The Business-Technology Weave

November 4, 2010  12:04 PM

Policy and Planning in View of Risk’s Velocity

Posted by: David Scott
business and IT policy, business and IT planning, business planning, business plans, business policy, business risk, IT planning, IT plans, IT policy, IT risk, risk analysis, security policy, velocity of risk


[Note:  You may wish to see Velocity of Risk prior to reading this post]


Recently, a colleague was crafting policy at a satellite organization.  In other words, it was subordinate to a parent organization.  This was not a case of one specific type of company owning another type of company, of a wholly different mission and set of products and services (albeit a common enough occurrence).  This was like-companies providing the same product and service set, but having robust business operations in different physical locations, and one reporting to the higher headquarters.  Further, headquarters published most policy, with minimal room for local influences or accommodations.


Interestingly enough, the satellite wanted specific policy that was further-reaching than the higher headquarters’ policy.  It involved security.  My colleague was careful to consider that any policy crafted, as a draft, should not violate the “trunk” of the headquarters’ policy.  Further, any additional security measures should be “greenlighted” by headquarters.


And, of course, any satellite policy would have to be approved by the headquarters, wouldn’t it?  “Yes,” replied this IT leader.  Through careful query, I was able to determine that the IT leader felt a liability in his particular environment due to lagging policy on behalf of headquarters, and headquarters’ guidance.  It was his intent to await the next regularized meeting with headquarters to lobby for his local institution of what he felt his superior policy to be.


Absent approval, he at least had a policy that, in the event of a breach or bad outcome, he could pull from a drawer.  Ah ha!  Look what I wanted to do! 


This represents a divide in communication on a couple levels.  1)  He should have called his boss upon completion of the policy.  If the policy had merit, and if he can communicate effectively, he should suggest that the robust policy supplant, or be used to infuse, the headquarters policy for update, with subsequent distribution to the satellites.


Minimally, headquarters should look anew at all security measures:  Solicit input from all satellites.  Collect and evaluate.  Use the occasion to bolster the central headquarters security policies, and distribute.  Consider a degree of local freedom in allowing satellites to make proper adherence of policy to local liabilities and allied protections – all with full knowledge and approval of headquarters, of course.


Why wait?  Velocity is now associated with risk.  Risk does not wait. 


November 4th:  On this day in 1939, the first air-conditioned automobile was exhibited in Chicago, Illinois.

November 3, 2010  11:51 AM

The Criticizing of Excellence, Pt. II: Maintaining a balance

Posted by: David Scott
business criticism, business evaluation, constructive criticism, employee evaluation, invalid criticism, IT criticism, IT evaluation, justified criticism, unjustified criticism


We need to keep a balance in our reaction to all criticism because there is value even in much criticism that is poorly delivered.  There can be merit in critiques that are rude, or even delivered in “attack” mode.  Too, we can recognize criticism at the bottom end of the scale, and dispose of empty criticism through appropriate channels before it spreads and infects other opinions and attitudes to the detriment of the organization.  It helps to build immunity to the negative sort of criticism that, unfortunately, permeates certain endeavors. 


With experience, knowledge, and well-placed faith in the organization comes a patience that, however unjustified and harmful some criticism may seem, it can be handled and disposed of in a forum sanctioned by the organization.  This is especially important:  I recently consulted in an environment where a supervisor refused to mediate a relatively minor spat between two individuals – one of whom wanted to meet to iron out difficulties in person, and the other who did not.  An e-mail record well-documented the problem and the attempt at resolution.  The irony?  A 25-foot virtual circle would have encircled the desks and people involved, in offices along and across a single hallway.


We also need to take a look at the sponsors of different sorts of criticism and learn how best to handle those people.  It is always helpful, and in most circumstances downright necessary, to consider the source.  Here it is especially important to maintain a balance, as many critics are powerful people.


As we consider the receiving end of criticism, we see that too many of us assume that our efforts should be immune from criticism.  In that unbalanced posture, we cannot fail to resent criticism – no matter how on target, and no matter how expertly delivered.  Reasons vary, but perhaps it’s because we feel we’re doing an excellent job: we’re putting in extra hours (without being asked!), we’re “carrying” our department (“they’d be in big trouble without me”), or maybe criticism just catches us on a bad day.  Often, we feel that we’re doing the best we can in murky circumstances (another reason to get The Weave under control).  Therefore, when criticism is directed at some of us, we respond in a negative fashion – with negative outcomes.  Responding to criticism with anger, sarcasm or defensiveness is counterproductive.  At the same time, it’s counterproductive for leaders to allow others to engage in invalid criticisms.  If we don’t take care, this can become a self-reinforcing cycle; for the individual, and even for the organization.  Criticism and its disposition, as much as anything else, influences the organization’s culture. 


