Increasingly I see articles about “young” employees lobbying managers and senior executives about using social networking sites for work-related activity. These sites generally comprise (perhaps compromise?) a mash of party pics, all manner of stream-of-consciousness ruminations, drunken escapades, perhaps a little business/quasi-business.
Ah yes… when it comes to heads-down, empirical, meritorious and measurable Fortune 500 business results… I think… Facebook!
It’s not just Facebook, but also some measure of other sites, the Top 5 being: Facebook, MySpace, bebo, Friendster, and hi5 (source: toptenreviews.com).
The argument is that this class of employee – the young, the hip, and the connected – considers social networking to be an integral, perhaps inseparable, part of their lives. I haven’t yet heard whether this class considers their workplaces’ archaic e-mail systems and telephones to be so unreliable so as to require the steady fallback of Facebook.
I hate to use a dirty word here, but it fits: That word is “discipline.” I see no real harm in allowing employees to take a break and pop over to a social networking site during the day, from time-to-time. This is quite similar to people surfing the web at work, and checking their personal e-mail accounts. Speaking of personal e-mail accounts, no one 5 or 10 years ago would have argued – would they? – that it would be more efficient to conduct work business through personal e-mails, as a twin-track to the company e-mail system, merely because you happened to be in your personal e-mail account at any given moment. You’d have some extremely broken e-mail chains – and should the company have to assemble a coherent, chronological, sequence of communications in order to settle something with a customer or client, it would be that much more difficult.
Consider social networking sites: How easy to make an exposure on a wall, or even to lose important information: After all, the company isn’t making a comprehensive backup of Facebook communications for each employee, regarding company business. However, the e-mail system is backed up each evening. And by funneling corporate communication through a common system, legal and other issues of contention are well documented and managed as content within the control of the company (Content = that which your organization contains and controls. Your organization does not contain Facebook, etc., data – nor control it!). Let’s make life easier, shall we? I’m not even particularly concerned about malware, which is the usual straw argument mounted, so that it can be shot down with Facebook’s and other’s “new and improved” spam guards and virus and breach protections.
Who cares about that if the argument doesn’t even get that far when we examine the question from a simple content management point of view, and where the efficiencies of communication (and protection) really are? And trust me: If you have just one employee make the wrong communication to an important client, while brain-toggling between “friending” and “businessing” if you know what I mean, you will be very sorry you didn’t take heed here. In the realm of risk, unmanaged possibilities become probabilities. Common sense, discipline, and adherence to best practices do have their place.
Advertising and Marketing
What about advertising and marketing? Social networking can provide some exciting possibilities here – and yet… social networking is all about “seat of the pants,” ad hoc, timely, edgy, shoot from the hip communication. It’s real time, too. How do you protect branding? Reputation? A certain… business gravitas? Who the heck is doing what? Again: “What is being done in the name of your domain?” There may be far more peril and pain, than gain. Be wary.
To me, using social networking sites (emphasis on “social”) for business is kinda like texting while driving. Is it possible? Sure… Is it wise? No. Period. When driving, focus your eyes on the road. When conducting business, focus your eyes on business.
That is best done in the securtiy wrapper of authorized systems: e-mail, business phones, company websites, sanctioned and company-supported blogs, and any other means and methods that are in the exlusive domain of the company’s control, or the control of sponsored and proper outside players such as contractors and service providers. Oh, I guarantee there will be companies that go the social networking route – and if you think data breaches and bad judgments regarding communications are a problem now, just wait. I think in a few years’ time we’ll see an entirely new focus regarding social networking and business: It will be considered to have been a serious wrong turn… a crash through a guardrail while answering a text, if you will.
Review your company’s Acceptable Use and other pertinent policies. If they do not now accommodate social networking sites, make them address that now.
Even if you do allow social networking to be part of your arsenal of communications and collaboration, you need to detail exactly how and when that can be used.
June 20th: Today is Father’s Day of course. Also on this day in 1819, the Savannah becomes the first steamship to cross any ocean (the Atlantic).
We’ve touched on the disaster of what’s happening in the Gulf of Mexico and with the ongoing tragedy of BP’s oil spill. We can understand that technology is enabling: For both good and ill.
On a smaller scale, many local organization’s have had sad yields of data breach, crashes of systems, and implementations that deliver the wrong products to business. The latter result in poor fit, unreliability, or flat-out delivery of products and services that are unusable. “Finished” projects are torn back open for a new (and expensive) stab at success. Technology makes deliveries of good and bad to the local organization.
Today, business challenges and demands are such that projects no longer meander to conclusion, with adjustments along the way. There’s almost a command to craft a timeline the length of an arrow’s shaft, and to shoot that arrow into an ever closer target to today’s date – for ultimate delivery of working, serving, solutions.
Certainly in large-scale projects this is happening: How else to explain a project to drill in a mile of water, in order to capture oil for use, only to have a disaster for which there is presently no recovery? There is not even a vetted plan.
Large projects with large deliveries need matching, LARGER, postures for prevention of bad outcomes, and pre-defined, tested, and extremely robust recovery means for the truly unforeseen. In scaling this idea to the local organization, all implementations and plans deserve adequate attention to possible pitfalls, so-called “unforeseeables” that become foreseens with proper imagination and attention – and thus valid preventions for bad outcomes.
