Fundamentalism and Speed-dieting: IT Compliance Anti-patterns
During the last couple of years I’ve been involved in implementing information security and IT Service Management controls and processes in a supercomputing environment. There’s not much precedent for this type of work in academic High-Performance Computing environments, and thus it’s been a very educational experience.
One of the things I’ve learned is what not to do. Here are a couple of key anti-patterns with nice real-world analogies:
Fundamentalism means strict adherence to any set of basic ideas or principles. While typically associated with religion, some uncanny parallels can be drawn with compliance.
One of the key characteristics of fundamentalism is a literalist interpretation of, and unquestioning adherence to, some sort of scripture or manifesto.
Similarly, it’s very tempting to take specifications from best practice documents, for example the ITIL library, and follow them to the letter in order to be virtuous… sorry, I mean compliant, even in cases where the recommendations may be outdated, illogical or even harmful.
Furthermore, this type of compliance fundamentalism manifests itself in:
- Focus on compliance controls without thinking about how effective they are in practice, how much complexity they add, or how they impact business outcomes
- Fear of the audit (“The Inquisition is coming!”)
- Inability to weigh risks (even small deviations are mortal sins)
These days religious fundamentalism has been largely supplanted by more moderate schools of thought, which typically take a more allegorical approach to scriptures, using them as a basis for core values and adapting the practices to modern society.
In a similar way, the ITSM compliance recommendations and best practices should be read by trying to understand the spirit and intent behind the specifications and how to best meet those in your current context.
This is especially relevant right now due to the move to cloud and software-defined infrastructure: many old best practices which assume static physical infrastructure are quickly becoming obsolete and, at the very least, need some rethinking.
Just focusing on the implementation is not sufficient either: you must also be able to “preach”, or sell the interpretation of how the adapted practices meet the compliance requirements in a smart way, both to different stakeholders within the company and to the auditors.
There’s a whole industry built around people who want to get in shape for the summer at pretty much any cost, regardless of the long-term sustainability of the approach. Looks matter, forget everything else. Typically the “get fit fast” pattern repeats for these people every year, which causes a lot of stress and can be extremely unhealthy.
The struggles of an organisation singularly focused on meeting a compliance standard can exhibit a similar pattern. A lot of shortcuts can be taken to “get compliant fast”, for example:
- Dreaming up extra processes with little thought on how they add complexity to daily work
- Writing a lot of complicated documentation that no one will read (except the auditors, maybe)
- Not taking the time to invest in automating repetitive and/or error-prone tasks
- Not bothering to create a good set of tools and templates for managing the compliance work itself
- Engaging in security theatre
The list goes on and on. A lot of these things will be implemented using the fundamentalist anti-pattern because there is no time to be more creative. Ultimately one ends up with a nice-looking facade for the audit. However, the next round of audits will again require a lot of work to make everything look good.
For weight loss, it is pretty much a given that taking up better lifestyle habits and maintaining them year-round is better than speed-dieting. In order to do this in a sustainable way, the motivation should be more about feeling good and being healthy, not just being fit for the beach season.
In similar fashion, the IT environment should be developed in a sustainable way with a focus on long-term results and quality. Ideally the motivation for the work should not be about “meeting the compliance”. It should be more about developing capabilities that improve the IT environment, with the positive side effect of meeting the compliance requirements.
True compliance maturity should not really be measured by whether an audit is initially passed, but rather by how much pandemonium is caused the next time the audit comes around. In an immature organization, every audit results in a lot of panicky speed-dieting. In a mature one it will be pretty much business as usual.
Here are some pointers which I’ve found useful for avoiding these anti-patterns:
- How To Adapt ITIL: This blog post covers the key points on how to be compliant in a smart way very well. While it mentions ITIL by name, the same principles are applicable to other standards as well.
- FitSM standard: A fairly new, lightweight, ITIL/ISO20k-compatible standard for IT Service Management. A sort of minimum viable ITSM framework which is very non-prescriptive.
- Visible Ops and Visible Ops Security: Excellent guides on how to develop ITSM in a sustainable and smart way.
- Waltzing With Bears: Essential reading on risk management. Helpful in taking a more risk-mitigation-based approach to meeting compliance.