For leaders, criticism can bring a particular kind of pressure.  Too much pressure for anyone can lead to an imbalance:  the stumble of mistakes that otherwise wouldn’t be made.  Pressure can yield bad judgments.  Managers – Business and Technical alike – should watch for undue sensitivity to criticism; in them and in helping others.  Ultimately, everyone needs to inculcate a healthy perspective to criticism – this includes the deliverer and recipient.  Balanced people are aware of the appropriate, positive, responses to criticism – take what is positive, accurate, suggestions for the betterment of business and yourself, and move along.  This healthy perspective toward criticism, and the appropriate method in delivery, receipt, and disposition, will defuse sensitivities and lead to progress.  None of this is to say that we should ignore egregious instances of pure belittlement.  Leaders need a balanced, objective, ability to weigh criticism, assign the relevant worth, and dispatch or handle it on that assigned basis.    


Cloaked Criticism:  As mentioned above, there can be validity in criticism that is poorly delivered.  This leads us to acknowledge a category of criticism that is generally not addressed in other discussions.  It is a category that is especially important to IT and Business, as we cannot afford to miss important requirements and details (regardless of source). 


Simply, cloaked criticism is either constructive or destructive criticism that has the appearance of the other. 


For example, you may receive “constructive” criticism that has you doing busy-work at the expense of emerging priorities.  The critic may have a good heart, but in this case the criticism will destruct our efficiency.  Too, there is criticism that has the appearance of destructive criticism, but which nonetheless contains merit.  In pressure environments, criticism that is often legitimate (therefore valid) gets perceived as unjustified criticism:  it is criticism that comes to us in anger, or as an attack, and therefore it is poorly expressed.  Regardless, the issues may be legitimate.  If something is in dire need of attention, we can’t afford to miss it just because we don’t care for the critic or his delivery. 


Therefore, in all cases we need to recognize that criticism isn’t always packaged correctly – like anything else, the delivery of criticism won’t be perfect.  In extreme cases, we could say that criticism is “cloaked.”  Because some “constructive” criticism can yield poor outcomes, and because some “destructive” criticism can have value in part or all of it, we’ll discuss how to recognize this cloaked criticism.  We can then handle it according to what it truly represents; we pan for the legitimate portions of critical information, and neutralize whatever remains.


We’ll take a couple days’ break from our discussion of criticism, but in the coming month we’ll weave a furtherance of this important topic through the blog.


NP:  Oh, Mother I’m Wild – Jack Kaufman, original Columbia 78rpm disc, 1919 – played on a red mahogany Victrola.

November 2, 2010  12:27 PM

The Criticizing of Excellence: How to dispense and handle criticism – Pt. I

Posted by: David Scott
business criticism, criticism, IT criticism, performance review, personal review


The absent are never without fault, nor the present without excuse.


Benjamin Franklin



The only way to avoid criticism is to do nothing, say nothing, be nothing.





Why The Criticizing of Excellence?  Because that phrase snaps all criticism into an important perspective:  Once it’s understood that criticism is going to come, regardless of circumstances, we can recognize that fact, accept it, and effectively deal with it.  In a challenging arena like the Business-Technology Weave, we know that criticism must be driven toward constructive criticism.  As it is, for most of us, dealing with criticism is not the best part of our day – whether dispensing it or receiving it.  Poorly managed criticism, and critics, can impair business. 


If not carefully managed, criticism can set up a sort of negative ping-pong exchange of recriminations, attendant “scoresheets,” and possible “get even” scenarios.  Preventing this sort of atmosphere is far easier than repairing an environment that has been allowed to drift.  You don’t want personalities clashing.  We must not allow problems between people to be woven into your organization’s fabric. 


Many an organization suffers through the “silo-ing” of departments and the resultant impairment of communication and efficient business.  At the same time, various people are silo’d vis-a-vis certain other people – and all manner of cumbersome alternate methods of getting the job done start to impact efficiency.  Working through a minefield of political liabilities is what mucks up many good faith endeavors.  But that’s largely because most people haven’t learned what criticism really is meant to be, and how it is to be used (both in its delivery and in its receipt).  When we understand the nature of criticism, we learn to value criticism.  In learning how to value and use criticism, we need to recognize constructive (or justified, valid) criticism – and destructive (or unjustified, invalid) criticism – and we need to act on criticism to effect the appropriate outcomes. 


In Defense of Criticism:  Let’s establish a little background:  In a field as challenging, dynamic, and high profile as IT, there is much that presents a ripe target for criticism.  At the same time, the pressures faced by Business, and their demand for quality support and services, generally means that Business has a fully stocked quiver of critical arrows.  Yet, healthy criticism is necessary to the Business-Technology Weave. Critical evaluation and communication will be ongoing.  This, paired with the challenge in creating, interpreting, and implementing a Business-driven IT strategy, makes it extremely important that we understand criticism and how to wield it.  If you’re not making effective use of criticism, then you not only lose out on the positive lever to be had in progressive business, but you allow the deployment of a negative, depressive lever.  Particularly in circumstances where we suffer divides, and have not yet achieved a proper Business-Technology Weave, there is that tendency to mount criticism from a less than fully informed perspective.  When we combine that with a natural tendency to bristle at criticism, and mix in the resultant impairments, we find that we have a “perfect storm” formula for significantly diminished returns.


