A Plan: The DAPR Plan, and its actualization, is the manifestation of your policy. Your policy should set the overall mission, beliefs, values, and standards for prevention – as well as recovery, when recover is necessary. The mission and its associated quality will be realized in detail by the plan. In this way, prevention is defined, and a schedule and level of recovery is established. And, when prevention and recovery are performed according to plan, they satisfy the policy.
Threats and Risk: The condition of threat is the thrust behind planning. Threats enter your awareness, you assess associated risk, and where necessary you make a plan of action in order to deny threats’ delivery of harm. You also plan recovery actions when threat manifests as actual harm.
As you consider your DAPR policy and plan, you must assess various threats for consideration of risk to your business, and to what level you need to accommodate these risks. The same threat may pose different risks to different organizations. For example, an organization that serves reference material to customers can possibly afford to be off of the web for an hour or so. However, for an organization that relies heavily or solely on real-time, time-sensitive online transacting, such as stock brokering, or something like ebay, being offline for even a few minutes can cause extreme inconvenience or even damage to customers. It can also hurt that organization’s reputation tremendously – imagine if AOL were “offline.”
Also realize that the same threat may represent differing demands on resources to differing organizations. For example, some organizations will be in a sole location – they may store their offsite backup data within that same city or general geographic area. We know this to be a condition for many organizations. A catastrophic disaster could conceivably wipe out the whole of their business intelligence – or ready access to it, and hence would impede their whole recovery effort. They may have to consider the expense of offsite storage to another city.
Another organization may be more dispersed, and may be able to afford and secure more “redundancies” (of data, and complete business platforms) because of already existing alternate business locations. Indeed, each discreet business location within a chain could be a backup to another location. A citywide disaster at one of their locations would, from a strictly business point of view, be far less threatening to their continuity of business. The former organization at the sole location may have to allocate a larger proportion of their total resources to DAPR than the latter.
Therefore, you must get the issues on your table for threat evaluation of the risk imposed, against ranked business processes. Even if you feel that some items are beyond your capacity or resource to deal with, you should still document them; the reasons why their scope of treatment is as it is; and document whose authority set the scale of treatment.
Apportion your resources for DAPR against a sanctioned policy and plan that is understood and agreed to by all relevant parties.
Next: Harming Events and Circumstances.
Leveraging Documentation: In some cases, you may be “rediscovering” knowledge, and this is extremely important. As many of us are painfully aware, there are countless systems out there that were put into place by people long gone from the organization. These are “mystery systems” – the people utilizing them and counting on them hope that they keep working. Often, no one knows how to service them, or how to upgrade them for currency. Perhaps associated vendors and companies have gone out of business, or sold their product to someone else. Maybe you have systems that were developed in-house, and that were never properly documented. Some of these systems’ technical concerns are too complicated to understand in the fast moving environment of the usual business day – imagine trying to recover them following a disaster.
These systems drifted so far off the maintenance map that only through Herculean effort can we bring these systems back into the ‘zone of known’: A nice benefit of DAPR is that it often helps your ongoing business efforts by identifying and documenting all areas so that you have comprehensive, “bullet-proof” knowledge that is independent of employee turnover and other change. Therefore, DAPR should also prevent any business process or system from drifting into an undocumented and poorly maintained state. The DAPR posture and the documentation you build also contributes to content, and its management.
Assessing Risk: Once these key business areas have been ranked, they should be assessed for risk. Risk can influence how you direct your resources, and can even re-order some of your key areas in terms of priority for protection and recovery. You may have an internal business process that is critical, and which, at first glance, occupies a high order on your list for protection, recovery, and resources. However, this process may be in the exclusive control of internal, trustworthy, personnel, within a physical security space. Perhaps equipment and process are in a secure laboratory at a business site. The site may already have “local” departmental control and protection that already makes demands on resources, and which are sized to protection in accordance with DAPR. In this circumstance, the DAPR policy can nod to this condition, and better utilize the organization’s resources elsewhere on the list.
Other conditions may take seemingly lower-priority areas to a greater elevation on the list. Let’s say you’re transferring data on a daily basis to business locations that have unreliable connectivity due to surrounding, relatively undeveloped, infrastructure. Here you may choose to place alternate, backup, means to transport data to these locations. You may employ redundant point-to-point connections that rely on different service providers and transports, for example. In this example, you may allot greater resource to the external business locations than you would have at first surmised necessary – having assumed data-transfers to be “mundane”.
