{"id":25011,"date":"2021-07-24T11:01:04","date_gmt":"2021-07-24T15:01:04","guid":{"rendered":"https:\/\/www.oxebridge.com\/emma\/?p=25011"},"modified":"2021-08-13T13:41:39","modified_gmt":"2021-08-13T17:41:39","slug":"op-ed-cybersecurity-consultants-need-to-learn-from-iso-history-not-repeat-same-mistakes","status":"publish","type":"post","link":"https:\/\/www.oxebridge.com\/emma\/op-ed-cybersecurity-consultants-need-to-learn-from-iso-history-not-repeat-same-mistakes\/","title":{"rendered":"OP-ED: Cybersecurity Consultants Need to Learn from ISO History, Not Repeat Same Mistakes"},"content":{"rendered":"<p>American consultants in the cybersecurity space are flush with new powers and enthusiasm, brought on by a raft of certification schemes like CMMC. Unfortunately, they are making the same mistakes that decades of quality management and ISO consultants made before them, setting the stage for a nearly identical result: alienation and frustration of their target audience.<\/p>\n<p>Let\u2019s agree on one reality: <em><strong>no one grows up to become a consultant<\/strong><\/em>. Students don\u2019t graduate from university on Friday and open their consultancy on the next Monday. Instead, consultants are grown out of one of two conditions: they either quit their last job, or were fired from it.<\/p>\n<p>The exact circumstances of the consultant\u2019s departure from their prior job would, of course, determine the level of baggage they bring with them on their journey. For some, the departure was friendly enough and had little impact on the consultant\u2019s mindset. For others, the departure was a dumpster fire, and the consultant\u2019s worldview has been permanently tainted.<\/p>\n<p>This manifests in demonstrable results. ISO 9001 is the world\u2019s most famous ISO standard, and covers the subject of quality management systems. It is based on the 1950s defense standard MIL-Q-9858, and was first published in 1987. 
We literally have <em><strong>decades<\/strong> <\/em>of experience with its content and surrounding ecosystem.<\/p>\n<p>Over many revisions, drafted by quality management consultants who dominate the ISO 9001 technical committee, the standard has changed to reflect the personalities of its authors. Clause 5.1 on \u201cLeadership\u201d has grown into a monstrous list of personal grievances, demanding that \u201ctop management\u201d demonstrate respect and obedience to the QA function. Some of ISO 9001\u2019s authors admitted to me, during the many interviews I conducted while writing <a href=\"https:\/\/www.survivingiso9001.com\" target=\"_blank\" rel=\"noopener\"><em><strong>Surviving ISO 9001<\/strong><\/em><\/a>, that yes, they were frustrated and wanted to have the risk of <em><strong>de-certification<\/strong><\/em> weighing over the heads of executives who denied them a seat at the executive table.<\/p>\n<p>This means that the quality consultants had failed in making the case for their discipline, and were relying instead on brute force \u2013 knowing that government and prime contracts often demand ISO 9001 certification as a condition for bidding \u2013 to get their day in the sun.<\/p>\n<p><strong><span style=\"font-size: 14pt;\">Deming Was An Asshole<\/span><\/strong><\/p>\n<p>We also see this with the mythology surrounding quality\u2019s foremost \u201cguru,\u201d W. Edwards Deming. The mythology goes that Deming was a genius who developed many modern quality concepts, tried to pitch them to the UK and US, and was snubbed. He then took his ideas to Japan and single-handedly saved that country, turning \u201cMade in Japan\u201d from a 1970s snide insult to the quality imprimatur we recognize today.<\/p>\n<p>The reality is not that. Deming was a sullen, irritable, and often angry guy, who alienated his audience by demanding loyalty to his ideas, and then accusing critics of heresy. 
His publications are replete with pompous attacks against the powers who rejected him. Deming failed to sell his ideas because he was a miserable messenger. In Japan, he had more success, but even some of that was based on him repackaging ideas already present in that country, developed by actual Japanese. Deming benefited from the post-war, racist \u201cwhite savior\u201d myth that only an old British guy could turn around those yellow savages.<\/p>\n<p>To this day, Deming is mis-worshipped, based on this mythology. Worse, following Deming has turned into a mindless cult, where his acolytes now try to shoehorn ideas from the 1960s into 21st-century technological advances like AI, quantum computing, and continuous automated production.<\/p>\n<p><span style=\"font-size: 14pt;\"><strong>Repeating History<\/strong><\/span><\/p>\n<p>The cybersecurity and CMMC crowd are now repeating history. Once again, the standard and certification scheme has been handed over to the private consultants for stewardship. Once again, those same consultants are willing to make the standards complicated in order to sell \u201cdeciphering\u201d services afterward. Once again, those consultants are failing to win over the hearts and minds of their intended audience, failing in their messaging, and instead relying on the \u201cstandards bully pulpit\u201d to beat companies into submission.<\/p>\n<p>There is a troubling \u2013 and noisy \u2013 caucus of consultants who demand CMMC compliance, for example, on the argument that \u201cyou have been legally required to be NIST compliant already, so if you\u2019re not ready for CMMC, that\u2019s your own fault.\u201d<\/p>\n<p>To which the Defense Industrial Base says, \u201c<em>hey, you\u2019re kind of a dick<\/em>.\u201d<\/p>\n<p>The ISO quality folks did the same thing, pointing back to contractual requirements for MIL-Q-9858 compliance. Over the past 30+ years, the argument only backfired. 
