Too Much Deference to Blind Compliance
Andy Ellis
Author, Hall of Fame CSO, Director, Leadership Advisor | YL Ventures Operating Partner | Duha CEO | Orca Security Advisory CISO |
Just following some rule is often going to end up with you doing more harm than good, as vexatious actors subvert your intent. This newsletter originally appeared on the Duha One substack.
Leadership Moment: Choice isn’t Frozen
There are times when an organization wants to demonstrate bold leadership on as issue, as the Paris Olympic Committee did when it decided to use geothermal cooling systems instead of more effective air conditioners. Unfortunately for the POC, they didn’t anticipate the entirely predictable consequence: that many countries would bring their own air conditioning. I suspect that the net effect will be worse than if the POC had provided air conditioning for all athletes; instead, we’ll have a larger carbon footprint (shipping A/C, economies of scale, and the cost of the now-unused cooling system), while also disadvantaging countries that can’t afford to bring in A/C.
The failure is one common in leaders driving change. Having observed a system (no one brings their own A/C when the host country provides it), changes are proposed, and no one asks how participants might also change their behaviors. Compliance is assumed, rather than asking how reasonable actors might adapt to the new system.
Recommended by LinkedIn
One Minute Pro Tip: Threat Model Malicious Compliance
Malicious compliance, if you’ve never run into it, is when someone complies with the letter of a rule, but in a way that violates the spirit of the rule. My personal favorite is people who shred their mail, and stuff it in the pre-paid return letter envelopes that often are part of junk mail. It’s technically okay, and it’s intentionally raising the cost on the other party.
Before rolling out a policy change, it’s worth identifying how someone affected could maliciously comply: in what way can their action, while technically in compliance, entirely subvert our goals. Identifying those methods might give us insight into how our change might be suboptimal, and will certainly give us ways to identify how to notice when our change isn’t universally popular.
Appearances
Recent
June 25, 1330 IL: Cyberweek Tel Aviv Main Plenary: The Immeasurable Challenges of Risk Measurement
June 25: CISO Series Podcast: How About This? Only Attack the Endpoints We Configured
Upcoming
July 2, IL: Cyber over Breakfast: Nine Truths Your Buyer Needs
July 16, NYC: CISO Dinner with Valence and AIM Security
Aug 5-8: (tentative) Black Hat
September 24: HOU.SEC.CON