Sten Vesterli's Blog

Making IT Live up to its Promise

Category: IT Leadership

Clueless Developers are Dangerous

IT Leadership, ,

A company used by 83% of the Fortune 500 is clueless about security. Scary. I’m talking about Atlassian, whose Confluence product was discovered to have a secret admin account with a hardwired password. It is worrying that any company would hire developers that could simply get the idea. It is more worrying that this got through code review. And it is very worrying that Atlassian doesn’t seem to have anyone who does a separate security review.

If you are an IT leader, take a look at your systems list. Make sure there is a name and a date in the “last security review” column for each and every system. If you have home-built systems without a separate security review by someone outside the development organization, you might be the next Atlassian.

The Regulators are Coming

IT Leadership, ,

The Chinese are willing to bring the hammer down. The Americans and the Europeans, not so much. Draconian fines are theoretically possible for data privacy violations in the EU, California, and elsewhere in the West but are not imposed. In China, on the other hand, ride-hailing giant DiDi was hit with a $1.2 billion fine, close to the cap of 5% of annual revenue. Not that DiDi didn’t deserve it – regulators have identified 64 BILLION separate data collection violations.

Are you still looking at the puny fines handed out to everybody who is not a vilified American tech giant? Sooner or later, the regulators will start using their power. So you might as well get on top of any problematic data collection habits now.

Cloud Services Leak Your Data

IT Leadership, Technology That Fits, ,

Big Brother is watching what you write. Chinese users working on the local equivalent of Google Docs discovered that there are some things you can’t write. An author was locked out of the novel she was writing, with the system telling her that she was trying to access “sensitive content.” It didn’t matter that she wrote herself.

Of course, Google would never lock you out of your Docs or Sheets. And they claim they don’t look at your documents to sell you ads, though plenty of users report spooky coincidences. The default setting in Microsoft producs is to enable “Connected Experiences.” That means your content is being sent to Microsoft servers for analysis. Microsoft claims no human looks at it.

Do you have guidelines and technical measures in place to prevent sensitive data leaking out of your organization through cloud services?

Pick the Right Place for Each Task

IT Leadership, , , ,

Peak employee effectiveness and wellbeing depends on finding the optimal balance between working alone and working with others. Microsoft does big studies of their many thousand employees. They found that disengaged employees complained about too little collaboration. Overworked employees complained about too much collaboration.

Now that both office and home are valid work locations, it is a leadership responsibility to make the most of each of them. Collaboration needs to be in the office. We survived two years of Zoom meetings, but at the cost of massive Zoom fatigue. Focused work should happen at home where the employee is in full control of their time. Leaders need to set the rules and clearly delineate what happens where.

Learn From New People

IT Leadership, ,

I’ve been traveling through four countries this week, and every country does some things differently. Some have stupid rules that sensible people would never implement. But others have great ideas that should be implemented more widely. Unfortunately, ideas do not automatically cross borders the way viruses do.

Ideas also don’t cross organizational boundaries easily. As a consultant, I help organizations with good ideas proven in other places. But you also have another source of new ideas: The people you hire. Do you have a formal post-hire process for gathering ideas from new hires? Probably not – few people have. But think about how much you could learn if you had…

Always Measure Two Things

IT Leadership,

Be careful what you measure. You are going to get exactly that. You remember “Dieselgate,” where Volkswagen installed software in their cars to cheat on emissions tests. Samsung was just caught doing the same thing, programming their TVs to recognize a typical testing scenario and boosting brightness during the test.

A single measurement is easy to cheat on. If anything depends on that measure – bonuses, promotions, reputation – somebody is going to cheat sooner or later.

That’s why every measurement needs a counter-measure. Don’t just measure “Time to close support ticket.” I’ve been working with vendors who clearly had that measure as their main target, as have most people in IT. If you also measure customer satisfaction, it becomes much hard to game the metrics.

The Tolstoy Principle in Action

IT Leadership, Technology That Fits, , ,

This is what failure looks like: 50% one-star reviews. The other half is five-star reviews. Assuming these are not all from the app developers themselves, the app apparently can work. It just didn’t work for me, nor for many others.

I call this the Tolstoy principle: All successful apps are alike; each unsuccessful app is unsuccessful in its own way. The end-user does not care that 98% of your back-end infrastructure is running. They care that they can complete their task. And if one critical component fails, your app is a failure. Like this one from my local supermarket chain.

When you build systems, is all the attention lavished on a cool front-end app? Unsexy back-end services are equally important.

You Need On-Site Time

IT Leadership, , , ,

You can work from home as long as you also put in 40 hours at the office. That’s official policy at Tesla, where Elon Musk has thrown down the gauntlet at his executives. The factory workers put in 40+ hours and their managers should, too.

There are some jobs that lend themselves well to remote working, and some that don’t. Elon has a point that managing people involves being visible, and much leadership happens outside official meetings. Nobody has figured out a way to simulate the informal encounters of the workplace in Zoom. That is why some on-site time is necessary for everyone inside the organization. We are seeing that fully remote workers never assimilate the culture of the organization, don’t feel a sense of belonging, and quit much faster than people who still have an in-person connection to the organization. People who are 100% remote should be contractors, not employees.

Are You Making a Fool of Yourself?

IT Leadership, Technology That Fits, ,

You’d think that an official digital ID project would be subject to a careful security review. Not in Australia. The government of New South Wales in Australia has rolled out a digital driver’s license that contains no less than five different security issues. Together, these make it trivially easy to alter any data on your ID, effectively creating a fake ID. That is good news to Australian identity thieves and underage would-be drinkers. The official response is “it’s illegal to make changes to your ID.”

Are there any embarrassing security oversights in the products you roll out? How would you know?

Don’t Use Illegal Defaults

IT Leadership, Technology That Fits,

You would never implement a system programmed to break the law, would you? The municipalities in Denmark did. If you get social security in Denmark, you are supposed to work at least 225 hours per year if you can. Those who can, and don’t, get less money. Those who cannot work are exempt from this deduction rule. The IT system has been programmed to automatically start reducing benefits unless a caseworker remembers to manually keep pushing the deduction date into the future. This means the municipalities save money by illegally reducing benefits for those citizens who do not have the energy to complain.

When you automate a process, your users will quickly come to accept the decision of the system. Make sure you have good defaults. At the very least, make sure they are in accordance with the law.