Holding Your Ears is not an Effective Strategy

Closing your eyes and holding your ears is considered an effective IT strategy. At least here in Denmark, where the Danish public schools have been ignoring European data privacy regulations. With much hand-wringing, they are now scrambling to replace their Google Chromebooks as the new school year starts.

The 2020 Schrems II judgment from the European Court of Justice said that because all data passed to American providers end up in the databases of the NSA, you are not allowed to store personal information with American cloud providers. Nevertheless, Danish schools kept using Google services. The Danish Data Protection Agency (DPA) has finally told them to stop.

The people at the coalface in your organization know where corners are being cut. But there are several layers of management between the people who know and the CIO and CTO who will be fired once the problem explodes. So if you are in an IT leadership position, how are you ensuring that you hear about questionable practices in your organization?

How to Avoid Techno-Blindness

Techno-blindness is a dangerous affliction. It is a disease of over-optimism mainly affecting people in the technology industry. The symptom is overconfidence that a system works as intended and a lack of awareness of what might go wrong.

Somebody in Moscow thought it was a cool idea to have a computer play chess with children, using a robotic arm to move the pieces. Until a child made an unexpected movement. The robot grabbed his hand and broke his finger. TuSimple is building autonomous trucks, and one of them accidentally executed an old instruction, causing it to turn left in the middle of the highway. Fortunately, nobody was injured as the truck veered across the I-10 and slammed into a barrier.

Important systems need independent safeguards. That means a completely separate piece of code that can intervene if the output of an algorithm lies outside some boundary. A truck shouldn’t be able to turn left at high speed. A robotic arm shouldn’t move on the chessboard until the player’s hands are off the pieces.

As a CTO, it is your job to ensure there are safeguards around important systems. You cannot depend on techno-blind developers to do this by themselves.

How Do You Handle Security Issues?

Over breakfast, the CEO asks you about the latest Atlassian vulnerability that he’s just read about in the Wall Street Journal. Good answers are: “That doesn’t apply to us” or “It has been addressed.” OK answers are: “We’re looking into it” or “It is being mitigated.” The horrible answer is: “What vulnerability?”

Last month, 1,973 new vulnerabilities were published. July 2022 was a quiet month – most months have over 2,000. Many of these don’t apply to you, but you need to evaluate all of them. Do you just have one guy following @CVEnew on Twitter, or do you have a real process able to handle the ever-increasing load?

Somebody Else’s Problem

Things that are Somebody Else’s Problem (SEP) are invisible. Douglas Adams famously joked about this in “The Hitchhiker’s Guide to the Galaxy,” but the effect is serious and real.

For example, local British politicians were falling over each other trying to attract data centers. They were focusing on the cachet of having Google or Facebook in their town, and the half-dozen jobs for the electricians and plumbers maintaining them. Supplying these energy-hungry behemoths with power was Somebody Else’s Problem.

Now they have so many data centers in West London that their electrical grid is overloaded, and they won’t be able to build more housing until they have upgraded their main cables. That’ll be sometime in the 2030s.

As an IT leader, it is your job to ensure that each team knows the problems they might cause for other parts of the organization.

Clueless Developers are Dangerous

A company used by 83% of the Fortune 500 is clueless about security. Scary. I’m talking about Atlassian, whose Confluence product was discovered to have a secret admin account with a hardwired password. It is worrying that any company would hire developers that could simply get the idea. It is more worrying that this got through code review. And it is very worrying that Atlassian doesn’t seem to have anyone who does a separate security review.

If you are an IT leader, take a look at your systems list. Make sure there is a name and a date in the “last security review” column for each and every system. If you have home-built systems without a separate security review by someone outside the development organization, you might be the next Atlassian.

The Regulators are Coming

The Chinese are willing to bring the hammer down. The Americans and the Europeans, not so much. Draconian fines are theoretically possible for data privacy violations in the EU, California, and elsewhere in the West but are not imposed. In China, on the other hand, ride-hailing giant DiDi was hit with a $1.2 billion fine, close to the cap of 5% of annual revenue. Not that DiDi didn’t deserve it – regulators have identified 64 BILLION separate data collection violations.

Are you still looking at the puny fines handed out to everybody who is not a vilified American tech giant? Sooner or later, the regulators will start using their power. So you might as well get on top of any problematic data collection habits now.

Cloud Services Leak Your Data

Big Brother is watching what you write. Chinese users working on the local equivalent of Google Docs discovered that there are some things you can’t write. An author was locked out of the novel she was writing, with the system telling her that she was trying to access “sensitive content.” It didn’t matter that she wrote herself.

Of course, Google would never lock you out of your Docs or Sheets. And they claim they don’t look at your documents to sell you ads, though plenty of users report spooky coincidences. The default setting in Microsoft producs is to enable “Connected Experiences.” That means your content is being sent to Microsoft servers for analysis. Microsoft claims no human looks at it.

Do you have guidelines and technical measures in place to prevent sensitive data leaking out of your organization through cloud services?

Pick the Right Place for Each Task

Peak employee effectiveness and wellbeing depends on finding the optimal balance between working alone and working with others. Microsoft does big studies of their many thousand employees. They found that disengaged employees complained about too little collaboration. Overworked employees complained about too much collaboration.

Now that both office and home are valid work locations, it is a leadership responsibility to make the most of each of them. Collaboration needs to be in the office. We survived two years of Zoom meetings, but at the cost of massive Zoom fatigue. Focused work should happen at home where the employee is in full control of their time. Leaders need to set the rules and clearly delineate what happens where.

Learn From New People

I’ve been traveling through four countries this week, and every country does some things differently. Some have stupid rules that sensible people would never implement. But others have great ideas that should be implemented more widely. Unfortunately, ideas do not automatically cross borders the way viruses do.

Ideas also don’t cross organizational boundaries easily. As a consultant, I help organizations with good ideas proven in other places. But you also have another source of new ideas: The people you hire. Do you have a formal post-hire process for gathering ideas from new hires? Probably not – few people have. But think about how much you could learn if you had…

Always Measure Two Things

Be careful what you measure. You are going to get exactly that. You remember “Dieselgate,” where Volkswagen installed software in their cars to cheat on emissions tests. Samsung was just caught doing the same thing, programming their TVs to recognize a typical testing scenario and boosting brightness during the test.

A single measurement is easy to cheat on. If anything depends on that measure – bonuses, promotions, reputation – somebody is going to cheat sooner or later.

That’s why every measurement needs a counter-measure. Don’t just measure “Time to close support ticket.” I’ve been working with vendors who clearly had that measure as their main target, as have most people in IT. If you also measure customer satisfaction, it becomes much hard to game the metrics.