In examining large scale yields of the extremely bad variety, there is one that delivers catastrophe to the local organization – that is, yours – and in fact all local organizations. It is Electro-magnetic Pulse (EMP). While we may consider it’s manifestation as a small likelihood – consider that no one thought the Gulf situation would manifest in the first place, and even when it did, in its earliest days people minimized the outcome. Further, in considering EMP and its likelihood, you might wish to consider that the U.S. Congress has had an EMP Commission for quite some time. (Sources: www.empcommission.org – www.senate.gov – www.house.gov )
By examining EMP, it can help us to think critically within smaller, more routine, and even blasé projects. Fresh thinking will help you deliver with accuracy, safety, and surety. The CIO, CTO, IT Director, Network Manager, Programmer, etc., who can deliver with swift accuracy is a hero to business. Well, they should be in my humble opinion.
THE THREAT OF ELECTRO-MAGNETIC PULSE
Our concept of Unrecoverability (from IDRU, as referenced in a couple posts prior to this one) aligns with some realities that have already emerged: existing means of accomplishment; the will of those who wish to accomplish it; and inadequate recognition of threat. Hence, there is no real definition, plan, project, and solution to thwart those who are working at this moment to deliver Unrecoverability. This lack of recognition, and the risk associated with it, falls not only on “government,” but also on each of us. So too will responsibility.
The easiest means of defeating a modern country – a country that relies on a Business-Technology Weave at the highest, lowest, and broadest levels – is through an EMP attack. This sort of attack could be something as simple as a scud missile carrying a single nuclear warhead. This missile need not be accurate for any specific target. It need only be detonated at a suitable altitude: the weapon would produce an electro-magnetic pulse that would knock out power in a region – all power.
Not only would some measure of a nation’s power grid be out, but also generators and batteries would not work. There would be no evacuation of affected areas: Cars would not work, and all public transportation would be inoperable. Even if trains, planes, and other mass transit were operable, the computers that enable their safe use would not be. This would be due to the loss of all electronic data, rendering all computers useless. There would be no banking, no stock market, no fiscal activity of any kind, and there would be no economy.
Hospitals would fail without power. There would be no electronic communications: no mobile phones, no land phones, no e-mail, no television transmission, nor even radio. There would be no refrigeration of food, which would quickly rot to become inconsumable. Potable drinking water would quickly be expended, and the means to create more would not exist. Fires would rage, since the ability to deliver and pump water would be virtually nonexistent.
No Federal Government would be able to govern – nor would any State or local government command any control over events. No police department could be able to know where events were happening requiring response. Priorities would be non-existent. The only actionable situations would be those in a direct line of sight. The Military would not be able to communicate. Hence, there would be no chain-of-command; no control. Scattered commands and units would soon begin operating autonomously in the vacuum.
The affected society, on all levels, would be sliced and diced into small groups and factions hell-bent on survival – the situation would be an almost immediate chaos. As we’ve seen during New Orleans and other disasters, breakdown of the social order is rapid and deadly. In this circumstance, it would also be prolonged, and possibly permanent – until the arrival of an enemy control. Imagine, if you will, a peak, sustained, Katrina/New Orleans disaster, coast-to-coast.
Ah, but there is hope for all of us. Let’s hope that the government, with this BP oil spill as a serving example for lack of plans and pre-defined assets, will learn and mount proper preventions.
Now that we understand what true “Unrecoverability” means, are there any “EMP”s or “oil spills” lurking in your organization? That is, something that – in scale – looms so large and comprehensive as a risk that, should it actualize, it would whisk away your business’ reputation?… your business’ ability to conduct and continue? It can happen and has to others.
DAPR: It’s time has come: Disaster Awareness, Preparedness, and Recovery. Last century’s “Disaster Recovery” is outdated; indeed its very name is reactionary. I often wonder if there should be regional Business Security roundtables with local government. After all, plenty of IT and business people are being affected in the gulf at the moment. Shouldn’t they have had a keen awareness for mile-deep drilling, its risks, and potential consequences? And… wouldn’t business and IT people have the best handle on risk, its management, and whether proceeding under those conditions, given the unprecedented nature of things, was prudent? They certainly would with DAPR as their overriding guidance.
Come on along – we’ll continue to prepare as we meander through many topics in the coming days and months.
We’ll lighten up in the next post. Senior executives are being pressured to let younger workers utilize social networking sites not only at work, but for work. Good idea? Bad? I have an opinion…
June 17th: On this day in 1837 Charles Goodyear obtains his 1st rubber patent
Understanding IDRU (Inadequacy, Disaster, Runaway and Unrecoverability) in contrasting Disaster Recovery (DR) vs. Disaster Awareness, Preparedness and Recovery (DAPR)
In our last discussion, we talked about new scales of harm – weighted outcomes that are so great, as delivered by disaster, that holding them in abeyance through prevention wasn’t some part of a plan; it is the goal and the whole of it.
Disaster Recovery is old-school, outdated, and dangerous. An almost provocative awareness for potential disasters must now hold sway, with attendant protections for outright prevention of bad outcomes – being that we are in an era whereby technology is not only enabling good things; we must realize that technology’s mismanagement is enabling extraordinarily bad things.