In those circumstances, we build resentments – we damage relationships between people, departments, and even organizations.  We create avoidance to people and issues, we slow progress, we hamper business.  Repair is costly.  So, we have to take special care with criticism and its disposition in all circumstances.  When we do, we find that proper criticism and proper reaction to it helps to expose important issues and aids in the resolution of problems.  Criticism must always satisfy the “does this move business forward?” question.  Therefore, criticism must have a positive motivator, helpfulness in spirit, and a benefit to be had in the form of suggestion and outcome.  Again, valid criticism has value – business value.


Once we know this, we realize that we need to manage criticism under a dizzying variety of circumstances.  It must be managed at all levels of the organization; criticism between individuals, as well as between and within departments.  Criticism must be managed between organizations that have relationships: it is dispensed between discrete organizations involved in shared missions and outcomes, for example.  Here there is a special risk:  poorly managed criticism can severely damage effective cooperation between “allied” organizations, particularly when it is motivated by protectionism and jealousy. 


Criticism is delivered to vendors, and even, in carefully crafted communication, from vendor to organization.  On a more local level, there is a critical need in keeping individuals on balance.  Those technical people directly supporting business on a daily basis are in a particular zone:  They face business staff who need to accomplish business, often under pressure, and these support people can face a larger proportion of criticism than the average staff.  The supported business people in direct contact with their support half are also in a target environment. 


The good news is that criticism, large and small, is essentially handled the same way.  If we’re able to take a dispassionate, objective look at the full range of criticism – from whiny, empty, counterproductive carping – to the valid critiques, suggestions, sound advice, and requirements – then we’ll be much more adept at recognizing and handling criticism.  We can vet criticism: defusing negativity and leveraging the positive to yield better outcomes. 


Next:  Maintaining a balance in the face of criticism.


NP:  “Brown Eyes Why Are You So Blue?” by The Golden Gate Orchestra – on original Edison disc (and player).

October 31, 2010  12:54 PM

Plans: Planning and Managing Change, Pt. III – the One-Year and Individual Action Plans

Posted by: David Scott
business plans, business projects, individual action plan, IT plans, IT projects, one year plan


The One-Year Plan


A properly maintained Five-Year Plan means that your One-Year Plan is being worked on and readied not only in a “near-term” advance; you’ve been working on it to one degree or another for five years!  That’s powerful.  Again, this plan drops into place from the front of your Five-Year Plan.  It outlines all of your major objectives for the year with just enough detail so as to present an efficient, informative overview of each objective.  Items on the One-Year Plan are broken out and assigned to individuals and, as necessary, groups, to manage as projects for the larger endeavors and as tasks for the smaller initiatives.  Hence each item on the One-Year Plan is on at least one person’s Individual Action Plan; some items on the One-Year Plan will be on several individuals’ action plans, since they will require a team, or project, effort.  Group initiatives will show on the Individual Action Plans as a specified role and set of responsibilities for that individual.   


The Individual Action Plan


Each IT staff member’s Individual Action Plan is a roll down from the department’s One-Year Plan.  Each item on the One-Year Plan is on various Individual Action Plans, with expanded detail and specific expectations.  Here are the actual projects, tasks, duties, and ownerships – indeed this plan is one of the most effective levers for getting things done.  Sure, you’ve got goals listed in each of your employee’s appraisals, and you may have a professional development document somewhere – these are generally filed away until a mandated annual review.  But the Individual Action Plan is drafted and maintained by the individual IT staff member, and approved by the manager.  It has projected dates for completion of items.  It is reviewed quarterly at a minimum, and on an ad hoc basis as necessary.  Items are marked as completed or pending as appropriate. 


If an item is not to be undertaken – for example if something cannot be funded as anticipated – it is removed.  Initiatives that were not originally planned, but which have been added to the year’s objectives, are assigned and added to an appropriate person’s action plan as necessary.  A well maintained Individual Action Plan is a ready reference come review time, and makes the preparation of each employee’s appraisal much easier – it also makes for great supporting documentation. 


A current year’s Individual Action Plan can also include items from any year of the Five-Year Plan.  For example, a somewhat distant future initiative may need researching now.  However, the Individual Action Plan is primarily a “get it done” document for achieving the near-term objectives of the coming year.


The “Who” of Getting Us There:  Further, as we consider the importance of ‘where we are,’ ‘where we’re going,’ and ‘how we’re getting there,’ consider the ‘who’ of getting there.  Who exactly is doing what?  Within the organization, the Individual Action Plan is the ultimate setting, documenting, and control as to who is doing what.


