
Simplicity

By Dan Hadaway | Thursday, February 20, 2014 - One Comment

Another Dan’s New Leaf Post

I want to write an article about Simplicity; but where do you start with such a complicated subject? 

——

Maybe the reason I’m writing this article is because one way to learn about something is to write about it.  And we all need to learn about Simplicity.  Nothing has made that more clear to me than the new policy set we’re developing based on our work with one-person Insurance Trusts.  Meanwhile, we’re knee-deep in learning TRAC, and comparing their risk analysis approach to the “old spreadsheet method” has me thinking a lot about Simplicity and what makes things simple.

——

So I decided to start my article by trying to define:  “What do we even mean by ‘simple?’”

And what the heck, let’s use a dictionary for this.  As many of you may already know, the dictionary I use is dictionary.com, so here’s another plug for them.  I wish I’d remember to buy some of their stock the next time I talk to my broker.

[Image: dictionary.com definition of “simple”]

So here we see there are five definitions, all of which seem to be very good quality control considerations for anything, but especially for documentation of policies, procedures, standards, guidelines, and instructions.

——

You could say I’m highly motivated to make our next release,
the Social Media Guidance Response Kit, an example of Simplicity.
Maybe that’s why I’m writing this article . . .

——

I laugh at the first definition (easy to understand), because to me Simplicity is one of the hardest things for an auditor to understand and therefore achieve.  We see things in terms of what we can check for . . . . lists . . . and lists simply do not lend themselves to simplicity.

Unless they are very short!

——

(But do short lists make for thorough audits?)

——

The subject of Simplicity has no beginning, because it also has no end.  Just like many other qualities of an excellent IT Governance Program, we’ll never finish simplifying it, and like Security we should always keep Simplicity in mind.  First iterations will start out too complex and become more simplified as we learn, and thus the iterative process of development leads to excellence.  We will go through the Capability Maturity Model levels zero through four, from initial iteration straight through to optimized iteration.

And those who know me understand that Simplicity is one of my own greatest struggles, that I’m probably in iteration 5 billion by now and still not optimized, because I apparently have a hard time not presenting everything.  So, of course, my program for simplifying things is simply to decide what to eliminate from the equation. 

But that can’t be the only approach.

And since our customers want our deliverables . . . . not only our boilerplates but also our audit reports and our managed services reporting . . . . to be as simple as they can get, the question of how we approach Simplicity is an important one for us!

Can we audit for Simplicity?

My initial thoughts are that maybe we can make a matrix out of the definitions of “simple.”

1) Easy to understand, deal with, use, etc.: a simple matter; simple tools.

2) Not elaborate or artificial; plain: a simple style.

3) Not ornate or luxurious; unadorned: a simple gown.

4) Unaffected; unassuming; modest: a simple manner.

5) Not complicated: a simple design.

So, now I have my list of five things we can check everything against to determine if it’s simple.

Let’s apply this to my article so far:

1) Is it easy to understand?  Probably not, and my initial reaction is:  but wait, it’s supposed to inspire thought!  But I do hope our blog site is easy to read.  (If not, let us know!)

2) Is it “not elaborate or artificial; plain?”   Hmmm.  I’ll have to leave that to you.  I guess as a writer I might adorn articles with humor.  But I try hard to be genuine.  And the nature of Dan’s New Leaf . . . . ah heck, I’m just making up excuses, aren’t I?

3) Is it “not ornate or luxurious; unadorned?”   Well hey, isn’t this the same as #2?  I guess something can be adorned with genuine luxury.  So maybe adorning my articles with humor is okay on question #2, but is a deficiency for question #3?

4) Is it “unaffected; unassuming; modest?”   Well now I’m starting to regret writing it!!

5) Is it “not complicated?”  Gee, it was until I put this mini-audit in here.

Okay, I either just flunked that audit, or I agree that using Dictionary.com as an audit framework does not work very well.

Here’s my answer: 

Thank goodness for the FFIEC!

——

Hey wait, the Social Media Guidance Response Kit, geez . . . that’s
a long title for something we’re going to try to sell. 

Could we just call it the Social Media Guidance Kit?

——

Could it just be that some things are simply not simple? 

As an industry, we have tried to address the number one complaint with IT risk assessing since we first started hearing it, back in about 1999.

    • “The process is too complicated.”
    • “The documentation is too detailed.”
    • “The complexity is too complex.”

And we ARE getting better.  We’ve really taken a leap in the right direction by replacing spreadsheets and databases with applications, and the benchmarking capabilities alone will improve the value in the deliverables.

But let’s face it, the reason there’s risk in information technology is indeed because of Complexity.  The many moving parts are why patch management procedures must be developed.  The permeation of technology in everything we do is the reason risk assessments must be continually conducted with multidisciplinary teams that think this is all way too complicated.  The constantly changing nature of technology gives birth to change management.  If you need a program for the management of change, it can’t be very simple. 

IT Governance is a response to this complexity, not a cause.  And though we must try to simplify, as much as possible, the way we control risk, we will never control the existence of risk.

For without risk, aren’t you dead?


Original article by Dan Hadaway CRISC CISA CISM.
Founder and Managing Partner, infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”


One Response to “Simplicity”

Comment from Dan Hadaway
Time 06/26/2014 at 6:02 pm

This is way too complicated!
