Ten Monkeys …
Bear with me on today’s post; there is a point, but I have to set the scene…
If you’re unfamiliar with the Ten Monkeys analogy, a recap is below; otherwise feel free to move to the next section.
A sociological experiment was conducted with ten monkeys: five were kept separate from the five who were placed in a large enclosure. In the middle of the enclosure was a ladder, at the top of which a juicy bunch of bananas could be reached.
The monkeys were deliberately starved until eventually one would climb the ladder to reach the tasty treat.
That monkey was subjected to electric shocks before reaching the bananas, whilst the rest of the group were hosed down.
The monkeys sit and wait before another tries to grab the tasty treats, and again the same happens, the same brutal treatment, until none of the hungry monkeys dares ascend the ladder.
At this point, one of the original monkeys is removed from the enclosure and replaced with one of the five from the control group.
The new monkey eyes up the snack and, in its attempt to climb the ladder, the rest of the group (not wanting to be hosed down or given electric shocks) beat the living daylights out of their new member. The newcomer has no idea what it has done wrong, but eventually learns that there are consequences to reaching for the forbidden fruit, even though no external punishment was exacted.
The experiment continues until all five of the original monkeys are replaced, none of which experienced the original trauma of climbing that ladder.
This phenomenon is known as cultural training, or on-the-job training…
It’s a story, right? We’re all free-thinking individuals, and if we were that tenth replaced monkey we’d grab the food and fill our boots, so to speak, right?
Around fifteen years ago, I was part of an elite group tasked with setting up a new financial institution. A complete greenfield site: they had no servers, software, infrastructure, operations centre, nothing except a freshly signed contract and a determined spirit. That organisation recruited some of the brightest and most talented minds to deliver the seemingly impossible in a timeframe many banks would laugh at. It was a privilege to work with some brilliant people, experts in their fields with the ability to transfer new skills, delivering a large-scale project in only nine months.
One of my many side tasks was helping set up the operational side of the business and recruiting the various people to run the day-to-day activities. Like everyone working on the project, we were stretched beyond our comfort zones and experienced many facets of creating a new organisation, undertaking roles usually covered by other professionals.
Once Operations were up and running and we’d gone live, there was a problem that needed solving. I spoke to one of the new recruits about sorting that issue out. To my surprise (they’d only started a few weeks before go-live), the response was, “We’re not allowed to do that”.
Is this the Ten Monkeys coming into play?
I explained it was perfectly possible; at that point in time I hadn’t written the procedures, it was a live issue that needed immediate rectification, and each second lost cost the business. It was at this point I realised that, although starting afresh, greenfield and all that, people bring their baggage and learned behaviours from other companies. You find some people will expend more energy on blocking a task than on actually doing it. Of course there are the caveats of safety to production environments etc. I’m also not suggesting anything ropey, or outside of proper change control, of course.
And there it was, the birth of in-house politics and shenanigans, when that person could have defined their role and taken ownership.
What’s the Point to This?
A great question! I’m beginning to wonder myself…
In 2016 my late wife started writing a complaint to the NHS Trust due to the errors and failings in the safety of her care whilst being treated/mistreated for her cancer. Her only goal was to ensure no one else suffered or experienced these errors going forward.
In 2017 I had to continue that complaint, as she passed away before anything was done. They take a long time to handle complaints.
Long story short… the hospital wrote a 25-page document exonerating themselves of any misconduct, wrongdoing or failure of care on their part in respect of the 40 significant failings in patient safety and care.
I had a meeting with the various directors and other members of the Trust to go through the key points of their fantasy document. The two-plus hours were recorded on audio equipment by the Trust for their records, and of course mine.
In that meeting I was met with profuse apologies and shaking of heads, alleged embarrassment, along with statements from the lead director such as “I can’t believe I signed off on that report, I’m so sorry”.
In five years, nothing has fundamentally changed; patients are still experiencing the same issues we encountered, many of which have nothing to do with funding, simply attitudes, proper due diligence and care for the patient.
Since complaining, though, I’ve had reason to complain to the same Trust about my own mistreatment and errors on their part, including discharging me with sepsis (how did they miss all the symptoms, especially when Sepsis Awareness campaign posters were all over the wards?). Each time, though, they exonerate themselves, time and time again. A policy of deny all, close ranks, lose key non-contemporaneous notes or simply falsify records. You’re up against a system unwilling to change, or to admit and address its own failings. It’s hard not to take it personally for daring to point out their mistakes.
Maybe that’s a bad trust?
My local pharmacy dispensed the wrong medication to me, an error that could have had consequences if not detected. Not the first time, either: they once gave me another patient’s meds (controlled drugs) with my name on them.
Pharmacies are required to have a four-eyes check on all dispensed medication. That particular day they were too busy larking about and being utterly unprofessional.
Imagine my lack of surprise upon receipt of a letter today exonerating themselves of all wrongdoing, even with the evidence clearly showing the mistake. No wonder they were keen to retrieve the wrong meds.
The Local Council
My local council made a basic security mistake by emailing usernames and passwords to the public in the same email. No out-of-band channel for one half of the credential, no notice to expect it. All in the name of Digital Reform, which weirdly enough doesn’t seem to come with security requirements.
I spoke to them directly to alert them to this error, which will be open to abuse… They tried to assure me the council’s mail servers are very secure…
They picked the wrong person for that discussion…
They couldn’t understand that email is by its nature insecure once it leaves their servers, or that it doesn’t go directly to my inbox but may traverse the world, depending on where the servers are located and the number of hops required to get there (yeah, technobabble). “Our mail server is secure” says nothing about the relays in between or the mailbox at the other end.
If they’ve never worked in this field, I’m not surprised they don’t “get it”.
I asked if they had an Amazon account, “of course”.
I also asked if their post room is secure, “naturally”.
I asked if they would be prepared to write their Amazon Username and Password on a postcard, address it themselves at their home address, stick a stamp on, and pop it down to their mailroom.
A long pause…
An unsealed postcard will be seen by anyone in the mailroom, by the post collection services, sorting offices, delivery drivers etc.; control has been lost, and anyone can take a copy and store it on various devices. Basically, by the time it reaches your home address you’re going to have to change your password, if you haven’t already. The principle is the same with email: every relay between the sender’s server and the recipient’s mailbox handles the message in the clear, it sits in the clear in the mailbox at the far end, and transport encryption between two hops (where it is even used) protects only that one wire. Unless you have full end-to-end encryption, there’s no security!
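To make the postcard point concrete, here is an added example (my own illustration, not code from the original post, the council or its supplier). It parses a constructed welcome email (no real council, domain or account; the hostnames and addresses use documentation ranges and the header and body layouts are assumptions), lists every mail server recorded in its Received headers, each of which handled the body in the clear, and flags a username and password travelling together in one message. It then runs the same check over a corrected message that sends only the username plus a single-use set-password link.

```python
"""Added example: inspect a raw email for (a) the relays that handled it and
(b) a username and password travelling together in one message body.

Both messages are constructed for illustration; the hostnames use
documentation domains and IP ranges and belong to no real council or user.
"""
import email
import re
from email import policy

# Constructed sample: a "welcome" mail carrying both halves of a credential.
# Received headers are listed newest first, as each receiving server adds one on top.
CREDENTIALS_RAW = b"""\
Received: from mx-inbound.example.net (mx-inbound.example.net [203.0.113.7])
    by mail.example.org with ESMTPS id abc123
    for <resident@example.org>; Mon, 01 Jan 2024 10:00:03 +0000
Received: from relay.cloudmail.example (relay.cloudmail.example [198.51.100.25])
    by mx-inbound.example.net with ESMTP id def456;
    Mon, 01 Jan 2024 10:00:02 +0000
Received: from portal-app.council.example (unknown [192.0.2.10])
    by relay.cloudmail.example with SMTP id ghi789;
    Mon, 01 Jan 2024 10:00:01 +0000
From: Digital Services <noreply@council.example>
To: resident@example.org
Subject: Your new online account
Content-Type: text/plain; charset="utf-8"

Welcome to the new resident portal.

Username: resident123
Password: Spring2024!

Please log in at https://portal.council.example/
"""

# Corrected form (constructed): the username travels by email, the password is
# chosen by the recipient through a single-use link, so no relay sees a secret.
SAFER_RAW = b"""\
From: Digital Services <noreply@council.example>
To: resident@example.org
Subject: Your new online account
Content-Type: text/plain; charset="utf-8"

Username: resident123

To choose your password, open this single-use link within 24 hours:
https://portal.council.example/set-password?token=EXAMPLE-ONE-TIME-TOKEN
"""

HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)
USER_RE = re.compile(r"^\s*(?:user(?:name)?|login|account)\s*[:=]\s*(\S+)", re.I | re.M)
PASS_RE = re.compile(r"^\s*(?:pass(?:word|code)?|pwd|pin)\s*[:=]\s*(\S+)", re.I | re.M)


def mail_hops(raw):
    """Return (from_host, by_host) pairs in transit order, oldest hop first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(str(value).split())  # unfold the header onto one line
        match = HOP_RE.search(flat)
        if match:
            hops.append((match.group(1), match.group(2)))
    return hops


def cleartext_handlers(raw):
    """Every host that handled the message body, in order and without repeats.
    Each could read or retain the body unless it was end-to-end encrypted;
    TLS between two hops protects only the wire between those two hops."""
    seen = []
    for from_host, by_host in mail_hops(raw):
        for host in (from_host, by_host):
            if host not in seen:
                seen.append(host)
    return seen


def credentials_in_same_message(raw):
    """Return {'username': ..., 'password': masked} when both halves of a login
    appear in one message body, else None. The secret is masked so this check
    can itself be logged without leaking it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    user, pw = USER_RE.search(text), PASS_RE.search(text)
    if user and pw:
        return {"username": user.group(1), "password": "*" * len(pw.group(1))}
    return None


if __name__ == "__main__":
    for label, raw in (("credentials mail", CREDENTIALS_RAW), ("safer mail", SAFER_RAW)):
        print(f"{label}: handled in clear by {cleartext_handlers(raw) or ['(not yet relayed)']}")
        print(f"{label}: credential pair in body -> {credentials_in_same_message(raw)}")
```

The first message shows four separate hosts that held the full credential before it reached the resident, and that is only the path that happened to be recorded; the point is that control is lost at the first hop, not at some particular number of hops. The second message passes the check because nothing reusable is in the body; the link itself still has to be short-lived and single-use to be worth anything.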
Cue writing to my MP… They received a reasonably quick response from the Chief Exec of the local council, who played the “I only make decisions, not the implementation” card (fair enough), but did follow up with a technical team response, whose reply may sound plausible to a non-cyber-security professional.
The reality is, it’s a f**k up; in fact, it looks like this is endemic across all councils using this piece of software, as I learned that the supplier was the main winning bid for the country.
Mistakes have been made and, again, no one wants to be held accountable or even address the issues raised. I’d like to think there’s a cyber-security professional shaking their head in an “I told you so” moment, something we’re very accustomed to, as someone without cyber experience “risk accepts” these findings… Weirdly, they’re never accountable when that risk materialises…
You could argue it’s about effective communication, articulation of the risk, or the ability to influence change, and I agree to a point; equally, there has to be a desire to change, to be effective and to improve. You also have to factor in that where there’s no sponsoring exec for security, or where the old practice has suddenly been replaced with new IT infrastructure without adequate training and up-skilling, then of course they’re going to risk accept something they don’t understand while balancing budgets.
Sadly, it usually takes a significant data breach for any real action to be taken, at which point it’s far too late.
Conclusion: I sometimes wonder whether energy is better spent elsewhere than on trying to convince the remaining monkeys to change their world view and experience…
What are your thoughts?