As discussed previously, the oil spill in the Gulf is a timely example of an extremely bad (and ongoing) outcome as delivered by technology. Technology allowed us out there, down there, and caused the opening of the oil field to the ocean.
To appreciate why DAPR is necessary, and to fully appreciate what it is, we must first completely understand it’s counterpart: IDRU – Inadequacy, Disaster, Runaway, and Unrecoverability. We debuted that term in the last post – let’s examine it in more detail and also provide an example that any person, whether “IT” or “Business,” can readily understand. This may help you examine and discuss your environment and potentials with your counterparts. IDRU is:
Inadequacy: Inadequacy is manifested as lack of awareness, lack of planning, lack of action, lack of results, and dire consequence. On a local scale, we’re aware of inefficient, ineffective, and inadequate attention, inadequate business, and inadequate technology (or use of it), leading to poor business outcomes.
We needn’t belabor inadequacy’s national influence: in America, we’ve achieved a large yield from inadequacies. Ready examples exist from both natural and man-made harm: the loss of New Orleans (through Katrina and neglected levees), and 9/11, respectively. The Gulf oil spill is the latest disaster. On an organizational level, the news is full of data breaches and harm to business…
Disaster: Today, disaster can manifest itself as a relatively new phenomenon: an individual, or small group of individuals, can dispense catastrophic harm through the actualization of Nuclear, Biological, or Chemical elements (NBC). Because relatively small groups now can possess a formerly disproportionate amount of power to harm, already possess the will to harm, and can exploit inadequacy on the part of those they desire to harm, we have a prevailing threat of disaster.
Beyond NBC, there are new threats of disaster so monumental, that their prevention is not just some measure of abeyance in the style of a 9/11; their prevention is necessary to deny a state of total Unrecoverability. A massive, generalized state of Unrecoverability has to be of overriding concern to the collective Business-Technology Weave, of any Nation, group, endeavor and person. Consider IDRU from the perspective of EMP: Electro-Magnetic Pulse. We will discuss that in some detail in an upcoming post.
Runaway: A simple analogy will serve: You are the driver of a car. You are speeding on a wet and winding road. There are signs, and they are warning: one gives the Speed Limit. One indicates Slippery When Wet. One indicates Dangerous Curve Ahead. Given the nature and conditions of the road, you should have an adequate awareness of danger, and you should have enough information to take action: to slow down, to drive with care, to prevent a bad outcome.
However, you fail to do these things. Your attention, concern, and actions are inadequate. You fail to imagine and plan for the contingency that soon happens: you cannot make the dangerous curve; you break through a guardrail; and you begin a plummet down a cliff. Your predicament was preventable, but now this, for you, is disaster.
But – you yet have ‘systems’ at your disposal. You mash the brake. There is no effect. You turn the wheel to the left, to the right – again, your action has no effect. In fact, your fall accelerates. You pull the emergency brake. You are in an emergency and beyond: You are in a condition of Runaway. You, and any action you take, are irrelevant to an inevitable outcome. It is, simply, too late.
Here, prevention wasn’t some part of a disaster plan – it was all of it. Once you begin Runaway, there is no meaningful action to be taken, and – regardless of remaining plan – no executable part of a plan that contains any meaning.
Unrecoverability: Once you’re in the zone of an inevitable bad outcome, you are in a position of Unrecoverability. Our car is in a Runaway condition, and the car and its occupant are now Unrecoverable – they will be smashed and killed, respectively.
Today’s Business-Technology Weave, and any measure of it, is susceptible to unrecoverable situations. Many companies mount expensive core business applications, platforms – so-called “solutions” – only to find them to be poor fits; often it’s an extremely expensive “wrong turn” and you’re through the guard rail heading for a business crash. I would imagine that any reader here has an example.
Ah, but there is hope. Stay tuned…
June 14th: On this day in 1834, Sandpaper was patented by Isaac Fischer Jr. of Springfield, Vermont
Let’s examine new scales of risk, weighted outcomes, and what must be done in the face of escalating catastrophes – as delivered by ever more powerful technology. Over the course of this post and the next two, we’ll fold an examination of BP’s crisis (and ours) back down to the local organization, and what you can learn and do in preventing bad outcomes and in making fast, efficient, recoveries from the truly unforeseen. To help us, let’s consider the biggest news item of the day – indeed the past month and a half.
This week, the Administration in Washington decided to allow more drilling in shallow water (500 feet or less). New regulations are in effect, and newly require:
The CEO of the company must certify that a rig and anything happening with it meet all Federal standards. A professional engineer must be hired by the company to certify that the blow-out preventer works [DS – a blow-out preventer is a device to stop a leak once one begins; details did not include whether the “professional engineer” had to be an independent consultant, or merely someone who might be an insider; the next requirement would seem to indicate the latter]. Requirements also include third-party verification for the status of all blow-out prevention mechanisms. (Source: Fox News, The Fox Report with Shepard Smith, Major Garrett reporting, June 8th,2010).
Almost two months late and a few dollars short.
