Thursday, July 3, 2008

Avoiding Techno-Psychology

In a highly popular international thriller novel, the villain kills a brilliant physicist and pokes his eye out, then uses the dead physicist’s eye to activate the retinal scanner and open the large steel door to his top-secret lab. Why secure the door with a retinal scanner when a simple secret code would have been much more secure? They had it right in the James Bond movie Casino Royale, where a hundred million dollars was protected by a password, which they could not get from Bond, despite beating our favorite brave spy hero while he was chained to a chair. Yet biometric technology is widely deployed for security, when in reality it’s more for convenience or the perception of security. Biometrics are only more secure if they also require a password (most systems will accept a password as a backup if the biometric scanner doesn’t work). It doesn’t take an advanced degree in theoretical physics to figure this out, yet most of us don’t see this because we are infected by Techno-Psychology.

The problems that prevent us from achieving excellence and integrity in our technology-driven world are those which we all have intuitively known and understood since we were children. The problem is not a lack of knowledge or skill in technology, for this can be learned by one with intelligence, determination, and resources. It is that our intuition is often overwhelmed by a strong current of Techno-Psychology in the river of our business life.

In the business of securing information and products, we have a myriad of powerful security technologies available to achieve our objectives. These technologies are very complex, and understood by few. But what is much more complex than these technologies is understanding how to apply them in practice, and the most complicated aspect of that lies at the most senior management levels.

Failure to achieve management excellence in security has led to security failures that have cost billions of dollars, and in some cases lives. For example, the failure of DVD and electronic voting machine security was caused by the sloppy deployment of secure technologies. There was no analysis of failure at the whole system level; the focus was on deployment of the technology – much like putting a steel front door and lock on your house while leaving the keys under the doormat or while you still have a sliding glass door in the back. This is clearly not caused by lack of technical skills; these are management problems caused by the way risk is analyzed, communicated, and managed. The cost of failures in security goes on – companies losing over half their revenue from clones and hacks, medical equipment (e.g. defibrillators) being reprogrammed over wireless connections, credit card numbers being skimmed from fake readers, newly issued electronic passports being compromised, tracking of food and drugs, not to mention 911.

Excellence and integrity stop where caring and accountability stop. This is true with baking a cake and is equally true in deploying security. The most important issues in security, in descending order of importance, are understanding the placement of liability, the true objectives of the organization, the impact on the overall system/business processes, and the way success is measured. Understanding the technology is the easiest part of this business, by far.

Traditional management practices can be an impediment to excellence and integrity. For example:

  • The pressure to show quick results and measure success based on money spent or technology deployed
  • The lack of transparency in complex issues
  • The lack of understanding of key drivers for success and how success is defined
  • The lack of resources applied to planning and understanding the impact of solutions on people and processes before deployment begins

... all while the villains are determined to find a solution to their problem.

It is understandable why we are dominated by Techno-Psychology in a global, complex world. Our society has been driven by growth for millennia, caveat emptor. However, we are reaching a crossroads, where our collective DNA, which has been growth-focused, may drive us into a wall.

Excellence and integrity in security start with excellence and integrity in management. This is true in security and is equally true elsewhere. It is especially important in domains that are complex, critical, require significant resources, are hard to measure success in, and are long-term focused – domains such as Environmental technologies and programs (e.g. Ethanol), Charitable Donations, Safety, and Education. The management skills, or rather culture, required for excellence are similar across these diverse domains.