Why The Criticizing of Excellence? Because that phrase snaps all criticism into an important perspective: once it’s understood that criticism is going to come, regardless of circumstances, we can recognize that fact, accept it, and deal with it effectively. For most of us, dealing with criticism is not the best part of our day, whether we are dispensing it or receiving it. Poorly managed criticism, and poorly managed critics, can impair a business. If not carefully managed, criticism can set up a negative ping-pong exchange of recriminations, attendant “scoresheets,” and eventual “get even” scenarios. Preventing this sort of atmosphere is far easier than repairing an environment that has been allowed to drift. You don’t want personalities clashing, you must not allow problems between powerful people to be woven into your organization’s fabric, and you must not allow other impairing critics to take root.
Many an organization suffers through the “silo-ing” of departments and the resulting impairment of communication and efficient business. Working through a minefield of political liabilities is what mucks up many good-faith endeavors. That is largely because most people haven’t learned what criticism is really meant to be, and how it is to be used, both in its delivery and in its receipt. When we understand the nature of criticism, we learn to value it. In learning how to value and use criticism, we need to distinguish constructive (justified, valid) criticism from destructive (unjustified, invalid) criticism, and we need to act on criticism to effect the appropriate outcomes.
Why address criticism here? Let’s establish a little background: in a field as challenging, dynamic, and high profile as IT, there is much that presents a ripe target for criticism. At the same time, the pressures faced by Business (the business stakeholders), and their demand for quality support and services, generally mean that Business has a fully stocked quiver of critical arrows. Yet healthy criticism is necessary to the Business-Technology Weave: critical evaluation and communication will be ongoing. This, paired with the challenge of creating, interpreting, and implementing a Business-driven IT strategy, makes it extremely important that we understand criticism and how to wield it. If you’re not making effective use of criticism, you not only lose the positive lever available to a progressive business, you allow a negative, depressive lever to be deployed. Particularly where we suffer divides, and have not yet achieved a proper Business-Technology Weave, there is a tendency to mount criticism from a less than fully informed perspective. Combine that with the natural tendency to bristle at criticism, mix in the resulting impairments, and we have a “perfect storm” formula for significantly diminished returns.
We’ll continue this as a series, and we’ll examine both criticism’s potential dividing force, as well as its proper wield and yield: That is, how to mount appropriate criticism, for contribution to solid business-IT gains.
Business leaders with whom I speak are nervous about security. The recent report that the White House was breached by Chinese hackers doesn’t help their nerves. After all, the breach was characterized as a break into one of our most sensitive networks. The network is used by the White House Military Office for nuclear commands – this according to defense officials.
Many business folks think: “If they can hack the White House, for Gosh sake, they can break us too.”
Not necessarily (and I’ll resist the temptation to evaluate government “efficiency”). You see, this break was characterized as a “spear phishing attack.” Spear phishing relies less on sophisticated technical hacking than on fooling e-mail recipients into divulging confidential information, including login credentials. What distinguishes it from ordinary phishing is the targeting: the message is tailored to a specific person or office, often using details gathered from public sources, and it typically carries a link to a lookalike login page or an attachment that installs malware once opened.
Officials characterize these types of attacks as “not infrequent” – thus you would think that staffers and officials would exercise extreme caution before divulging sensitive information. And yet, we know that human error and misjudgment make up the larger part of breaches and losses. But what of you, and your allied businesses?
Reinforce caution with all employees for every electronic enablement: in-house systems; communications systems such as e-mail; social networks; information disseminated on blogs; live chat windows, and so forth. Ensure that all third parties (vendors, visitors, solutions partners, associates, and so on) understand your security posture and policy.
Keep training efforts regular and up-to-date, and include simulated phishing messages so that staff practice recognizing the real thing rather than merely hearing about it.
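The following is an added example, not code from the original post or from any of the officials quoted: a small Python check that pulls the indicators a spear-phishing message usually carries out of a raw e-mail, so that a help desk or mail gateway can flag it before a recipient acts on it. The trusted-domain list, the sample message and every domain name in it are constructed for the example. The checks are a lookalike sender domain, a Reply-To that diverges from From, a link whose visible text names one host while its href goes to another, and wording that asks for login details.

```python
"""Spear-phishing indicator checks over a raw e-mail (added example; all data constructed)."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organization really sends from: an assumption for this example.
TRUSTED_DOMAINS = {"example.gov", "portal.example.gov"}
# Wording that usually precedes a credential-harvesting link.
CREDENTIAL_PHRASES = ("password", "verify your account", "confirm your login")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def url_host(text):
    """Lowercase host of a URL or bare domain; '' when the text is not URL-like."""
    s = text.strip().lower()
    if not s or " " in s or "." not in s:
        return ""
    if "://" not in s:
        s = "http://" + s
    return urlparse(s).hostname or ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalikes such as exarnple.gov."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True for a domain within two edits of a trusted one that is not itself trusted."""
    return domain not in TRUSTED_DOMAINS and any(
        edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS)


def header_domains(msg, name):
    """Set of address domains in a header such as From or Reply-To (empty if absent)."""
    hdr = msg[name]
    return {a.domain.lower() for a in hdr.addresses} if hdr is not None else set()


def phishing_indicators(raw_message):
    """Return (code, detail) indicators found in a raw RFC 5322 message, in the order found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domains = header_domains(msg, "From")
    reply_domains = header_domains(msg, "Reply-To")
    for d in sorted(from_domains):
        if is_lookalike(d):
            findings.append(("lookalike-sender", d))
    if reply_domains and not (reply_domains & from_domains):
        findings.append(("reply-to-mismatch", ",".join(sorted(reply_domains))))
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        links = _LinkCollector()
        links.feed(content)
        for href, text in links.links:
            shown, actual = url_host(text), url_host(href)
            if shown and actual and shown != actual:  # text names one host, link goes to another
                findings.append(("link-text-mismatch", f"{shown} -> {actual}"))
            if actual and is_lookalike(actual):
                findings.append(("lookalike-link", actual))
    if any(p in content.lower() for p in CREDENTIAL_PHRASES):
        findings.append(("credential-request", "body asks for login details"))
    return findings


# Constructed sample: lookalike sender, divergent Reply-To, disguised link, password pretext.
PHISH_MESSAGE = """\
From: IT Help Desk <helpdesk@exarnple.gov>
Reply-To: helpdesk@portal-verify.example
To: staff@example.gov
Subject: Action required: password expiry
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Verify your account at
<a href="http://portal-example-gov.login-verify.example/auth">https://portal.example.gov/login</a>
within 24 hours or lose access.</p></body></html>
"""
```

Running `phishing_indicators(PHISH_MESSAGE)` yields four findings: the sender domain is two edits from a trusted one, the Reply-To goes elsewhere, the link text shows portal.example.gov while the href goes to another host, and the body asks about a password. The lookalike test is deliberately crude; a gateway would also normalize homoglyphs and consult the SPF and DKIM results the receiving mail server attaches. None of this replaces the training the post calls for, since the recipient still decides whether to click.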
If the White House is listening: Please fix this fast. A former intelligence official who is familiar with the breached office says, “This is the most sensitive office in the U.S. government. A compromise there would cause grave strategic damage to the United States.”
Now Playing: Grateful Dead, Terrapin Station – vinyl, Nautilus SuperDisc. Carver C1; Carver M-500t; Thorens TD-125, Shure v15v xMR.
A business system recently came to my attention that had a number of ambiguous paths and choices – it was difficult to know what to click in order to proceed. The system is a core, mission-critical, business system at a “big box” retailer.
As to the ambiguities, consider this: When ordering a major product for a customer (in terms of size and cost), a model number is entered – after calling up an existing customer record or creating a new one. Once the product is added as a line to the order, the user is confronted with two buttons: “Order Product” at center-bottom of screen, and “Continue” at bottom-right. Hmmm…
Now, after undergoing a modicum of training, and with some acclimation to the system, a user knows to click “Continue” in order to complete the order; and knows to click “Order Product” to add another line item (another specific product) to the order. However, for new employees, the system can be cumbersome and arcane. Here, it would be an easy enough job for any business analyst to view the system through the user’s eyes: The “Order Product” button can just as easily be marked as “Add Another Item” or “Add Another Product.” Once all products are added, it is quite intuitive to click the “Continue” button to move the order along to completion. Much easier on the users, and a better match of easy-to-understand screens in match to training.
Another area of the system has a template for filling in very complex products. One example: carpeting. Here, specifications (and fields) include Type (loop, pattern, texture, twist), Color, Brand, Fiber, and other qualifiers. However, a system anomaly exists here: the more comprehensively you fill the template, the more likely you are to receive a system error! In fact, it’s best to fill one field, and to proceed through a more cumbersome (and, under usual circumstances, more inefficient) path to ultimate resolution of ordering carpet.
I see breakages and ambiguities like this all the time in the course of my consultations. I hear complaints from business people quite frequently. Here, IT needs to build applications and associated designs while imagining the business-class user’s negotiation of the system – to a business end. It’s really not that difficult.
To business folks: When participating as a stakeholder, and partnering with an IT counterpart, listen to what you’re saying through their ears, and be aware of what may be ambiguous to them. Smash ambiguity – be specific in how systems are to work, how systems are to look.
To IT folks: Design and exercise beta versions from business’ perspective, and watch for ambiguous and broken paths and procedures.
It’s easy to do with a little practice – and well worth it.
Now Playing: John Lee Hooker, Endless Boogie, original (commercial) open-reel tape, 3 ¾ IPS.
A social network user suffered a federal criminal prosecution in 2008 for violating the site’s terms of service. The prosecution was grounded in the theory that breaching a private company’s terms and conditions made the user’s access “unauthorized” under the federal Computer Fraud and Abuse Act, in effect incorporating those terms into the federal criminal code, and it proceeded without any court having previously settled that terms of service carried such standing.
The trial court held that this interpretation could not withstand constitutional challenge (a statute under which any terms-of-service violation is a crime would be unconstitutionally vague), and entered a judgment of acquittal. Further, the U.S. Justice Department, which is the executive-branch authority that brings such prosecutions rather than a court that rules on them, now holds that these sorts of prosecutions will not be attempted.
Commercial sites collect and analyze data about their customers for marketing, service, and sales. Mere visitors may also have data collected about them. A site that publishes a privacy policy is held to it: the policy must describe the types of data collected and the purposes for their collection and use, and the site must then do what it says. On the federal level, the Federal Trade Commission (FTC), under its authority over unfair and deceptive practices, pursues sites that violate consumer privacy or that mislead consumers by describing uses of data, and protections for it, that do not reflect actual practice. At the state level, attorneys general enforce their states’ consumer protection laws in the same way.
What of children? They are consumers of web services too, just by virtue of “surfing” the web. The Children’s Online Privacy Protection Act (COPPA) provides an extra measure of protection for children under 13. A website that is “directed to children,” or whose operator has actual knowledge that it is collecting personal information from children, must not do so without verifiable parental consent. The statute gives no bright-line test for “directed to children”; the FTC’s implementing rule lists factors it weighs (subject matter, visual content, language, the age of models, and evidence about the site’s actual audience), and in practice the FTC, as COPPA’s enforcer, has read the phrase as meaning “directed primarily to children.”
Now Playing: Brubeck, Time Out.
It may surprise some readers that the Federalist Papers were written anonymously; they were published and signed as “PUBLIUS.” James Madison, John Jay, and Alexander Hamilton shared this pseudonym across the 85 essays supporting ratification of the U.S. Constitution.
More recently, the State of Ohio and its legislature attempted to ban anonymous political literature. The law was struck down by the U.S. Supreme Court, which stated: “The right to remain anonymous may be abused when it shields fraudulent conduct. But… in general, our society accords greater weight to the value of free speech than to the dangers of its misuse.”
That’s an important recognition and right. But recognize this too: the right is not absolute, and there is no guarantee of anonymity online.
At the same time, a certain de facto anonymity can exist and is quite common. Many forums, blogs, news sites, etc., allow login and submission for anonymous posting. One can also submit pseudonymously through simple account or free-mail creation. Yet a practical means of identification still exists. For example, an aggrieved party can contact a forum’s host, which checks the IP address from which a user posted; the ISP that owns that address can then be contacted, and its logs can at least narrow the search considerably. This can be employed upon discovery of violation of intellectual property rights, defamatory comments, criminal activity, and so on. Note the limits: the address may belong to a shared connection, a corporate or carrier NAT, a VPN, or Tor, and the logs at each hop are retained only for a time, so the trail can stop short of an individual.
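As an added example (not from the original post), here is the trail just described carried out over constructed logs in Python: the forum operator takes the post’s recorded creation time, finds the client address that submitted a post in that window, and the ISP matches that address and time against its lease history. The access log, the lease table, the account identifiers and the hypothetical forum.example host are all made up for the example. It also shows the step where such traces most often go wrong: the host logs local time with an offset, the ISP keeps UTC, and misreading one as the other names the previous holder of a dynamically assigned address.

```python
"""Tracing a pseudonymous post through host and ISP logs (added example; all data constructed)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed Apache combined-format access log from a hypothetical forum host (local time, UTC-5).
ACCESS_LOG = """\
203.0.113.7 - - [14/Nov/2012:09:02:11 -0500] "GET /forum/thread/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Nov/2012:09:03:40 -0500] "POST /forum/post HTTP/1.1" 302 0 "http://forum.example/thread/42" "Mozilla/5.0"
198.51.100.23 - - [14/Nov/2012:09:03:41 -0500] "GET /forum/thread/42 HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Nov/2012:09:05:02 -0500] "POST /forum/post HTTP/1.1" 302 0 "http://forum.example/thread/42" "Mozilla/5.0"
"""

# Constructed ISP DHCP lease history: (ip, lease start UTC, lease end UTC, subscriber account).
ISP_LEASES = [
    ("198.51.100.23", "2012-11-13T22:10:00Z", "2012-11-14T10:10:00Z", "acct-5512"),
    ("198.51.100.23", "2012-11-14T10:10:00Z", "2012-11-14T22:10:00Z", "acct-8830"),
    ("203.0.113.7", "2012-11-14T08:00:00Z", "2012-11-14T20:00:00Z", "acct-1047"),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_iso_utc(text):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ' into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_access_log(text):
    """Parse combined-format lines; timestamps are normalized to UTC using the logged offset."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        rows.append({"ip": m["ip"], "ts": ts, "method": m["method"], "path": m["path"]})
    return rows


def candidate_ips(rows, post_created_utc, window_seconds=30):
    """IPs that submitted a post within the window around the forum's recorded creation time."""
    window = timedelta(seconds=window_seconds)
    return sorted({r["ip"] for r in rows
                   if r["method"] == "POST" and r["path"] == "/forum/post"
                   and abs(r["ts"] - post_created_utc) <= window})


def subscribers_for(ip, when_utc, leases=ISP_LEASES):
    """Accounts holding `ip` at `when_utc` per the ISP lease history (may be none or several)."""
    return [acct for lip, start, end, acct in leases
            if lip == ip and parse_iso_utc(start) <= when_utc < parse_iso_utc(end)]


def trace_post(post_created_utc, access_log=ACCESS_LOG, leases=ISP_LEASES):
    """Map each candidate IP to the subscriber accounts that held it when the post was made."""
    rows = parse_access_log(access_log)
    return {ip: subscribers_for(ip, post_created_utc, leases)
            for ip in candidate_ips(rows, post_created_utc)}


# The forum's database records the post in question (constructed) as created at 14:03:40 UTC.
POST_CREATED = parse_iso_utc("2012-11-14T14:03:40Z")

if __name__ == "__main__":
    print(trace_post(POST_CREATED))  # {'198.51.100.23': ['acct-8830']}
    # The classic mistake: reading the host's local 09:03:40 as if it were UTC names the
    # previous lease holder of the same address, i.e. the wrong subscriber.
    print(subscribers_for("198.51.100.23", parse_iso_utc("2012-11-14T09:03:40Z")))  # ['acct-5512']
```

Two design points carry over to real cases. The correlation window is narrow on purpose: widening it to a couple of minutes pulls in the second poster’s address as well, and the forum’s own post table (which usually stores the poster’s IP directly) should be preferred over access-log timing when it exists. And a lease lookup is only as good as the address being unique: behind a carrier-grade NAT the ISP also needs the source port, and behind a VPN or Tor exit the address belongs to someone else entirely.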
Fortunately, there are state and federal laws that help to discourage invasions of privacy online. The Electronic Communications Privacy Act (ECPA) prohibits the interception of electronic communications in transit and, through its Stored Communications Act provisions, unauthorized access to communications held by a service provider. The Computer Fraud and Abuse Act (CFAA) makes it illegal to access any “protected computer” without authorization or in excess of authorized access. Then there is the CAN-SPAM Act, which requires commercial e-mail to carry a working opt-out mechanism (honored within ten business days), accurate header and subject information, identification as an advertisement where applicable, and the sender’s physical postal address.
Fortunately, most states now have data breach notification laws. A company that holds individuals’ personal information must notify the affected individuals when that information is breached, and in many states must notify the state attorney general as well. The details vary by statute: what counts as personal information (typically a name combined with a Social Security, driver’s license, or financial account number), whether encrypted data is exempt, the notification deadline, and whether a risk-of-harm threshold applies. There is no general-purpose federal breach notification law; sector rules such as HIPAA’s apply only to their own kinds of data.
We’ll continue in the coming days…
Now Playing: Josh White sings Ballads – Blues; original 1957 pressing of this LP on Elektra. Carver C-1; Carver M-500t; Thorens TD-125 w/ Shure v15v xMR. Peerless in Jensen cabs.
It’s rather interesting to monitor what’s happening in the UK right now. Data protection legislation is moving forward. And… business there supports data protection legislation.
A Sophos survey of 1,200 businesses indicates that those businesses are concerned about the strength of the laws: nearly 50% feel that the laws are weak and require revision, and 87% believe that organizations should be required to divulge breaches of sensitive content where information about the public is involved.
Here in the U.S., I rather doubt business is keen on more legislative oversight. Generally speaking, I’m wary of new legislation – new laws must be thoroughly reviewed so as to guard against unintended – and negative – consequences, particularly where business is concerned. In today’s economy, we don’t want to impinge businesses’ opportunities for hearty conduct and growth.
However, I do like the breach notification idea. It serves a couple purposes that come readily to mind:
– Stakeholders (the public, customers, allied agencies…) are entitled to know about breaches that affect them, or ones that just have the potential to affect the general well-being of the business.
– Also, healthy exposure, and even the prospect of it, helps motivate a business to keep its ongoing security measures current.
Particularly for small/medium business, and smaller government agencies such as those at county/municipality level: do you have in-house security professionals who scan the horizon for new threats, with an attendant posture of proactivity? And (or) do you have strong security partners in the form of vendors and allied security products?
How do readers here feel about it? Would you welcome new legislation? Are you confident regarding security in your organization?
The Washington Post recently reported that foreign hackers disabled a pump at an Illinois water plant last week, according to a preliminary state report.
If the source of the attack is confirmed as foreign, it will be the first known foreign attack on a critical public (that is, societal) support in this country: water, power, communications, and other essentials such as policing and emergency services. (A caution that applies to every “preliminary” report: in this instance the federal investigation that followed found no intrusion at all; the logon from a Russian address was a plant contractor traveling abroad, and the pump failure was unrelated.)
There have been many hacks and harmful incidents of various scope in years past, of course. However, those were squarely within the realm of information’s confidentiality, integrity, or availability: incidents involving theft of content, its destruction or corruption, or the interruption of access to it by taking down websites.
But now, there are entirely new vulnerabilities faced by our government, and subsequently you and your organization. Any org relies on the steady reliability of public infrastructures and enablements – and we’ve discussed those here in the past. But what of more mundane, and perhaps likely, concerns for the average organization?
Threats are becoming more sophisticated, and in many cases eclipsing the status of security in even the most “sophisticated” environments (relatively speaking). What your organization must do is to survey your entire “security bouquet” prior to something that is certain to happen: Hacktivists, and just general miscreants, are going to shop for companies, agencies, and groups that they can “take down.” It will be sport. It will be an attempt to gain mention on the daily news cycle.
Why? Because if people can do it, they generally will.
Begin with a review of your Acceptable Use Policy (AUP): make certain people in your organization are not opening security vulnerabilities. Then review your Mobile Policy. Folks shouldn’t be using work resources to spend time on nefarious sites, nor should they correspond with strangers (new “friends” outside of any business context) using domain credentials, including their plain work e-mail address. If your org has a Bring Your Own Device (BYOD) Policy, ensure that it is updated to support the AUP, the Mobile Policy, and all other security policies and documentation sets.
They also shouldn’t be posting comments to boards or articles under domain credentials (what is being done in the name of your domain?) that could bring the wrong kind of attention to your organization. Further, when they are on legitimate sites, such as professional support forums, they should take care not to run afoul of the Terms of Service, nor should they be argumentative or abusive: a forum member who decides to seek retribution can readily attempt a “take-down” of some element of your domain, a denial-of-service attack on your public website being the commonest form.
Review all security policies, and establish a monthly or quarterly security refresher training. All actions and activities should be viewed through security’s prism.
Make everyone in the organization a virtual security officer.
Whether we wish it or not, our lives are becoming ever more open, and the most intimate details of our personal lives are being made available in a very public way. Apps capture and compile information about our likes and dislikes, our shopping habits, where we go and how, etc.
If you use social networking, such as the seemingly ubiquitous Facebook, it’s not just what you choose to share – it’s also what your friends post and discuss about you. Even if you eschew social networking, we’re on store cams – “smart” cameras increasingly equipped with facial recognition. Even our property is not immune from a privacy intrusion of sorts: entities such as Google are photographing it, from cars and satellites no less.
Imagine this: You’re walking through town, a smartphone at your waist – facing front. It scans, captures and processes the faces streaming past you. You not only capture who they are, their names, but where they live, and work. You can know their interests, their professional associates and friends, as well as their educational and any criminal background.
Consider this: It is thought that most under-30 police officers have Facebook pages. Does this inhibit undercover police work? What of the future?
In the coming days, we’ll explore areas where a certain anonymity may be granted (and therefore an expectation of online privacy), and conditions whereby anonymity may be broken. That is undergoing a bit of research on my part, and we’ll pick this “thread” back up in the coming days…
[Note: These are my present understandings regarding specific areas of internet law; you will want to vet this material to your own satisfaction, and will also need to monitor this ever-changing environment. – DS]
Many readers here will be aware of the internet’s beginnings: the Advanced Research Projects Agency (ARPA, renamed DARPA in 1972), part of the Department of Defense, funded the research of the 1960s that produced the ARPANET, first operational in 1969, and the TCP/IP protocols the ARPANET adopted in 1983 are the ones today’s Internet still runs on.
By 1991, an internet beyond governmental development was operating on the NSFNET backbone, serving a largely academic user base; restrictions on commercial traffic were lifted over the following years, and that infrastructure evolved into the widespread commercial use we see today.
In examining the period comprising the early 1990s onward and the Internet’s associated use, we can realize that Internet law has had a generation to develop. Of particular interest to both individual users and business are National and International laws regulating the Internet’s use – here we’ll concentrate on two things: 1) Online contracts and 2) Privacy.
Changing Terms: An important principle to understand:
Hardcopy Contracts, Purchase Orders, Requests for Proposals (RFPs), etc.
Be aware of an emerging trend and practice: Increasingly, organizations are issuing hard-copy form contracts and other similar documentation that do not have all terms and conditions printed on them. Instead, they incorporate these by reference to the organization’s website. The date of the hardcopy item, with associated signatures, determines which version of the posted terms and conditions applies. Watch for this situation to supplant “fine print,” comprehensive, contracts and documents. Hardcopy forms don’t have to be changed as often when “offloading” the details to a web reference.
This sort of “hybrid” documentation has been challenged on the grounds that specific terms and conditions are not sufficiently conspicuous. However, courts have already upheld the validity of these incorporations by reference; the document need only clearly identify the website and state that the provisions posted there govern. The practical caveat for anyone signing such a document: since the posted terms can be revised, save a dated copy of the version in force on the signing date, because that is the version that will be argued over later.
Next Up: Online Privacy.
According to the security firm Rapid7, approximately 94 million personal records of Americans have been exposed by government agencies since 2009 – those that we know about, that is.
There are likely even more, given the fact that many states do not require agencies to report breaches.
As to the Feds: according to a recent Government Accountability Office (GAO) report, 18 of 24 surveyed federal agencies had poor security controls, deemed not of sufficient standard for securing our personal information.
Private business has nothing to brag about either. Breaches were up 58% in 2011 over 2010, and 2012 will beat last year.
None of this surprises me: from a recent visit, I know for certain that a high-profile Fortune 100 firm simply does not enforce its policy requiring all users to log out of computer systems at end of day, or during extended absences from their desks and work areas. It’s rather extraordinary: people who are gone for the day remain logged in throughout the office, with a variety of proprietary, confidential, client, and personal information displayed. So much for systems that employ individual and group permissions, and the access controls that go with them. (Lest anyone wonder why automatic logouts, or at least an idle-session screen lock, are not employed, I wonder too; either can be enforced centrally through group policy rather than left to user habit.)
IdentityForce estimates that 86% of data breaches are not IT-related (that is, due to faults within IT systems, processes, or protections), but rather are due to lapses of policy and training.
It has always been my view that matters of human error, and simple lack of care, are the better part of so-called “breaches” – and in those instances are better described as data exposures. Regardless, organizations seem to be at increasing risk, rather than decreasing, for allowing sensitive data to reach the wrong parties.
Is your organization at risk? It’s time for a survey – even if you feel you’re fairly tight. Survey your environment, and you can pretty much figure that your Acceptable Use, Security, and Disaster Recovery plans, policies and postures are due for modernization and updating.
Then train your personnel for appropriate behaviors and contingencies… essentially, today, everyone should be a virtual security officer…
Keep this important Business-Technology Weave (BTW) tenet in mind: in the realm of risk, unmanaged possibilities become probabilities.