In seeing the recently released high-resolution video of the leak, James Carville said, “…this is a matter of national security; the Louisiana coast is being invaded right now… literally we’re under invasion from this oil. And I’m waitin’ for somebody to say, ‘Hey, we’re gonna fight ‘em in the estuaries, we’re gonna fight ‘em on the beaches, we’re gonna fight ‘em in the bayous, we’re gonna fight ‘em in the bays’… I mean, I’m with the Governor here [DS – Louisiana Gov. Jindal], let’s get this thing cranked up here.” (Source: CNN, Anderson Cooper 360, James Carville, June 8th, 2010).
I believe Carville has been on the leading edge of truly understanding and expressing just how dire the situation is in the Gulf. And at present, the condition is one of Runaway. The leak is in a runaway condition, whereby one of two things is happening:
– No one knows how to stop the leak – or –
– A method of stopping it is known (or at least suspected), but no one has managed to assemble the resources and team(s) that can deploy the method for stoppage.
Either way, BP’s own estimates now are that they’re capturing 15,000 barrels of oil a day from the leak. This leaves as much as 10,000 gallons yet flowing into the Gulf. This is a factor of 10 in terms of the original estimate for the leak (1,000 barrels/day) – after a nearly two month effort of containment. The situation is a catastrophe and its true scope and future impact are yet unknown.
What can Business and IT learn from this? In looking at certain outcomes from disasters, we can recognize that prevention is not some part of a Disaster Recovery Plan, or Business Continuity Plan – it is the goal and the whole of it. To further illustrate what we mean: During the Cold War between the old Soviet Union and the U.S., a defacto policy of MAD – Mutually Assured Destruction – held a nuclear exchange and total destruction at bay. There’s not likely much of a recovery plan post-apocalypse. Prevention was the goal and indeed whole of the plan – the great driving motivator that influenced all subsequent activity. An extreme example, to be sure, but a potent one nonetheless.
I’d like to introduce two concepts at this point that serve the local organization (and would have served BP) quite well: IDRU (id-roo) and DAPR (dapper).
IDRU is Inadequacy, Disaster, Runaway and Unrecoverability.
DAPR is Disaster Awareness, Preparedness and Recovery.
In the case of the BP Gulf oil spill (which is a yield of a failed weave of business and technology), IDRU is presently at play. There was an Inadequacy of awareness and respect for true risk and condition (given the present outcome, and well-reported disagreements on the rig concerning conditions and risk, there can be no argument regarding inadequacy here). We have Disaster (again, no argument). We have Runaway; certainly a runaway condition of spillage is occurring – when humans desire a stoppage of oil leaking into the Gulf, and the flow remains to any degree, we have a runaway condition.
That brings us to a very scary prospect: Unrecoverability.
The Gulf will be “cleaned.” At what cost? To what degree of “recovery”? How, and how long, will fish and wildlife be contaminated – and to what intensity? Will anyone eat seafood caught in the Gulf in the next two years? Five? 20? I don’t think anyone can say with certainty at present. It is truly frightening for anyone who examines the core problem and the tangential effects.
Disaster Recovery – even if perfectly mounted according to human capacities and limits – and associated concepts is not really sufficient here. DR must be supplanted with DAPR. Disaster Awareness – true appreciation for the scope of a potential disaster – and preparedness in the sense of prevention (where and as truly possible) is now necessary in an increasing number of arenas. Yes, there remains a recovery posture for the truly unforeseen; whether accident or deliberate events of harm. But a new standard of awareness and preparedness in terms of prevention is absolutely essential, given business’ reliance on technology and technology’s vulnerabilities in an imperfect world. Humans can’t be perfect either, but their record had better improve fast given the realities of The Business-Technology Weave.
It’s easy to look backward and make a couple suggestions: BP could have shrouded the whole mile-long pipe, blow-out preventer, and well-head in another outer pipe and dome. Why didn’t they? Expense. However, as my father would have said, “Cheap at twice the price,” given what BP will end up paying. Why not an automatic simultaneous relief well (presently being mounted) for deep water drilling? Again, cheap at twice the price. In these cases, it’s not just risk that must be evaluated against the bottom line – the scale of an outcome must weigh into measures of protection and prevention.
Again, a tenet of The Weave is paramount: In the realm of risk, unmanaged possibilities become probabilities. (Note: We’re not taking issue with deep water drilling vs. shallow drilling that is often prohibited due to environmental regulation. Our examination is based on the empirical, the observable and meritorious argument; not politics or preferences. Deep water drilling happens; preventions must be ultimate; lessons must be learned and applied).
For those at the local organization, you must think anew and bring fresh perspectives to assessment for potentials, scales of outcomes, and cost-benefit for outright preventions. IT folks are going to bear the burden for making these examinations – they naturally lead business counterparts in assessing vulnerabilities to The Weave from technical perspectives – and even from the human perspective (in terms of errors, inadvertent or deliberate harm to content, process, systems, etc.).
I actually sympathize with BP a bit. They are in the middle of an extreme catastrophe – as are the affected people in the Gulf. I believe IDRU and DAPR would serve BP, and other “potential BPs”, quite well. If the concepts serve you, that is good.
And this brings us to the next post… stay tuned.
June 10th: On this day in 1910 Howlin’ Wolf (Chester Arthur Burnett) was born.
