Introduction
In security we must effect change to be effective, yet we operate in systems that seem engineered to undermine our very purpose within an organisation. How did it come to be this way? And is there anything we can do about it?
There are a lot of us who work in large organisations. Have you ever felt like getting things done can be a nightmarish ordeal? Sometimes it’s like hands from the past are reaching out and suffocating novel ideas, like you are fighting against a fever dream of the organisation’s memory.
Think about a time when you had an idea. Your idea was the solution to a real problem that the business needed resolving, yet it didn’t go anywhere. It might have been scuppered by some obscure bureaucratic mechanism, or maybe there was no clear path for your idea to be approved and it died a death in someone’s inbox. No one had the stones to make the decision; it might have been that there was no one who could make the decision, and the organisation was too rigid to accommodate the novel.
You know that it wasn’t always this way. We assume that a successful company attained its position by being effective and efficient . . . perhaps the revenue was strong enough to mask inefficiencies. As the cost base of operations increases these inefficiencies become more pronounced. The requirements for governance increased over time: more reports, more compliance, more approvals boards.
The company wasn’t born as a hopeless tangle of self-contradiction; it became contorted over time by competing ideas into this ungodly mess.
Structures and processes that were implemented with the best of intentions become the impediments to effecting change. Risk, audit, and compliance become standards that require conformance. Various committees and boards infiltrate the superstructure of an organisation. And none of these point to effective decision makers. Those within these structures will only agree to something that is already written down. A heterodox perspective is a heretical perspective and sits uncomfortably.
Bureaucratic Entropy
Let’s define the problem and confect a new term for it. We can consider an increase in entropy to be an increase in uselessness, or a decrease in usable energy. So we might define Bureaucratic Entropy as follows.
The gradual decline in organisational efficiency caused by excessive complexity in bureaucratic, rigid procedures. It is the accumulation of vestigial administrative processes. The consequence is decreased adaptability to change, decreased accountability, and decreased overall effectiveness.
There is a strong connection to entropy as defined in thermodynamics and also within information theory, but here we are talking about an organisational context. The Second Law of Thermodynamics states that entropy in an isolated system always increases over time. An organisation does not exist as an isolated system but can often function as if it does. This means that although the principle of the Second Law carries over, an organisation does not necessarily have to share the same fate. Claude Shannon made a similar observation in respect of information theory, and the consequence for organisations is that as entropy increases, the ability to make effective decisions becomes impaired through unpredictable decision making. There is also less usable energy within the organisation for productive work because of this inefficiency.
In The Unaccountability Machine, Dan Davies defines an accountability sink and outlines its features: it has to prevent the feedback of the person affected by the decision from affecting the operation of the system. This extends Shannon’s conceptualisation and complements it. If the feedback mechanism is impaired then any self-correction is also impaired. This is related to Bureaucratic Entropy, but Davies describes a different aspect of it.
Bureaucratic Entropy can be considered a form of fragility, extending further from Shannon and Davies. Fragility is discussed by Nassim Taleb. An Antifragile organisation improves when it experiences disruptive events, but this requires effective means of feedback within the system to act upon. Where accountability sinks and broken feedback mechanisms exist, an organisation is exhibiting fragility.
Fragile is not a simple binary opposite of Antifragile and can take many forms. A system can be Fragile yet remain highly structured, failing when faced with unexpected shocks; it can be Robust, meaning durable but unable to improve; or it can be Artificially Stable, meaning over-engineered to conceal hidden fragility, which can also be concealed by significantly higher revenue relative to the cost base. Enron and Lehman Brothers are strong examples of Artificial Stability. Both ended in catastrophic failure. All of these types of system will decay over time as the external factors change. They aren’t isolated systems; they exist within a societal context and need feedback mechanisms to respond to those changes.
Bureaucratic Entropy can manifest in several forms, but in all cases the emergent structures prevent improvement and corrective feedback through the constraints the organisation has imposed upon itself. As entropy increases, outcomes become more unpredictable. Bureaucratic Entropy describes the additional structures put in place within an organisation which then becomes less orderly and more unpredictable.
Let’s look at what specifically contributes to Bureaucratic Entropy.
Vestigial structures
As organisations change and evolve what came before gets left behind. Structures remain in place that no longer serve a purpose and in some cases hinder us. Organisations retain vestigial elements that no one can explain but are venerated to some degree, just enough so that no one dare touch them. Perhaps a reverence towards tradition, a long held perception about how things ought to be. Have you ever heard “this is the way we have always done it”?
Examples of this might include significant overlap or even outright duplication in approvals or governance. It could be defunct processes that have no clear owners, lead nowhere, and contain steps that serve no purpose. All of this creates delays, wastes time and resources, and generates inefficiency.
We consider the evolution of an organisation to be an ongoing process but does it have a natural terminus? Kodak or Blockbuster could be held as examples where their existing business model prevented them from responding to external change. Further iterations were precluded because a change would unpick a necessary component. We see this in the internal mechanisms within an organisation as much as the composition of its product set.
Is it possible for an organisation to evolve to a point where it has painted itself into a corner and its own superstructure becomes too heavy to move forward? This is one of the reasons why accountability sinks, as described by Dan Davies, exist. There is a way out, and the introduction of effective feedback mechanisms is a path to achieve this. Toyota’s lean transformation can be held as an example in this respect.