ISO 9001 adoption in the US has dropped off to all-time lows, with the intended user base rejecting the argument and, frankly, getting pissed off at those saying it.<\/p>\n<div id=\"attachment_22613\" style=\"width: 610px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.oxebridge.com\/emma\/wp-content\/uploads\/2020\/09\/isosurvey2019_usaonly.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-22613\" class=\"wp-image-22613\" style=\"border: 1px solid #000000;\" src=\"https:\/\/www.oxebridge.com\/emma\/wp-content\/uploads\/2020\/09\/isosurvey2019_usaonly.jpg\" alt=\"\" width=\"600\" height=\"452\" srcset=\"https:\/\/www.oxebridge.com\/emma\/wp-content\/uploads\/2020\/09\/isosurvey2019_usaonly.jpg 804w, https:\/\/www.oxebridge.com\/emma\/wp-content\/uploads\/2020\/09\/isosurvey2019_usaonly-150x113.jpg 150w, https:\/\/www.oxebridge.com\/emma\/wp-content\/uploads\/2020\/09\/isosurvey2019_usaonly-200x150.jpg 200w, https:\/\/www.oxebridge.com\/emma\/wp-content\/uploads\/2020\/09\/isosurvey2019_usaonly-768x579.jpg 768w, https:\/\/www.oxebridge.com\/emma\/wp-content\/uploads\/2020\/09\/isosurvey2019_usaonly-24x18.jpg 24w, https:\/\/www.oxebridge.com\/emma\/wp-content\/uploads\/2020\/09\/isosurvey2019_usaonly-36x27.jpg 36w, https:\/\/www.oxebridge.com\/emma\/wp-content\/uploads\/2020\/09\/isosurvey2019_usaonly-48x36.jpg 48w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/a><p id=\"caption-attachment-22613\" class=\"wp-caption-text\">Totals for ISO 9001 certification, 1993 through 2019.<\/p><\/div>\n<p>The ISO 27001 certificate scheme, for information security management systems, suffers the same fate: sure, there were contractual obligations and laws demanding minimal IS controls, but ISO 27001 certifications remain dismally low in the United States anyway. 
The IS crowd hasn\u2019t learned yet that using threats to win contracts doesn\u2019t work.<\/p>\n<p>Worse, this argument ignores the fact that the US government is filled to the gill-holes with regulations that go unenforced. ITAR, HIPAA, ADA, heck, even seat belt laws, are enforced only sporadically, and typically through an occasional case where a government body picks on one person or company to &#8220;make an example of them.&#8221;<\/p>\n<p>Suddenly calling for 100% compliance with &#8220;the DFARS&#8221; is disingenuous. (It&#8217;s also hilarious coming from members of the CMMC Accreditation Body which, itself, is in violation of the Americans with Disabilities Act, and a host of other Federal laws.)<\/p>\n<p><strong><span style=\"font-size: 14pt;\">Arrington &amp; the Privatization of National Defense<\/span><\/strong><\/p>\n<p>Katie Arrington \u2013 whose background was in the sales departments of cybersecurity consulting firms \u2013 launched CMMC based on this threat model. She demanded loyalty to her program, and declared \u2013 without any grounding in reality \u2013 that CMMC would become the law of the land yesterday, and anyone not adopting it would eventually be prohibited from selling anything to the US Federal government. And not just the DOD, mind you: CMMC was going to be adopted across all of government, so even if you sold a 3-hour training session to the Department of Education, you were going to need CMMC certification.<\/p>\n<p>Arrington then surrounded herself with cybersecurity consultants, because that was the world she knew and the friends she had. The results have been predictable. A monstrous overnight cottage industry \u2013 no, let\u2019s call it what it is: a <em><strong>dystopian multinational industry<\/strong><\/em> \u2013 popped up overnight, happy to parrot Arrington\u2019s false claims in order to sell their wares. 
That was quickly coupled with a now-meme-worthy trope that \u201c<em>you should have been doing this all along anyway, so quit griping and buy our stuff.<\/em>\u201d<\/p>\n<p>As expected, it\u2019s going over like a lead balloon filled with more lead.<\/p>\n<p>The cyber guys aren\u2019t paying attention to history. They don\u2019t care that this tactic was responsible for the US losing ISO 9001 certifications so that our totals are now in line with what we had back in 1997, and dropping fast. Within the ISO scheme, entire US certification bodies went out of business, tens of thousands of auditors were dropped from the work, and the survivors have had to eke out remaining business in third world countries where selling ISO certs is cheap and easy (and without that pesky conflict-of-interest oversight).<\/p>\n<p>Much of this falls in the lap of the US government itself. If Russia bombs an Alaskan pipeline with a drone, the DOD will treat this as an act of war, and apply a military response. The DOD wouldn\u2019t demand the pipeline company build its own private military and buy its own anti-aircraft weapons to defend itself.<\/p>\n<p>But if Russia destroys an Alaskan pipeline using some code sent from a dude\u2019s basement in Ukraine, the DOD will instead demand the pipeline company mount \u2013 and pay for \u2013 <em><strong>its own defense<\/strong><\/em>. The DOD will then get indignant that the private company didn&#8217;t have its own national defense policies and procedures in place all along.<\/p>\n<p>To be clear, the US Constitution creates <em><strong>only one mandatory function<\/strong><\/em> for the Federal government: the preservation of the national defense. 
