The Dumbass Industrial Complex
A discussion of the short and long-term effects of the Peter Principle in relation to security leadership and corporate governance.
Introduction
In my comparatively short time in Security and overextended tenure in IT and Change, I have encountered some weapons-grade fuckwits. People so dense that I hold genuine concern that they will collapse into a singularity and my phone will start to orbit around them. I have encountered many massive holes from which the light cannot escape.
I can’t imagine they were always this way, and suspect they have been promoted above their ability. Yes, I have been told that I am cynical, but these suspicions of fuckwittery are well founded. I find it difficult to suffer fools gladly; however, they are bloody everywhere! At times I feel it’s easier to name the people who aren’t marked with the indelible stain of stupidity. Restraint has always been my failure, coupled with an inability to marshal my ego, but that’s a whole other discussion.
Laurence Peter discusses the concept of incompetence in his book The Peter Principle. The principle can be summarised as follows: people within a hierarchy tend to rise to their level of incompetence. The Peter Principle is predicated on the concept of hierarchies, and this is important. We are different through biological necessity; difference creates comparison and indirectly drives aspiration, and this all contributes to the inevitability of hierarchical structures.
When viewed through a Machiavellian lens we determine that a security leader is among the nobility within the organisational hierarchy. But where Machiavelli and Peter differ is of note. One defines hierarchies in terms of power and one in terms of competence. These models are complementary in some sense, and we can even invoke Ryan Holiday to bridge the gap. Ego is the Enemy by Holiday can be seen as the reconciliation of how the Peter Principle can be avoided by self-sabotage. An out-of-control ego will lead one to take that step to their level of incompetence. But Holiday gives us something else: he focuses our attention back on ourselves and our actions and gives us a way to not feel resentment at the ineptitude in others. But it’s hard, so very hard.
Very few hierarchies are exclusively power or competence; they sit somewhere between the two. This means that the definition of competence within an organisation has a relationship to how security practitioners can seek and attain power and influence. A security practitioner’s perceived competence can be relational to how they have established a network within an organisation. Competence is clearly required, and not just in the technical aspects of a security role but in many other areas. The interplay almost makes competence and power synergistic, insofar as power itself can create a perception of competence as it is defined within the hierarchy. Competence can be the mechanism to attain power, and neither can exist in isolation from the other.
Corporate Governance
We are talking about how organisations are governed. This is about how the strategy of the business will achieve the business goals. It is about how the organisation is . . . organised. It’s the top levels of the organisation who are ultimately accountable or responsible (or not, as is too often the case). Organisational structure is important and needs to be correct. Conway’s Law gives us an example of how organisational structure and lines of communication permeate the systems that support that structure. The very structure of an organisation seems to inform how things are done.
We have the strategy, rules, boundaries, and ‘stuff’ being defined at the most senior levels of the organisation. It is typically measured in a way that supports preconceptions already held by those who would want it measured. This gives them false affirmations that are constrained by their own paradigms. It’s a form of confirmation (and optimism) bias that creates an outward perception of confidence within the structure but is better described in terms of ego. Confidence is what ultimately keeps investment coming in and the company afloat, until it doesn’t. This is the false confidence Holiday warns about. There is a short-term aspect here, and the concept of ego plays a part. The accumulation of resources, talent, and investment will happen in the short term, but the problem with writing bad cheques is that they don’t start bouncing immediately. The Peter Principle asserts that people naturally settle at their level of incompetence, but when ego is added to the mix it masks structural inadequacies that are only tested when something goes wrong. Imagine you are travelling at 100 mph and your brake cable has been cut. It’s only when you need to stop that it’s a problem.
Peter also notes that the incompetent at lower levels of the organisation uphold the senior incompetence. This maintains the hierarchy that supports the basic needs of those at the lower levels to get paid for a job done badly. This would also include upholding competing goals or priorities that maintain the organisational norms. There is no requirement to be consistent, and the incompetent are not likely to understand how the governance structures that are defined can be self-contradictory.
Problems with competence definition
A security practitioner will encounter incompetence in their own teams, adjacent to their teams, within their peer group and in their superiors. A security practitioner needs to understand the hierarchy in which they find themselves and be cognisant not only of the intentions and movements of the people around them, as we would see in a Machiavellian sense, but also of their levels of competence.
Peter outlines that competence is defined from within the hierarchy; it is assessed by the employer and other employees at higher ranks. This is problematic, as determinations of competence will be made by those who have probably reached their own level of incompetence. This is the same problem as how expectations of governance are set. The problem compounds: we have competence criteria measuring the success of those executing imperfect goals and strategy. As Peter would put it, and did put it, ‘incompetence plus incompetence equals incompetence’.
A long-term consequence of competence set from within the hierarchy is that a standard and pattern of working is created that sets the expectation of competence. The behaviours and rituals that get established ultimately subvert purpose. An agile start-up will quickly become bogged down with accrued incompetence. Holiday refers to stagnation, an inability to innovate. This becomes the inevitable fate of incompetence being defined as competence.
There could be an optimistic outlook to this, however. If the leadership or senior management are not at their level of incompetence, then they may identify what incompetence looks like and actively take measures to avoid this scenario by calibrating standards of competence that are not permissive of low-quality performance. A consideration for security leaders would be that they are in a position to define competence for their teams, and influence what competence looks like in the wider organisation as Machiavellian strategies could be employed on weak leaders.
