Today’s social networking environment is interesting from a variety of perspectives.

There’s the security aspect, of course.  Folks have to be careful not to divulge too much information, such as: 

“Hey!  We’re on vacation in beautiful [insert location here]!” 

This is the equivalent of a news bulletin to every nearby thief: 

“Hi.  We’re not in our home at the moment, and won’t be for the next couple weeks.  Come on by, break in, and peruse our stuff – take what you like…”

In fact, it is often auto-responders that let criminals know that people are on vacation – and these can be very dangerous.  Criminals survey the ‘net to find out which houses are empty, and auto-responders make for very efficient pairing of house-to-criminal.  Think.

I remember the good old days when, as IT Director and later CIO, I’d walk out the door one afternoon and not touch a computer or send a message for two whole weeks.  I might write a regular paper letter or two and post it while on vacation, but that was it.  Today’s eCulture really has people tethered to their accounts and devices: 

According to TechCrunch:

-          50% of all Americans are on Facebook – but only 37% have a passport.

-          There are 750 million active users worldwide.

-          There are 700 billion minutes per month spent.

-          58% of people are online while on vacation. 

People feel pressure to stay “plugged in.”  There’s pressure to e-mail, tweet, IM, update websites with vacation photos and blurbs… 

This is a lot of people, and a lot of time spent.  I would urge all users, family members, children, professional associates – all interconnected and linked people – to be very circumspect about what information you make public. 

Also:  Be very wary of what kinds of information new “friends” solicit.  If you know someone exclusively through the domain of online social networking, e-mail, etc., be quite careful.  Not to encourage spying, but take note of what children are doing too.

Also, consider private moments “breachable” – anything can happen, and it’s important to view every activity through a security prism.  I counsel everyone with whom I work and deal:  View all activity through security’s prism.  Yes, that bears repeating – and often.

Rather than a burden, it becomes second nature – like fastening a seat belt or locking your door when exiting the house.

To “business” I say:  Take stock of what you’re doing, saying, and exposing on social networking sites.  Many businesses have official social networking sites and more are jumping in all the time.  Employees often exit the “party” of their personal account, and bring the wrong voice to the work account.  Know what employees are saying there; how they’re interacting with customers/clients and potential ones.  Guard against mixing “friending” with “businessing” – have a social networking policy that comports with, and augments, the organization’s Communications Policy, Acceptable Use Policy, Security Policy, Content Management Policy, and any others.

If don’t have each of those, or if you’re a small org, that’s ok – just be certain to cover the bases in whatever general policies you have concerning employee activity and behavior.  If you’re not sure what you have or need, find someone to help you and get liabilities and protections documented and dispersed throughout staff – via communication, training, and hopefully both.

For private individuals, for organizations, now is the time for these reviews, actions, and behaviors.

NP:  John Coltrane, Live at the Village Vanguard, original Impulse! 33rpm LP.

[Note:  You may wish to see Velocity of Risk prior to reading this post]

Recently, a colleague was crafting policy at a satellite organization.  In other words, it was subordinate to a parent organization.  This was not a case of one specific type of company owning another type of company, of a wholly different mission and set of products and services (albeit a common enough occurrence).  This was like-companies providing the same product and service set, but having robust business operations in different physical locations, and one reporting to the higher headquarters.  Futher, headquarters published most policy, with minimal room for local influences or accommodations.

Interestingly enough, the satellite wanted specific policy that was further-reaching than the higher headquarters’ policy.  It involved security.  My colleague was careful to consider that any policy crafted, as a draft, should not violate the “trunk” of the headquarters’ policy.  Further, any additional security measures should be “greenlighted” by headquarters.

And, of course, any satellite policy would have to be approved by the headquarters, wouldn’t it?  “Yes,” replied this IT leader.  Through careful query, I was able to determine that the IT leader felt a liability in his particular environment due to lagging policy on behalf of headquarters, and headquarters’ guidance.  It was his intent to await the next regularized meeting with headquarters to lobby for his local institution of what he felt his superior policy to be.

Absent approval, he at least had a policy that, in the event of a breach or bad outcome, he could pull from a drawer.  Ah ha!  Look what I wanted to do! 

This represents a divide in communication on a couple levels.  1)  He should have called his boss upon completion of the policy.  If the policy had merit, and if he can communicate effectively, he should suggest that the robust policy supplant, or be used to infuse, the headquarters policy for update, with subsequent distribution to the satellites.

Minimally, headquarters should look anew at all security measures:  Solicit input from all satellites.  Collect and evaluate.  Use the occasion to bolster the central headquarters security policies, and distribute.  Consider a degree of local freedom in allowing satellites to make proper adherence of policy to local liabilities and allied protections – all with full knowledge and approval of headquarters, of course.

Why wait?  Velocity is now associated with risk.  Risk does not wait. 

November 4^th:  On this day in 1939, the first air-conditioned automobile was exhibited in Chicago, Illinois.

Let’s examine new scales of risk, weighted outcomes, and what must be done in the face of escalating catastrophes – as delivered by ever more powerful technology.  Over the course of this post and the next two, we’ll fold an examination of BP’s crisis (and ours) back down to the local organization, and what you can learn and do in preventing bad outcomes and in making fast, efficient, recoveries from the truly unforeseen.  To help us, let’s consider the biggest news item of the day – indeed the past month and a half.

This week, the Administration in Washington decided to allow more drilling in shallow water (500 feet or less).  New regulations are in effect, and newly require:

The CEO of the company must certify that a rig and anything happening with it meet all Federal standards.  A professional engineer must be hired by the company to certify that the blow-out preventer works [DS – a blow-out preventer is a device to stop a leak once one begins; details did not include whether the “professional engineer” had to be an independent consultant, or merely someone who might be an insider; the next requirement would seem to indicate the latter].  Requirements also include third-party verification for the status of all blow-out prevention mechanisms.  (Source:  Fox News, The Fox Report with Shepard Smith, Major Garrett reporting, June 8^th,2010).