According to a recent survey by BDO, “Business Continuity” ranks higher as a security concern than “Data Breach” among most U.S. companies. Security risks such as wars, natural disasters, and terror attacks were cited by 55% of responding companies, vs. 44% expressing concern about breaches of security and the resulting privacy and theft issues.
One could well ask: If you suffer a catastrophic compromise of data, and the resulting compromise of reputation and trust, are you not imperiling the continuity (the continuing) of your business? Well, sure… but… plenty of organizations have suffered large, embarrassing, breaches of data – and have survived quite nicely.
If you really want to understand Business Continuity in the face of large-scale catastrophe, consider New Orleans: When those levees broke during Hurricane Katrina, how many businesses, large and small, had locks on their doors? How many had system and data backup and recovery plans? How many had robust Disaster Recovery plans? All to wash away in the comprehensibility of a flood. Business = Gone.
That’s what we’re talking about when we talk about Business Continuity. For businesses in New Orleans back in ‘05, no measure of a conventional Disaster Recovery plan would suffice. Given the fact that levees were long understood to be underspec’d for a Cat 4/5 hurricane, it would seem that a prudent business would have extended its DR and Continuity planning to include the surrounding whole: Perhaps joining a local association of companies in common purpose to lobby local government for a true surety posture that secured the local environment. You need a place to do business, first and foremost.
Today, true Business Continuity planning means that you must, in part, survey where you’re at in a physical sense, and assess physical vulnerabilities to public infrastructure, power, water, security, roads, access, policing, emergency response, recovery postures, etc. Your organization may not have a powerful lever in influencing local leaders’ actions for the protection and securing of your surrounding whole – but that doesn’t mean you can’t lay the groundwork, or ally yourself with other sympathetic organizations, in making the case for a surrounding policy and plan for security. That is, the “security garden” in which your organization grows and prospers.
What would happen to your business in the face of a “dirty bomb” (dispersal of radioactive matter), or a natural disaster such as a hurricane or tornado? While human life and treatment for survivors would be the first priorities, the continuity of business would be a close second: Hospitals, emergency response, policing – these all are businesses in The Business-Technology Weave. Even charitable organizations are considered “business” here: They are in the business of getting something done according to mission and desired outcomes. For any human activity, a real recovery needs to have people working and getting back into the routines of their lives quickly.
Maybe you’re thinking, “I’m not in a city that’s below sea-level with aging levees” (as was New Orleans); perhaps, “I’m not in a major metropolis like those most vulnerable to terror strikes” or “I’m not in a tornado zone.” And yet, who in the Gulf foresaw the spill and the impact to business? Today’s business continuity planning must examine risk and contingency in a much more imaginative and comprehensive fashion.
Next: We’ll consider lessons from the BP oil spill. We’re going to examine BP’s deficiencies, not from any political perspective, but from an empirical point of view, so that the “local” organization – that is, yours – can learn from the disaster in the Gulf. Prevention must be made a value, a standard, a mission, and most of all – a belief. Increasingly, in more and more areas, prevention on a steady, ongoing, basis is going to be a thorough necessity to ensure business continuity.
This examination, from the perspective of The Weave, will lead us to the largest, most comprehensive disaster imaginable… and what can be done in terms of prevention. But I’m getting ahead of myself…
June 7th: On this day in 1963, the Rolling Stones made their first television appearance (Thank Your Lucky Stars) and released their first single, “Come On”
(with apologies to The Wizard of Oz)
Forty-six States have now enacted data breach notification laws, whereby businesses must contact consumers to advise when their personal data gets lost or stolen. Laws also exist in the District of Columbia, Puerto Rico, and the Virgin Islands. It’s a safe bet that the remaining States will get around to notification laws.
Why are such laws necessary? First and foremost: Breaches happen. Secondly, people wish to know – are entitled to know – when their sensitive data is compromised so that they can take action to protect themselves. Not least, breaches are on the increase. Why?
Being that most data breaches originate with human error it seems likely that a combination of lack of awareness, lack of education, sloppiness and poor decisions are reasons.
High profile breaches seem to happen on a constant basis. For some perspective, have a look at The Chronology of Data Breaches, courtesy The Privacy Rights Clearinghouse. That’s just the high profile ones and meant to be, in the words of the PRC, “… a useful indication of the types of breaches that occur, the categories of entities that experience breaches, and the size of such breaches.” A comprehensive listing of breaches would scare you.
Among “new ideas” in data protection is the banning of physical transfer of data. This seems Draconian – and where would this begin and end? As one example: What if you wish to walk a thumb drive across the office? You’d better refer to the organization’s Acceptable Use policy, Security policy and any other controlling documentation. Can you imagine the granular detail of data security policies under such constrictions?
But doesn’t it all come down to one thing? Care. Care that people are trained in the proper handling of data, and subsequent exercise of care. That is, constant awareness for what you’re doing, what you’re putting where, why, when and how.
A fairly high-profile company recently decided to have clients verify and update sensitive information. They decided to merge data sets with each corresponding individual e-mail account and… Send! You already know what happened – things got scrambled and individuals received other folk’s sensitive data.
Where were standards for testing in a test environment, for then producing an action on a limited real-world basis for assessment, and final conduct of large-scale action? Let’s not forget solid contingency planning for the unforeseen – but prevention is key. I believe prevention is possible, but it requires care, awareness, and education. Constant education.
