When admitting to an error isn't seen as a failure, improvement easy to achieve:
To improve security, the cybersecurity industry needs to follow the aviation industry's shift from a blame culture to a "just" culture, according to director of the Information Systems Audit and Control Association Serge Christiaans.
Speaking at Singapore's Smart Cybersecurity Summit this week, Christiaans explained that until around 1990, the number of fatal commercial jet accidents was growing alongside a steady increase of commercial flights. But around the turn of the decade, the number of flights continued to rise while the number of fatalities began to drop.
[...] While acknowledging that improved technology, more mature processes and improved leadership all helped to improve aviation safety, the former pilot and field CISO at tech consultancy Sopra Steria said the biggest improvements came from a change to a "just culture" that accepts people will make mistakes and by doing so makes it more likely errors will be reported.
In a just culture, errors are viewed as learning opportunities instead of moral failing, creating transparency and enabling constant improvement.
[...] Christiaans said he is yet to come across a company that had implemented open reporting without punishment in cybersecurity.
He attributed this to the industry working from the top down. The people at the top worked hard to get to leadership roles and become resistant to change. Shifting culture therefore needs to start with new recruits.
[...] Furthermore, not all of the aviation industry has been a beacon of transparent culture. For example, whistleblowers have alleged that culture at Boeing emphasized profit over safety, ultimately leading to engineering decisions that caused the crash of two 737 MAX airplanes.
[...] But Christiaan's analysis may be true at least when it comes to pilots and airlines, especially when culture is changed with small steps.
"So you plant the seeds, some airlines adapt, some don't," said Christiaans. "The ones who adapt, succeed."
(Score: 5, Insightful) by Rosco P. Coltrane on Monday April 17, @10:10AM (6 children)
The IT industry should stop "moving fast and breaking things" and instead focus on properly implemented, tight, standardized QA processes, strict product development reviews, strict code reviews, strict production QC, officially-sanctioned audits and certifications and accountability - including personal jail time - for those found to knowingly bend or break the rules?
Bwahaha! Like that's gonna happen ever. You're talking about an industry that's perfectly comfortable rolling out code that can't even overwrite a file [petapixel.com] correctly to billions of devices, and whose sole answer to that is "Oopsie doo, here's an update maybe".
Not to mention, they have the money to line the pockets of elected official to make sure nobody ever hints are regulating them like that even a little bit.
Otherwise yeah, great idea...
(Score: 4, Insightful) by canopic jug on Monday April 17, @10:32AM (2 children)
No. It's more like the world needs to look at the cause of the problems and stop blaming the victims of m$ products for having used the products as advertised. The end users have done nothing wrong. They've shared floppies^wthumbdrives as they have been marketed they could. They have read e-mails that they were told the program was for reading. They have clicked on links in a program marketed for clicking on links. They have connected desktops and laptops to the net as was marketed as necessary. In short the victims are only using the software as advertised. The problem is that the victim blaming process is being used to hide the fact that none of the m$ products are fit for purpose. This blame-the-victim culture has gone on for decades. And like in aviation it can end, but it means taking on the manufacturer which is much more a major political entity far more than it is a vendor. Yet, simple, existing truth-in-advertising could be used to put an end to all that, should politicians grow the will to enforce those laws.
Money is not free speech. Elections should not be auctions.
(Score: 4, Insightful) by Rosco P. Coltrane on Monday April 17, @11:10AM
I agree with you to a certain extent. But clicking on sketchy links or replying to total strangers who email you sketchy things... Well, the user is squarely at fault here. If you think software should replace common sense and caution and the software manufacturer should be blamed for stupid things naive people do, I have a bridge to sell you.
Having said that, there's one thing that definitely needs to stop: blaming the user for choosing to use this or that product when said product shafts them. As in "Ah! You should have gotten an iPhone. Only morons buy Android phones." That definitely needs to stop. People buy stuff in good faith and within their means, and when the technology fails them, it's definitely not their fault and the manufacturer should be held accountable.
Which, again, will never happen on account of the fact that those companies are now larger than entire countries and pretty much beyond the reach of the law at this point.
(Score: 1, Insightful) by Anonymous Coward on Tuesday April 18, @01:39AM
It's like those people getting scammed and transferring their money. They'd be scammed whatever phone they're using.
(Score: 4, Insightful) by Anonymous Coward on Monday April 17, @10:55AM (1 child)
The IT industry loves to change platforms every 18 months. Obviously stuff will break.
