|
Top-level
 Checklists are only as useful as the knowledge necessary to know why the checklist exists. Pilots and surgeons train for extensive periods so they learn why they need to go through their checklists. What happens far too often is checklists turning into ritual disconnected from the rationale. Religion often has this problem. Many of the rituals of religion have roots in Something Deep From Back In The Day, but that link, with time, has since worn away. 24 comments
tbh the Adeptus Mechanicus of 40K make too much sense in that framing they don’t know why tech works, they just know to do the rituals and they can make a thing @Aphrodite @cjust @calamari the last paragraph seems to apply to modern day youth using AI to do homework as well. @Aphrodite @cjust @calamari I was about to bring up the techpriests - following the Catechisms of Compliance but often not understanding why. "our PCI scan shows this software is vulnerable" Yes because RHEL security backporting existed and you're only checking the version number and not if the vuln is actually there. @cjust @Aphrodite @calamari That's because the reviewing the checklists can then be - no offence intended - offloaded to cheap workers in 2nd and 3rd world countries who are judged by the checklists they sign off. There is no room for critical thinking or adapting to the particular situation. I see this happening daily. @Aphrodite @calamari They found out of many dozens of entries in the list that it was rare for any of them to actually be done, including the one to double check the patient's name prior to anaesthetic, to make sure they're about to operate on the right person! @Twirrim @Aphrodite @calamari As someone who's had a lot of surgeries & procedures involving anesthetic in the past 5 years, I'm quite thankful that my identity has been checked and re-checked every time.  @Aphrodite @calamari an even more important check box is change management. How can you have effective change management when updates are applied automatically? If compliance frameworks require automatic updates, then they're broken, and given what has just happened, I really hope they'll be fixed. Sure, have EDR etc, but the updates need to be validated, then rolled out by the organisations. Sadly, as the world just discovered, there is no silver bullet when it comes to security. @JessTheUnstill @Aphrodite @calamari Agree and understand the vendors want auto update. They need to be told where to stick that idea. My experience is a lot of that is due to the updates on MS Windows being hard to manage. Interesting to hear about the CrowdStrike release cadence. I've never used it. In my world, we manage what is released to servers and when.  You can do similar with Windows. They have "update rings". It lets you keep your systems on auto-update so IT doesn't have to manually faf with it, but you can have canaries before prod borks. https://learn.microsoft.com/en-us/mem/intune/protect/windows-10-update-rings @JessTheUnstill @Aphrodite @calamari Excellent! However, that is for the software (incl drivers) that Microsoft supply. What about all the other random software you need to install? I can't remember about Office or Adobe or Chrome whether they have things like that. It's been a few years since I worked at a Windows corp and interacted with endpoint engineering. @JessTheUnstill @Aphrodite @calamari Fair enough, I don't work in one either (thankfully). Interesting discussion though! Thank you. @puck My management didn't like the idea as they were happy to transfer responsibility to zscaler as then it wouldn't be their fault if it broke. I won though... @puck @hmhackmaster Excellent to hear about your success, and that you've been vindicated (yeah, different tool, but same context)! And agreed, many orgs will try to transfer responsibility. Will be interesting to see how well that goes. @puck I care more about uptime and reliability than the blame game. But I am also the kind of person who has a reputation for making reasonable decisions and assuming responsibility when this things go wrong. If taking responsibility (and not dodging accountability) costs me my job then that's clearly a sign the org has lost confidence in me and it was time to move on anyways. Hasn't happened to me yet though, and I have made some pretty big mistakes! @hmhackmaster @puck @JessTheUnstill @Aphrodite @calamari @nonnihil I think you are completely right from a business point of view, but from some upper-management person's viewpoint the "it's the vendors responsibility" is the path to ensure their decision can't come back to bite them.  @Aphrodite @calamari When a company gets hacked and sued, they have to answer to "were you negligent in protecting against this or were you just unlucky?". Courts are incompetent in determining this, and companies are mostly actually negligent (because they don't want to pay for it), so we get these "best practices" checklists instead. How do you legislate competence? Most companies can't even determine if the people they hire are competent! |
Gregory's Server
@Aphrodite @calamari we've progressed from "cargo cult" to "checklist cult"
At least with the former, we got to build cool bamboo models of planes and control towers.