Are Security Issues Ignored in your Organization?

Delete production database, go to jail, do not pass GO, do not collect $200.

A disgruntled Chinese sysadmin wiped his company’s servers after feeling ignored. He had complained about a lack of basic IT security, but found no understanding from his boss. He then wiped out most of their infrastructure, paralyzing a $6 billion company with 120,000 real estate brokers. He did prove his point. He was rewarded with a 7-year jail sentence.

The person with the most detailed knowledge of the vulnerabilities in your IT landscape is not the CISO. It is the database administrator or the network engineer. Do you have a process to ensure that potential security issues can be raised anonymously and will come to the attention of the CIO?

Do You Understand What You are Running?

Don’t run systems you don’t understand. Some people had placed billions of dollars into a cryptocurrency called TerraUSD. They were told this was a “stablecoin” that would keep a value of $1. Underlying this claim was a clever algorithm that interacted with investors and another cryptocurrency in complex ways. Until its magic no longer worked and the supposedly stable TerraUSD dropped 80%. Trading in it is now halted.

In the global financial crisis of 2008, people had invested in complex financial instruments that they didn’t understand. Many billions were lost and large institutions went bankrupt. The banks who came out of the crisis unscathed were those who had stuck to simple banking products that everyone could understand.

Take a look at your IT landscape. Can you find somebody who understands your operating infrastructure? Or have generations of DevOps engineers just googled problems and tweaked your Kafka and Kubernetes configuration until it somehow seemed to work?

Why Employee Surveillance Doesn’t Work

Do you know what a “mouse jiggler” is? Your most innovative employees do. It is not a device to shake a rodent in a cage. It is a small USB device that sends random mouse movements to a computer.

Who would want such a thing? Employees subjected to tracking software, that’s who. With the mouse moving, the software will record “productivity.” The pandemic led to a boom in surveillance tech, euphemistically called “employee productivity software.” As workers return to the office, that tech is not removed from corporate laptops. But workers are pushing back, in accordance with Newton’s Third Law of IT systems: Whenever the organization implements a policy, the employees will implement an equal and opposite workaround.

Techno-optimists keep trying to replace humans with technology. There are some places where that works. Replacing human leadership with surveillance technology is one of the places where this strategy doesn’t work.

Imprecise Language

Elon Musk understands the danger of imprecise language. He builds spacecraft, and that is an unforgiving business. NASA does not use precise language, which caused it to crash the $125 million Mars Climate Orbiter. SpaceX does use precise language.

Twitter uses imprecise language. You used to get banned for wishing violence on anyone. After the war started, they decided to make an exception for people who wish death on Russians. And then they had to clarify that you were still not allowed to wish death on good Russians, only bad Russians. And Twitter will be the arbiter of who is good and who is bad.

Elon Musk is so unhappy about Twitter’s imprecise language that he is willing to spend 45 billion dollars to buy the whole thing and fix it. His proposed fix: A short, clear list of banned conduct.

Whenever I am called in to do a post-mortem on a failed IT project, the root cause is always imprecise language. The specification calls for something vague like “easy to use.” But it does not provide the precise detail needed to evaluate whether the system meets its goals. Systems must also be “fast,” “mobile-friendly,” and “visually attractive.” Vagueness allows different people to get different messages from the same document. In diplomacy, agreements are sometimes worded so both sides can read them as a victory for themselves. That doesn’t work in IT systems. Are you using imprecise language in your communication?

Optimization to Powerlessness

Here in Denmark, we were surprised to find that the Russians have rendered our military combat ineffective. When NATO asks what we can provide, we can offer a hundred special forces soldiers, some past-due-date antitank weapons, and an armored brigade without armor. The reason is not lack of money. We spend many millions. We just don’t spend it on things that matter.

The Russians did not have to attack us kinetically or subject us to a devastating cyber-attack to achieve this. They simply needed to infiltrate the Ministry of Defence with spreadsheet-wielding MBAs supported by a fifth column from McKinsey. We have now optimized our way to warfighting impotence.

Many organizations have similarly found that they have optimized themselves to powerlessness. A ship stuck in the Suez or a war in Ukraine will bring their entire production to a halt.

The only way to resilience, as any capable army knows, is to have extra. You have more supplies on hand than the absolute minimum, and more different suppliers than you need. You have spare warehouses and production capacity. If you let the MBAs with their spreadsheets run the business, you might suddenly find you have no business.

Productivity at 10 pm?

They call it “productivity” but it’s more likely just busyness. Microsoft research into the use of their Teams product has discovered there are now three peaks in a day. It used to be only mid-morning and early afternoon, but now another peak has appeared at 10 pm. Euphemistically, Microsoft equates keyboard activity with productivity, but keyboard activity at 10 pm is unlikely to add much value for most people.

The workday has expanded by 46 minutes since the start of the pandemic, and most of that has been after normal office hours. It is a leadership task to preserve the health and productivity of your people. Do your employees work at 10 pm? Are you okay with that?

What Can and Cannot Be Said

Can you say “pay rise” in your company? At Amazon, that would not be possible. The internal social media app they plan to roll out for warehouse workers will filter out words like “union,” “fairness,” and “plantation” (!)

Russian author Fyodor Dostoyevsky said, “The degree of civilization in a society can be judged by entering its prisons.” Similarly, the degree of civilization in an organization can be judged by its internal social media.

What does your internal communication platform and its rules say about your organization?

What Happens Then?

There is an easy way to avoid making stupid decisions: Asking “what happens then?” A decision is exposed as stupid when it turns out that the decision-maker did not carefully think through the consequences. Bad decisions occur when someone only looks at the immediate result.

New York City dodged a bullet when they started implementing bike lanes in the narrow streets of Manhattan. They could easily have made the stupid decision of simply marking a part of the street as a bike lane. Fortunately, someone clever at City Hall asked herself: What happens then? If you had simply painted bike lanes on streets, thoughtless New Yorkers would have wiped out bicyclists by the thousands with their car doors. So New York decided to paint a separation area between the car parking area and the bike lane. Clever.

Next time you are faced with a decision, try asking “what happens then?” several times. You might find this saves you from doing something stupid.

People and Material

“In war, three-quarters turns on personal character and relations; the balance of manpower and materials counts only for the remaining quarter.” Napoleon said that in 1808, and it applies equally in Ukraine today.

It also applies in other human endeavors. You can see organizations performing well with antiquated IT systems, and organizations making a mess of their customer service even though they have the latest and greatest cloud services. Simply rolling out new technology without considering people, organization, and processes will not improve your organization.

Don’t Ask Half Questions

Asking half questions leads to dangerous outcomes. We just saw an example when irresponsible Reuters pollsters looking for a scoop simply asked Americans “should NATO establish a no-fly zone over Ukraine.” They got a resounding 74% approval.

Another pollster asked the question with the qualifier “knowing that this will lead to direct war with Russia” and support dropped to 34%.

A complete question asks “are you willing to accept this downside to gain this upside?” Organizations get an idea, focus on the upside, take a cursory glance at the downside, and then take erroneous or even disastrous decisions. Who has the job of ensuring the downside is examined as well as the upside? You might need someone external to provide this.