The construction industry doesn't move malls, skyscrapers and factories to new often slightly incompatible foundations every 18 months either.
(Score: 3, Insightful) by Anonymous Coward on Monday April 17, @11:47AM
> The construction industry doesn't move malls, ... to new often slightly incompatible foundations every 18 months either.
This. I want my OS to be like a solid foundation and not change (very often). Maybe the software equivalent of a uniform building code could define this? Same for other frequently used applications, I could care less about fashion statements, I just want tools to get my work done.
(Score: 3, Touché) by Beryllium Sphere (r) on Tuesday April 18, @04:34PM
But is that the right quality bar for Excel or libcurl or a website where "try again later" works fine as a failure mode?
(Score: 4, Insightful) by Anonymous Coward on Monday April 17, @01:21PM (12 children)
Well, sort of a car analogy...
From tfs:
> In a just culture, errors are viewed as learning opportunities instead of moral failing, creating transparency and enabling constant improvement.
The winning teams in NASCAR follow this management style. If someone makes a mistake on these teams, it's studied and the management tries to make changes to solve the problem. For example, maybe that job requires the person to keep too many balls in the air and they need a second or a backup. Or, maybe more training/practice is required, or another team member would be better at that job. With this style of management, it's usually possible to get most of the big egos out of the picture and have everyone pull together for the success of the team as a whole.
On the other hand, I've also worked with teams where every error results in finger pointing and back stabbing--these teams are no fun to work for and usually lose their best people from the toxic workplace. They continue to perform poorly until the bad manager(s) are replaced.
(Score: 5, Interesting) by JoeMerchant on Monday April 17, @03:07PM (1 child)
> usually lose their best people from the toxic workplace
Which contributes to the "death spiral" of poor product quality.
Transparency is always the answer.
However, the most successful code review I ever conducted accomplished many things:
1. we found a 100x speedup in the code by restructuring a 5 deep nested loop into a 4 deep nested loop with an addressed operation in the innermost section
2. while the code review was conducted in an open, blameless, supportive manner - and the "bad code" was actually inherited from outside the team - the team member who did the translation from Matlab to C++, retaining the nesting structure faithfully as implemented in Matlab, was a PhD with a thin-blown-glass ego and acted as though the team had conducted a witch hunt and found him to blame. He then proceeded to demand a 60% pay increase, and when he was informed that no such thing was remotely possible for anyone at the time he tendered his resignation - relieving me of having to decide who to let go within the next few months as we came to a low point in our funding...
3. The PhD from whom the slow Matlab algorithm was inherited had his dreams of a super-computer in the system dashed by this speedup in the algorithm. While his ego more resembled a chromed Sherman tank begging for constant polishing, his subsequent mudslinging tantrums saved me from any agony over the decision to not relocate with his little venture to some armpit of the midwest.
So, while code reviews aren't for everyone, getting those fragile egos off the team is actually a net-win for the overall product quality.
Now, earlier today, I was reminded of a quality auditor who came to our med-device company from aviation and proceeded to brutalize every single design she was permitted to review - applying the highest standards she could find, or sometimes imagine, regardless of whether they came from the (appropriate, applicable) medical device standards, the (inappropriate, not applicable) aviation standards of her previous employer, or the (imaginary, ludicrous) crooked corners of her sadistic mind, the sad reality of "working with" her was: her management wouldn't reign her in without extreme efforts to get his attention (he was busy with his new love-affair interest while his current wife lay in hospital dying of cancer - and his one-over management was actually cackling with glee that the R&D team was bogged down, unable to introduce any new-improved products that might impact sales of the current model which was generating millions per year of bonuses for him...) and, so, like negotiating with terrorists, some R&D engineers found it easier to just do what she asked rather than fight it - even when she was asking for things completely inappropriate for the circumstances, sometimes negatively impacting actual quality but not badly enough to violate any of the applicable standards. That quality auditor actually followed me to a later (larger) employer where she continued to terrorize when she could, but with closer oversight from upper management they eventually promoted her to somewhere she couldn't do as much damage.
Point? The process is executed by humans, with egos, and egos rarely promote overall better product quality, particularly when the goal is something difficult but clear like: transport X humans from A to B as quickly and inexpensively as possible...
