
NSA’s Domestic Spying Grows As Agency Sweeps Up Data – WSJ.com

Quoted from http://online.wsj.com/article/SB120511973377523845.html?mod=hps_us_whats_news:

NSA’s Domestic Spying Grows As Agency Sweeps Up Data

From the “The price of freedom is eternal vigilance” department comes this article from the front page of today’s Wall Street Journal. This is interesting for me on a number of levels: not only am I responsible for the management of my company’s information assets, I also have a master’s degree in information assurance. I find this truly disturbing. The fourth amendment of the constitution prevents the illegal search and seizure of our property, but in the interest of “national security” the NSA seems to find this notion… inconvenient. Now, honestly, this isn’t anything that hasn’t been happening since before the days when J. Edgar ran the FBI, but this move of “openness”? The NSA effectively states “yeah, we’re monitoring you, and you should probably be careful.” Interesting… I could rave on about this being a fascist plot to oppress the populace by “the man,” but they’re probably already monitoring this blog.


The Two Biggest Lies Told During an Audit…

My wife (an accountant) and I were having a discussion on the way to my dropping her off at her office this morning, and the whole thing struck enough of a chord with me that I thought I'd share my insights with you on the subject (imagine that).

She and her office had just completed a year end audit from their internal audit department, and I'm about to go through the same thing shortly with my yearly GCC (General Computing Compliance) audit.

Apparently the auditor assigned to their case was more concerned about tactics than strategies in performing their audit.

It's been my experience, especially in assessment and audit situations, that the demeanor and background of the folks responsible for audit oversight are every bit as important as the organization and processes being scrutinized during the audit itself.

I've found that the worst personality type to have in audit oversight is a highly structured and detail-oriented individual, someone with a background of requiring compliance in strict accordance with the letter of the law (or internal procedure, as the case may be).

The problem with this approach is that, like most things in life, though rules may be interpreted as binary (0 or 1, black or white), life is not binary; it mostly consists of a continuum, with everything being shades along that continuum.

Such is the case with the assessment or auditing process. The type of auditor that, in my belief, makes the best of these situations is someone with the heart of a teacher: an individual who understands the strategies involved with the process under assessment, understands that situations differ from case to case, and subsequently adjusts to meet the spirit or intent of the process, not the letter of it.

I'm not advocating being sloppy about assessment processes; I'm suggesting that life requires balance. Understanding the spirit of the process and measuring against the objective evidence for assessment is every bit as important as the assessment itself.

I would rather have an organization seek to understand WHY things are measured a particular way, so they can do a better job at improving the QUALITY of the process, than worrying about HOW a particular instrument was implemented to collect data for producing an assessment artifact.

In my own experience I've run across several auditors, but three of them specifically come to mind, and my experience with all three has been if not enjoyable, then at the very least educational. These are all people with the heart of a teacher, professionals interested in seeing organizations succeed during the assessment process while not allowing for sloppy process failures. They come from different organizations and disciplines but all share the same spirit of education.

I've worked with Mary Sakary and Neil Potter from The Process Group for several years in improving the processes on our software development systems, using the CMMI as a model for systems and software process improvements.

Without this spirit of education, auditors can get caught up in HOW data are collected and lose sight of the nature of the control and the risk the process is intended to mitigate. This "tactical" approach can lead to crushing rigidity in organizations, where strict adherence to the letter of the law actually causes processes to fail.

So, as a note, remember WHY you're assessing a process, and understand the risks and the measures needed to mitigate them, instead of getting wrapped around the axle about HOW the data are collected.

So what are the two biggest lies told during an audit?

1. "We're here to help."

2. "We're sorry to see you leave."

Email’s Friendly Fire – WSJ.com

Link: Email’s Friendly Fire – WSJ.com.

You know it, I know it, and anybody who works in an organization knows it.


We are organizationally overrun by email. I’m not talking about the spam we get in our gmail or hotmail accounts. I’m talking about the bread and butter communications used to drive business in the modern workplace.


My organization RUNS on its email; it is the communication fuel that drives just about every interaction with coworkers and customers. But I get on the order of 100 emails a day on a variety of subjects, all coming from coworkers, not spam. “That’s not too bad,” you’re saying, “I get 200 messages a day.” Sound absurd? It’s not; I know for a fact that many of the senior staff in my organization get that many when you count customers as well.