The culture of your organization helps to determine what you do, how, when, and under what circumstances. In this century, it all boils down to eCulture – electronic culture: Know what you’re doing with electronic data and also what that electronic data produces: Paper and other physical records and repositories, such as tape, disk, stick, phone, laptop – indeed anything that can store and transport data from a sheet of paper on up. Policy, education and training – control – must also include personal storage devices that people bring into the environment. Absent appropriate safeguards: If people can do it, they will.
Does your organization conduct regularized training regarding data security? Depending on the nature of your organization, its people, and its business, you may need monthly, quarterly or annual awareness training.
Don’t let your organization’s good standing get mauled by a data breach: The fallout – the loss of trust, loss of reputation, and the reparations – can be enormous.
June 4th: On this day in 1896 Henry Ford took his first car, the Quadricycle, out for a test drive.
With the advent of Cloud Computing – that is, Internet-based computing – many are asking, “Is it secure?”
That, of course, depends on who is managing your status in the cloud and their adherence to best practices and prudent new practices. It also depends on your understanding of just what the cloud represents, and the degree of reliance you place on your piece of the cloud.
We’re going to focus on a couple basic security considerations here, and without being too assumptive, I believe this audience knows what cloud computing is. However, and briefly, we can consider cloud computing to be: 1) Platform as a Service (PaaS); 2) Infrastructure as a Service (IaaS); and 3) Software as a Service (SaaS). The business advantages in shifting the burden for capital expenditures and associated maintenance to an outside entity are many – to include a reduced burden for number of staff, and the “inside” need to maintain that staff’s currency for changing and evolving environments. Reductions of staff are not necessarily good for IT staff (and certain allied business staff), but we must acknowledge what the business edge is going to consider.
The chief concern for any organization, and therefore any IT senior staff who may be considering general recommendations or specific responses to business questions, is that whenever control of anything goes outside of your “four walls,” you lose a large measure of control. We all rely on outside providers, and the overall infrastructure of the ‘net, but as one example: A server in your server room, under the watch of your own internal staff, is not the same as an amorphous server “in the cloud.” True, for outside elements, you can bear down on providers, you can make contracts as tight as you can possibly make them, but on the day you’re not delivering service, content, access… computing – none of your “remote” oversight much matters in the moment.
Nothing beats (or should be able to beat if you’re doing things right) internal security. You can readily survey and adapt security. You directly manage and access the personnel who manage security. You can assess any breach potentials and make corrections of course on your terms, on immediate terms, on as strict of terms as you like.
On the other hand, it has been argued that cloud providers have a natural incentive to mount trust, and to brand cloud computing with security. No doubt – but any provider has that incentive.
As we’re fond of saying in The Weave:
In the realm of risk, unmanaged possibilities become probabilities…
“Risk” is the operative word here: You must actively manage against the possibility of security breaches, or episodes of inoperability, or anything the cloud is delivering to you, for you, or operating on your behalf. Most data and security breaches are due to human error – and “outages” are security breaches in my mind. If you have an outage of any sort, your business or particular element can hardly be called “secure.” Therefore, awareness and common sense are key in backing up best practices and wholly new practices in the realm of insuring your piece of the cloud.
If you’re in the cloud or going to the cloud, what imaginative, evolving, practices are you bringing to your extended environment? Is your security forecast sunny… or cloudy?
We’ve discussed WorkOns and WorkWiths – let’s wrap this series up with the WorkFors class.
These are the folks who “work on” you – the IT leader – and include any entity or individual who has sway over IT-business matters. These are your direct supervision, senior management, your governance committee members, your board, and other senior players who have influence. It also includes clients, members, and customers. For your organization, it may include regulatory bodies or government agencies. But the steadiest and most influential WorkFor interactions will be with those superiors in the organization itself.
For the IT leader, you must embrace the fact that many, if not most, of these people are not particularly interested in information technology. Even when they are, they don’t have time for a lot of details. They are not oriented to details – at least in a situational sense. They don’t have time for details – they have people working for them that attend to those. You for instance.
WorkFors are big-picture players, and are focused on results. They’ll want to hear about solutions, not problems. They want to hear about progress. They want to hear about productivity and efficiency. They want to hear about success. Keep in mind that anyone you speak to in this group, no matter how highly placed, has to report to someone too. Their burden for delivering success is in an arena of stress that is likely greater than yours.
In order for you to succeed, you must align your resources and methods so that you deliver consistent success to this group. If you’re escalating problems to the WorkFors, you have not done your job effectively at the WorkWith and WorkOn levels. You have not established your sanctions, sponsorships, and you likely have failed to make the sale (in terms of cooperation, teamplay, etc.). Perhaps you’ve exceeded the limits of your lead. Remember this: If you start to sense yourself as tipping toward a “problem reporting” stance when engaging with the WorkFors, as opposed to a “success reporting” and summary style of communication, you must make immediate adjustment. A qualified exception is your interaction with your direct supervision. Here, you’ll iron out problems and strategies. But even here, you must present solutions – you must have a positive answer for moving business forward.