All other duties in the Constitution are, according to <a href=\"https:\/\/www.heritage.org\/defense\/report\/constitutional-basis-defense\">Jim Talent<\/a> of the Heritage Foundation, \u201cpermissive in nature\u201d (emphasis added):<\/p>\n<blockquote><p>Congress is given certain authorities but not required by the Constitution to exercise them. For example, Article One, Section Eight gives Congress power to pass a bankruptcy code, but Congress actually did not enact bankruptcy laws until well into the 19th century.<\/p>\n<p>But the Constitution does require the federal government to protect the nation. Article Four, Section Four states that the \u201cUnited States shall guarantee to every State a republican form of government and shall protect each of them against invasion.\u201d <strong>In other words, even if the federal government chose to exercise no other power, it must, under the Constitution, provide for the common defense.<\/strong><\/p><\/blockquote>\n<p>Naturally, privatizing national cybersecurity defense won\u2019t work, and no nation has ever been able to properly defend itself by demanding the victims do their own military. That\u2019s not how nations work. But it is how the current US policy approaches cybersecurity, because we have a government that does not understand any technology invented after the rotary dial telephone.<\/p>\n<p>But consultants are more than willing to go along with this, because ka-ching.<\/p>\n<p>Let\u2019s be clear, though: this will not shore up the nation\u2019s cybersecurity footing.<em><strong> This will not make us safer.<\/strong><\/em> It will make the Arrington Gang a lot of money in the short term, but will weaken us as a nation. 
If China and Russia see that they can mount far more successful attacks on the US without spending money on building tanks and airplanes and submarines, and that the US will simply shrug off defense responsibilities back on the victims, it\u2019s win-win for the bad guys.<\/p>\n<p><strong><span style=\"font-size: 14pt;\">The Fixes<\/span><\/strong><\/p>\n<p>So how to fix this? First, the US government needs to take cyber attacks seriously, and use the world\u2019s largest military budget to shift towards cyber defense. Instead of a \u201cSpace Force\u201d to address attacks that may never happen, there should be a \u201cCyber Force\u201d since those threats are already here, and are having a real impact. A country like Nigeria will never have the tech to launch attacks from space, but they will have some college grads who can take down a water treatment facility via an internet connection.<\/p>\n<p>Like the Space Force. Heck, do both. Shift some of the funding that currently goes to Lockheed and Raytheon for hardware programs that never actually come to light, and put it into the Cyber Force budget instead, where it can have an actual impact on Day One.<\/p>\n<p>Next, cybersecurity consultants need to learn from history, and stop being Deming-like irritable, abrasive assholes. They need to <em><strong>sell programs like CMMC on their merits.<\/strong><\/em> That means presenting a vision for what CMMC will achieve, how it will do so, and why this is important. People will understand that it\u2019s new, and that its advocates cannot provide decades of \u201cpast performance\u201d \u2013 we all get that. But instead of lying and threatening, tell us how this will work. Win the hearts and minds.<\/p>\n<p>Finally, the cybersecurity folks need to learn to read the room. Despite an imagined (and entirely fabricated) illusion that cybersecurity certifications are in demand right now,<em><strong> this is not the time for price gouging<\/strong><\/em>. 
You don&#8217;t get to call yourself a patriot and then jack up your rates so you can buy a new boat. Costs must allow the most companies possible to pursue the certifications. This should not be yet another program that only allows the Lockheeds and Raytheons to succeed, and which puts small defense contractors out of business. That&#8217;s not patriotism, that&#8217;s adherence to totalitarian plutocracy.<\/p>","protected":false},"excerpt":{"rendered":"<p>CMMC and other industry consultants are making their case based on threats and fear; quality management consultants tried that for decades, and were rejected.<\/p>","protected":false},"author":2,"featured_media":25014,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","mc4wp_mailchimp_campaign":[],"footnotes":""},"categories":[7774,5],"tags":[7679,7680,7703,938,159,855,14],"class_list":["post-25011","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cmmc","category-opinion","tag-cmmc","tag-cmmc-ab","tag-cyber","tag-cybersecurity","tag-deming","tag-information-security","tag-iso-9001","et-has-post-format-content","et_post_format-et-post-format-standard"],"_links":{"self":[{"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/posts\/25011","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/comments?post=25011"}],"version-history":[{"count":2,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/posts\/25011\/revisions"}],"predecessor-version":[{"id":25013,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp
\/v2\/posts\/25011\/revisions\/25013"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/media\/25014"}],"wp:attachment":[{"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/media?parent=25011"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/categories?post=25011"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/tags?post=25011"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}