Leveraging your plans


Toward the middle and end of each year, a major focus shifts to year-one of the Five-Year Plan.  It is now the upcoming One-Year Plan, and it should be on the agenda in the BIT meetings.  It should be raised in budget meetings, all-staff meetings, and IT staff meetings:  anywhere futures discussion and planning is happening.  The IT leader must be sure to do a final survey of Business regarding all of their needs, real and imagined, and the various Business teams must vet and justify each.  It is also very important for Business to make their own effort:  to make needs known to IT on a timely basis, particularly as regards changing needs that evolve between formalized meetings or understandings.  The fourth quarter of the year is a good time for IT’s sponsor(s) to attend a BIT meeting or two.  Getting everything on the table and identified as a “need,” “want,” and “wish-list” type of item is very important. 


Once the year starts, remember that the current One-Year Plan is a living document.  As the BIT team meets, and issues are raised or fine-tuned, relevant items add to the plan and get tracked.  Some items may drop.  There should be very few “surprises” in a properly maintained plan environment.  IT works within its supervision to make sure the BIT-developed and other work is on track with the organization’s goals and expectations. 



The One-Year Plan’s Support to Projects


As a One-Year Plan approaches actualization, specific items take shape as separate, defined, and detailed plans in support of managed projects.  As the bulk of the work is viewed from a requirements standpoint and a budget perspective, and as work is discussed and balanced in terms of load to departments and individuals, it starts to become apparent what can be supported – and perhaps what cannot. 


In other words, the overarching One-Year Plan becomes fairly steadfast, and becomes a catalog of sanctioned projects and initiatives – pointing to detailed plans that are under development or ready for execution.  As importantly, any delayed or disapproved work will be known to all participants – expectations and requirements are now being satisfied according to the organization’s authority and sanction, with everyone’s full knowledge.



Remember ~


Any specific IT plan should have a match to a business plan or objective in the organization.  The Five-Year, One-Year, and Individual Action Plans must support sanctioned business initiatives.  IT’s plans help to establish where you are, where you’re going, and the route for how you’re getting there. 


As importantly, direct responsibility is assigned through the plans; the specific “who” of getting you there. 


Remember to leverage BIT and its agenda in support of managed change according to plan. 


October 31st:  It’s Halloween.   :^ )

October 31, 2010  12:31 PM

Plans: Planning and Managing Change, Pt. II – Three plan types

Posted by: David Scott
business management, business planning, business projects, change management, five year plan, individual action plan, IT planning, IT plans, IT projects, one year plan


Three Plan Types


IT’s general support to the Business-Technology Weave can be effectively planned and managed through three major plan types.  These are the high-level, across-the-board support plans – which acknowledge and mark the upcoming projects. 


We’ll refer to these IT-Business support plans as the Five-Year Plan, the One-Year Plan, and the Individual Action Plan.  You may wish to label these plans differently in your organization; you may need to look further into the future with a ten-year plan – or more.  But here we’ll use these generic names for ease.  Let’s take a brief look at each plan type, how it relates to the other plan types, and how together they help maintain your directed change, and adjustment to outside, impacting, change. 


The Five-Year Plan


The Five-Year Plan begins with the upcoming (next) calendar year, and extends through each of the upcoming five years.  The upcoming first year becomes the organization’s detailed One-Year Plan, upon the turn of that new year.  Therefore, the first year of the Five-Year Plan should contain everything you intend to do in the upcoming year.  Since the One-Year Plan is the near-term focus for what needs doing, it should be as detailed as necessary – it is executable in that it has been vetted and sanctioned, is budgeted, has been announced, and all preparatory steps have been taken for each element of the plan.  It matches the organization’s business expectations, needs, and overall business plan for the year.  Also, the One-Year Plan spawns all of the detailed project plans and individual action plans as necessary for the organization’s various managed projects and changes.  The organization’s overall project management benefits from the coordinated tracking on the Five and One-Year plans; supports, dependencies and competition for resources can be adjusted in maintaining optimal results.


The Plan’s Progression:  Years Two, Three, Four and Five are progressively less detailed, respectively, as you consider periods of time that are further out from “now.”  Looking out to Year Five, we can see that in a year’s time, its detail and plan moves into the Year Four slot; the former Year Four is now Year Three, and so on.  At each turn-of-year, a new Year Five is added to the back of the plan.  As each year of the Five-Year Plan marches toward you, it is massaged into better focus; adjusted according to changing business priorities or objectives; availability of resources; advancing technology; changing environment; and new methods and practices.  There is an ongoing maintenance for the organization’s alignment of business and technology.  Eventually, our original Year Five clicks forward, having evolved and focused according to needs, until it moves into position as the One-Year Plan.  In this manner, we find that a properly maintained Five-Year Plan can efficiently generate a comprehensive, executable, sanctioned, and aligned One Year Plan.  This means that an organization’s staff is fully informed and qualified to tackle the forthcoming changes, and changes align with business needs in fulfilling expectations accurately, comprehensively, and efficiently.  