As you may suspect, TechnoShines can be rare in this group. There is an overwhelming majority of TechoFinds here, and a sizable proportion of TechnoBinds. The heavy proportion of TechnoFinds in this group works to an IT leader’s advantage, and also to any Business manager when interacting and discussing the Weave. That’s because WorkFors rely on your knowledge and the strength of your position to pilot the organization into the future. Once you’ve established a sound reputation with this group based on solid performance and trust, you should find very rewarding relationships.
It should be a rare situation where you go to this group to lobby for relief – but if you feel you must, or if you have a special relationship at this level whereby someone specifically wants to be kept apprised in a more detailed fashion than is usual, you must yet remember your audience. Keep things very focused, very positive (even when reporting problems), and make certain you pose valid solutions to problems in a positive way. Your reputation should be such that you are seen as the facilitator to progress. Nothing is personal, everything is business. Nothing is personal, everything is business. It matters not how some others engage – this is your engagement, and this will be your reputation’s enhancement of your credibility.
Those that facilitate progress will ultimately cook to the top, regardless of temporary setbacks or small, inconsequential, battles lost. Keep that larger picture in mind when talking to the big-picture people.
You will find three kinds of people in the WorkWith group. (Indeed this next examination of people in the Weave can be applied with equal vigor to WorkOns, WorkWiths, and WorkFors. But there is the most significant representation and impact inside the WorkWith group).
The three kinds of WorkWiths are:
1) TechnoShines: Those who like technology, embrace it and look for ways to leverage it. These people partner well with IT. They go out of their way to cultivate good relations with the IT staff. They appear happy, well adjusted, participatory, and understand technology quite well – therefore, they use technology very well. They are generally pleasurable to work with for these reasons.
2) TechnoFinds: There is then that kind of person who is ambivalent about technology. The “just show me what to do” types. Give them a computer, keep it running, and you won’t hear too much from them. They go with the flow. They “find” that there’s a change coming, and roll with it. We can think of them as having a sort of benign “whatever” attitude, and they deal with whatever comes down the pike. These folks can’t be counted on for any groundbreaking suggestions, but they are generally positive – at their worst they won’t actively inhibit progress. As they find that they’re in a Business-Technology Weave, they can be counted on to do what is necessary.
3) TechnoBinds: The third kind of person is someone who seems unable to appreciate technology. They may view it as a necessary evil – and worse for them, it is constantly evolving. I hesitate to use the word techno-phobe here, although there are those. But most of the people we’re considering in this category are able to use technology, and many very effectively. We know that within the Weave they pose a problem because they generally don’t treat IT matters well, and they don’t treat the people in IT very well. Whether through extreme criticism or negative attitude, at best they slow progress and at worst they may halt it; they bind things up.
Having defined these folks, let’s examine them closer. It should be easy to slot the WorkWiths in your organization into one of these three groups. Recognizing them and their corresponding behavior helps to work with them as effectively as possible.
TechnoShines, TechnoFinds, and TechnoBinds in Detail
The TechnoShine: The TechnoShine is a satisfying, even fun, person to work with. Don’t underestimate the power of fun. People are going to be a whole lot more creative, resistant to negative effects of stress, and much more productive if they feel they’re having fun and working with fun people. This person is always looking for “the better way” and is enthusiastic regarding improvements – thus they bring enthusiasm and energy to change. They work well with others, in and out of their department, and this carries over into their appreciation for what others do. So how do we manage this WorkWith person? What is the leverage in maximizing this person’s potential, contribution, and influence?
This person is an obvious candidate for the BIT team. They will not only represent their department well, but they’ll have an overall appreciation for the organization’s business. This kind of person tends to build time in an organization. They’re well connected politically. They don’t “job hop.” They have important institutional knowledge. They give credit where credit is due. They will make suggestions regarding best-practice with appreciation for how it will affect, and enhance, other departments. In fact, they make suggestions regarding other departments in a way that is not intrusive, but helpful and acceptable. They also accept suggestions and criticisms very well.
In addition to soliciting this kind of person’s participation on the BIT team, you can employ them to serve as a liaison. Often they’ll become an informal liaison between their department and IT anyway. However, the IT leader should push this kind of arrangement. During large-scale implementations, someone in each business department needs to take the lead anyway in collecting business requirements and helping to translate those into effective solutions. No less important, the TechnoShine can help buffer IT from some of the more difficult people in their area. TechnoShines by nature are informal sponsors for initiatives, and IT in general, by virtue of their positivity.
TechnoShines are necessary to BIT endeavors. However, don’t load the BIT team with TechnoShines to the exclusion of other valuable people who may not rise to this level. You will have to have representation by virtue of position and influence, as well as ability.
The TechnoFind: The TechnoFind is a person who adjusts to the temperature around them. They “find” that technology is permeating everything. It is an increasing influence on the part of their daily lives, both in the professional environment and the personal arena. They adjust.
TecnoFinds do what is necessary, and little more. They don’t like sticking their necks out. Therefore they don’t make waves – which in itself can be valued in many circumstances. They’re safe and practical people – they avoid risk. So, how can we leverage this kind of person? Should we merely be satisfied that they, at least, won’t “muck things up?”
