It did not surprise me that the second indictment after Bernie Madoff charged his software developers. To succeed as the wizard of lies, the title given to him by Diana B. Henriques in her new book, Madoff needed to create digital information that was accepted as evidence of the truth. No matter how gracious he could be as a salesman, investor or executive, the data had to be convincing. And we know the rest of the story. The software itself served up convincing presentations but was, itself, designed to deceive.
I have not had the time to fully investigate all of the fine reporting done by others; I look forward to doing so. But I am fairly confident that the SEC’s failure in this case, and a persistent weakness in continued operations, is the absence of rigorous rules-based review of software integrity. Software that is properly designed, with solid documentation, that can be evaluated by auditors, should be the essential requirement for doing business in a regulated space.
The shift being suggested is, perhaps, significant. The records of a business have long been the focus of regulatory supervision. But we have come a long way from the anecdotes of two sets of books under the counter—one for the accountant and one for the government. Instead, government, to serve the public mission, must develop rules for the systems themselves from which records originate. Focusing on security is useful, but Madoff and his developers demonstrated that the strongest perimeter cannot truly provide trusted records. Instead, we must recognize that the inability to see how systems are designed, to understand how code is authored, and to validate the integrity of the resulting reports and data—all of these current conditions degrade trust.
But, even without public sector regulation, our own business interests should compel the same result. Our businesses demand reliable and trustworthy data on which we can make business decisions. As cloud services continue to tempt companies, the reality is that the service providers themselves degrade trust by not taking seriously their customers’ need to be able to ensure that their data, once mobile across the cloud, retains the same trusted attributes as the data holds within a corporate system.
So, whether sourcing from cloud providers, software applications (commercial or home-grown), or yet-to-be-invented solutions offering further economic efficiency, we fail to discharge our obligation to our investors, shareholders and customers if we do not learn from the lessons of Madoff and insist upon greater transparency in knowing the structure and function of the systems and services from which the data is produced.
Earlier this week, I presented a webinar for ISACA and Searchcompliance.com on developing a cloud strategy. The central theme: demand that the service be performed against known rules, for which compliance is integrated into the contract. In other words, “trust . . . but verify.”
Over 1,200 people around the world were actively logged in. At the end of my remarks, I offered that anyone who wanted the RitterMap I had used could send me an e-mail. Astonishing—over 250 requests, and from corporations and organizations whose names are immediately known, flooded in (in a good way)! So, if you would like to obtain the same RitterMap, send an email to firstname.lastname@example.org requesting the RitterMap on Developing a Cloud Strategy.
On May 3, 2011, I will be in New York City. The day is a first for me—two keynote addresses at two different events, with two very different audiences.
First, I will be opening the day reprising for IANS at their New York Users Forum my keynote presentation on Governing Security: Charting a Path Forward. I gave this address at their Washington, DC event and am thrilled to be invited to deliver again the gospel of rules-based design for governing security.
Then, later in the day, I will be speaking to the LRN Knowledge Forum, a by-invitation-only event for their corporate partners. I serve as a subject-matter expert for LRN’s Ethics and Compliance Alliance and will be speaking on Building Trust in a Digital World. This is how they are describing my presentation:
“Trusted information is the essential fuel on which any decision relies. We are learning at great expense, however, that we cannot presume digital information to be trustworthy. Indeed, our human and corporate standards for whether we can trust digital information continue to become more demanding. This session explores how trust must be built for digital information, and how that trust can be governed differently across an enterprise and beyond.”
If you will be attending either of these events, do send me a note or come up and say hello. As always, I welcome the chance to enrich your association or group meeting with my thoughts on how we will achieve trust in our digital information.
It’s really exciting to know that what I am doing with visual maps is at the cutting edge. Now, with nearly 2 million users, MindJet has invited my team to join their Developer Network, which allows us to connect our passion for mapping law and technology together with some of the most innovative developers for integrating mapping into other practical applications and solutions.
MindJet realized that mappers who create really cool content and developers creating really cool apps can achieve even more when they connect. This is an exciting development for us as we move forward toward the launch of the Ritter Academy, an online training facility that uses visual-based learning to build trust in digital information.
Thanks MindJet—we will try to earn your confidence with our continued innovation.
On April 12, 2011, I will be presenting a private webcast to the subscribers for the Ethics & Compliance Alliance, a superb knowledge resource for ethics and compliance executives, on Avoiding Legal Storms in the Cloud—Contracting for Security. This program will introduce a structured approach for addressing security issues effectively and with enforceable contractually-based controls. This webinar also launches a monthly blog I will be doing for ECA’s subscribers examining contracting for security in depth and presenting model clauses for navigating technically complex topics.
I offer coaching and training on these same topics to executives and their teams. So often, Legal, IT, Security, Compliance and Audit struggle to find a shared vocabulary to discuss how to accomplish what they all want to achieve—secure computing and trusted services. By using visual-based RitterMaps, my training transforms how these busy executives and managers look at the problem and, for once, they can see the full picture. If you think that I can be helpful to your team discovering a path forward, pick up the phone and give me a call.