There are other influencers as you develop your plan. For example, you may have a critical business function that is an absolute necessity for business continuity. However, if that process is hosted – that is, if it is being supported mainly by a vendor, at their site – it largely falls under their DAPR-equivalent plan. The continuity of business mission, beliefs, values and standards would translate as a service level agreement (SLA) within your contract with that vendor. That vendor should provide test results, and also conduct any testing in concert with your organization, to your satisfaction. Thus, realize that your DAPR resources will not always weight in direct proportion to risk, or even importance, of key areas. There will be many influencers that will evidence themselves as you plan – another important realization for the need to bring DAPR into focus. Once the organization has a good understanding of how to rank process and systems within the scope of critical business functions, their dependencies, and risks – a definition of the mission will begin to take shape, and an assignment of resources can be made. Resources such as money, personnel, and time must be fairly and proportionately budgeted according to accurate requirements for prevention and recovery.
People: In the review of various organizations’ “disaster recovery” postures, and even when appraising “model” plans on the web, we will notice something curious. Many plans don’t account for the loss of people. Likely, it is because of the simple fact that we don’t like to think about losing co-workers, friends, and other associates. We also don’t like to think about our own risk in this regard. Yet, this omission is surprising, and we should expand on a concept here: People are our biggest challenge, our biggest resource, and, from a pure business perspective, they are a huge investment and a critical asset. We hope that we never lose people, but none-the-less have to plan for their loss – not planning for this contingency would be irresponsible.
Hopefully your organization already has a model in place to “cover” for absences. Vacations, arrivals of new children, emergencies, promotions, dismissals, turnover, all contribute to the necessity for a plan of coverage to essential duties and support of systems and processes. Here again DAPR assists in the normal course of business by helping us to establish an awareness, and subsequent construction of a “weave” of backup. We have personnel who are trained to a necessary degree and who know enough to step in as an alternate “player” to cover absences to positions. In the formal case of the DAPR policy and plan, people know what their duties are regarding recovery, and they know how to shift given specific absences of personnel. Let’s note here that unavailability of personnel doesn’t have to be related to death or injury from disaster. You may find that key people simply cannot reach the worksite due to environmental problems, as an example.
Next: A Plan.
Security must be made a routine part of the day. A good way to handle DAPR is to have delegates, such as members of a Business Implementation (BIT) Team, or their assignations, participate in the creation, maintenance, and evolution of your policies and plans in this area, in the testing of the deliverables necessary for continuity of business. Further, this team should deliver a regularized report to senior management regarding the organization’s security posture against evolving circumstances of risk.
Any denial is extremely risky as the destination is always moving further out: as you accrue new systems, exposures, and risks – and as the world turns. External challenges to the organization mount. You continue to drive toward the evolving destination in fulfilling the best state of preparedness you can – regardless of limits. Prevention is possible only through exposure and mitigation of risk. Recovery is possible only for having prepared for a recovery.
If and when your organization has a robust DAPR plan, still realize that there is always room for improvement, and that meeting essential DAPR requirements is a moving target. If your organization has no DAPR plan, or has one that is outdated, incomplete, or merely represents a “feel good” placeholder, then Business and IT need to begin an immediate address of the problem. Getting a basic plan in place is akin to acquiring your “wind” in order to compete in the race.
DAPR: Policy and Plan
Now that we’ve established an understanding of awareness, preparedness (which includes prevention), and recovery, let’s discuss policy and plan in further detail. It is policy that will help the organization at-large adopt and adhere to the appropriate level of awareness. It is the plan that will translate the organization’s awareness into achievement of proper preparedness. Let’s look at policy first:
Policy: Your policy defines and sets the mission. Your DAPR policy has to acknowledge some realities. If money were no object, all organizations, and each of us as individuals, would maintain a comprehensive “mirror” of our computing platforms, content, and systems. It’s been said that Lehman Brothers were back ‘online,’ conducting full business, 20 minutes after losing their primary business site in New York on 9/11. They maintained a staffed, duplicate, physical site across the river – essentially a comprehensive ‘backup’ of all content, platform, business systems, people, and real-time transactions as they went along. From a pure business perspective: Loss of their primary site simply meant a few technical changes to throw the alternate site online, as the new primary. Of course, Lehman Brothers later had problems of another sort.
It may seem a cruel example to discuss the continuity of business in the face of catastrophic human loss, such as that which occurred on 9/11 in America. But what we can realize here is that if we’re able to make business recovery as rote and as painless as possible, we’re then able to focus that much more on helping people. The need for a job, a solid place of employment, and the sustaining of an economy are not going to melt away in the face of disaster. Taking care of survivors, and surviving family members, does not go away. Indeed, meeting those needs will be of extreme importance to the organization. Therefore we can think of it as a manifest duty to secure the relatively “mundane” continuity of business in the face of human disaster – to have the path cleared of competition for attention of our bruised minds, as it were, so as not to blur or obscure our focus for taking care of people.
