An interesting and thought-provoking observation was made by Richard Rumelt in McKinsey Quarterly. He says: “There’s been a dramatic failure in management governance. And so our basic doctrines of how we manage things are in question and need revision.” At the heart of this failure is what I call the “smooth sailing” fallacy.

Here is what Rumelt says: “Back in the 1930s, the Graf Zeppelin and the Hindenburg were the largest aircraft that had ever flown. The Hindenburg was as big as the Titanic. Together these vehicles had made 620-odd successful flights when one evening the Hindenburg suddenly burst into flames and fell to the ground in New Jersey. That was May 1937.

“Years ago, I had a chance to chat with a guy who had actually flown over Europe in the Hindenburg. He had this wistful memory of it being a wonderful ride. He said, ‘It seemed so safe. It was smooth, not like the bumpy rides you get in airplanes today.’ Well, the ride in the Hindenburg was smooth, until it exploded.

“The risk that passengers took wasn’t related to the bumps in the ride or to its smoothness. If you had a modern econometrician on board, no matter how hard he studied those bumps and wiggles in the ride, he wouldn’t have been able to predict the disaster. The fallacy is the idea that you can predict disaster by looking at the bumps and wiggles in current results.

“To see the disaster coming, you had to have looked beyond the data about flight bumpiness—beyond the professionalism of the staff—and really think, ‘Does it make any sense to have people riding in a gondola, strapped to a giant sack of flammable hydrogen gas?’ There’s just not a data series that lets you think about that. The history of bumps and wiggles—and of GDP and prices—didn’t predict economic disaster.”

That is the fallacy most people fall into when they talk about security, tail risk or Black Swan events.

If we apply this logic to ERP systems, the pattern is familiar: I find many ERP customers suffer from the smooth-sailing fallacy.

  • “Well – we implemented SAP 10 years back, IBM is managing the support and we have no problems!”
  • “Our security incidents are insignificant.”
  • “Oh, we have installed SAP GRC solutions, but no one uses them! And so we are secure!”

This smooth-sailing fallacy in security arises when we mistake a measure for reality. Mature managers always look deeper than the numbers, deeper than the current measures. Others focus only on metrics, which by construction describe the past. That is how we get into trouble.

This lesson is fundamental: you cannot manage by looking only at results. You need a big-picture view of security that keeps pace with constant change in threats, technology, protocols and metrics. A security policy written three years ago and never revisited may bear little relation to the systems and threats you have today, so the assurance it appears to give is largely illusory. CEOs and CFOs will reach for the smooth-sailing argument: “Hey! We never had a security issue in the past two years, so why worry now?”

You have to show them what Rumelt said about the Hindenburg. A single design flaw can blow them out of business, because in many companies the ERP system is the business backbone.

So it is important to focus on three things:

  1. Critically question your IT systems and their security design: are they still relevant? Are they bulletproof and future-proof? Is there a hidden flaw?
  2. Hope is not a strategy. Create a security team to redesign the IT security framework on the basis of a thorough, annual risk assessment (mere adherence to ISO 27001 or ITIL will not do). Use professional help if needed.
  3. Execute your plans in phases, right the first time. Do not try to boil the ocean. Treat this as a continuous improvement process.

Author:

Dr. Jagan Nathan Vaman PhD CGEIT CISA

Chief Consulting Officer

Aujas Risk Management Services