At any given time, we can expect that Year-Two doesn’t have quite the focus or detail as Year-One – however, most major initiatives are known and a fair amount of detail is present.  The more distant years will have large bullet items without a lot of detail, because technology and business factors change, sometimes radically, over a period of years.  Your Years-Four and Five may even contain rather whimsical “wish-list” type of items, just to keep them on the radar.  Your organization may have potential mergers or acquisitions under consideration, which will require different technology and business practices – these considerations can call for placeholders on the plan, ensuring some exploratory discussion and gathering of pertinent information.  These efforts establish and define a ‘where we are,’ also project a ‘where we’re going,’ and ensure the start of a bona-fide, progressive, route for future actualization. 


The Plan’s Direction and Flexibility:  Planned items can go one of two ways:  Some things become certified as bona-fide objectives, and additional detail is accumulated and added to the plan.  Just as importantly, other things may be dropped due to a change in business priorities.  Likewise, other things may pop on as completely new items.  The flexibility of the plan means that you may “bump back” certain items over the course of a couple months, or even years – maintaining them as placeholders – perhaps until a return-on-investment threshold is reached.  Other things may “heat up” and slide forward. 


At the same time, the Five-Year Plan cannot simply be a receptacle for every crazy brainstorm or trendy practice that comes along.  It must represent a managed plan that adheres to the true needs of the organization, as best as you can determine them at any given time. 


The Five-Year Plan (or any long range plan) also does something else that’s very important:  it should not only expose dependencies, but should also show vulnerabilities and strengths.  For example, if your plan is to implement a new content management system in the course of the next few years, you may need to consider an upgrade to your hardware platform and infrastructure.  Your plan may have to accommodate new fileservers and workstations, for example.  You’ll have a significant training and support burden.  Once that decision is made, it may be evident that another project that was waiting for these upgrades can now move forward.  The preparation and timing for implementation of many things will coordinate nicely through the plan. 


Remember:  As the first year of the Five-Year Plan becomes the current year, that part becomes the new year’s One-Year Plan.  The Five-Year Plan adds a year at the end of its range, is populated as necessary over the course of time, and all years are updated and tuned accordingly.  A properly maintained Five-Year Plan not only means that you know where you are, and where you’re going, but also means that you’ll always have your One-Year Plan ready at the beginning of each year.  In fact, you’ll have one-year plans under development for each of the next five years.  That is managing change as a continuum.  Also keep in mind that you can project further if you feel you need to.  Just remember to match your time and effort to the likelihood that a particular plan objective will actually be undertaken.


Coming:  The One-Year Plan, and the Individual Action Plan.


October 31st:  On this day in 1956 Brooklyn, NY ended streetcar service.

October 31, 2010  12:03 PM

Plans: Planning and Managing Change – Pt. I

Posted by: David Scott
1 year plan, 5 year plan, business and IT change, business change, change management, five year plan, individual action plan, IT and business change, IT change, one year plan


I was speaking about plans and projects with someone the other day.  As far as challenges go –  next to people – change and the associated planning is the most difficult element of The Weave.


Change is a continuum.  For the organization, something is continuously changing that affects it:  Change is happening within, and it is happening in the surrounding environment.  All change must be weighed and assessed for impact, and there must be a ready posture for doing this.  Too many organizations think of change as something mounted in a burst; “now we can rest.”  This is why so many organizations seem to take action at the back edge of the envelope:  change for them is constituted as an addressal of problems under pressure-filled and even desperate circumstances. 

When change is mounted under pressure, there is usually a failure to fully survey where you are.  It may seem obvious, but in planning a destination (that is, a project’s destination), with appropriate directions, you must know your point of origin:  the organization’s true station and status.   You must survey business process, your technical enablements, and your people.   If you don’t know where you are, the route to destination is a broken one – reaching the destination is painful, inefficient, and sometimes not even achieved.

The smart organization doesn’t disengage from change – nothing around the org stands still if it does.  Therefore, the management of change isn’t just some reaction to what is happening internally, or some engagement that is “forced” by outside change.  You must present a position of readiness, so that you have the “muscle” in place to exercise change.  You must be able to forecast, develop, and schedule.  This requirement for readiness presents itself to the individual, to groups, and to the organization in equal measure, as we’ll see. 

Today, we need to realize and acknowledge that even change changes.  How does change change?  Consider:  While we’re busy implementing a documented, sanctioned change, some of our assumptions, support products, fiscal supports, regulatory requirements, business practices, etc., haven’t done us the courtesy of standing still.  Further, various projects and their change can compete for common resources; they can shift in schedule and crash into one another; they can have interlocking dependencies and impacts that must be carefully coordinated.  Any time you make a course correction, an accommodation, an expansion in scope, etc., you are making a change to change. 

Circumstances such as these, and the quality of planning in your organization, yield one of two things:

1)     A house of cards, or

2)     A solid structure of mutually reinforcing initiatives and projects. 