Setting Priorities, Apportioning Resources: The Lehman Brothers example is one of extremes: extreme disaster, and extremely good recovery (fast, comprehensive, and according to plan). Understand too that their recovery from disaster presented a “prevention” face to the world: they prevented the loss of their ability to conduct business, in the face of an extreme impact. Certainly if you’re part of an organization that has the resources to mount a security and recovery posture such as Lehman Brother’s, all to the good. The larger challenge is for the majority of organizations that have limited resources. It can be difficult to know how to apportion critical resources for DAPR vis-à-vis the daily concerns. Too, it can be difficult to know how to apportion resources within DAPR.
There is competition for all resources in sustaining the overwhelming normalcy of conditions: the daily business grind. It is a challenge just to meet those requirements in keeping up, and remaining functional and competitive. Even if you feel you have no real competition (perhaps you’re a non-profit with a unique set of products and services) you must still remain functional in an ever-changing world. Within the demands of the real-world day-to-day, and in planning the future of the day-to-day, how do we responsibly apportion and balance critical resources for something that might happen, and which “probably won’t?”
Rank and Document Key Business Areas: A logical start is for a DAPR team to identify, list, and rank key business areas. This way, the policy will guide Business’ application of resources. As we’ve said before, your BIT team can begin DAPR planning, or DAPR may be delegated to a subset of this group – whatever is efficient and effective. As with all projects engaged by BIT, the DAPR planning team will further assign responsibilities as necessary. This team will also bring other people onto the team where appropriate, or invite them into specific discussions as the planning goes along.
Assembly of coherent business documentation for each of these areas is crucial. We don’t need to provide a generic list here of functional areas: each organization should have a good start on this documentation. You can also find sample lists and ideas on the web for areas of inclusion to your own list, if your concern is that you’re overlooking something. With simple diligence, this ranking will not be difficult to do – particularly if you survey your department heads for their ideas to DAPR.
Remember too that your organization has likely already identified and described key business areas, and associated values, standards, and practices. Where this documentation exists, it can be appropriated and repurposed to DAPR (here is where content management and simple Business Intelligence [BI] can assist and streamline this process) – no need to reinvent the wheel. Even if you are not yet maintaining critical business documentation, you may still find surprising information in this regard: You can dig for important detail regarding business processes, and associated values and standards, in such things as job descriptions, RFPs, and sales and marketing literature. Consider other areas too; these often have comprehensive descriptions of business process and associated needs. Collect, repurpose, create, and build the documentation as necessary.
Once you have identified major business areas, your team can begin to rank the areas in order of importance to the organization. Your list should include a description of each business process, and its relation to other processes (its dependencies on, and its supports to, any other processes). Also document whatever other dependencies exist: internal systems and resources, external systems and resources, and personnel, for example. The list will reveal important interdependencies, many of which have never been known, formally recognized, and documented.
Next: Leveraging Documentation.
In continuing from days prior, let’s understand the elements of DAPR: Because prevention of – and where necessary, recovery from – harm is so central to security and business continuity, let’s take a closer look at some of the fundamentals:
Awareness: Awareness starts with the board or governing body’s commitment to establish and maintain a Disaster Awareness, Preparedness, and Recovery (DAPR) policy and planning process. From here, all management and staff are made aware of their requirements. Everyone has a duty to conduct business in the best possible way, in the most secure fashion, in compliance with all policies and protections. Prevention of harm begins with awareness.
If harm comes, everyone has a duty in ensuring the ability to recover from it. It requires planning at every level in order to ensure that essential business of the organization is able to continue in the face of adverse events and circumstances.
Important projects like DAPR planning have to be approved and sanctioned at the highest level in order to secure the required level of commitment and resources throughout the organization. The sale for DAPR planning should be easy to make in today’s environment – for reasons we’ve touched on. Primary is one of business’ most important foundations, which we touched on earlier:
- An Awareness Regarding the Business Foundation: Business has shifted from a mostly linear, non-abstract system of paper, filing cabinets, adding machines, and largely non-intermediary systems of support – to a virtual, almost abstract environment. It is now one of electronic bits and bytes, accessible only through the intermediary of computer systems, allied applications, and associated availability. Further, there has been a steady expansion of this foundation. Growth of wide area networks, their ties to the internet, their ties to other business locations, and remote access that ties in home computing and all manner of other access, has exploded the vulnerabilities to be managed. Thus, through the corresponding expansion of access to this foundation – there has been expansion of exposure and expanded risk of harm.
Remember that we are talking about a foundation to business here – not some “enhancement,” appendage, or luxury. This is a foundational underpinning that you cannot allow to be knocked out from under – otherwise your business “crashes”, and you cannot “do.”
