“There is no such thing as 100% inspection.”
According to Dr. Jim Stewart of Northern Illinois University in DeKalb, IL, “While working on my dissertation, I was reviewing some trade magazines from the 50’s. There were a number of case studies showing 50-75% efficiency and a breakage rate (visual inspections of wire wraps with pics) of 10-15%. Giving an effectiveness of 40-65%.”
The problem is, many IT departments do not understand this concept and are deluding themselves into a false sense of security that they are in control.
When you are manufacturing widgets, your goal is zero defects. From the start of the industrial revolution until relatively recently, it was a firmly held belief that you could hire inspectors to look at every single part coming off the final assembly line and determine whether or not it sufficiently conformed to the requirements, whatever those may be. This was a great plan except for one minor detail: it doesn’t work very well. As it turns out, there are not enough hours in the day, not enough test equipment available, and not enough technical skill to inspect every single widget and catch every single defective part. Some will always slip through. Many companies may have discovered this fact, but they typically adopted the “close enough” strategy.
Over time, manufacturers discovered much more reliable methods for producing widgets of superior quality. They understood that the best way to avoid shipping defective widgets was to prevent defects from happening in the first place, not simply to scrap the defective part when it was found at final inspection. How did they do this? There were two main components of the strategy.
It can be mathematically demonstrated that taking a “statistically relevant” sampling of parts from an assembly line and measuring critical control parameters to ensure that the process is “in control” can result in far better overall quality than 100% inspection. It also has two additional benefits. First, because you are only inspecting a sampling of the overall production stream, it requires fewer resources and costs less. Second, this sampling can be performed at each step in the production process, which can catch problems earlier on and reduce scrap losses.
The challenges here are in a) determining statistical relevance and b) identifying critical control parameters. The equivalents in the world of IT security are not necessarily apparent, but the principles are still relevant in some areas such as intrusion detection and Internet usage.
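One way to apply the “in control” idea above to intrusion detection, as an added example that is not part of the original article: a count-type control chart (c-chart) over daily failed-login counts. The metric, the sample counts and the function names are constructed for illustration, and the eight-point run rule is one common convention.

```python
import math

def c_chart_limits(baseline):
    """Center line and 3-sigma limits for a count-type (c) control chart."""
    center = sum(baseline) / len(baseline)
    sigma = math.sqrt(center)  # Poisson assumption: variance equals the mean
    return max(0.0, center - 3 * sigma), center, center + 3 * sigma

def out_of_control(counts, limits, run_length=8):
    """Return the indexes of points that signal an out-of-control process.

    Rule 1: a single point outside the 3-sigma limits (a spike or a drop).
    Rule 2: run_length consecutive points on the same side of the center
            line (a sustained shift that never crosses a limit).
    """
    lcl, center, ucl = limits
    flagged = set()
    run_side, run = 0, 0
    for i, c in enumerate(counts):
        if c > ucl or c < lcl:
            flagged.add(i)
        side = (c > center) - (c < center)  # +1 above, -1 below, 0 on the line
        if side != 0 and side == run_side:
            run += 1
        else:
            run_side, run = side, (1 if side else 0)
        if run >= run_length:
            flagged.add(i)
    return sorted(flagged)

# Constructed sample data: failed logins per day on one hypothetical server.
BASELINE = [12, 9, 11, 14, 10, 8, 13, 12, 11, 10, 9, 13, 12, 10]  # known-quiet period
OBSERVED = [11, 13, 9, 31, 12, 14, 13, 15, 14, 13, 16, 14, 13]    # period under review

if __name__ == "__main__":
    limits = c_chart_limits(BASELINE)
    print("LCL=%.2f center=%.2f UCL=%.2f" % limits)
    for day in out_of_control(OBSERVED, limits):
        print("day %d: %d failed logins, investigate" % (day, OBSERVED[day]))
```

The spike on day 3 is what a fixed threshold would also catch; the run starting after it is a small upward shift in which every individual day looks normal, which is the kind of drift the control-chart approach is meant to surface.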
The factor that makes the most significant difference and is also the most directly applicable to IT security is training. In most Japanese manufacturing facilities, assemblers are responsible for the maintenance of the machines they use. There are two reasons for this. The first is to establish a sense of ownership of the process. Operators who are responsible for repairing their own machines will generally treat them with greater care and respect. The second reason is to give the operator a much deeper understanding of the process and an innate ability to sense when something is not quite right. This approach obviously involves a significant amount of training. However, in the long run it saves money by significantly reducing defects and producing more efficient workers.
The equivalent in the IT world is to train and empower users to be the mechanics for their own production tools: their computers. This does not mean turning them all into PC technicians. It does, however, mean training them in the computer’s proper use and preventative maintenance and making them responsible for ensuring that their tool is in good working order. By giving them a sense of ownership, you incent them to treat the machine (computer) with more care and respect. By training them in its proper use and maintenance, you empower them to use the computer as a tool and become true innovators, not simply trained chimps tapping the same series of keys in their cages.
When you treat people like adults and professionals, you are bound to be disappointed from time to time. However, it has been my experience that the numbers of humans who will exceed expectations far outweigh those who fall short. Far too many IT departments view it as no coincidence that “user” is a four-letter word. That’s unfortunate because when you stop viewing users as an inconvenience and start viewing them as an asset, wonderful things can happen.
There is no such thing as 100% inspection, just like there is no such thing as an impenetrable firewall, an unhackable password policy, an infallible virus protection program, or a memory stick that can’t be lost. Each and every IT security tactic comes at a price in terms of both cash outlay and diminished efficiency. Furthermore, the most common tactic employed by deliberate hackers is social engineering. There are still no hardware or software solutions to that vulnerability.
Incidentally, I have never seen an IT department measure, much less justify, the cost and impact of many security measures in reduced worker productivity. But much more dangerous than that, too many companies have sold themselves on the lie that 100% inspection is “good enough.”