Effective Communication is the key
Effective communication is a cornerstone of all professional and interpersonal interaction. People who cannot communicate their ideas and intentions effectively will find greater difficulty in achieving tasks and desired results.
In one instance that company staff recently had the benefit of observing, people who were highly effective at communicating and at managing personnel and professional tasks allowed a situation to develop in which a serious incident resulted from a total breakdown in communication. Parallel sets of operating procedures had been allowed to emerge that, while largely aligned with each other, contained critical differences that trapped an unwary team and led to the incident. Beyond the problem of parallel operating procedures, the key underlying fault was a lack of effective communication between the managers who owned the respective operating procedures and groups. That lack cascaded down to the point that the affected team had a very poor idea of the overall management responsibility in the affected area. The team that caused the incident had identified a potential problem and attempted all reasonable measures to resolve the cause of the difference they had identified, only to find that, after they had made a decision based on the information provided to them, a different set of managers overruled the information used to make the decision (the fact that those managers also owned the competing set of operating procedures was not lost on those observing).
The above incident could be written off as merely internal politics amongst workers, but it highlights how poor information flow can lead to serious incidents taking place. It took nothing more than one or two managers failing to disseminate and communicate their decisions (and make effective decisions based on available information) for an incident to take place, even with seemingly appropriate 'checks and balances' in place.
Within Information Security, being able to effectively identify and describe what a problem is, how it came about, and how to mitigate the effects that the problem causes, is a critical skill that is always in short supply. Generally people find that those who can communicate effectively do not have the breadth of experience or knowledge to package the relevant information, and those who do know the relevant information have difficulty in communicating that information in an appropriate format.
This is not a new problem, and it is not a problem faced by Information Security practitioners alone (as the opening paragraphs identified). Within the field of Information Technology the problem had been well identified as early as the mid-seventies, with Frederick Brooks discussing it in his seminal 'The Mythical Man-Month', where he identified the problem faced by 'expert systems' developers. To generate an effective 'expert system', you need not only an expert in the system that is going to be recreated in software, but also an expert who understands how to implement the various components of the original system. Rarer still is one person who can fill both roles effectively.
Unfortunately for most developers and companies, people like that are in short supply, and making do with what they have is where potential security and functionality shortfalls can enter the system. If you are able to identify where your experience or knowledge base is lacking, and can communicate that fact effectively, then you can begin to identify potential problem areas.
6 December 2007