Harm to this foundation can be unintentionally sourced: things such as earthquakes, power failures, weather damage, etc. Short of nature, harm can arise from simple human mistakes or oversights: someone can corrupt the content of a database by transferring the wrong information into it. Someone may accidentally delete or move (lose) entire structures of data, break important links, and throw crucial parts of business offline.
Harm from human interaction can also be intentional: things such as acts of sabotage from within or with-out, or terror attack. We’ll take a closer look at a number of specific risks when we discuss Threats. For now, awareness starts with a true appreciation for the vulnerability to this foundation, the sheer weight and range of disruption to business should this foundation be removed for any period, and the absolute necessity in securing it to the best possible degree.
Preparedness: Preparedness should first and foremost be seen as a posture of prevention from harm. Preparedness next defines action and resources in the event of harm. Preparedness begins with its contribution to policy, such that our awareness gets translated into a plan and an outcome. The plan can then be affected to meet the policy’s stated objectives.
You can combine your policy and plan: The XYZ Corporation’s Disaster Awareness, Preparedness & Recovery Policy and Plan. In fact, your policy will not completely take shape without the plan – they are reinforcing, particularly as they develop. But a firm sense of policy must precede the plan; so as to identify your organization’s concept of DAPR, and the basic principles and levels of prevention and recovery expected (you must know the ‘where you are’ of expectations before you can plan to your ‘where you’re going’ destination of deliverables).
The policy states the mission – the detail you deem essential in explaining your organization’s critical business functions, the expectations for preventions, the required recovery protocols for disastrous harm, and responsibilities. Further, it should expose the beliefs, values, and standards for these essential business functions and their dependencies, or supports.
Because resources are not unlimited, the organization must arrive at agreement for what constitutes the greatest risks, the likelihood of events, and the impact of those events on various ranked business elements. Once your organization has agreement among various lines of business, practices, departments, agencies, etc., you then have common beliefs in what merits protection – values – and can proceed with the plan for protection and recovery of those things. We can note here that you may not achieve total agreement, but in that case the belief will at least be acknowledgment of, and agreement to, compromises made, and actions resulting.
Once things have been prioritized, you can set various standards for prevention and recovery: the planning of the what, when, how, and where. When you’ve established the mission, beliefs, values, and standards through policy, and made the plan for meeting the policy’s objectives, we define the tests that we’ll employ to validate our recovery plan.
Recovery: Unlike other Business and IT objectives, your disaster recovery posture is usually never fully realized, and never fully known. That is to say, your ability to recover from disaster does not usually evidence itself (hopefully) in a real-world manifestation. Conversely, almost anything else you do is reflected back to you in the form of real-world success and feedback. For example, if you launch a new product, it either succeeds in the marketplace, or it doesn’t. You may have tested it beforehand through survey or some small market, but you will have the ultimate arbiter of the real marketplace as your final ringing authority; it will either deem your product some measure of success, or deem it a failure. You won’t have to wonder.
Disaster recovery is something we hope never to “test” in the real world. Of course, right up front we know that we don’t want to experience disaster – that’s obvious. But secondarily, if there is a disaster, we don’t want our recovery efforts to be the first test. A test implies an unknown – will we pass or fail the test? That is the test’s purpose – to eliminate that unknown by exposing a true level of knowledge and ability.
Therefore, we want to test beforehand, and on some regularized basis, so as to expose points of failure, and areas where we can improve. Therefore, as our environment changes, our disaster recovery testing continually exposes and helps us to eliminate unknowns – divides between our ever-new requirements, and standards for recovery. This way, we can reasonably expect a yield of success in the form of a recovery that goes according to our plan, and meets our policy’s requirements when we have to deliver on a real-world “test.”
As best we can make it, recovery from disaster needs to be efficient, effective, predictable – and safe.
Next: DAPR is never finished.
NP: The Doors; Full Circle. The second, and last, album released by the surviving members of The Doors after Jim Morrison’s death. Whereas Other Voices is rather middling, with a few high points, Full Circle deserves a listen by Doors fans who may have eschewed it by virtue of the post-Morrison reviews and discussions. I’m pleasantly surprised upon hearing it for the first time. (Krieger and Manzarek handle vocals). Original vinyl.
In yesterday’s post, we began a discussion of Disaster Recovery vs. the more comprehensive Disaster Awareness, Preparedness, and Recovery.
When we talk about Disaster Awareness, Preparedness, and Recovery, we stand a better chance for securing business in the real world (recognize that the “preparedness” aspect of DAPR incorporates provocative standards of prevention, wherever possible, with the attendant posture for recoveries where the truly unforeseen, or uncontrollable, manifests). We must associate a reality-based handle to disaster, and all business/technical considerations that go with it. The leverage to understanding and compliance is essential:
DAPR forces, not a different question but, a set of questions:
“Are we prepared for disaster?”
