Who watches the watchers?


I have always tried to live by the philosophy that when there is a big problem that needs fixing, you should run towards it, rather than away from it ~ Henry Paulson

Trust but verify is a maxim often quoted when it comes to testing and certification frameworks. Can it be applied in a manner that produces the desired outcomes?

In a prior life, I was in the business of wielding the hammer of compliance against the anvil of organizational policy. At the end of that journey, I was left with the cold realization that the hammer gets heavier with each use and no one, including the wielder, enjoys the … experience! So, I am simultaneously jaded and motivated to find a better path.

So, to start, it is important to understand that effective trust-building and leadership practices require knowing when and why to use the “trust but verify” approach, and in particular that …

... when the outcome is essential and matters more than the relationship, use "trust, but verify." When the relationship matters more than any single outcome, don't use it.

Nan S Russell, Psychology Today

To make this discussion a bit more practical, there are two maturing areas where independent testing and evaluation could unlock great value:

  1. Digital wallets
  2. Automated contact tracing applications

One could easily make an argument that in both of the above cases what is important is the outcome and not the relationship, given that both are concerned with the collection, storage, management and use of sensitive and personal data. As such, the priority should be on verification before trusting.

However, while verification before trust signals compliance, I do not believe it is sufficient on its own, because it does not address the value of adopting and using a test and evaluation capability in the first place. To encourage both adoption and compliance, I believe we need two separate but related capabilities, set up to answer the WHAT question (the criteria a system is tested against) and the HOW question (the testing itself) about the systems that need to be tested.

Two critical points when it comes to implementation are that (1) to ensure choice and prevent business capture, there should be multiple providers of the ‘HOW Capability’ available to those seeking to test their products, and (2) the same entity cannot and should not own and operate both the ‘WHAT Capability’ and the ‘HOW Capability’.

Unfortunately, what I am seeing in these early days is a whole lot of coalitions and foundations of vendors, as well as platform players focused on enabling testing (the HOW) and implicitly or explicitly also defining their own criteria for that testing (the WHAT).

In short, an opportunity to do things better! Are you ready to seize it?

cyberforge: random and relevant