Almost two months late and a few dollars short.

In seeing the recently released high-resolution video of the leak, James Carville said, “…this is a matter of national security; the Louisiana coast is being invaded right now… literally we’re under invasion from this oil.  And I’m waitin’ for somebody to say, ‘Hey, we’re gonna fight ‘em in the estuaries, we’re gonna fight ‘em on the beaches, we’re gonna fight ‘em in the bayous, we’re gonna fight ‘em in the bays’… I mean, I’m with the Governor here [DS – Louisiana Gov. Jindal], let’s get this thing cranked up here.”  (Source:  CNN, Anderson Cooper 360, James Carville, June 8^th, 2010).

I believe Carville has been on the leading edge of truly understanding and expressing just how dire the situation is in the Gulf.  And at present, the condition is one of Runaway.  The leak is in a runaway condition, whereby one of two things is happening: 

-         No one knows how to stop the leak – or –

-         A method of stopping it is known (or at least suspected), but no one has managed to assemble the resources and team(s) that can deploy the method for stoppage. 

Either way, BP’s own estimates now are that they’re capturing 15,000 barrels of oil a day from the leak.  This leaves as much as 10,000 gallons yet flowing into the Gulf.  This is a factor of 10 in terms of the original estimate for the leak (1,000 barrels/day) – after a nearly two month effort of containment.  The situation is a catastrophe and its true scope and future impact are yet unknown.

What can Business and IT learn from this?  In looking at certain outcomes from disasters, we can recognize that prevention is not some part of a Disaster Recovery Plan, or Business Continuity Plan – it is the goal and the whole of it.  To further illustrate what we mean:  During the Cold War between the old Soviet Union and the U.S., a defacto policy of MAD – Mutually Assured Destruction – held a nuclear exchange and total destruction at bay.  There’s not likely much of a recovery plan post-apocalypse.  Prevention was the goal and indeed whole of the plan – the great driving motivator that influenced all subsequent activity.  An extreme example, to be sure, but a potent one nonetheless. 

I’d like to introduce two concepts at this point that serve the local organization (and would have served BP) quite well:  IDRU (id-roo) and DAPR (dapper). 

IDRU is Inadequacy, Disaster, Runaway and Unrecoverability. 

DAPR is Disaster Awareness, Preparedness and Recovery.

In the case of the BP Gulf oil spill (which is a yield of a failed weave of business and technology), IDRU is presently at play.  There was an Inadequacy of awareness and respect for true risk and condition (given the present outcome, and well-reported disagreements on the rig concerning conditions and risk, there can be no argument regarding inadequacy here).  We have Disaster (again, no argument).  We have Runaway; certainly a runaway condition of spillage is occurring – when humans desire a stoppage of oil leaking into the Gulf, and the flow remains to any degree, we have a runaway condition.

 That brings us to a very scary prospect:  Unrecoverability.

The Gulf will be “cleaned.”  At what cost?  To what degree of “recovery”?  How, and how long, will fish and wildlife be contaminated – and to what intensity?  Will anyone eat seafood caught in the Gulf in the next two years?  Five?  20?  I don’t think anyone can say with certainty at present.  It is truly frightening for anyone who examines the core problem and the tangential effects.

Disaster Recovery – even if perfectly mounted according to human capacities and limits – and associated concepts is not really sufficient here.  DR must be supplanted with DAPR.  Disaster Awareness – true appreciation for the scope of a potential disaster – and preparedness in the sense of prevention (where and as truly possible) is now necessary in an increasing number of arenas.  Yes, there remains a recovery posture for the truly unforeseen; whether accident or deliberate events of harm.  But a new standard of awareness and preparedness in terms of prevention is absolutely essential, given business’ reliance on technology and technology’s vulnerabilities in an imperfect world.  Humans can’t be perfect either, but their record had better improve fast given the realities of The Business-Technology Weave.

It’s easy to look backward and make a couple suggestions:  BP could have shrouded the whole mile-long pipe, blow-out preventer, and well-head in another outer pipe and dome.  Why didn’t they?  Expense.  However, as my father would have said, “Cheap at twice the price,” given what BP will end up paying.  Why not an automatic simultaneous relief well (presently being mounted) for deep water drilling?  Again, cheap at twice the price.  In these cases, it’s not just risk that must be evaluated against the bottom line – the scale of an outcome must weigh into measures of protection and prevention.  

Again, a tenet of The Weave is paramount:   In the realm of risk, unmanaged possibilities become probabilities.  (Note:  We’re not taking issue with deep water drilling vs. shallow drilling that is often prohibited due to environmental regulation.  Our examination is based on the empirical, the observable and meritorious argument; not politics or preferences.  Deep water drilling happens; preventions must be ultimate; lessons must be learned and applied).

For those at the local organization, you must think anew and bring fresh perspectives to assessment for potentials, scales of outcomes, and cost-benefit for outright preventions.  IT folks are going to bear the burden for making these examinations – they naturally lead business counterparts in assessing vulnerabilities to The Weave from technical perspectives – and even from the human perspective (in terms of errors, inadvertent or deliberate harm to content, process, systems, etc.).

I actually sympathize with BP a bit.  They are in the middle of an extreme catastrophe – as are the affected people in the Gulf.  I believe IDRU and DAPR would serve BP, and other “potential BPs”, quite well.  If the concepts serve you, that is good.

And this brings us to the next post… stay tuned.

June 10^th:  On this day in 1910 Howlin’ Wolf (Chester Arthur Burnett) was born.