“I guess so – we have a disaster recovery plan.”
“Do you have an updated awareness for potential disasters?”
“Well, let’s see – I guess we should list them.”
“Now that you have an awareness, are you prepared?”
“No. We’ve added some events, and we have a better understanding of others.”
“Are we properly prepared to prevent certain outcomes?”
“Prevention? I thought this was Disaster Recovery…?”
“Can you prevent harm where appropriate? Can you truly recover from disasters – have you tested your preparedness?”
“Well, we’ll have to develop some tests, and then conduct them…”
As usual, we can leverage understanding in a powerful way when we set simple and accurate identifiers right up front. DAPR helps us to better know ‘where we are.’ Disaster’s potential is a part of where we are, and we need an awareness of our surroundings as a part of that. Preparedness is a route to a destination – a journey – a ‘how do we get there’ factor. It leads us to the ‘where we’re going’ zones of prevention and recovery.
Awareness is required before you can achieve preparedness, and preparedness is necessary for requirements supporting prevention and recovery. Can you see the ‘where are we’, ‘how do we get there’, and ‘where are we going’ elements of the previous statement?
We then require the satisfaction of a test to indicate your level of success in arriving at a state of prevention or recovery – and in arriving at a properly sized DAPR position for any moment in time.
Who drives DAPR? One guess… Particularly for Business, it is inadvisable to rely on a simple conversation with IT regarding this area. This is not to put down anyone’s IT endeavors, or business continuity efforts. Rather, this is because IT may feel that they’ve done the best they can regarding security of business in this regard, based on the resources they’ve been able to lobby for (including Business’ attention). It also includes IT’s belief (whether erroneous or actual) that they’ve met the Business expectation, and mounted the best mission. But here again there is an ignorance in many organizations. Business may like the numb comfort they often have in this area: Walking away with a simple “Yes, we’re covered” allows Business to go back to the core business focus of the day.
There is also a certain denial at work in many organizations, or a simple pushing aside of DAPR: “We’ll get to that next quarter, next year, soon,” etc. – or – “our vendor handles that.” But like all things in the Business-Technology Weave, the IT Enlightened Organization makes disaster awareness, preparedness, and recovery a Business-driven initiative, too. Who owns “business-continuity?” IT? After all, it’s Business’ continuity. Further, IT can only establish DAPR according to its own allowance, safe-channel and lead – from Business’ sanction and support. When IT fulfills a Business expectation, Business has to make sure the expectation is sized appropriately.
To Business: You own it. It is your business that will suffer from a state of non-recovery. You must oversee DAPR, its maintenance, its evolution, its testing, and you must believe that you can rely on it to your satisfaction, values, and standards. IT will serve, participate, suggest, focus, and implement the mechanics of preventions and recoveries. IT will lead when that lead is designated by Business – but policy and planning must be driven by Business.
Next: Understanding the elements of DAPR.
NP: The Doors: L.A. Woman; original vinyl release with the round-corners jacket and front cover window. Thorens TD-125, Shure v15v xMR, Carver C-1 and M-500t, Jensen cabs and Peerless drivers. Some other goodies in the signal chain, too.
Organizations, vendors, and practices have created a ready handle for recovery from disastrous harm – Disaster Recovery – with the attendant “Disaster Recovery Plan.” The venerable Disaster Recovery Plan is meant to secure business continuity in the face of disaster. However, security is ill served by this handle, and so too are many of the plans (and associated realities) that fall under it. “Recovery” is reactive, when we should have a plan that includes prevention of disaster. Some measure of prevention is within our internal control, and some lies within our ‘agility’ in sidestepping much of outside disaster’s influence. And, we strive to make disaster “transparent” to those whom we serve.
Too, mere “disaster recovery” is often given short shrift in terms of attention, resources, and any sort of test or proof of concept. Many people, particularly Business people, are left to assume their disaster recovery efforts are in place, and will work, when in fact there is no reliable evidence to support this assumption:
“Can you recover from disaster?”
“I guess so – we have a disaster recovery plan.”
Many don’t really know, because there’s never been an event to recover from. But they have a plan. (Place a check in that box. Sleep well).
Absent are identified, known, and agreed upon missions, beliefs, values, standards, and tests. Here, again, we’re building awareness.
¨ Mission will be defined by your requirements for prevention, recovery, subsequent assignments, and exercises. The mission will be associated with a policy, and the policy’s manifestation is achieved through a plan.
¨ Beliefs include ‘prevention’ as a standard; the understanding of prevention’s true value; those things that need protection according to assessed risk and available resources; and your confidence and control.