At the extremes we have a structure of corporate governance that has been embedded by generational incompetence. Defined by idiots, upheld by idiots, with new entrants trained into being idiots. An example of this would be the audit function. They arrive to audit a team or function in the business. They find perceived problems. They require that these are addressed in a certain way. They set the expectation and pattern of behaviour, and adherence to this is expected. But they aren’t experts in any sense or in any context other than the process of auditing. Competency in auditing doesn’t translate to competence in the things they assess, yet they are there to determine the competence of someone else.
Competence refugees
I am going to revisit a subject on which, in retrospect, I don’t think I went far enough. Frameworks, I previously argued, are a crutch that is used to cover incompetence. I described those who are shackled to that mast as the Competence Refugees of Information Security. The truth is that it is far worse than that. Frameworks are an overt way to substitute a scapegoat for original thinking. It is a variant of the appeal to authority fallacy, which bypasses critique through the invocation of a higher authority. It’s as common as it is reprehensible.
This is touched on by Peter who describes the professional automatons. In Peter’s conceptualisation the means are more important than the outcome. What is the impact for the business here? Their aspirations become the thing that feeds the process. Measurement of adherence becomes their measure for competence. A more natural term for professional automatons would be . . . jobsworths.
Entry level security isn’t an ‘entry level’ job
Security is complex: there is the technical, the legal, the psychological, the political, the social, the procedural, and everything else in between and beyond. I have seen it many times where the point of entry becomes the point of incompetence for many. This is the tragedy of the first line fuckwit.
Now this presents a problem for security leaders. They should know all too bloody well that our practice, when executed correctly, is one that is predicated on skill, experience, and diligence. There is, or at least should be, a high barrier to entry, and it’s a damning indictment that we can’t even protect our own practice.
The long-term impact of not having robust hiring policies is that you will occupy your entry level roles with people who are inept, who will never be able to move onwards. The incompetent become, well, not gatekeepers but the lorry that has broken down in the entrance to the car park. This means that new blood into the system becomes hard to realise as the security structures within an organisation stagnate.
In the short term, to make these people effective, a security leader might be tempted to apply some highly structured ways of working, perhaps processes predicated on a seemingly authoritative framework. But this would be a mistake; it would codify mediocrity.
Profile incompetence
Peter defines four areas of incompetence.
Physical
Social
Emotional
Mental
These areas of incompetence can give some insight as to why someone who is competent in one role becomes incompetent in another. Incompetence relates to job role responsibilities; it is contextual and relates to the required areas of competence. Peter describes how people reach their level of incompetence, but notes they inevitably have come from a place of competence. This is in part due to how a promotional job role may require more aspects of social and emotional competence rather than mental acuity.
It’s reasonable that incompetence would be identified early into tenure by an observant security leader. The short-term impact of incompetence is likely to be localised within a team or function. As Peter points out, those who have reached their level of incompetence will seek to blame others for their shortcomings which can cause friction. They will also become a resource drain reducing the effectiveness of other team members who need to work hard to support their incompetence.
There is something to be done here for a security leader. Perhaps a re-profile of the responsibilities or redeployment within the team functions to maximise competence. There are a number of ways this can be achieved. It would be reasonable that a capable security leader would want to build resilience into the team. Security teams are typically small, and it would be expected that a security leader will ensure that the functions, capabilities, and responsibilities the team undertakes will be fulfilled if a person is on leave or while a vacant position is waiting to be filled. You get my point. With the right framing and the breadth of Security as a practice, it is possible to manoeuvre people within teams from a place of incompetence to competence whilst seeming to promote a culture of development or cross skilling or whatever corporate bullshit takes your fancy.
Security leaders and practitioners have an ideal opportunity afforded to few disciplines: the lateral arabesque towards an alternate hierarchy. They have the skill set to excel in other areas of security or even within other disciplines (assuming they have a level of competence). Those that can, do; those that can’t . . . I’m sure could audit.
Long term
What happens to an organisation over a protracted timeline? Well, people will tend to reach their level of incompetence and reside in the same role as they won’t be further promoted. Essentially it would be the accumulation of dead wood, or perhaps ‘competence debt’ (you heard that phrase here first!). Ultimately this leads to a reduction in agility, a reduction in creativity, and the formalisation of mediocrity within the organisation. How many times have you heard that changing anything is like changing direction in an oil tanker? This can be taken as an indicator of endemic incompetence.
The needs of the business still need to be met though. And where there are incompetent people occupying roles within the organisation, additional roles need to be created to meet the need. Incompetence fundamentally impacts a business’s profitability, either by things being done badly, or by the emergence of inefficient structures that tie a proverbial noose of red tape around the organisation’s neck.
Conclusion
Incompetence is like a plague. Dealing with this may become more difficult within a legacy organisation due to how much incompetence it will have accumulated. Security Leaders will likely encounter this in more mature and highly regulated organisations.
This is a problem that will always manifest itself due to the hierarchical nature of our social structures combined with aspiration. It is a consequence of the human condition and the dumbass industrial complex is a by-product of that.
There will always be incompetence, and the level of competence can change over time as conditions change. The situation certainly isn’t alleviated by industry bodies and prominent voices regurgitating the same incorrect information decade after decade. A useful heuristic might be to consider any self-described ‘thought leader’ as having reached their level of incompetence.
A novel approach might consider how self-regulating and learning systems can be implemented in such a way as to reduce the fragility within security teams, although this is a subject in its own right and one I have previously discussed in an article, Security Fragility. By approaching incompetence as a product of fragility, we might find that the prognosis is not so bleak as to be irrecoverable.
The interplay of so many considerations for Security leaders makes it a challenge for them not to reach their own level of incompetence. Security leaders need to become exemplars of sorts: correcting the wrong in a restrained and magnanimous way, keeping themselves measured, focusing on execution, and executing with excellence.