Because things are shifting and evolving around us all the time, we need plans that have enough structure to guide us effectively, but that are not so rigid as to “straitjacket” us.  We don’t want to be implementing so-so or broken solutions today that looked great yesterday.  We don’t want the organization to be thrashing as it attempts to mount major changes without regard to prudent sequence, or that are even in direct competition with each other.

High Level Plans in Support to Detailed Plans

From a high-level view, we need to plan support to the Business-Technology Weave.  High-level plans should identify, guide, assist, and facilitate that which you wish to accomplish.  They provide the general documentation and a calendar position for a collective of projects and initiatives, the sum total of which represents the organization’s forward thrust, and each of which has its own detailed, operational plans as separate documentation. 

Aligning an organization’s detailed plans, projects, and initiatives is similar to tuning a car:  you want all of your cylinders firing in proper sequence and timing.  When properly tuned, your car not only has maximum power in ‘getting to where you’re going,’ it is making the best possible use of resources (in the form of highest gas mileage, and with minimal wear to the engine).  Your organization’s individual operational plans are like cylinders – each contributing to the organization’s forward movement relative to time and circumstances.  You must ensure that each of these plans “fires” in proper sequence, so as to assist the next plan – or at the very least not impinge upon its “firing.”  You must get the collective of projects and initiatives making a concerted best-use of resources.

At the same time, any higher-level plan must have some flexibility in order to make allowance for an adjustment in schedule or direction.  Yet, it can’t be so ill-defined as to provide no structure at all.  And, we have to preserve order:  an order in change, and the order of the organization.  How do we effectively manage this trick?

IT’s Onus

If you’ve followed The Weave over time, you know that we’ve discussed the importance of communication between Business and IT.  And we know that it’s wise today for Business to make known its planning and direction for early participation and contribution by the organization’s technical investment.  Certainly Business must facilitate IT’s understanding of required support to business initiatives, evolving technology needs, and changing environmental factors (such as security, expansion, new regulatory requirement, etc.).  But realize that whether this happens effectively or not, IT still exists for, and at the pleasure of, Business.  The onus is on IT to support, align with, and enhance Business’ plans for business.  IT must dig where and as necessary.

There is plenty of chance to do that, so recognize your opportunities:  There will be the obvious occasion for plans’ creation and adjustment within specific, formal, plan meetings – but also formally and informally in the course of budget meetings, staff meetings, board meetings, etc.  The exercise of snapping them into focus happens largely in the BIT forum (The Business Implementation Team), and in specific IT plan meetings:  but anywhere that there’s a discussion of futures planning contributes to the overall opportunity to assess change, and to effect the “gel” of a plan. 

Further, in a changing world, there is the onus on IT to “hear” and garner everything, as a weight on a scale of possible change requirements.

Coming:  Part II – Three Plan Types.

NP:  Bessie Smith, on original 78rpm.

October 29, 2010  12:16 PM

Velocity of Risk

Posted by: David Scott
2010 Global SMB Information Protection Survey, AITP, Association of Information Technology Professionals, business management, business policy, business risk, business security, business security plan, information security, IT risk, IT security, risk management, Security Plan, security policy, velocity of risk


Wow.  I was reading an article in InformationWeek magazine:  The Top 10 Security Challenges for 2010.  I guess I’m slowing down:  The article is from January 2nd.  Ahem, however -


There’s a great, great, line in the article – I wish I’d written it, but I’m happy to source it:  Speed may be Google’s most cherished goal, but it also increases the velocity of risk.

The “velocity of risk”!  That is an incredible concept:  Velocity’s definition comprises speed paired with direction.  In other words, 35mph is an indication of speed.  35mph due North is velocity.

But, what is Velocity of Risk in an IT/business sense? 

Well – risk now arises quickly, and comes from many directions:  The cloud (internet apps and services), social networking sites such as facebook and MySpace (just recently suffering its own breach), business sites such as LinkedIn, real-time enablements like Twitter and chat agents… and on and on and on….   you get the idea.

So, we can see that risks stream toward us from many directions (sources), and risk speeds toward us (opens quickly) – in the unmanaged (or poorly managed) environment, but also too often in the best, most carefully managed, environments.  Unmanaged risk opens, and will ultimately deliver, incidents of directed harm in the form of malware, hacks, etc.,  and incidents of inadvertent harm (lack of centralized data/nightly backups, as one example).

A tenet from The Weave that we’ve hammered many times:  In the realm of risk, unmanaged possibilities become probabilities.  And quite naturally, an ongoing situation of probability will deliver in the course of time  - it’s a guarantee:  data breach, identity theft, corrupted data, applications crash… followed by costly recoveries… or – loss of business reputation and customer-faith.

When IT and Business converse across the table, be sure to discuss risk management, associated costs, and delivery of protections (ROI) in a specific context.

That context is Velocity of Risk.



