soccer goal security, risk analysis, and more from an auditor

I hesitate to post this link which I gleaned from Anton Chuvakin’s blog, because it has a lot of hard sentences to read and rambles a bit, but it has enough stuff to be a bit thought-provoking. Anton Aylward’s post deals with soccer goal security, but touches on a ton of things involving security.

In his marvelous 1992 novel “Snow Crash”, Neal Stephenson describes a franchising system and makes reference to the “three ring manual”. This manual is the set of operating procedures for the franchise, who does what and how, down to the smallest detail. I mention this in contrast to, for example, some of the businesses that failed after 9/11. These businesses did not have any ‘plant’ – desks, computers, software, even data – that could not be replaced. They failed because their real assets were not documented – the business processes existed solely “in the heads” of the people carrying them out.

The real assets of a company are not the COTS components. This is a mistake that technical people make. The ex-IBM consultant, Gerry Weinberg, the guy who came up with the term “egoless programming”, also pointed out that people with strong technical backgrounds can convert any task into a technical task, thus avoiding work they don’t want to do. Once upon a time I excelled in the technical side of things, but I found that limited my ability to influence change with management.

Interesting stuff. Anton A. is an auditor, and as such has a unique perspective on the industry. It is easy (maddeningly easy) to point out the flaws in other people or businesses or processes, and no one does it better than auditors. Kinda like IT journalists who can spout off best practices and “told ya so’s” but don’t know anything about IT beyond their home office 10-in-1 fax printer. Ok, that’s unfair for the auditors, as they do have more usefulness and knowledge, in my books. 🙂