Are you under attack from your corporate immune system?

It was supposed to protect us.

One of the most disconcerting aspects of the recent Crowdstrike incident was that the process which caused the disruption - a rapidly deployed update to a piece of endpoint protection software - was meant to prevent disruption. Rapid deployment was intended to help us respond quickly to new threats against which we would otherwise be defenceless. Low level access to the operating system was intended to enable us to detect and deal with anomalous behaviours and subtle modes of attack. Tools such as Crowdstrike are supposed to be vital parts of our immunity against deliberate attacks and accidental failure: they are not supposed to turn on us.

It might seem that incidents such as the Crowdstrike update failure are, mercifully, rare. Most of the time, we rely on our corporate immune system to help us, not to harm us.

And yet, if we think harder, we quickly realise that our corporate immune systems are frequently full of failure and that, if our organisations were biological organisms, we would be perpetually inflamed. This is not just on those occasions when we normally invoke and lament the corporate immune system, such as when we are attempting deep and disruptive change. It affects the work that we try to do every day.

If you doubt this, consider the journey you take when getting from idea to implementation for a new system. You will need to gain approval for your business case, for your resource plan, for your action in hiring against the resource plan, for your design, for your procurement, for your testing approach, for your security defences, for your resilience plans, for your deployment, and for any changes you subsequently make. If you have been on this journey, you will recognise that this list is only a tiny subset of the times that you will need to ask permission to do your job. You will probably feel tired at the thought of it: every one of these approvals has its own structures, its own templates, its own stakeholders - and its own delays.

In some organisations, especially those in highly regulated industries, these approvals may form part of some formal framework, called something like a control system. In other organisations, they may just be known as the stuff you need to do to get things done. In both types of organisation, however, the original intent is usually sensible. Launching projects, hiring staff, building systems and putting them into production are all things that can go wrong in damaging ways. In most organisations, they have gone wrong at some point in the past, sometimes spectacularly. Controls, however they are described, are meant to protect against these failures: they are the core of the corporate immune system.

However, we have to ask ourselves whether this immune system actually works, and who and what it is protecting us from. Despite the ubiquity and overhead of these controls (they have been a part of life in every organisation I have worked for, large and small, private and public sector, and are especially prevalent in enterprise technology, where the power of computing lets us break big things fast), they frequently don’t work. Projects still fail, poor hiring and procurement choices are made, systems fall over in production, vital technology is subject to neglect and decay. The only comfort we have, if we choose to seek it, is that we can point at failures in process rather than failures in our own judgement. I do not think that we should seek this comfort.

How should we respond to counterproductive controls, that slow us down to no good purpose? I think that we should treat them in the same way that we treat any other source of cost: with constant scrutiny, and awkward questions about whether they are truly necessary. In one highly regulated company I used to work for, we periodically ran controls effectiveness reviews, which asked whether controls were successful in mitigating the risks that they were supposed to address. That was a useful thing to do: there is no point in running controls that are not effective. However, I now think that we should have gone further, and assessed the cost of each control, and whether the reduction in risk was worth this cost. We could even adopt the approach of zero based budgeting, in which you start with a budget of zero, and work up to those costs which are absolutely essential. A periodic exercise of zero based controls, in which we assume that there are no controls, and argue for those which we could not live without, might help us discard processes and approvals which have become useless or harmful.

If we undertake this exercise then, as well as counting this cost in the obvious currencies of time, resources and money, we should also count its cost in behaviour and motivation. In a corporate setting, leaders often say that we want our teams to be accountable, to be autonomous and to take ownership. Every time we delegate authority to a control or a process, we contradict this intent. Controls corrode autonomy, and we have better be sure that this corrosion is worth it.

I do not think that we should have no controls. As biological organisms, our immune systems are vital: the last few years have shown us how essential they are to our survival. However, to operate effectively, our immune systems need to be able to interact with our functioning at a low level, and when they goes wrong, the effect can be catastrophic or debilitating. Crowdstrike reminded us that we can experience the same phenomenon at the technical level: we should take the opportunity to ask which of our other controls are worth the cost, and which ones are damaging our ability to function.