NP:  Rolling Stones:  Metamorphosis.  The opening track - the alternate take of “Out of Time” - is worth the price of admission.  On vinyl.  Next week, some NPs involving hardcore Blues on original 78 rpm.

October 28, 2010  9:04 AM

Ongoing Social Networking Perils

Posted by: David Scott
America Online, AOL, business security, facebook, IT security, myspace, personal use, social networking, social networks


Oh oh – here we go again.  A Wall Street Journal investigation has found that the social networking site MySpace, in conjunction with popular applications on the site, has been sending crucial data to advertising companies.  This data can be used to identify users – and I’d call this a breach of identity.


This report comes amid news that many employers are blocking access to sites such as MySpace, facebook, and even AOL.  This comes at a time when social networking is becoming, or has already become, as ubiquitous as e-mail.  Many work folks stay abreast of family and friend occurrences and commitments through these means, just as they do through e-mail.


Companies need to revisit Acceptable Use and Security Policies again.  If you’re not covering and directing what people can do with organizational  resources, to include social networking, you need to address that at once.


For some companies, facebook and MySpace, et al, represent opportunity for marketing and expansion of client bases, exposition of products, and sales.  The authorized uses of social networking are obvious and can be easily documented in an Acceptable Use Policy.  If your company is utilizing social networking in expanding business, you merely follow many of the same dictates for appropriate use of e-mail, for appropriate communications, etc. 


However, in any Acceptable Use Policy’s three main sections (Required Activities; Forbidden Activities; and Limited Personal Use Activities), it is  the “Limited Personal Use…” section that is trickiest.  Here is where the organization attempts to be a “decent chap,” in making allowance for some of the mental snack time we all need; some idle web surfing, personal e-mailing, social networking perusal and update… 


In other words, it’s tolerated, so long as


1)     You don’t publish proprietary information

2)     Shared resources aren’t tied up

3)     Inflammatory or illegal material isn’t published

4)     Personal activity isn’t conducted under the impression that you’re operating in your official capacity

5)     You don’t open security holes for breach


And so on and so forth.


MySpace is still around??  Be careful out there.   :^ )   Also, you may wish to visit Social Networking and the Blended Environment.


NP:  Band of Gypsys (Hendrix, Cox, Miles) on original vinyl.  Naturally.  (And yeah, it is “Gypsys” – but you knew that).






October 27, 2010  12:59 PM

A Model for Tearing the Weave: Starbucks, Safety and Security, Pt. III

Posted by: David Scott
business security, content management, content security, data security, IT security, Starbucks


(Please see Parts I and II, below)


Well, as you may remember, I wrote a letter to Starbucks.  After all, they want to hear my concerns (according to the website, “…We’re here to listen”).


However, 2+ weeks after the letter – nothin’.  No call, no e-mail, no letter.


So, I asked “Helen,” the original barista to whom I had made the complaint.


“Hey Helen, were you guys informed that I had written a letter to Starbucks Corporate Headquarters?”


Helen (coyly):  “Mayyyybeeeee….”


In the course of our short conversation, Helen informed me that “we’re discontinuing the practice” of counting money on the food-counter, in view of customers.


But, within 3 days, a barista was counting a huge pile of money on the same counter.  When I asked about it, the store manager, Jackie, informed me that tips would not be counted there any longer, but money at the end of shift changes would be.


When I asked if there wasn’t an office in the back, Jackie told me there was a desk.  Well, this would seem to be the natural place to do some accounting of money.  But no – apparently, it is corporate policy that money is counted out in the customer area.  Seems rather tactless, but what do I know?


Well, I know that large sums of money, over time, can inspire temptation and ultimately theft.  It might be beneficial to keep a tenet from The Weave firmly in mind: 


In the realm of risk, unmanaged possibilities become probabilities.


I spoke to the owner of several Tim Horton’s coffee shops.  He was incredulous:  He said that the only time customers saw money was when TH made change in selling coffee and pastries, etc.  Registers were emptied by whisking away the inside of the cash drawers and putting empty ones in their place.  That seems reasonable.


Imagine going into AutoZone, and they’re counting stacks of money on the counter in front of you.  Or Sears.  Or WalMart…  or, anywhere else.


Starbucks’ practice is a temptation for sure.  Counting stacks of money in customer view can embolden a thief, who may don a mask and time a return trip.  In my case, I witnessed a large stack of money totally unattended for a lengthy period of time.  Technology (cameras) notwithstanding, it remains poor business practice.


And that is my point in wrapping this series.  I’d welcome your comments.


NP (now playing):  Jethro Tull, War Child.

October 24, 2010  12:04 PM

A Model for Tearing the Weave: Starbucks, Safety and Security – Pt. II

Posted by: David Scott
accounting, best business practice, customer courtesy, customer service, money, Starbucks

Here is my letter to Starbucks Corporate Headquarters.  In a day or so I’ll post Part III – what follows the letter below was a bit surprising to me.  Customer service, and general communication, is not what it used to be.  I suppose we all know that, but I was still a little surprised at the broken process and ultimate result of my contact with Starbucks: 

September 7, 2010


Starbucks Customer Relations
PO Box 3717
Seattle, WA 98124-3717


Dear Sir or Madam:

I wish to make you aware of what I believe to be an ongoing bad-business practice at one of your shops.  It concerns the [address] location.