¨ Values support your beliefs – those things valued as necessary for sustenance of business. Values will help establish that which is protected to the best point of prevention from harm. There are also those valued business elements that determine the order of recoveries according to priority.
¨ Standards establish the degrees, or levels, to which your protection is certified, in supporting preventions. Too, when recovery from damage is made, standards establish a period of time for how quickly full recovery is expected or necessary. Standards can define increments of recovery, and they support the prioritization of the valued business elements through ranking of them.
¨ Tests will be those simulations of harm that you employ to expose your level of success in preventions, recoveries, restorations, and the employment of identified alternative resources.
You must satisfy yourself (believe) that you can meet your organization’s identified values and standards of business continuity in the face of disaster. These things are necessary in order to provide some assurance that the best efforts have been made according to acceptable risks and available resources.
When we arrive at that place, we find that what we really have is a policy, plan, posture – a mission – for:
Disaster Awareness, Preparedness, and Recovery (DAPR)
To be continued…
First, recognize that social engineering is the biggest factor in personal breaches and matters of identity theft; the “grooming” of folks, getting them used to clicking on offers as distributed in e-mail, and even through social networking sites. Children can be especially vulnerable.
Oftentimes job offers, or “You’ve won!” scenarios, have templates for fill-in. If you’re not careful you, or perhaps children in your household, may end up divulging name, address, date-of-birth, and other highly sensitive information.
Be wary too of targeting that meets areas of your interest, yet is unsolicited. Scammers rake social media websites and glean all sorts of info. Avoid following your curiosity when assessing any unsolicited electronic contact with you, or your household.
Here are some tips – share them with younger people too:
- Encrypt your home wireless network, for those that have them, and pay attention to security setups on iPads; iPhones; Androids; laptops; desktops, etc. There are innumerable cases where people use others’ networks for the propagation of crimes – especially within large apartment houses and condominiums.
- Generate strong passwords – forget pet’s names; tricks like reversal of D-o-B. Use long passwords – consider 25 characters or more, as crazy as that sounds. Many can be stored anyway. The main liability with storage is, if you access an account on a device other than the one with stored password(s), you either may not remember it/them, or you’ll have quite a chore typing it/them in. But the extra security is worth it – algorithms now can hack just about any password, but if a program takes too long trying to crack yours, it’s more efficient to move on to a more vulnerable one. You can also use password generators/randomizers – just Google for that if you’re not familiar with the concept.
- Update your anti-virus/malware programs regularly; set these to do auto-updates in background where possible.
- Turn on personal firewalls. Search Help for “personal firewall” – check to see what’s available in your operating system.
- Consider using an Identity Protection program.
- Seek recommendations from your workplace: If you can check with your IT department, see if they have any suggestions for home protections.
Of course, on that last one, a good IT department will survey the user population for personal/corporate tethers anyway, and will perform their due dililgence in sewing shut this area of liability. But, it’s good to solicit advice and updates anyway, as things can get overlooked quite easily, even in these terms.
Stay safe out there.
Today we’re privileged be with Karen Favazza Spencer, author of the Agile primer A to XP: The Agile ABC Book (ISBN: 978-0-9883358-0-6), available at Agile Kindergarten. Karen’s book is not only used here in North America (where I sit), but also Europe, India, and Australia.
Good afternoon, Karen. What, in your view, is “Agile”?
A: Hi Dave. Agile is the marriage of scientific empiricism and social psychology. It is an umbrella term for several project and product management frameworks. Agile works well when the work to be done is complex and the methods necessary to accomplish the work are not yet fully understood.
Agile “chunks” functionality so that small bits of business value are delivered to the customer on a schedule; typically a one-to-four week schedule. This schedule provides the customer and technical team with ready opportunity to validate the product, and incorporate change, based on timely feedback, as well as experience. This process allows the business to better forecast the time required to complete complex features based on their ongoing experience.
Shared ownership, transparency and small cross-functional teams are a few of the cultural underpinnings of the Agile frameworks, such as Scrum, Lean and eXtreme Programming. Consequently, knowing how to collaboratively make decisions, and how to deal with interpersonal conflict constructively, are foundational skills in an Agile shop.
What inspired you to write this book?
A: Well, when talking with different teams, both co-located and distributed, in different companies, I asked “What books have you read on Agile?” A dozen or more team members all gave me the same answer: “None.” When asked why, they justified this with “I’ve got one on the shelf but haven’t gotten around to reading it yet,” or, “we don’t have to read about Agile because we’re doing it,” or, “I don’t know which one to read, there are so many.” I decided that what was needed was an obvious entry point – something engaging and easy to use.
I see; then what is your book’s main argument?