I ran across this article, written by Rebecca Buckman, in today’s Wall Street Journal on organizational software that’s used to sort and filter not spam, but REAL messages. I’m going to take some commentary license and change the purpose of the article, because it focuses on some software that helps organize the inboxes of the driven-down masses.


A couple of things I think are really worth noting here are the messages that are sent out not as messages that require action on the recipient’s part, but rather as what will become known as “colleague spam.”


You know the messages I’m talking about; you’ve seen them, you’ve received them, and you probably, willingly or not, have sent them. They are the messages that have either a superfluous recipient on them because of a CYA factor, or a broadcast message to everyone about “I’ll be on vacation tomorrow…”


Here’s the problem: business and our culture are being inundated with hundreds of pieces of information per day; we are exposed to so much, so fast, so often that having a Blackberry is quickly becoming a requirement in many workplaces.


Buckman writes “Last year, the average corporate email user received 126 messages a day, up 55% from 2003, according to the Radicati Group, a Palo Alto market research firm.”


This all stems from the notion that we’re being more productive. In fact, we are becoming less productive. The fact of the matter is, as Buckman quotes, “By 2009, workers are expecting to spend 41% of their time just managing emails.”


Holy Cow! Nearly 50% of my time managing the influx of messages I’m receiving?! I have to ask myself in those circumstances am I really being productive and giving quality attention to the issues I address?


Many businesses are declaring an occasional “Email Moratorium Day,” where team members use any medium to communicate OTHER than email. Were I to mention an “Email Moratorium” to some individuals (especially at my place of business), it would generate a visceral response, much like a crack addict suffering withdrawal (what does THAT say about this subject?).


Ok, so in most places a moratorium isn’t a practical solution, but there are ways to stem the addiction:


  1. Be really conscious of when and if a message is REALLY necessary (I’m not talking about limiting communication; I’m talking about whether or not the janitor needs to know you have a dentist appointment and won’t be in until noon when you send it to “everybody”).
  2. Does the recipient list on your message really reflect the true audience of the communication, or are you just trying to CYA, or make a power play by sending false bravado to (among others) your boss?
  3. Can your message be more effectively communicated through some other means (like getting up from your desk and walking down the hall; apart from the additional exercise, the communication becomes more personal)? So often email is used as the de facto communication method when the communication requires little more than a phone call or a visit.
  4. Avoid using “Reply to All” whenever possible, and reply only to the original sender; there’s no need to chime in to everybody just to say “Me too.”
  5. Know the limits of what email can provide; if a message is going back and forth between two people like a ping-pong ball, it’s time to pick up the phone or walk down the hall.
  6. Just as with most things in life, apply the Golden Rule: if you don’t appreciate receiving superfluous email, why do you think that others will appreciate yours?

Here’s an excellent link on Email: Do’s and Don’ts from Stephen Wilbers of the Minneapolis Star Tribune.


Thanks very much to Rebecca Buckman of the Wall Street Journal, Stephen Wilbers of the Minneapolis Star Tribune, and Kristin Arnold, author of Email Basics: Practical Tips To Improve Team Communication.


The Office Pessimists May Not Be Lovable, But Are Often Right – WSJ.com

Link: The Office Pessimists May Not Be Lovable, But Are Often Right – WSJ.com.

Ok, I was doing research on another topic when I ran across this article, written by Jared Sandberg, in the Wall Street Journal.

Sandberg’s article asserts (you’ll need to read it for yourself) that "pessimists are more accurate at gauging success and failure rates (than optimists)," and that "evidence shows that pessimism can be highly motivational, as what’s called ‘defensive pessimism’ drives people to achieve their goals."

In my experience, more often than not, this is less of an issue of optimism versus pessimism, and more of a perception of control.

What I mean by that statement is this: I’ve spent an entire career (25 years) in the technology services business in manufacturing. It’s taken me nearly that long to learn the lesson that I don’t CONTROL most of my environment. I might have influence over the people and events around me, but I don’t CONTROL their actions or outcomes.

The ONLY thing I can control in my life is me, my actions, and more specifically my reactions to people and events. When I don’t trust my intuition (and more spiritually, my faith) that things will work out the way they’re supposed to, and I try to control and manipulate people and events to achieve outcomes I perceive as RIGHT, I more often than not fail… miserably.

