industry), this is an issue that those with the power and ability to shape the direction and future of InfoSec (i.e. standards bodies and governments) seem to need to address.  The balance between prescriptive ISMS and flexible governance is a grey area that needs more separation of hue: more direct study of how and why Governance, Risk and Compliance can and should work together to protect not just consumer data, but the interests of the data owners.

    2. Relying on technology to solve problems.

    I don’t think I need to write a ton about this one.  If you’re confused and think that technology will solve your InfoSec issues - I’ll refer you to Richard Bejtlich on the subject.

    3. Seeking examples to follow rather than developing solutions.

    Too many professionals seem to suggest we take the lazy way out.  “Just give me a prescriptive ISMS and allow me to transfer my risk to the checklist.  Whatever you do, don’t make me think about the best way to secure my data because the uncertainty involved makes my stomach all knot up.”

    Let me offer that this mode of thinking is not only an offense against Deming proverb #3 here, it’s also a sin against #1, 2, and 4.

    4. Excuses, such as “Our problems are different.”

    *ding*ding*ding*ding*ding*

    We *have* to get over ourselves.  I would offer that we must humbly view ourselves as just another area of operational risk, without pretense for our perceived intelligence.  They say a little knowledge can be a dangerous thing.  I would offer that just because we’ve lost our innocence concerning the level of sophistication needed to utterly destroy a corporate body using “cyber-warfare” doesn’t mean we’ve got any claim to intellectual superiority concerning risk and the decisions our organizations make (despite our recommendations to the contrary).

    Once we realize that, fundamentally, we’re not as unique as we think we are - we can stop pretending we’re an island and start looking to what other disciplines do and learn from them.
