Who watches the watchers?
Trust but verify is a maxim often quoted when it comes to testing and certification frameworks. Can it be applied in a manner that produces the desired outcomes?
In a prior life, I was in the business of wielding the hammer of compliance against the anvil of organizational policy. At the end of that journey, I was left with the cold realization that the hammer gets heavier with each use and no one, including the wielder, enjoys the … experience! So, I am simultaneously jaded and motivated to find a better path.
So, to start, it is important to understand that effective trust-building and leadership practices require knowing when and why to use the “trust but verify” approach, and in particular that …
... when the outcome is essential and matters more than the relationship, use "trust, but verify." When the relationship matters more than any single outcome, don't use it.
Nan S Russell, Psychology Today
To make this discussion a bit more practical, there are two maturing areas where independent testing and evaluation could unlock great value:
One could easily make an argument that in both of the above cases what is important is the outcome and not the relationship, given that both are concerned with the collection, storage, management and use of sensitive and personal data. As such, the priority should be on verification before trusting.
However, while this approach signals compliance, I do not believe that it is sufficient as it does not address the value of adopting and using a test and evaluation capability. To encourage both the adoption and compliance aspects, I believe that we need two separate but related capabilities that are set up to answer the WHAT and the HOW questions about the systems that need to be tested.
- WHAT - Focused on developing the BOLTS (Business, Operations, Legal, Technical, and Social) of the test and evaluation capability (H/T to Scott David, Executive Director of the Information Risk Research Initiative at the University of Washington’s Applied Physics Laboratory). This is the development, by an expert, trusted, independent, and inclusive group, of the criteria used for the test and evaluation.
- HOW - Focused on the mechanics of conducting the test and evaluation using the criteria defined above.
Two critical points when it comes to implementation are that (1) to ensure choice and prevent business capture, there should be multiple providers of the ‘HOW Capability’ available to those seeking to test their products, and (2) the same entity cannot and should not own and operate both the ‘WHAT Capability’ and the ‘HOW Capability’.
Unfortunately, what I am seeing in these early days is a whole lot of coalitions and foundations of vendors, as well as platform players focused on enabling testing (the HOW) and implicitly or explicitly also defining their own criteria for that testing (the WHAT).
In short, an opportunity to do things better! Are you ready to seize it?
cyberLinks: random and relevant
- DHS Science & Technology Directorate on how to use programmable multi-cookers with a sous vide function, or equivalent setting, to decontaminate N95 Respirators with moist heat at home.
- Future of Privacy Forum on the Apple App Store and Google Play Store terms of service update for all COVID-related apps.
- The dangers of tech-driven solutions to COVID-19. “Enshrining platforms and technology-driven “solutions” at the center of our pandemic response cedes authority to define the values at stake and deepens preexisting patterns of inequality in society […] We think the focus on data leakage and mission creep misses the forest for the trees.”