A: A to XP is basically a job aid. Like any ABC book, it’s an introduction to literacy. What I’ve done is arranged about 100 Agile concepts around 26 themes, so that things hang together. For example, I talk about pairing and swarming behaviors in context with Continuous improvement and Emergent Design, all under the theme of Planning, accompanied by an illustration that shows the iterative nature of the framework.
A: Everyone using or interested in using Agile practices. Agilists such as Scrum Masters, Product Owners, Coaches or Teams, Business stakeholders, and C-level or other management.
What is unique and original about your book, and your thinking?
A: That’s the question! It is unique. It would have been easier to write 10 pages on each of the 26 themes, which would have resulted in a traditional book. But I wanted something that could be read in 30 minutes, and skimmed in 5. I wanted something that could serve as a quick and handy “cheat-sheet.” I wanted each of the themes to be absorbable at a glance. So I decided to use three methods of communication – 1) a simple illustration of the concept, 2) a heading like a proverb that was pithy and memorable, and 3) a rational paragraph or two that would provide more substance. What I tried to do was to access the metaphorical mind – our right brain, or narrative mind as Steve Denning calls it. I pair this with branded formatting: Unique illustrations, memorable hooks, and the rational argument to support each concept. In this way, readers actually LEARN the concept. In other words, I wanted to walk the Agile talk by providing just enough information, in easy to understand chunks, so that the concepts on each page would be DONE when you turned the page.
How specifically can your book help an organization; an individual?
A: Having a common glossary of terms, or shared understanding of concepts, is central to smooth operations. We all think we think the same, but often discover we don’t – at inopportune times. The Agile ABC Book gives everyone a common-understanding from which to start. What’s more, the How to Use this Book section provides a workshop format for teams to practice Agile meetings, where they can further explore their mutual interpretation of any one of the 100 concepts. This guides them toward creating their own Action Plan for improvement.
A: Management might be interested in the cultural implications of doing work in an Agile way, yet may not really understand what stresses it will bring to bear on their typical operational structure. The themes Why, Team, Quality and Greatness all speak to that cultural mindshift. Other themes such as Whiteboards, Scrum and Information Radiators communicate more behavioral information.
What happens in some Agile adoptions is that very superficial and often modified, or incomplete, frameworks are put in place, that subsequently fail to deliver on the Agile promise of high productivity. Agile simply doesn’t work if you pick and choose. It would be as if you chose which bits to use when assembling a piece of furniture; it might end up looking good, but functionally it would be unsound. It pains many Agile coaches and Agile consultants when the enterprise sets itself up for difficulties with this à la carte mentality. I provide a cohesive model of proper Agile that outlines the transformation agenda – a balanced diet, so-to-speak.
What does following your book’s principles mean beyond IT – that is; to business and related successes?
A: Glad you ask that, Dave, because although Agile in general, and Scrum & XP in particular, are closely associated with IT, Agile also speaks to the business mind. A CFO or a business manager can use A to XP as a primer in preparation for conversations with the technical folks.
One of the reasons the short proverbs and images work so well with the Agile concepts is that all of us, business people and engineers alike, have a basic understanding of these principles from life experience. Let’s face it; people tend to overcomplicate things. Granted, the technology we are using and the products we want to create can be complicated, but execution should be incremental, output should be cohesive and business value should be clear. Everything has to fit together in a way that is flexible and sustainable. Agile provides a conceptual language that does that.
What Agile is about at its core is GOOD DECISION MAKING PRACTICES – and my book speaks to this. It’s about seeing the forest and the trees… the greater picture, the long-range implications, along with the pragmatic step-by-step work that needs to be done. It’s about aligning strategy with tactics… but it’s about more… it’s about Value Driven Leadership and Respect for the Individual.
Well thank you Karen, for “being” here with us today – is there a nice summary you’d like to wrap with?
A: I’d like to say that if you’d like a “Cliff Notes” version of Agile, if you want something that you can actually use, even on-the-fly, to spark meaningful conversations with your colleagues, if you need help in your Agile Adoption or Agile Transformation so that you make better collaborative decisions, then get multiple copies of A to XP and use them to develop your, and your organization’s, literacy. This is a book that is meant to be used.
Thank you Karen: Today’s guest has been Karen Spencer, author of A to XP: The Agile ABC Book (ISBN: 978-0-9883358-0-6) available at Agile Kindergarten.
Well… I’ve frequently spoken about a new agility being necessary for organizations, and their subsequent ability to mount new security initiatives quickly, in response to fast-changing threats. Happily, tomorrow, I’ll have an interview with the author of the book, “A to XP: The Agile ABC Book.” Agile, as a discipline and a business process management practice, serves the threat landscape well: It applies where the unpredictable is common; and where business processes cannot change quickly enough for necessary business practices.