Україна досі не є частиною Росії Слава Україні🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
(Score: 1, Insightful) by Anonymous Coward on Monday April 17, @07:50PM
Management always finds jobs that management likes to do, which is very often ego-sating and farming for narcissistic supply at the expense of others. Their discomfort is in fact a large part of the job satisfaction.
“Young people wonder how the adult world can be so boring. The secret is that it is not boring to adults because they have learnt to enjoy simple things like covert malice at one another’s expense.”
— Celia Green
(Score: 2) by aafcac on Monday April 17, @06:07PM
That's what I did at my previous position. Mistakes happen, but I tried to always arrange things to make mistakes and sloppiness less speaking than practices that would deliver
(Score: 1, Interesting) by Anonymous Coward on Monday April 17, @07:19PM (8 children)
I shipped a bug once, and instead of blaming me they agreed it was a bad idea not to test on all versions of the OS that were supported. They even PO'd dedicated hardware for testing, and brought somebody from support to run tests. There were a lot of problems there (big company), but my immediate manager was cool.
(Score: 3, Interesting) by JoeMerchant on Monday April 17, @11:11PM (7 children)
>they agreed it was a bad idea not to test on all versions of the OS that were supported
Yep. We seem to re-learn this every couple of years. Test everything you say it does, or don't say it does that. Our test team keeps getting "leaned" out, and that's a significant source of the problems and expenses we have had post-launch.
Україна досі не є частиною Росії Слава Україні🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
(Score: 2) by turgid on Tuesday April 18, @06:56AM (6 children)
If you haven't tested something you have no business claiming that it works and no business selling it to a customer. If your company can't afford to do that, your company can't afford to do business. It's broke.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 2, Funny) by Anonymous Coward on Tuesday April 18, @08:38AM
(Score: 2) by JoeMerchant on Tuesday April 18, @12:21PM (4 children)
We did "full testing" once, it was time consuming and expensive, so for little changes they justify partial testing for regression and new functionality. Obviously they are still learning how to draw the lines on what does and doesn't need retest.
Україна досі не є частиною Росії Слава Україні🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
(Score: 2) by turgid on Thursday April 20, @08:29PM (3 children)
Testing should be automated to make it quick and cheap.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 2) by JoeMerchant on Thursday April 20, @08:45PM (2 children)
Been beating the test automation drum the whole 10 years I've been here. Test department is _still_ ignoring products like Rational Robot and Testplant (by Eggplant) which can automate ANYTHING without having specific requirements on the APIs used to implement the GUIs.
The basic response is: "Automation is good, automation is great, setting up automation takes time that we don't have (because we don't have automation setup)" so they are still standing in the way of releases with a 5-6 month test cycle delay.
They have automated a few things. But I'd guess it's well over 50% still manually tested. Now they're adding test manpower in India, which so far is pushing us further into the non-automated arena.
They are ramping up unit test requirements, which is nice because unit tests do tend to be automated, but... I configure the operating system - tell me how you unit test a GNOME desktop configuration again? A lot of my configuration is both done, and verified, by programs that run live while the system is in use, so my program will do things like: read the firewall configuration, if it doesn't match what it's supposed to be it will reset the firewall configuration and rebuild it the way it should be...
Recently, I added a unit that reads ss (netstat replacement) and any processes using network resources which aren't on the whitelist of expected network users will be summarily pkilled.... didn't take test long to pipe up and complain that their tools kept crashing. Nevermind that I announced this change complete with instructions for how to disable the pkill aspects of the monitor before merging it to master... was able to refer them back to the wiki page after they noticed the effects of running with the monitor fully enabled.
Україна досі не є частиною Росії Слава Україні🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
(Score: 2) by turgid on Thursday April 20, @09:08PM (1 child)
Get your CV out and get a new job. These people sound like losers. Your sanity is valuable.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 2) by JoeMerchant on Thursday April 20, @09:41PM
So very much not my problem, one could argue inefficiency but when sales has a dominant lock on the market this kind of inefficiency is more secure than a highly efficient R&D group with shaky sales....
Україна досі не є частиною Росії Слава Україні🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
(Score: 3, Interesting) by Beryllium Sphere (r) on Tuesday April 18, @04:28PM
An example is the Aviation Safety Reporting System.
As I understand, if you see an unsafe situation, you can file an anonymous report and get an anonymous tracking number back.
If the unsafe situation leads to charges or disciplinary actions, you can use the tracking number as a get out of jail free card.
The effect is a strong incentive for coming clean about things and a stream of actionable intelligence.