A security function that provides advisory services is uniquely placed to serve as a feedback mechanism in this respect. If our purpose is to protect the organisation then we need to consider redundant elements of the organisation that are a form of corporate self-harm. “Stay in your lane-ism” is rife in security practice, but if you consider that time and effort are resources worth protecting, then the cause of harm to those resources does fall within the scope of a protective discipline for commentary, advice, and guidance.
Accumulated resistance
A quick note: the inverse of Vestigial Structures is also true. New requirements can be foisted upon an organisation. These might be due to mergers and acquisitions, regulations, legal changes, technology changes, or a whole raft of other reasons.
Where adoption of these changes is rapid they are rarely considered in the context of the existing superstructure, which creates further overheads in addition to creating vestigial structures by stripping existing ones of their purpose. The friction of these accumulated changes can atrophy even the best of intentions over time.
One of the great crimes of technology and security functions is their dedication to myopic scope. Coupled with a lack of creativity and artificial boundaries, what already exists is rarely addressed. It’s a kind of debt that has to be repaid in the future, but with a significant interest payment. But that’s why we have risk management, isn’t it? To kick the can down the road in a formal capacity.
Well meaning nit-wits
Many of the bureaucratic structures imposed on organisations as they mature relate to GRC functions. As an organisation matures it wants to exert greater control over its operations, which is an understandable and reasonable thing to do. It’s just that there is a problem with the tools they are using. Governance is a broader topic if we are looking at it properly, and compliance is generally a check-box exercise unworthy of comment.
But let’s give risk management a kicking down the road, much like it does with the problems we should be addressing right now. Risk management conceptualises the problems the business faces through its own taxonomies, ontologies, and frameworks. It tells the business what it must be concerned about through the lens of received conventional wisdom. NIST, COBIT, ISO, ITIL all tell Risk Management what they must tell the business to prioritise. This is a problem, as these frameworks lack context. The real-world implementation becomes a compliance exercise. They ask: have you implemented this control, or that control? What is the residual risk of not having that control? The question is never asked: what adverse consequence are we trying to prevent, or how much control do we wish to exert to prevent that consequence? Do you see the problem with how risk management operates from within its own paradigm?
Now the slippery among them will probably reach for some impressive mental gymnastics to rationalise and reframe what they do in a sympathetic light, but we are left with the conclusion that there is an unhelpful inversion in roles. Risk management should be the recipient of business concerns and not the specifier.
Risk asserts that it reduces uncertainty within an organisation, but this is objectively untrue if we take the industry reports of annual failure at face value. Risk gives justifications to not resolve problems by leaning on probabilities and optimism bias. With it an industrial complex is created: risk assessment, treatment, management, owners, boards, committees, each with a retarding factor and negative impacts on the ability of an organisation to realise the benefits of change. Its structures abstract and obfuscate problems, which are presented using pseudoscientific framing (borrowing credibility from actually useful functions). Scoring a risk is rarely more scientific than a game of Bruce’s Play Your Cards Right.
There is an irony that a risk function exists to decrease uncertainty, yet its very construct introduces fragility and increases structural uncertainty (risk) within organisations. Through the industrialisation of accountability sinks and decision-making paralysis, risk management is a self-fulfilling suicide note signed by the CRO.
A security function can be of significant benefit to the business if it approaches the situation correctly. If we analyse the business problem in the context of the organisation we can reduce or remove the conditions that lead to undesirable consequences. This is something that can be done right now, and not in 12 months when the risk remediation date is extended again. As the consequences are elicited through an analytical process they originate from the business, so there is a motivation to resolve the problem. It relates to them and not to an abstract spreadsheet of checkboxes.
Peter Principle
Risk management as a practice neatly segues into the Peter Principle, which concerns incompetence. As well as the structural issues introduced by Bureaucratic Entropy, a long-standing organisation will accumulate incompetent people. This is a separate issue but related to Bureaucratic Entropy, as effective decision making and effective feedback mechanisms require competence to execute.
It’s worth noting here, however, that I have discussed this before several times.
Conclusion
There are many reasons why an organisation’s structure changes over time and becomes its own hindrance. I’ve outlined a few of these reasons, but I don’t necessarily think it has to be the inevitable fate for all organisations.
As security practitioners we have unique visibility into the business across technology, business process, regulatory considerations, contractual responsibilities, change, and operations. We can, and should, seek to influence the business in its own interests. We need to find a balance where the business makes its own informed decisions and we are situated to give them both the information and the guidance relative to their context. The information we analyse and hold has utility beyond protection, and we can use that to ensure that the right people are informed in the right way to protect the existence of the business.
Business time and effort are resources worth protecting and optimising. Of course, this is hard for those wedded to asset-based security to accept. Stay in your lane-ism often touts the mantra of enablement, taking a holistic approach, embedding security, shifting left, security is everybody’s responsibility, or spouting off about multi-disciplinary this or that . . . but when the going gets tough it’s “not me guv.”
The talk in the security industry is hollow. If the purpose of something is what it does then security as a practice has become a shovelware industry, pumping out the same tools and services ad infinitum (or ad nauseam, I can’t decide).
Maybe we embrace the insight we have to elevate those who can improve the situation.
Maybe we do what we can so they have security in executing those improvements.
Maybe we change the way we interact with the business to optimise how they perform and how they think about the adverse consequences that truly concern them.
Or maybe we stay in our lane and perform another phishing campaign, commission another pen test, check some stuff off a list, wax lyrical about AI and Quantum, and take our place in the bureaucratic structure awaiting the slow heat death of our cognitive faculties like every other dumb cunt on the internet telling the world about their latest revelation about the difference between a VM and a container.
Fuck . . . I need to find a new job . . .