Actually, this kind of person is very useful. TechnoFinds tend to be very honest about system performances and deliverables. They are not idle complainers, therefore a criticism usually has value. Nor do they “inflate” technology’s contribution. They don’t seek to hang every bell and whistle on a system to the point of a diminished return. Theirs is usually a very balanced, informed opinion. They want to know how to get their job done – they’re not fooled by the “sizzle” and want the steak. Most of the people in any organization will be TechnoFinds – therefore, you must satisfy this important majority. This person is invaluable for feedback – how’s the new software performing? How is your remote-access working? Are you satisfied with HelpDesk support? Since TechnoFinds will likely make up the majority of an organization’s staff, surveying them and exercising improvements in service to them is a winning combination.
But don’t look to this kind of person for a leadership role. You don’t want to select this person to oversee their department’s implementation of a business software application module, for example – unless there is no other choice. This person may or may not be a good choice for participation on the BIT team. Remember, the BIT team’s seats are valuable. The people who occupy them should be those who are informed enough to contribute, who desire to contribute, and who have the institutional knowledge and the good judgment to occupy one of these important seats. A TechoFind person simply may not qualify.
However, in an instance where you must have a department’s representation on BIT, and the department is populated by TechnoFinds, you must choose the best person by virtue of position and influence. Too, a TechnoFind may outclass certain TechnoShines by virtue of deep business-knowledge and sheer know-how in other areas. Choose that person who best meets the diverse qualifications necessary to moving business forward.
We can’t afford to imply here that TechnoFinds are unlikely to make a contribution or deliver anything of value in contributing to the Weave’s momentum. For example, solicit this person’s contribution when conducting requirements-analysis. For the reasons stated above, this person will know the practical side for getting work done, and will be very matter of fact about what a new system needs to do. They’ll have high expectations in meeting and beating what the old system did, as you can usually rely on them for the pragmatic view.
The TechnoBind: Uh-oh. The time has come to discuss that kind of person that we’d all rather avoid, but that we must, alas, deal with. We must try to discuss TechnoBinds in keeping with the overall positive tone of our discussions, but there are some simple realities that we need to examine if we hope to overcome the obstacles that TechnoBinds can impose. Let’s define the TechnoBind in plain language – then we’ll discuss methods to blunt their influence, and where possible to neutralize them. We’ll also note that TechnoBinds are frequently correct, and can contribute on occasion. However, it is necessary here to recognize their contribution to inefficiency. We’ll need to know how to identify them, and how to best handle them.
TechnoBinds can be very negative people – and frequently are complainers. Therefore, when they’re in a Business-Technology Weave, IT represents a fat target. So, too, does work in general. Because TechnoBinds aren’t interested in acclimating and moving forward at an efficient pace, they contribute to their own, self-reinforcing, “complaint-ready” environment. Be aware that TechnoBinds are a counter-productive influence on everything they come into contact with: their department, group projects, other’s attitudes, and so on. They may not drive things backward, necessarily, but they create enough of a drag on events that they s-l-o-w things significantly, if not carefully managed.
Next and last in this series: We’ll look at the WorkFor group – those folks we report to.
As planned, let’s return to our discussion as originally begun on May 7th, Managing People in the Weave. As necessary, review that post and its follow-ons regarding WorkOns, WorkWiths and WorkFors.
I think we all believe that IT professionals have unique challenges within support and betterment of business. In understanding all of the people around us, we can come to better interactions. Better interactions will yield success, promotion and achievement of your career goals – in addition to furtherance of business’s aims and success – no small thing!
Let’s pick up our discussion by examining the class of employee I call the “WorkWith.” Remember, this second group is IT’s fellow managers and business staff – co-workers with whom IT has no direct formal control from a management standpoint. They also comprise middle managers, controllers of business process, and are neither too senior nor too junior.
The WorkWith group helps to select and plan the future courses of business. Many WorkWiths will be on the Business Implementation Team (BIT – see post of Mar. 8) Here there can be a compounding of risk for change in behavior. This is because (as with WorkOns) WorkWiths are frequently required to assume greater responsibilities within the scope of their present responsibilities – but the compounding factor is that they also have to manage and direct change. This group is especially active in the preservation of order amid change, and the preservation of change amid order. In planning and managing change, those involved have to stick their necks out. Simultaneously, they have to cover the bases. WorkWiths have to deal with consequences and are on the hook to report what’s going on and why. They have to answer for things.
Too, the WorkWiths are likely in the middle – situated between the WorkOns and the WorkFors. There is a special challenge to this group, because they’re not only communicating within the Weave – speaking with special care to Business and Technology – but they also have to communicate up and down the organizational hierarchy. Theirs is a special balance. For IT, let’s examine how this person may appear to you when changing groups.
Essentially, any WorkWith shifts and becomes someone you WorkFor when you’re dealing with him or her as a customer (as does anyone, in any group, for that matter). Whether you’re updating the WorkWith’s department’s PCs, implementing new software solutions, or addressing general support concerns, you’re working for this person and you have to provide service to their satisfaction. In these cases, the WorkWith can become demanding, even unreasonable, as the power tilts their way. They have to get the job done and you have to deliver. In this case, it helps to understand the pressures a particular WorkWith may be under.
Next, we’ll examine three kinds of WorkWiths (TechnoShines, TechnoFinds and TechnoBinds) before wrapping up with WorFors.