I do most of my work at Starbucks:  I am a book author, writer (paid technical blogger), and IT consultant by profession.  I am a steady customer:  Some weeks, I am there working every day; other weeks minimally three times. 

I have professional standing for both a complaint, and positive suggestion, that I’d like to make.  (You may review my standing by Googling The Business-Technology Weave).  Absent treatment of this complaint, I will have to find another location for my business writing.  I do not wish to do that.

This past Sunday, September 5th, I was using my laptop, writing my latest article for my blog, when I noticed a large pile of cash on the counter (to one side of the food display, opposite the cash registers).  The pile was about 6 inches high – there was also quite a bit of change on the counter.  The money was attended only sporadically, when a barista performed some measure of counting.  In the course of my several hours of work, the money was there, and primarily unattended – I believe there was a period of at least an hour where no one touched the money at all. 

I have noticed this situation several times in the past and a thought occurred to me:  It would be easy enough for someone else to notice the situation, and time a return trip from the restroom, swipe up the cash, and exit the store.  (In fact, given the regularity that money is unattended on this counter, someone could build courage over the course of weeks, and time a theft).  I was the only customer seated in the back on this day, and when I left, the money was still there – making a theft even easier.  There were three baristas (that I noticed) on duty, and most frequently they were bunched toward the front of the store, near the drive up window and the cash register opposite. 

When I’m writing, I’m focused on my laptop largely to the exclusion of my surroundings.  Thus, if the money disappeared, suspicion would fall on whoever was seated toward the back of the store:  On this day, me.  I decided to speak to a barista about it.  I chose someone I know fairly well and that I speak to often.

Our conversation was as follows, and I assure you this is very nearly verbatim:

“Hey, Helen; may I make a kind suggestion?” 

The barista answered “What?” 

I said, “This pile of money makes me uncomfortable; no one is watching it.  Would you be able to…” 

I was interrupted, “Dave, I’ve been extremely busy.”  The response was snappish.

I said, “But if someone was to breeze by and snatch this, I or anyone sitting back here alone would naturally be under suspicion.  This situation makes me very uncomfortable.” 

The answer was very curt, “I will take that under advisement,” and the person turned away – leaving the money yet unattended.

I left the store about 10 minutes later, and the money was still there.  The baristas were again bunched at the front of the inside counter area, toward the drive up window.  No one was even facing the pile of money, about 20 feet away.  I don’t think there was even a direct line of sight to it.

If common and, perhaps, corporate sense is violated concerning the day’s profits, it leads a reasonable person to wonder what other violations may be transpiring at the store.  Frankly, money is dirty and I’ve seen food and drink mixes prepared at the same counter that the money was directly on.

Please, it is not my intention to get the barista in trouble and that is why I do not mention the name, or even gender, of the person.  I enjoy talking with, and the service from, Helen, Janice, Sally, Tim, Jerrold, Sharon, Martha and the other personnel at the store; I also know several other customers and enjoy the atmosphere.  My letter is sent so that the manager of the store – Jackie (who was not there on the 5th) – can train staff to a better level of standard regarding simple business security.  Perhaps the manager herself needs training.

I’m not privy to Starbucks standard business practices, but is there no office in the back in which to count money?  Is there not, at the very least, a table?  Certainly there must be a private area, away from general public traffic, for the handling of large sums of money?  That would be my first suggestion – and one that comports with common business advisement and secure practices.

Lastly, if a customer makes a good-faith suggestion, in the kindest of tones, service personnel should listen and at least be courteous.  A snappish response was a surprise to me.

Clients pay me to advise them regarding security.  My counsel:  In the realm of risk, unmanaged possibilities become probabilities.

For the [store name] Starbucks, there already exists risk – of theft.  It is certainly a possibility that someone can take the money – totally unobserved.  Given the unmanaged possibility, I believe the risk of theft is too high for sloppy handling of money at this store.  Given the economy and unemployment, the sight of money is too large a temptation.   Large sums of unattended money also put customers at risk.  This practice is witless.

If for some reason you believe the practices at this store to be proper, or if you determine that my concerns are off-target or my observations of the 5th inaccurate, then I need to know that so that I can make a couple decisions.  Otherwise, I’d like to know what is being done to address the problem at this store.

Thank you for taking the time to listen to my concerns regarding the [store name] Starbucks store.

Best regards,



David Scott


I.T. Wars:  Managing the Business-Technology Weave in the New Millennium

Blog:  The Business-Technology Weave

[phone number] (mobile)


October 24th:  On this day in 1836 the match is patented.