I’m NOT saying that I sit around in a “Pollyanna,” self-delusional catatonic state, with my fingers plugged in my ears yelling “nah, nah, nah, nah… I don’t hear you!” I can be, at times, fairly pessimistic (just ask my wife).

The key here, in my humble opinion, is balance. It seems to me that it’s easy, when things get tough, to either ignore them, or run around screaming “the sky is falling!” It’s all about understanding the influence an individual has in a given situation, and acting in balance according to that influence.

For example, in a real life illustration, I have a friend whose organization is restructuring, and he finds himself reporting to a new supervisor, one he apparently didn’t see eye-to-eye with the first time they worked together. My friend in these circumstances had NO control over whether or not he was re-assigned. He DOES, however, have control over how he REACTS to the change.

Look, I’m not saying that change is easy; change is hard. But we as individuals have a choice about the attitude we adopt when reacting to crisis. In a study done by the VA on resiliency, the soldiers most likely to survive a traumatic experience like a wartime prison camp were those with certain key characteristics, among them optimism.

So in the end, this is all about balance and being active participants in our own lives. Inaction, whether it’s fostered by optimism OR pessimism, is complacency, and complacency more than anything else will lead to failure.

I’m reminded, again, of the old joke about the man sitting on the stoop of his house during a flood…

As the flood waters were rising, another man in a row boat came by.

The man in the row boat told the man on the stoop to get in and he’d save him. The man on the stoop said no, he had faith in God and would wait for God to save him.

The flood waters kept rising and the man had to go to the second floor of his house.

A man in a motor boat came by and told the man in the house to get in because he had come to rescue him. The man in the house said no thank you. He had perfect faith in God and would wait for God to save him.

The flood waters kept rising. Pretty soon they were up to the man’s roof and he got out on the roof. A helicopter then came by, lowered a rope, and the pilot shouted down to the man on the roof to climb up the rope because the helicopter had come to rescue him. The man wouldn’t get in. He told the pilot that he had faith in God and would wait for God to rescue him.

The flood waters kept rising and the man in the house drowned.

When he got to heaven, he asked God where he went wrong. He told God that he had perfect faith in God, but God had let him drown.

"What more do you want from me?" asked God. "I sent you two boats and a helicopter."

Of co-location and fiduciary responsibility of services…

I’ve been thinking about something the last several days. You know I sit on the board of a couple of non-profit organizations, and we’ve been looking at outsourcing services to other organizations. I also had a discussion about outsourcing with a lunch partner today, and this thought cropped up again.

As outsourcing of mission critical services becomes more and more commonplace, especially in small business where business owners don’t have the means to maintain a dedicated technology staff, I have a question about how service organizations mitigate financial risk from service failures.

In businesses that build and sell widgets, you would typically carry a warranty reserve as a liability on the balance sheet to compensate for the cost of returns from the field. But that doesn’t work in a services business that hosts and maintains mission critical applications (and quite often sensitive private information). What happens if there is a failure that causes a service outage for a length of time (which in many cases isn’t very long), creating a financial impact on the business that relies on the service?

I mean, I’m sure the company backs up, and I’m sure they co-locate their sites.

I’m talking from a financial responsibility perspective: how do they carry a loss of service/information liability on their books? Even a publicly held company’s 10Q mentions service disruption risks as part of their operating model; go ask your CFO if your financial processes account for those service disruption risks on the balance sheet.

Here’s the reason why: any business that provides goods or services has some type of reserve on their balance sheet to cover the liability of a failure in either goods or services.

As part of the T&C of the service agreement, they will make some claim regarding confidentiality, integrity and availability of the information and service. If they fail to meet those T&Cs they’re going to experience a liability. How do they carry that liability (and how much) on their balance sheet?

It’s important to know because we’re entrusting our very private and critical information to a service outside of our control. I’m sure they do their due diligence on backups, but it’s easy in a fast growing business to not keep up with the controls necessary to protect the C/I/A of the information (both from a process and infrastructure perspective).

The single failure cost of loss to a small business could be catastrophic (think loss of either information or unintentional divulgence of information). The company you contract with has some financial responsibility to make you whole (at least in part) because you have the SAME responsibility to your community (think about it this way: if your credit card information was left out on someone’s desk, the cleaning crew came by, took it and ran up thousands of dollars on www.myporn.com, you’d expect the company to attempt to fix the problem, wouldn’t you?).

