Why rely on one guess about what the future holds?
I once worked with a mid-sized bank with some decidedly odd ideas, my favorite of which was their emergency relocation plan for their headquarters. When disaster struck, their plan was to move – to a different part of the headquarters building.
The building was large for the small town in which it lay, but enormous it was not. Innocently, we asked what they would do if the entire building were affected. The question was not relevant, they replied. They had fireproof doors and sprinklers. An emergency affecting the entire building was impossible.
Tempting fate and other silly ideas
Overreliance on one scenario, the most likely, leads to some weird decisions – like the aforementioned bank’s. Why not accept that the future is hard to predict and create more than one scenario? Odds are that the bank will never face an emergency that closes their headquarters, but what if it did?
The bank’s mistake is common. They are no more foolish than the people who built the Titanic were when they famously divided the ship’s hull into sixteen watertight compartments. Under the most likely scenario, sixteen compartments would have been more than enough. The ship did not encounter the most likely scenario, however, and sixteen compartments were not enough. Might sufficient lifeboats have been a good idea? Should the bank think through an alternative to its current plan?
Does having only one plan make you any more successful? More handsome? Better at golf?
A CEO I spoke with this week had a refreshingly different take on using multiple scenarios. If only, he said, someone had asked them what their most dangerous scenario was back in 2007, when they were planning on the basis of five years of 50% growth. Having a most dangerous scenario might have spurred a moment’s thought about what their plans would cost if their expectations were not met.
Capturing a few ideas on paper about how to react if the going gets tough makes creating alternate plans much easier than having to invent them out of thin air – under stress.
If only ignoring business risks was more fun – and profitable
The silliest part of the bank’s story is that managing their risk is not expensive. All they need to do is look at the problem. Their data is probably backed up off site. Their staff probably take their laptops home at night. The big challenge probably is going to be communications.
There’s no fun in ignoring risks like the one above – and no money to make by running them. The savings gained by not holding a few meetings or thinking a few scenarios through are minimal compared to the potential downside. So why do we do it?
… integrating it into operations can be tough.
Your organization has a mission and it is probably not risk management. Schools exist to teach, manufacturers exist to make things, and service providers exist to provide services. Accept that risk management is just one of many things that need to get done so that the teaching, making, and service providing can happen. How do you avoid the fate of all the other people who want a piece of everyone’s time, but do not get it?
Face the facts
A common mistake among specialists is believing that the world revolves around what we do. Shaking our heads, we commiserate together that they, whoever they are, “just don’t get it”. The less attractive truth might be that we are the problem, not them. It would be comical if it were not so common. If they are not listening, we, not they, may need to take a different approach.
Management commitment is essential, but it needs to be used sparingly. Threatening to tell the teacher did not make you many friends in school and it will not save your bacon here either. A customer I once worked for told another consultant, “Oh, yeah? Well, our boss says a lot of things. I’ll wait for him to come and tell me to do it.” The only good thing about the situation was that I was young enough to take note and learn. Use management support as a supplementary tool, not a trump card.
Take human bites
Accept that your organization is not going to master risk management overnight. The guys in finance who think risk management is purely a financial task may never come around. Operations will grumble about having an extra task to squeeze into tight schedules. Not everyone will be a fan from day one.
Scary as it may sound, most places need to start with figuring out who works where and getting their current contact information, next of kin, and so forth. Outsourcing means a simple staff list is no longer enough. How do you reach everyone who matters, but is not a direct employee? Getting all of the information and keeping it updated is no small task.
Listen
Talk to the people who have to manage the risks and listen to them. Odds are that they understand why risk management is important. Storytelling is an excellent tool – and the key may be to get them to tell their stories instead of telling your own. Their stories can help convince them of the need, as long as you can help them with the implementation.
A plant manager without the time to implement risk management once told me about a neighbor from ten blocks away who walked into the plant after an accident. He brought with him huge metal chunks from a machine that had blown up on the site – chunks which he had dug out of his driveway. The story was a perfect opportunity to walk the manager through how he could have handled the accident and how he could use the tools we were providing.
Do not blame the user
Change takes time and all implementation processes require patience. The process may need adjusting. Resistance can be useful if it shows you a better way to implement your solution. Some things need repeating, and often repeating in different ways, before they sink in. This is true even if you get the overwhelming urge to scream, “that’s what I’ve been telling you!” Resist that urge, if you can.
It’s all about the basics
Almost any professional golf or tennis coach will tell you that they spend most of their time teaching the basics. Golfers forget to keep their heads down. Tennis players fail to follow through. No one, no matter what the sport, seems to remember that footwork is key.
Regular readers know that this site is less than impressed with the threat presented by Russian internet mafia syndicates or potential Chinese cyberterrorists, state-sponsored or otherwise. Both groups are perfectly unsavory, but the fact is that they are usually a much smaller threat to us than we are to ourselves.
So simple, yet so hard to remember
Many IT-security specialists will tell you that for all the fortunes we spend on technology, a surprisingly large number of audits reveal former employees, who left months and even years prior, who still have enabled accounts and valid passwords. We can speculate on why coordinating with HR is harder than sending checks to vendors, but the task, though uncomplicated, gets left undone. The check itself is nothing more than reconciling the directory against the HR roster: any enabled account whose owner has left, or whom HR has never heard of, is a finding, and so is any account nobody has used in months.
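The reconciliation described above, written out as an added example that is not part of the original post. The HR roster, the directory export, the usernames and the dates are all constructed for illustration; in practice the roster comes from the HR system and the account list from a directory export, and both are assumed to key on the same username.

```python
"""Added example: reconcile an HR roster with a directory export to flag
orphaned accounts (owner has left, or unknown to HR) and dormant accounts
(not used within a cut-off). All data below is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    last_logon: Optional[date]  # None means the account has never logged on


# Constructed HR roster: username -> leaving date, or None if still employed.
HR_ROSTER = {
    "asmith": None,
    "bjones": date(2009, 11, 30),
    "cwang": None,
    "dlee": date(2008, 3, 15),
}

# Constructed directory export. "vendor01" has no owner on the HR roster at all.
DIRECTORY = [
    Account("asmith", True, date(2010, 6, 1)),
    Account("bjones", True, date(2010, 2, 3)),   # used after the owner left
    Account("cwang", True, date(2010, 1, 10)),   # still employed, but idle
    Account("dlee", False, date(2008, 3, 14)),   # disabled on departure: fine
    Account("vendor01", True, None),             # never used, no HR owner
]


def find_orphaned_accounts(accounts, roster):
    """Enabled accounts whose owner has left or whom HR has never heard of.

    Returns username -> reason so the report explains each finding."""
    findings = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.username not in roster:
            findings[acct.username] = "no owner on HR roster"
        elif roster[acct.username] is not None:
            findings[acct.username] = f"owner left {roster[acct.username].isoformat()}"
    return findings


def find_dormant_accounts(accounts, today, max_idle_days=90):
    """Enabled accounts not used within max_idle_days, including never-used ones."""
    cutoff = today - timedelta(days=max_idle_days)
    findings = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.last_logon is None:
            findings[acct.username] = "never logged on"
        elif acct.last_logon < cutoff:
            findings[acct.username] = f"last logon {acct.last_logon.isoformat()}"
    return findings


def audit(accounts=DIRECTORY, roster=HR_ROSTER, today=date(2010, 6, 15)):
    """Run both checks. An orphaned account is reported even when it is
    active: a departed user's account that is still in use is the worse finding."""
    return {
        "orphaned": find_orphaned_accounts(accounts, roster),
        "dormant": find_dormant_accounts(accounts, today),
    }


if __name__ == "__main__":
    for category, findings in audit().items():
        print(category)
        for user, reason in sorted(findings.items()):
            print(f"  {user}: {reason}")
```

The two checks are kept separate on purpose: the orphaned list is the one HR can act on directly, while the dormant list needs a conversation with the account owner (or, for accounts with no owner, with whoever requested them). The idle cut-off is a parameter because the right value depends on the population; a sales force that travels will look dormant at 30 days and a service account never logs on interactively at all.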
H1N1 sent a shiver of excitement through offices worldwide last year, but the real story ought to be the depressing level of unpreparedness. It was demoralizing to see how many clients needed to start their preparations with tasks as basic as updating their telephone lists. Lots of companies spent a long time figuring out who was responsible for doing what. It was basic stuff.
What to do?
Focus on the basics. It is interesting to see how often you can predict whether a player will score a basketball free throw by watching whether they bend their knees and follow through. The same was true for penalties at the World Cup. Players who put their bodies over the ball generally put enough power behind the shot to leave the goalie helpless. Both sports teach these techniques to kids who are still learning to read. It is basic stuff.
The basics may be easier to learn than they are to remember. We are mistaken when we think that once we understand something, we can shift our focus to something we do not. Checklists help, but the most important thing may be having the humility to stop and check that we are doing the basics right. While you are at it, remember to drink some water and check your shoelaces.
Why Plan B – and the means to execute it – matter
The zipper was invented to fasten shoes. Columbus left Spain looking for the Far East. Apple spent a fortune on the Newton. Sometimes good ideas do not work out exactly the way we expect they will. Decades after the first patent, the zipper became a hit. Columbus’s failure to reach the Orient turned out rather well for Spain and the Europeans. Apple went on to put the lessons from the Newton to rather good use.
What we do when things do not go exactly to plan matters.
A big IT-portal project I once worked on sank a small fortune into development without once showing the concept to the users for whom it was intended. Better yet, the entire budget was scheduled to be used before the launch, with just a small amount set aside to fix whatever glitches turned up. No prizes for guessing the user feedback – or the tone of the subsequent discussions among all the parties involved in its development. It was not pretty.
The alternative was obvious to many of us working on the project. Involving the user would have been a good idea, clearly, but even more important was the need for a budget to pay for changes. All the customer research in the world cannot predict the future with complete accuracy; it is how the future works.
Business plans are plans – and plans never go exactly the way you think they will.
Helmuth von Moltke the Elder said that no plan survives first contact with the enemy, and if one of the smartest people ever to write about how to plan things said so, it ought to be enough for anyone. You can plan all you want, buy the best market analysis ever conducted, but the odds of everything going exactly as planned are, well, ask Steve Jobs.
The smart automaker in late 1990s America was making big SUVs as fast as possible. Who cared about fuel economy? But even if one accepted this, did it mean that every single designer at GM had to work on SUVs? What if the future was not the SUV? Why place all your eggs in one basket?
So you can’t afford a Plan B?
The answer is the opposite. You cannot afford not to have a Plan B. It does not have to be as expensive as the original plan, but it does take some thought – and usually some money. What will you do if your intended customers are not interested in your new product? Will you develop a new product or find different customers? Can you make adjustments that will solve the problem?
What if everything goes right?
Congratulate yourselves and count your blessings. Odds are it will not happen exactly the same way next time. Put aside some of what you make now for when the next plan goes awry. Call it a reserve; reserves come in ever so handy when the unexpected happens.
What is your Plan B – and do you have the means to execute it?
Tomorrow’s competition may not be who you think
Surprises are hard to predict. This may seem obvious, but what children understand, adults often refuse to believe. Disruptive innovations show a pattern of surprising us when they should not. This is silly, but silly or not, established firms miss the pattern over and over.
The competitors we fear usually do what we do. They look the way we expect them to look and are therefore easy to recognize. They may do what we do better or slightly differently from us. They may do it for different customers. Generally, however, they do more or less what we do – and this is why the threat that will turn our industry upside down is usually one we miss.
IBM’s mainframe division saw the other mainframe makers as their competition, not the mini-computer. Harley Davidson did not see Honda’s little scooters as a threat. GM shrugged at the Toyota Corolla. These were all costly mistakes and ones we are just as likely to commit.
Who is the disruptive threat?
Your direct competitors are unlikely to upset your business model because like you, they are focused on doing what they do as efficiently as possible. The disruptive threat will likely come from below. To quote Clayton Christensen, usually it will be something simpler, cheaper, and more reliable. More likely than not, you will overlook it.
The reason why we overlook these threats is because they are different. Established firms tend to move upmarket over time, looking for bigger margins. We add “value” to our products to justify higher prices. We sell more add-ons, layer on more luxury. Like GM, we forget that sometimes people just want to get from A to B without consuming a supertanker full of gas and they may not need electric windows.
How do you counter the disruptive threat?
Fending off the disruptive threat is tougher than you would think. IBM fired tens of thousands of employees and tore their corporate culture apart to survive the upheavals in their industry. Scarier still, they were one of the fortunate ones that survived. The shipbuilding industry in the west was not so lucky, nor were the steel makers. It is a difficult task.
The first step is to be on the lookout – and to take a good look in the mirror. How much more complexity can you add to your product before it is merely icing on the cake? Can your customers do what they need to do with less than you are giving them?
The disruptive threat is probably underneath you
Who is selling the discount version of what you do? Why does it not do enough to capture your market? What will it take for them to make up the difference? What will the warning signs look like if they start stealing your customers? Will you recognize them? Will it be your small customers first? Will it be your customers with less complicated needs or tighter budgets? Do you know who they are?
Will you see the threat coming?
—
Christensen, Clayton M., The Innovator’s Dilemma, HarperCollins, New York, 2000, p.220
Your ground-breaking innovation is more likely to be ignored than copied
Some risks are smaller than they seem – and having someone run off with your revolutionary innovation is one of them. Small improvements and changes are usually copied quickly, but the disruptive changes are not, even if you think they should be. Simply put, your blinding flash of the obvious is not always obvious to everyone else. If it was, they would have seen it too.
The fact that they have not seen how obvious your idea is usually has one or more perfectly sensible explanations, like those proposed by Clayton Christensen. The established firms are seldom stupid. They have merely focused their efforts differently, on different market segments, business models, processes, and so forth. Instead of worrying about whether your great, big idea will be stolen, the situation might be quite the opposite.
“Perhaps the most powerful protection that small entrant firms enjoy as they build the emerging markets for disruptive technologies is that they are doing something that it simply does not make sense for the established leaders to do.”
Christensen, Clayton M., The Innovator’s Dilemma, HarperCollins, New York, 2000, p.260
Jeff Atwood may have put it best, when he said something along the lines of how if your idea was good enough, you would have to stuff it down people’s throats. Stop focusing on your worries and get to work!
Do you even know how your firm will react?
Change is a constant. Steady, constant change forces firms to continuously update their products and processes, but the sudden disruptions caused by major new innovations can present a completely different task. Markets and business models can be turned upside down, destroying some firms and creating others almost overnight. Simply put, the risks can be huge.
Managing disruptive innovations presents big challenges and they can be even harder to manage at established firms. The latter tend to be stable, mature, experienced, and therefore particularly vulnerable when conditions require agility, experimentation, and risk-taking. Many managers realize this, but find themselves powerless.
Work With, Not Against the Organization
The answer may lie not in changing the characteristics of their firms, but in working with them. The first step is usually to recognize those characteristics, and Clayton M. Christensen famously laid out five such principles in his book, The Innovator’s Dilemma. Paraphrased, they go something like this:
1. “The customer is king” is more than a slogan; like gravity, it’s the law. If your customers do not want the disruptive innovation, be aware that you will have a hard time getting resources from your organization to develop products that use the innovation. Back when the vacuum tube was king, the transistor was overlooked by the incumbents partly because their customers were not asking for it.
2. Big companies need big markets. This focus means that usually it will be hard to sell the organization on small products that might have a future. Think IBM and PCs. Why develop a “Personal Computer”, when the market was so tiny?
3. Disruptive innovations are usually unpredictable. How many times have competitive solar energy and electric cars been right round the corner? Successful companies succeed by focusing on what works and it can be very hard to prove that a completely new innovation will succeed. The error part of trial and error can be a very hard sell.
4. The organization’s skill at what it does can be an obstacle to innovation. Groups of people build up ways of working and looking at problems. This can be good for focusing on what your customers want and how to give it to them most efficiently. It can be an obstacle, however, when trying to look at what you do in a completely new light. Getting staff to embrace developing software that can eliminate their jobs, for example, can be quite a challenge.
5. What makes the innovation unattractive to your customers may be exactly what appeals to other customers. IBM’s mainframe customers were not interested in puny little computers that fit on a desk, but plenty of other people were.
Taking Advantage of Risk
Risk management is about taking advantage of risks as well as reducing or mitigating risks – and the first step in any risk management process is analysis. Knowing what you are up against makes the task easier to understand, if not always easier to execute.
The list above also goes part of the way to explaining why so many firms create separate organizations to experiment with disruptive innovations. Taking advantage of risks is not easy, but again, if it were easy, everyone would do it.
See: Christensen, Clayton M., The Innovator’s Dilemma, HarperCollins, New York, 2000, p. 113
Innovation is not easy. If it were, everyone would be doing it.
The business school researchers tell us that established firms are good at the constant, incremental innovation necessary to stay on top of their fields. New firms are famously better at the disruptive innovation typical of new technologies. The risks of not managing disruptive innovations seem obvious, which raises the question of why established firms are not better at managing this risk. The answer may be simple: follow the money.
“At its core… the issue may be the relative flexibility of successful established firms vs. entrant firms to change strategies and cost structures, not technologies.”
Christensen, Clayton M., The Innovator’s Dilemma, HarperCollins, New York, 2000, p. 63.
Someone Stands To Lose Money
Take accounting, for example. None of the products in the multi-billion dollar market for accounting software were created by the big accounting firms. One obvious reason is that developing software to do what they use people to do is not in their interest. The accounting industry business model relies on billing customers for hours worked. Millions of hours worked equals billions of dollars billed. Anything that reduces the number of hours worked reduces the number they can put on the bill, ergo, no interest.
This lack of interest may be understandable, but it also carries risk. The big accounting firms may not be excited about accounting software automating much of what they do, but they need to react – and they may need to react differently than they have so far. Furthermore, what is true for the accounting business applies to other service industries.
Customer Feedback May Be Misleading
One response to the challenge of cheap software and online solutions is to increase revenue by increasing the value of the services provided. Last year’s consultant takes a few courses, gains a year’s experience and becomes a senior consultant. A partner advises on the account, bringing expertise and a new level of fees. The replacement product can do more, better, faster, quieter, more efficiently, and, not incidentally, at a higher price.
But what if the previous product was fine? What if it perhaps even already exceeded the customer’s requirements? The higher-priced services of the partner and the specialists may have been appreciated last year, but are they making your bill a tempting target for cost-conscious budget committees?
Less May Be More
What signs are you looking for to warn you that you are pricing yourself out of your market? Will your customers warn you that you are making yourself vulnerable to lower-priced entrants or replacement products? Can those lower-priced entrants mature into providers that can replace your services at a lower cost? Might your customers decide they can get by with less?
Your customers generally want what you are providing, but most firms are not your customers. What are they buying instead? Are they making do with something more basic, but much cheaper? Most service firms focus on providing the best product they can with the best people they can, but this can also make it hard to determine what is “good enough” as opposed to “best in class”. Do you know? Can your customers tell you? Will they tell you?
What Can You Do?
First, you need to accept that doing anything about this is hard. It may be impossible. Business models are very difficult to change. Louis Gerstner would not be famous for turning around IBM if it were easy. Firing people, especially loyal, talented, hard-working people, is hard. Walking away from previously profitable product lines is hard. Letting customers go can be even harder. It is as hard as walking away from a poker table while you are still winning – and it is also about as rare. Genteel decline can seem so much more palatable.
Second, accept that it may be hard to recognize the need to change. Organizations used to winning tend not to like losing and so they often rationalize why the activity they are losing at is not one they should be doing. They say a market segment is wrong for them or that a new, basic product has no future. Think of all the silly historical IBM quotes that appear on lists. Now think how hard IBM must have worked to survive making all those mistakes.
Finally, if nothing else, be aware of the risk. The Dow Jones Industrial Average would not have had the turnover it has had if the enormous challenge of meeting disruptive change were not a fact of life. Change is inevitable; your firm’s survival is not.
Hollywood may not make films about USB keys, but they’re probably your biggest information security threat
Given the choice between writing a special 12-page supplement about Cyberwar and trying to fill as many pages about the threat presented by the USB key, it is no surprise that the editors of The Economist chose the former. Hollywood does not make films about USB keys, because, like it or not, they are a bit boring. Boring does not sell newspapers, but since most of us are not in the business of selling newspapers, our focus ought to be on the biggest threats to our organizations.
It is common knowledge in retail that most shoplifting is done by employees – not strangers. Much the same is true for data-losses and IT-security breaches. Employees leaving for other jobs take privileged information with them. Forgetful types write their passwords down in obvious places. And awkward security procedures prompt people to maintain local, often very insecure, copies of information – on USB keys for instance.
Ease of Use vs. Security
Security exists to enable the organization to do what it does safely, but all the rules in the world will not protect your systems from your users if they are careless or willfully circumvent your controls. Passwords and secure connections help keep outsiders outside, but neither protects your data once your users have successfully logged onto your network.
You can do a lot to structure your information by compartmentalizing it and restricting access, but this requires active management and it does not prevent the information from being stored in other places, accidentally or not. You also need to protect yourself against all of the bugs and worse that your users bring with them into your systems.
The threats outside your network know that most of the efforts to stop them focus on outsiders trying to access your networks, so many of them rely on your users. Social engineering is one term for it and it is not limited to letters from Nigeria promising riches. Viruses and the like can use USB-keys as physical Trojan horses to get past your security measures. Users forget the threat the storage devices present and seldom think twice about where they use them. They are so convenient that your users unthinkingly accept the risk.
The Role of the Humble USB-Key
The accidental virus transporter is often a double victim. They have obviously been used by the attacker. Your users may also be victims of your IT systems and your security policies. The fact is that many firms make it so hard to get data out of their systems that users are often left no alternative but to rely on tools like USB keys.
Slow data retrieval and cumbersome systems often do not take into account the needs of the user, whose customers are often not willing to wait while yet another password is entered or a slow server looks for an answer. The local, insecure file or database is almost always a violation of company policy, while being a necessity for fulfilling another – like good customer service or short deadlines.
The Beatles, Dandruff, Cyberterrorism, and You
Back in the day, the Beatles were asked whether the atom bomb or dandruff presented the biggest threat to their careers. They famously replied the atom bomb, because they already had dandruff. A lot of information security specialists like talking about threats like cyberwar because the source of the threat is a long way away, while the threats they could actually do something about are much closer to home.
The Beatles could not do much about the prospects of nuclear war and you are not going to be able to stop either the Chinese Government’s supposed Cyberterrorists or end the scourge of the Russian Internet Mafia syndicates. The Beatles could have and probably did manage their dandruff problem with a quick trip to the supermarket and you can do a lot for your cybersecurity, or whatever sexed up name you want to give it, by focusing on the threats that are nearby – and that you can do something about.
What Are You Doing To Ensure Your Users Accept Your Security Policies?
“Cyberwar”, the cover story of a recent issue of The Economist, sounds the call to arms for an international effort to limit the threat to modern society from attack via the Internet – and they’re onto something. Stories about state-sponsored Chinese cyber-espionage and Russian Internet mafia syndicates make for dramatic headlines – and good headlines sell newspapers.
All of this, however, may be distracting attention from the people who cause the most damage – you, me, and the person sitting at the next desk over. We, the people inside the organization and not some foreign conspiracy, constitute the biggest IT-security threat most organizations face.
What to do – and the threat of boredom
This raises the obvious question of what to do. The grandees of international politics are not going to help. Ban Ki-Moon is not going to talk Tony Blair into chairing a UN-sponsored conference on the subject. They are not going to talk about it at Davos. Cable news channels will not follow motorcycle-escorted motorcades as diplomats circle the globe trying to solve the problem of why we and everyone we work with threaten the security of our networks on a daily basis.
The rather unfortunate answer is that it will take hard work. This will be even harder because, bar talk of cyberwar and the aforementioned internet mafia syndicates, people often think that information security is, well, boring. Boredom is dangerous for several reasons. Boredom breeds complacency, which is the natural enemy of safety. It also makes it very difficult to get the people at risk – who are also the people causing the risks – to take the threat seriously.
Buy-in, commitment, and other lofty goals
The task of changing these attitudes is no different than the task of convincing employees that a merger is a good idea, that a company reorganization will improve the business or that the introduction of a new ERP system will make life easier. It takes a deliberate effort; it takes change management.
Good change management programs always have employee buy-in as one of their central goals. IT-security efforts often forget this. The user too often becomes someone who is required to follow the rules, not have an opinion about them – and this is a big mistake.
Acceptance
The image seems to be that users are like soldiers and can be ordered about. Anyone who has ever served in uniform will tell you that soldiers spend as much time evading and avoiding orders as they spend following them.
Like everyone else, soldiers are human; they have opinions like the rest of us. Your users have opinions about the rules you make and there are many ways of following – or not following – them. You can write all the rules you want and create all sorts of draconian punishments for violations, but you will not get far without their acceptance of the rules you write.
Evasion – deliberate and accidental
Recent items on Wikileaks demonstrate that even the US military cannot stop their personnel from stealing sensitive data – and neither can you. Risks cannot be eliminated; they can be reduced, transferred, or mitigated. Your risk management goals stand much better odds if your users agree with those goals – and how you intend to achieve them.
One way to gain user acceptance is to make following the rules easy. Keep it short and keep it focused. Know that you lose users with every layer of detail. Ask yourself what are you trying to protect and make your rules accordingly. Perhaps, for example, you could write guidelines for social media use instead of blocking access entirely.
Ban vs. ignore?
The last point is an important one. Twitter and Facebook and the rest of the social media have attracted a lot of attention from management. One popular approach is the outright ban. ”What if one of our employees says something bad about our company?”, they ask.
The same nervous managers seldom pause to think that the same employees they do not trust with social media often spend all day writing e-mails and talking on the phone, all without damaging the firm or its reputation. If you are concerned, create some guidelines and move on. You face bigger threats – from unsafe USB-key use, for example.
Other organizations, optimistically perhaps, ban their employees from visiting sites with adult content. If your organization does this, you might want to ask yourself why. Is malware more likely there than at a site offering the latest Justin Bieber screensaver? Is there really a reputation risk to your firm? The point is not for or against pictures of naked ladies, but rather against wasting time on something that does not improve security.
Keep it simple and get acceptance
People accept most of the rules and restrictions society places on them because they agree with them – and problems arise when they do not. The 21-year-old drinking limit in the United States causes huge problems because most Americans under 21 do not accept it. A debate has finally begun asking whether the ban is achieving the intended goal of limiting the dangers associated with young people and alcohol or actually increasing the risks.
Your users have jobs to do that do not revolve around adhering to information security policies. Many are required to have their laptops with them wherever they are, and the machines become an integrated part of their lives. Your information security policy can be positive – do this – or negative – do not do that. It is hard to be both.
Basically, do you want them wondering whether the Sports Illustrated Swimsuit edition is in or out of bounds when they’re sitting in a faraway hotel room in the middle of a long business trip or do you want them to be aware of the risks in using USB keys, smart about sharing proprietary information and good at representing your company when writing comments on blogs and surfing social network sites?