But that’s tomorrow – back to mainstream awareness: There’s a growing unease amongst the general populace regarding cyber attack, cyber terror, cyber war… and just hacks in general… a burgeoning awareness. There can perhaps be no better indicator of any particular thing’s ubiquitous nature than its inclusion to Late Night television fare.
The other evening, on “Late Night with Jimmy Fallon” (NBC), Fallon mounted a joke that shows just how mainstream cyber awareness has become:
“This is scary - a new report shows that Chinese hackers could one day take out America’s power supply. Or as that’s also known: Pulling a ‘Beyonce.’”
This is an obvious reference to the recent power outage at the Super Bowl, and speculation that Beyonce’s half-time show taxed the stadium’s or region’s power capabilities, perhaps overloading equipment… or something like that. (Whatever was the cause, they obviously need new, comprehensive, backup plans and systems).
But the awareness grows: It’s now in the comic; economic; personal; and military realms: General Jack Keane, former Vice Chief of Staff of the U.S. Army, and now a Fox News military analyst, states that the U.S. is “the best” when it comes to things such as hacking, cyber espionage, and related activities; that Russia is second; and that China is third. However, according to him, China is “by far the most prolific,” stating that thousands of the People’s Liberation Army (PLA) members engage in cyber hacking daily, further assisted by civilian hackers and contractors – penetrating thousands of U.S. companies.
They have penetrated political, economic, and military intelligence realms, stealing related intellectual property – thus stealing technology and innovation to use in advancing their own economic interests.
At the same time, another far more local challenge exists: Retail Cyber Attacks. Retailers are targets of 45% of all computer hacker attacks in 2012. There are an estimated 79 successful cyber attacks a week on U.S. businesses.
36% of all targeted cyber attacks in the U.S. are aimed at small businesses. Those are the very ones that cannot afford robust, up-to-the-minute, protections. They also can’t afford to be without them. A dichotomy.
Hand-in-hand with hacking go the flourishing underground industries that bundle together customer information; addresses; credit card numbers; PINs, and such, and utilize them – or sell them to other crime syndicates.
Consider: A Subway breach had a compromise of data involving 80,000 customers: Unauthorized transactions were made for 3 years on that data.
So we find that what’s turning out to be an omnipresent awareness for cyber vulnerabilities must be paired with a new agility: Tomorrow, Ms. Karen Spencer will share with us her thoughts on Agile, as contained in her book.
Further, a tweet indicated that “the whopper flopped” and that BK had thus been sold to McDonald’s. Several other tweets contained obscenities.
It’s not clear who hacked BK’s account, and I am not implying that it was a “competitor hack” (that is, it was not likely initiated by McDonald’s, or any potential rogue employee of that firm – although the Hamburglar’s criminal tendencies are well-established).
However, this hack has to fit squarely into one of two realms, and it provides a nice entrée to some new definitions for an evolving threat landscape. Let’s create the concept of a “branded hack” that is unique to this forum – branded hacks that will be handles for discussion, and which will hopefully propagate for ease-of-discussion at orgs, with vendors, with media, etc.: 1) Competitor-Hack (CH), and 2) Hack-at-Random (HaR). This is a good opportunity to define these two types of hacks, for purpose of establishing exactly “where we are” in 2013, in getting to where we need to go – these definitions will likely evolve a bit:
New Definitions for New Realities
Competitor-Hack (CH): This is a directed hack by a business competitor, with a business motivation: The purpose of disrupting the competition’s ability to conduct competing business through harm to enablements (data, infrastructure, apps, etc.), or to cause damage to any specific competitor’s reputation (such as false Tweets, implanting of false content, false business positions, etc.). These CHs can include political motivations, and political targets – they include any orgs and/or individuals who compete on some plane.
Hack-at-Random (HaR): This is an attack that has more of a mischievous spirit as motivator. Motivators can include humor, bragging rights, or even the preference of Big Macs over Whoppers, or Whoppers over Big Macs – but generally speaking, the people mounting these are not employees or formal representatives of the organizations in question – they are people who mount trouble for sport and fun.
Recognize this: In discussing cybersecurity a few articles ago, as contained in this post, and as indicated in another post’s matrix, I mentioned that organizations would have to guard against CHs from business competitors. I also debuted the concept of HaR. It is easy enough for me to envision these things coming, as immodest as that may sound: In the realm of risk, unmanaged possibilities become probabilities.
It is easy enough to see that risk is being compounded by three fundamental things that are being driven to everyone:
Ever-more power, affordability, and capability are being driven to very modest “players” and devices.
Ever-more robust hacking tools will be available on rogue “gaming” sites, and the business and sport of hacking is going to explode. Watch for it – and be positioned to guard against it.