Relativistic Control Theory
by Erik T. Heidt | September 19, 2013
A few weeks ago I had the pleasure of attending a roundtable of IT Risk Managers. Most of the participants were folks involved in day-to-day risk and governance in financial institutions. During one of the presentations there was an exchange between one of the speakers and myself that has helped me understand that “Relativistic Control Theory” isn’t well understood – something that has been a theme for me over the past few months.
During a presentation about risk assessment, the speaker wanted to establish as an assumption that there are always controls present – an assumption I take issue with. The exchange went something like this:
Speaker: “In my earlier career – as an auditor – I never encountered an environment without controls.”
Erik: Raised hand! “Oh, I am sure you did.”
Speaker: “No, there were always some controls present.”
Erik: “I think what you mean is that there was always something on the checklist that was present, but controls are relative to specific risks or threats. A locked door may protect against theft, but has no value in protecting a computer system from a logical attack over a network.”
Speaker: “But the locked door is a control!”
Erik: “But it has no impact on protecting the system from network based threats. If the system were attached to the internet, the locked door has no impact on protecting it from being exploited by a network based attacker. Furthermore, the locked door has no bearing on a number of other risks, such as the stability or availability of the system.”
At this point, it occurred to me that continuing this line of dialog was going to be (more) disruptive and I dropped it. The conversation continued to disturb me, because I knew I had heard the platitude “There are always controls present” used time and again before – and that this was a symptom of a larger problem. That problem is a lack of understanding that controls are designed to address risks – there is an essential relationship between a particular control and a particular risk. Furthermore, there is a hypothesis that the presence of a particular control reduces the risk (through a preventative, detective or corrective mechanism).
My colleague Ben Tomhave touched on this in his recent blog posting “Understanding “Why” Aids Policy Conformance“. There he discussed how linking policy statements with the “why” has a profound impact on effecting awareness, acceptance and compliance. The point I want to make here is that for every control there is also a “why”, and it is critical to understand it in order to make appropriate decisions about control effectiveness, as well as the design of controls and compensating controls.
I think that this challenge may stem from the culture of many of the large firms concerned with audit as a primary business. The dominant model for such firms is to hire large numbers of freshly minted auditors to perform fieldwork. In the “up or out” performance management culture of these organizations, many of these individuals never progress to the point of designing the audit processes; they only apply the fieldwork processes designed by others. This is the origin of the dreaded “audit checklist”.
To compound the issue, many regulatory or commercial compliance programs are very checklist heavy. Examiners are often testing for the presence of a control without understanding under what circumstances the control is meaningful or the limits of its effectiveness. The use of encryption as a Silver Bullet is a great example of this. Often the presence of encryption is sufficient to reduce the scope of, or address large portions of, an examination without the examiner or auditor ever understanding which risks or threat vectors are and (more importantly) are not addressed.
Discussions of these relationships, between controls and the risks or threats they do and do not affect, are common on client calls, and at some point I coined the phrase “Relativistic Control Theory” or “Theory of Relativity of Controls” – only to provide people with an anchor to the concept.
So, the thing I wish I had been articulate enough to close that exchange with is: “Determining if controls are present, or if they are appropriate, must always begin with an understanding of the control objective. That is, begin with the risks and threats and then evaluate effectiveness. This is the only way you can find out if meaningful controls are present.”