I recently heard the phrase “The structural engineer saves you from the architect.” It was playful banter between two members of the construction and building professions. The root of the joke is that architects design fanciful buildings that, while visually appealing, are impractical in ways only the structural engineer understands. It’s a twist on that old saw about Mars vs. Venus.
While humorous, it reminded me of the control strength measurement approach that asks you to score the strength of a control’s design separately from the effectiveness of its implementation. Let’s assume for a second that you are building a new house (well, commissioning one to be built, but you know what I mean). You meet with an architect and they design you an amazing new home, superb in all the ways you wanted and exceeding your expectations in many more. So you score the design accordingly. Those plans are sent over to the builders and you can’t wait to see that amazing design made real. A couple of months later you are invited to a walk-through of your new dream home.
Except it’s not what you hoped. You can see the design through the poor construction, but it’s nothing more than a sad echo of your expectations. In addition to generally shoddy workmanship, the construction exposes problems with the design itself. All the cantilevered balconies are there, but there wasn’t enough room to properly anchor the support beams, so the walls beneath are sagging under the excess weight while the beams bow downward. Walls that were meant to be load-bearing lack proper reinforcement. Aside from the severe structural problems there are minor aesthetic ones as well. The baseboards have quarter-round base shoe, but the base cap doesn’t match. Chair rails are crooked. And on and on.
So let’s assess how satisfied you would be with your new home. What percentage of your happiness would you say is derived from the design and how much from the actual construction? I couldn’t imagine trying to host a housewarming party and reassuring the guests that you’re happy with the house because it was so well designed.
The same is true of control strength measurement. Could you imagine having to explain to your customers that you gave yourself credit for how well you designed your controls, even though the implementation left much to be desired? No, in the end, what really matters is how effective the control is. Who cares how well it was designed; tell me how good it is at repelling bad guys. That is an empirical question: a control that is exercised against a realistic attack, whether in a penetration test, a red team engagement, or an actual incident, tells you how strong it is, while a design document only tells you how strong it was meant to be. In fact, I might even be so bold as to say that I could derive the strength of the control design once I know how well it performs under the stress of attack, since an implementation can never be more effective than the design it follows.
In the same way that it’s the job of the structural engineer to keep the architect honest, it’s the job of the risk analyst to speak the truth to the risk owners. While good intentions are laudable, they do nothing to protect your organization’s data from the wicked actions of others. Good design can help, but only solid execution can protect you.