I’ve been doing a little work for a big State agency. By “big,” I mean big budget, large number of citizen-clients served, lots of personnel records, and – as in all big environments – lots of potential for harm absent strong controls. What sort of harm are we talking about? Data breach: With exposure of names, addresses, work histories, and even arrest records and information about children and spouses… occasionally, SSNs are parts of these data sets.
And in fact, the potential for harm became actual: a large breach has happened – and has gone totally unreported in the news or to any of the agency’s oversight authorities. The stunning part is that for months the breach was ongoing and known, and no steps were taken to stop the continuing loss of data: a slow-motion, high-volume leak. Wow.
For this reason, the agency and State shall remain anonymous. I’m confident that I can provide a reasonable guarantee of anonymity being that I’ve contracted at a number of facilities. However, even if the agency comes to light, exposure would be a good thing: It would likely accelerate critical fixes to systems, practices, and policies. I am at present wrestling with making my concerns known to a higher level of State Government; I must assess IT governance’s understanding of peril and their associated sincerity in securing the environment ASAP – and the speed and quality of changes in delivering security – vis-à-vis client risk for identity theft or just exposure of sensitive, perhaps embarrassing, information.
In the course of my work, I’ve stumbled upon some egregious security problems. These aren’t gnarly, difficult-to-see, expensive-to-fix liabilities. These are obvious problems involving: poor practice; lack of policy and documentation; and lack of training and awareness. Through my involvement many of these liabilities have been taken care of. Let’s review a few –
The agency has a large Resource Room at the front with about 30 PC workstations. These are provided for clients’ job-search activities – that is, for taxpayer-citizens who are generally unemployed or perhaps facing layoff. Many of these clients are blue collar folks with little or no PC experience – many do not have computers at home, or they may lack internet access, or lack appropriate software and skills in producing a resume and related documentation in applying and competing for jobs. There’s a rather nice proprietary application called ResumeMaker that does a good job in walking clients through documenting their education, job history, and the other necessary information in building a nice-looking, comprehensive resume. Not only are computers and broadband available, there is help in the form of staff who help craft resumes and cover letters, help with uploads of same to online job openings, and who even do the typing for some clients.
The first thing I noticed was that in creating a login profile for access to the computers, clients were advised (onscreen) to use the last four digits of their Social Security Number and the last two digits of their birth year. Further, upon subsequent logins to the system, this six-digit login ID was not masked – the numbers were exposed in the login field until the client clicked “OK.” Of course, any client looking over another client’s shoulder, knowing full well the context and content of each ID, would be able to glean the last four of the SSN and the last two of the birth year. Wouldn’t you know? When I call Verizon, my mobile phone provider, the exact vetting info they ask for is the last four of my SSN and the year I was born. I’m sure other examples are out there. This login field is now masked, thanks to your humble blogger and his elevation of this breach potential. But this pales in comparison to the rest of what I’m going to tell you – most of which remains to be fixed. Over the next few posts I’m going to report exactly what I’m going to do in the face of a very poorly maintained environment. I’d also like to solicit Comments for things you’ve seen out there.
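To make the two halves of that finding concrete, here is an added example (not code from the post or from the agency’s system) that reproduces the weak scheme, shows exactly what an unmasked derived ID hands to a shoulder-surfer, and contrasts it with an opaque client ID issued from a secure random source that reveals nothing about the person. The SSN, names and ID length are constructed for illustration.

```python
"""Added example, not code from the post: contrasts a login ID derived from
the last four SSN digits plus the last two birth-year digits with an opaque,
randomly issued client ID. All SSNs, names and lengths are constructed."""
import secrets
import string
from typing import Dict, Optional


def derived_login_id(ssn: str, birth_year: int) -> str:
    """Reproduce the weak scheme: the identifier *is* personal data."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("expected nine SSN digits")
    return digits[-4:] + f"{birth_year % 100:02d}"


def pii_visible_in(login_id: str) -> Dict[str, str]:
    """What an onlooker learns from an unmasked derived ID."""
    return {"ssn_last4": login_id[:4], "birth_year_last2": login_id[4:]}


class ClientDirectory:
    """Issue opaque numeric client IDs. The ID is only a handle: it carries
    no personal data, so seeing it discloses nothing usable elsewhere."""

    def __init__(self, id_length: int = 9):
        self.id_length = id_length
        self._issued: Dict[str, str] = {}  # client_id -> display name

    def issue(self, display_name: str) -> str:
        while True:
            # secrets, not random: unpredictable even to other clients
            candidate = "".join(secrets.choice(string.digits)
                                for _ in range(self.id_length))
            if candidate not in self._issued:  # avoid the rare collision
                self._issued[candidate] = display_name
                return candidate

    def lookup(self, client_id: str) -> Optional[str]:
        return self._issued.get(client_id)


def mask_for_display(value: str) -> str:
    """What the login field should echo, whatever the ID scheme is."""
    return "\u2022" * len(value)


if __name__ == "__main__":
    weak = derived_login_id("123-45-6789", 1975)  # constructed SSN
    print("derived ID:", weak, "leaks", pii_visible_in(weak))
    directory = ClientDirectory()
    print("opaque ID:", mask_for_display(directory.issue("constructed client")))
```

Masking fixes the shoulder-surfing exposure, but the derived ID remains sensitive on the server side and in any log that records it; issuing an opaque ID removes that problem at the source.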
Upcoming in the next post: Data breach (client records); wireless insecurity; network outages with lost work/data; unregulated environment… leading to…? Stay tuned…
You say To-MAY-to, I say To-MAH-to… one thing’s for certain: When it comes to organizational security we cannot call the whole thing off. Today, any business that has a single computer has an interwoven Business-IT security challenge.
I was speaking with a colleague who works in Washington, DC last evening. We were talking about the interwoven (mutually reinforcing, mutually vulnerable) security means, methods and practices in the business-technology realm – the Weave.
Amazingly, his Fortune 500 ® company deals with clients who mount discussions and attempt whole solutions with virtually NO security considerations. None, that is, until the client is brought back on balance by my friend’s company’s project managers and allied teams. Unfortunately, there are other solutions providers in the mix and often his company has to deal with security considerations across a broad range of other “solutions,” associated providers, and competing lines of authority.
Consider this: Almost any discipline in the physical world considers security up front. Adding a room to your house? The strength of the materials necessary has long been established – but beyond that, you or your contractor will consider how the room attaches to the existing structure; the floor will be sound, as will the walls, extended roof… etc. Adding a deck? The first consideration?…
The size, number and strength of the supports holding the deck up. The size of the deck will yield the potential capacity of people, therefore pointing to the size, strength and number of the supports. You are securing the people’s safety who will be standing on that deck – before you even start to build.
In any circumstance, there must be a virtual “security prism” through which every activity and construct is viewed. The same goes for today’s IT-Business solutions: Security must be Job One. And yet, security lags and is often a sidebar consideration – or overlooked entirely.
It’s not difficult to find a great example – one that potentially touches us all. According to a study by the Ponemon Institute (sponsored by Compuware), most banks are lacking critical data, privacy and security controls. I picked banking because that should hit home – we likely all have bank accounts, and some measure of money and associated personal data associated with them, and we’d like to think those things protected and secure! But…
Even though the survey found that 76% of organizations have a data protection plan, only 47% of those same organizations review new software apps and databases for privacy concerns and compliance with law prior to placing them in operation. If that were the case 30, 20, maybe even 10 years ago, that would be one thing. Today, it is stunning.
The survey also found that over 83% of financial service companies use live information, such as customer and employee data, for developing and testing. More than half of these companies admit a lack of appropriate protections for real data in these circumstances.
What about vetting business partners when sending data to third parties regarding customers, employees and others? Only 49% review these partners – and the same percentage lack even a standard contract for ensuring privacy protections of that data.
In the agencies I counsel and contract with, I hammer home the points:
1) Everyone in the organization must be a mini-Security Officer, and –
2) They must view every action, project, implementation, business and IT change, through a virtual Security Prism.
Tomorrow: What I uncovered at a State agency concerning personal privacy and data (the State and agency will have to remain nameless, but just wait until you hear this…)
As we consider our WorkOns, WorkWiths, and WorkFors, there will be situations where people take on some responsibilities, characteristics, and behaviors usually associated with occupancy in one of the other groups. Certain behaviors are not only adopted, but they distort: someone may take on additional responsibility and become overbearing, or they may suffer a lack of confidence.
We must be aware of situational changes and the feelings they engender in people. This way, we can adjust our own behavior in managing our relationship with them. In other words, we have to maintain that constant of pulling their “best game” in contributing to maximum success. Also, it’s our obligation to support them effectively – particularly during change.
Your organization, and specific environment, will have many situations that will influence power in many ways. Change brings about general unfamiliarity. In the case of changing business practices, new business competition, new products, new services, new support applications, new computers – whatever is happening – there is an environment where some are assuming power, and some may be losing it.
It can be helpful, and downright important, to view matters through a Power Prism: that is, to view each situation and circumstance as a matter of who may gain, and who may lose – or who simply harbors those perceptions. Power is often deception, illusion – or delusion – as the case may be.
Eventually, we’ll examine all groups, but we’ll start with the WorkOn group. They are a frequent recipient of major change. These folks generally have the least to do with planning change – their power is limited. True, their opinions are solicited, and they provide basic facts during analysis of requirements, but this usually follows on to the big decision to make a change. The WorkOns are not the big decision makers, and they can feel “put upon.” Occasionally, however, we see a person from the WorkOn group shift when they are asked to “step up” within a project and represent their department, or when taking on a leadership role in an endeavor that is parallel to their main job efforts. Perhaps a temporary increase in responsibility is even a test; an evaluation of promotion potential. Let’s look at what can happen when a WorkOn temporarily shifts to a position of greater responsibility.
Frequently a WorkOn person assumes oversight duties, a measure of power, during the implementation phase of a project. Perhaps this person is asked to coordinate internal department meetings regarding the collection of requirements for new software, or to meet with people to design new reports. Perhaps the compelling reason that this person is selected for this is because he or she has the time to do this – this person may never have done anything like this before. Here you have to ensure that this person doesn’t become too overbearing. A person in this situation can overcompensate for a lack of experience by exhibiting a blustery “confidence.” Or, this person may feel slightly intoxicated with their newfound “authority.” They can’t help being somewhat inexperienced – they have no prior scale against which to measure effort and delivery in this realm. Your responsibility is to mentor and coach them, and as importantly to help the WorkOn balance and adjust their attitude to the new role.
Occasionally an opportunity comes along for a WorkOn person to assume a higher profile in the organization at large. Unlike an actual promotion, whereby a WorkOn might become a WorkWith (with formal power over others), what we’re talking about here is a situation. Perhaps it’s an additional-duty type of condition, or a nuance to their position – one that now requires a perspective and judgment that the bulk of their job usually does not require or demand. They may now have a duty that involves an increase in responsibility, and within that, a certain authority.
A good example would be the assignment of a WorkOn to payroll clerk, or perhaps payroll manager. This person is no longer buried in the Finance department, but is seen by the entire organization as someone who manages a process. That process stripes across the entire organization. Someone stepping into this role for the first time may be prone to panic a little if timesheets are not submitted in a timely fashion. They may go a little heavy-handed in their communications to get the timesheets in. We can see that this person often needs a little coaching to keep things in perspective, and in the proper escalation for problems concerning submittals. Conversely, the new payroll person may be a little shy about communicating expectations for timely submittals. They may lack the confidence to institute a system to help ensure timely submittals. So, the power-prism in this regard is showing us that there is a situational change in how people behave, as they remain in their primary group – in this case, the WorkOn group.
A good example for the IT leader regarding WorkOns is the assignment of new responsibility to someone who has, until now, been totally task-oriented. Perhaps one of your new HelpDesk technicians is assigned to manage the rollout of new PCs. This is a nice step up in responsibility, and who knows the PC population and the attendant user population better than a HelpDesk technician? This person should have the inside knowledge as to who needs the latest, most powerful machines, how the departments should be prioritized, and what a reasonable rate for the rollouts is. It is not unusual for the task-oriented person to become nervous about larger endeavors that have a multiplicity of details. At the same time, you should try to prepare the WorkOn for elements of their new work that may not be apparent to WorkOns in general.
In this case, departments may suddenly clamor and compete for prioritized standing in the PC rollout, individual users generally clamor for early issuance of a new PC, late-changing department schedules can upset the rollout plan, and so on. In these cases, the WorkOn’s fresh responsibilities, and these related exigencies, can be viewed as a huge spike on the “problem chart.” The WorkOn feels a loss of control. However, the manager’s steady guidance should lead this person to a calm attitude and a balance of perspective in managing these sorts of things. They come to be seen as routine in a real world environment.
Generally speaking, when rotating the power prism with a WorkOn in view, the behavioral change usually involves anxiety regarding an increase to responsibility – they are operating in a WorkWith realm. They’ve been chosen to assume a managerial role in that they have to lead activity – as opposed to operating in their usual reactive, or parallel, mode. Help this person – a sort of hybrid WorkOn/WorkWith – to a good understanding of their new role. Point them to the tools at their disposal for achieving results, and show them their sanctions, their sponsorships, and the limits of their lead.
We will come back to this discussion for an examination through the power prism’s view to WorkWiths and WorkFors – but for now, remember these groups and associated characteristics – and – how they can shift. It can be a powerful realization and can help you to negotiate your way to better interactions. Better interactions will yield success, promotion and achievement of your career goals.
[Please read a couple posts just prior to this one for context]
When examining these definitions and considering the people you work with remember that, from IT’s vantage, there will be circumstances whereby individuals will occupy, or shift into, a different class at times. For example, I was once tasked to provide someone to our company president for computer training. He wanted to “get more out of his PC.” In this circumstance the president became a WorkOn for IT (since we ‘worked on’ him by training him to standards we set), as well as remaining our WorkFor (in that we still ‘worked for’ him in the larger sense).
Because all training requires challenge, we had to be aware of our limitations in challenging him – because of his primary occupancy in our WorkFor class. Remember too that people in positions of power frequently feel vulnerable when they confess an ignorance or need. Being mindful of these things in this circumstance, whereby the trainer has knowledge (and therefore a small power advantage) over the president, allows us to be mindful of special sensibilities and discretions.
Next, we’ll employ the “power prism” whereby we’ll view the circumstances and shifts that bring individuals into other classes. We’ll see how this understanding is necessary for a true optimization of relationships and performance. These shifts are ongoing in the change continuum – and therefore their influence and required management is continual.
Let’s provide the definitions for the classes of folks we talked about in the prior post (please refer to that if you haven’t yet read): There are three classes of people the successful IT leader must manage – in the organization at-large:
Those you work on: The first group is those people in the IT department reporting to you, an IT leader. This is the group of people that you formally manage, appraise, mentor, coach, reward, and discipline. This group also includes vendors and contractors, for while they don’t report directly to you as their employer, they are subordinate to you. They do report to you within the scope of a project or service agreement. You indeed rate their work as feedback to their employer, and you even hire and fire these people for and from whatever endeavor they are supporting. From here on, let’s indicate everyone in this group as WorkOns.
Those you work with: The second group is IT’s fellow managers and business staff – co-workers with whom IT has no direct formal control from a management standpoint. In keeping with our syntax, these folks are WorkWiths.
Those you work for: The third group is those people who occupy hierarchy in the organization above IT; those who directly and indirectly manage IT. These are IT’s direct supervision, the governance team, the senior executive class/directors/managers, boards, and any other authorities with influence. Hereafter referred to as WorkFors.
Given these recognitions, how do we leverage them?…
Spike Jones may have said it best: People are funnier than anybody.
People are our biggest challenge, and we should know this. Let’s help everyone – Business and IT alike – understand the special nature of the IT challenge when managing people. Not just their management of “IT people,” but the effective management of IT’s relationship to everyone around them. We’ll also get around to looking at the special challenge from a Business perspective. For now, let’s talk about the IT leader’s challenge – be that person a vice president, chief technology officer, chief information officer, director, helpdesk manager, network manager with administrators, etc. – any IT leader will benefit from this discussion. Just as importantly, each Business person will benefit from the awareness we establish here.
Any organization and each supervisor requires proper management of those around them to achieve ultimate success. Let’s look at that in a little detail. Here, we’re going to propose that IT manages three classes of people – of equal contribution, of equal importance: These are people that IT works on, those they work with, and those they work for. Classifying people this way will yield some interesting relationships. We’ll also talk about a “power-prism” – a device we can look through and rotate. The prism will have facets that expose how different issues or circumstances appear to change the class occupancy for any given individual – by exposing the dynamic of their power and ability, or lack thereof, in each of those circumstances. In the continuum of change, this prism is a powerful, virtual, “device.” The resulting awareness (that regardless of an individual’s formal standing, circumstances can cause the individual to shift class on an informal basis) will allow us to recognize a person’s behavior, reasons for it, and any negative influence on engagement.
Behaviors can be influenced by feelings of fear, vulnerability, or power, for example. If we can recognize these feelings and their cause, we can then adjust our treatment of persons for ultimate outcomes. Too, we can assess ourselves for these shifts and protect ourselves from imprudent behavior or action. Recognition of these shifts can be a powerful tool in managing your relationships in the Business-Technology Weave.
Upcoming, we’ll classify people for you, the IT manager, so as to match their formal standing in the organization’s hierarchy: The WorkOns, the WorkWiths, and the WorkFors.
Things never remain static. If you are not planning the action, driving the action, managing the action – taking action – you are still moving. The stream of time and surrounding change is carrying you whether you paddle and steer or not. As your competitors progress, as your business tools fall out-of-date or become less than optimal, as your organization falls behind on evolving best-practice – you will in fact be moving backward – by a comparative default. Make sure you’re moving forward.
The “Whens” of action should become evident by virtue of the forward-looking postures we’ve described for individual and organization through discussion in the BIT forum, and the delivery of prudent action to the matrix of Five-Year, One-Year, and Individual Action Plans.
A huge assist to moving forward effectively in technology’s support to business is to identify actions that can be turned into routines, and to put them on schedules: a leveraging of “whens.” Business should facilitate thorough understanding by IT of the organization’s business burdens through exposures: the annual calendar of events, any regularized absences of key personnel, business cycles, predictable tax on resources, etc. IT should strive to optimize schedules, in sympathy to the business: workstation upgrade and deployment; fileserver review and update; infrastructure review and update; documentation and policy review and update – get these things identified and slotted to a particular quarter of the year. Even if exigencies change your priorities, you can easily swap one thing from one quarter with something from another quarter. You’ll still have a balance on your routine and your resources, and you’ll still have everything identified – things are less likely to fall off the table.
The proper schedule of ‘whens’ will yield an efficient cycle. The more comprehensive your cycle, the more time you will have for special projects. You will move forward in the best posture for controlling outcomes. If you wait to do something until you are forced to take action, you’ll likely move forward, but you’ll do so at greater expense – in terms of money, effort and efficiency. You’ll find yourself lurching from one area of problems to another. Therefore, find the “sweet spot” for action in all of your routines, in accordance with the organization’s events, distribution of resources, and cycles of business.
When discussing “Business” and “IT” roles and responsibilities – the Who Does What, Why and When? – we’re trying to position activity according to efficiency: to the arena that is best suited to a particular action by virtue of knowledge, resource, and responsibility. This facilitates better business.
In parsing the Business-Technology Weave we find that most of what occurs at the users’ desktops is in the domain of business: things such as the utilization of your core business software applications: proprietary mission-critical software such as an AMS, a customer-centric management system, sales and inventory, and so on. There too is the use of shelf applications (word processing, spreadsheets, presentation graphics, e-mail, etc.) and likely some specialty applications used by everyone (such as content management). The organization also has specialty applications used by the few (such as payroll, HR applications, laboratory analysis packages, statistical analysis, graphic arts, etc.). From the context of the Weave, we can think of the main business domain as “the front of the screen.” This is the utility and potential of the power to be had on the front side of the computer screen at the desktop, as delivered to users.
Those things that happen “behind the screen” (from the users’ perspective) are in the IT domain: In no particular order: Internet connectivity, security, server and workstation maintenance, installation/maintenance of software, backup and recovery of data, contracts, service level agreements, and so on and so forth.
Earlier, in determining where activity belonged, we asked: “Who is the relevant party that knows, or should know, the ‘business’ of what is under consideration”? We can now further sharpen our appreciation to who does what and why by asking that identified-party a question. We can help them understand where the burden of activity truly lies: “Does this happen on the ‘front side’ or ‘back side’ of the screen?” Let’s apply this question to a couple items to gain some clarity – one obvious, one not so obvious in terms of where activity belongs: backup of data and department orientation.
Backup of data: Backups happen on the back side of the screen – that is, backup of data should be done by IT and it should be transparent to the user. You could make the argument that someone dragging and dropping files to a CD for backup is employing a “front screen” process – true. But this is not a backup scheme appropriate to a comprehensive security of business. A backup scheme in the Business-Technology Weave context is an automated routine that does not rely on any single individual’s memory or action to achieve or regularize it. Also, IT has the discipline and fallbacks to ensure coverage of backups. IT ensures they’re running each night, and checks content of the backups. No real backup routine or scheme in a business environment should be in one specific user’s hands. You can make exceptions at your peril or convenience – but true data security relies on a backup that is a “back of the screen” process. Therefore, when discussing what is recognized as a comprehensive business backup, it is an IT activity.
Department orientation: Here we’re referring to a narrow slice of orientation – not a general IT orientation, or the overall HR orientation that a new hire goes through upon in-processing – but rather the hiring department’s orientation of the new hire. If IT is orienting the new hire to the specifics of your department’s use of software applications, as frequently happens, ask yourself “why?” Your department’s use of software is a “front of the screen” endeavor. The organization has people in each department who are much more familiar with that department’s procedures and rules for use. Have one of the business staff in the department provide this orientation. An orientation of sorts will happen anyway, in effect, through the new hire’s questions of your other staff. Avoid duplication of effort by freeing IT in this regard, and posit the activity of familiarization in the business department. Use of business applications is “front side of the screen.”
A couple articles ago, I talked about a business deficit. It’s only fair we consider one on the other side of the line.
Let’s look at a common mistake on IT’s part. How many organizations have a requirement for “centralized” data, yet have full knowledge that users – the business community – are storing data on local (c:, etc.) computer drives or on desktops? Even the most sophisticated organizations, and the most tightly controlled environments, have this condition. This goes on even in organizations where it violates a document retention and content management policy – policies that are often imposed or required by outside regulatory agencies, or other bodies (that is, boards, classes of customers/clients, and so on). Yet, if business members and leaders insist that it’s a necessary “work-around,” IT goes along. This can be a major mistake on IT’s part. Let’s leave the document retention/content management considerations aside for the moment, and look at the situation from a simple backup and recovery standpoint.
IT’s position in any organization should be that all data is secure: accessible according to authorization; safely and securely maintained in the technical environment; recoverable in the case of loss in the production environment through any reason. Too often, users are responsible for backing up their own local drives. This is wrong. If there is genuine business data that is not coming under the umbrella of IT’s backup domain, then that is a wrong situation and you cannot profess to have complete security. You are at risk. You can hash out in the BIT forum as to how to expose peripheral data, and how to manage it, secure it and back it up – at a minimum you must document exceptions to policy and put them on record. Many important caches and swaths of data have been lost by organizations because the central, qualified, authority for the safekeeping of data (IT) was unaware of it. So, there was no central authority guaranteeing its safekeeping under these circumstances.
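The backup discussion above and the local-drive problem in this post ask IT for the same three checks: that every backup job actually ran last night, that what it wrote still matches what was recorded, and that no known business data location sits outside the backup domain. The following added example (not code from the post) implements those checks over a constructed inventory; the job names, share paths, timestamps and digests are all made up for illustration.

```python
"""Added example, not code from the post: a nightly backup check of the kind
the post assigns to IT. Confirms each job ran within the last day, verifies the
content it wrote against the digest recorded at completion, and flags business
data locations no job covers. Every path, job, timestamp and digest below is
constructed for illustration."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional


@dataclass
class BackupJob:
    name: str
    covers: List[str]                     # data locations this job backs up
    last_run: Optional[datetime]          # None = never ran
    content: bytes = b""                  # what the job wrote (constructed)
    expected_sha256: Optional[str] = None  # digest recorded at completion


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def stale_jobs(jobs: Iterable[BackupJob], now: datetime,
               max_age: timedelta = timedelta(hours=24)) -> List[str]:
    """Jobs that did not run within max_age, or never ran at all."""
    return [j.name for j in jobs
            if j.last_run is None or now - j.last_run > max_age]


def content_mismatches(jobs: Iterable[BackupJob]) -> List[str]:
    """Jobs whose stored content no longer matches the recorded digest."""
    return [j.name for j in jobs
            if j.expected_sha256 is None
            or sha256_hex(j.content) != j.expected_sha256]


def uncovered_locations(known: Iterable[str],
                        jobs: Iterable[BackupJob]) -> List[str]:
    """Known business data locations that no backup job covers: these are
    the exceptions that must at least be documented and put on record."""
    covered = {loc for j in jobs for loc in j.covers}
    return sorted(loc for loc in known if loc not in covered)


def nightly_report(known: List[str], jobs: List[BackupJob],
                   now: datetime) -> Dict[str, List[str]]:
    return {
        "stale": stale_jobs(jobs, now),
        "content_mismatch": content_mismatches(jobs),
        "uncovered": uncovered_locations(known, jobs),
    }


# Constructed inventory: two file shares under IT's backup domain, plus a
# payroll spreadsheet living on a clerk's desktop that no job covers.
NOW = datetime(2024, 1, 15, 6, 0)
KNOWN = ["\\\\fs01\\finance", "\\\\fs01\\hr",
         "C:\\Users\\clerk\\Desktop\\payroll"]
FINANCE_SNAPSHOT = b"finance share snapshot (constructed)"
JOBS = [
    BackupJob("finance-nightly", ["\\\\fs01\\finance"],
              NOW - timedelta(hours=7), FINANCE_SNAPSHOT,
              sha256_hex(FINANCE_SNAPSHOT)),
    # ran three days ago, and its content drifted from the recorded digest
    BackupJob("hr-nightly", ["\\\\fs01\\hr"], NOW - timedelta(days=3),
              b"hr snapshot (constructed)",
              sha256_hex(b"older hr snapshot (constructed)")),
]

if __name__ == "__main__":
    for key, names in nightly_report(KNOWN, JOBS, NOW).items():
        print(f"{key}: {names}")
```

Run nightly, an empty report is the evidence that backups are under IT’s control; any non-empty list is a finding for the BIT forum, and the “uncovered” list is the record of exceptions the post says must exist.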
Let’s look at one more area where IT is frequently remiss. Increasingly, organizations are responsible for anything and everything that happens within. We see where large judgments have been made in favor of employee plaintiffs who had complaints regarding offense and damages over electronic content containing porn, offensive jokes, illegal advocacy, and other inappropriate content. This is content that has long been defined as this kind of liability by courts. Remember too that just because some content may be “legal” in the broader sense, it can still violate your organization’s best interest. Should your organization’s data be subpoenaed, you wouldn’t want negative characterizations of business partners or critical evaluations of members made public, for example. Most organizations have policies to guard against inappropriate use of business resources and to explain the consequences of harboring improper content, but many don’t adequately reinforce the policy. Further, it’s apparent that a lot of IT departments haven’t picked up their responsibility, or perceived their own liability, in this area.
Let’s be clear: One thing you don’t want to have happen is that something blows up into an embarrassing exposure, with people asking how “IT” could have let inappropriate content broach your business-technology environment. For it is IT that implements spam-guards, monitors storage, and has the means (even if only under special permission by Business) to do a comprehensive review of data. The mechanics of, and the burden in, running a “clean” environment is IT’s. While it is true that Business must cooperate and contribute to a clean environment, and that this is reinforced by policies both Business (HR) and IT – no business person has the authority to look across the board at data and content on a regular basis. No business person is tasked to have knowledge superior to IT’s regarding best practice protections and best software solutions. This is a “behind the screen” faculty. If you’re an IT staff member, and your IT department is not comfortable in answering to your organization’s content, you need to get this into the BIT agenda quickly.
Next, we’ll discuss putting activity where it belongs.
According to a recent ruling by the New Jersey Supreme Court, a former employee’s past company should not have read e-mails that she sent from a private, password-protected, web account.
The employee was using company resources (computer, internet access, and indeed company time), but the Court ruled that she had a reasonable expectation of privacy for the account, being that the company’s policy regarding computer use was that “occasional personal use is permitted.”
Various states have differing views of workplace privacy: Most, if not all, have ruled that company-owned, corporate, e-mail accounts belong to the company – including all data that is contained – business related or otherwise. Many have ruled that any data on a workplace computer belongs to the company, “personal” passwords and allied info notwithstanding. But in gray areas, companies and individuals alike need to thoroughly understand Acceptable Use policies and to grow and amend those policies as necessary based on precedents and local rulings. Some predict that workplace expectations of privacy vis-à-vis differing locales and laws will ultimately settle into a uniform judgment as the issue inevitably makes its way to the Supreme Court.
But there’s another consideration here: Who might be accessing your e-mail and any other personal data in the workplace that you may not know about, and will never know about? Someone could be surveying your workplace computer right now – for entertainment purposes, or for judgment in your suitability for promotion, or even further employment. Can this be done in secret? Of course. Is it? Well… for certain environments and for anyone who understands enough about human nature… the answer comes back again, “…of course.”
For a little background, the following article by Susan K. Vivio at NJ.com is of interest: N.J. Supreme Court upholds privacy of personal e-mails accessed at work.
This much is certain: If you’re in the policy-making arena (whether IT or Business policy), be sure your Acceptable Use and Content Management policies are thoroughly up-to-date and that staff is apprised of your organization’s expectations. If you are a workplace user of resources (again, whether IT or Business staff), be sure you are thoroughly familiar with all policies affecting use of computer and allied resources – and be certain that any people you may manage are also fully educated and current.
In all regards, it is always wise to carefully consider what you may be saying and storing on workplace computers.