So the question is, how does the company mitigate that risk? In similar cases the way to transfer the risk is through the purchase of insurance, but you can’t insure against that. So the company has to self-insure by carrying a liability reserve account on their balance sheet. Ok, so now, the company has thousands of clients, right? *IF* there is a failure (in service or process) and *IF* the company doesn’t carry enough of a reserve on their books to compensate their clients for a claim, they can’t (or won’t) attempt to make things right without a fight.

Now, I’m not so naive as to think that we’re going to change anybody’s mind about how any company does their internal risk mitigation or accounting. But if a company has shown enough foresight to put internal controls in place to mitigate financial liability against these types of risks, then there is a good chance that they have enough foresight to place controls in other parts of their corporate governance. And, if they’re a publicly held company, then SOX applies, and they’re being audited on GCC anyway.

Now, before all y’all think that this makes no difference and that I’m tilting at windmills, consider that just in the last couple of weeks Home Depot had a laptop stolen with "the names, home addresses and Social Security numbers of 10,000 employees," AND Iron Mountain, a DATA PROTECTION SERVICES COMPANY, admitted it lost a decade’s worth of bank account data and Social Security numbers for almost all Louisiana college applicants and their parents during a move when a driver apparently failed to follow company security procedures.

None of these were malicious attempts at terrorism; they were simply part of the category of sh** happens.

At the end of the day, how a company’s internal processes address these types of risks is a barometer of where their focus sits.


Bringing ‘Lean’ Principles to Service Industries — HBS Working Knowledge

Link: Bringing ‘Lean’ Principles to Service Industries — HBS Working Knowledge.

In his book "The Machine That Changed the World," Jim Womack, et al. discuss the inception of the "Toyota Production System," which eventually became known as lean manufacturing.

The basic concept is simple (ok, for all you lean experts, I know this is an oversimplification, but give me a break): figure out how long it would take to make something and how much material is needed if everything went according to plan; no delays in assembly, no part shortages, no rework, and so forth. Whatever happens to make that ideal time take longer and use more material is called waste (or muda in Japanese). For example, if I’m making a red Swingline stapler, and I can’t finish an order for a customer because either the red plastic housings were late, or I had to pay an expedite charge to get them on time, or I had to throw a bunch of them out because I ran over them with a forklift, all of that is considered waste.

Waste in a process, any process, is bad; it doesn’t contribute in the least to adding any type of value to the thing you’re making. Waste is also inevitable; you simply can’t get around it. So, the basic notion of lean manufacturing is to remove as much waste from a process as is possible. It’s a balancing act between capacity, quality, and efficiency.

Ok, I said all of that to say this… Over the last 20 years tremendous strides have been made in implementing lean manufacturing concepts in a number of manufacturing settings. What has been lagging behind, dramatically, are similar concepts in “soft” or office processes. Office processes are notoriously fraught with all sorts of waste. When was the last time you waited on a reply to an email on some issue that required an answer prior to completing some other task? I’m not being self-righteous; I engage in waste myself, and waste is unavoidable because we are human and flawed.

That said, small incremental improvements (called kaizen in Japanese) are what is required to move forward. We’re talking evolutionary, not revolutionary. You can’t fix the world all at one time, so how do you, as the cliché goes, eat an elephant? The answer is one bite at a time. That’s what kaizen is all about: making small, incremental and measurable improvements in processes.

In the referenced article from the Harvard Business School, the author Julia Hanna discusses the ideas of bringing lean principles to the office process and services industries. There are so many sectors that need this kind of help; the social services and non-profit sectors are prime candidates for this type of assistance. The non-profit sector is often overworked, but has people with a passion for what they’re doing, and they’re often doing and re-doing tasks over and over again. I’m involved as a board member of two non-profits and see this as an ongoing problem, and for these organizations to succeed, simplifying processes to minimize labor and material, in short waste, is a key business concept.

Trying to make the connection for the office folks is another story, though; it’s often the case that the need for this type of improvement is difficult to communicate effectively if the individuals involved don’t really have a background for it. Also, not all lean principles translate into lean office concepts; some creativity in applying the lean concepts is in order.

This is an excellent article discussing some of the research in implementing lean in an office, and perhaps we’ll see more of it in the social and NPO sectors.

Here are some good references to read:

Wikipedia: Lean Production

SME: Lean Office

Now, I’m off to Poka-Yoke a purchasing process.