Audit and Security

I heard of a place where internal audit was told to do a comprehensive security audit of all aspects of an organization. All aspects.

How is that possible?

The IT organization is likely working at 110% with all their energy and effort to manage, monitor, invest in and improve an organization's security, so how can a short audit effectively grade how they are doing? Now I suppose that if the auditors were knowledgeable about security aspects and if there were huge gaps in what IT was doing, then those would surface in the audit. But how could an audit detect deep matters in the enterprise in a short audit?

Further, how can an IT organization comprehensively know that all is in control? Further, how can a CIO assure a board that everything is under control?

They can’t.

They can only attest that they are doing all they know to do, they are vigilant and they are working to set the tone across the enterprise that all must work together to secure the organization.

They can only assure that they are doing all they know to do.

These are difficult times for CIOs.

High-Skill, High-Focus

Those of you that I talk with know that the cyber attack on Sony of a few months ago made a huge impact on me. I’ve thought about it for days and weeks since and talked to many about it in informal and formal conversations.

It is so easy to sit back and say, “how could Sony have let that happen?” but as this article in the WSJ points out, it could happen to anybody. Sony was the victim of a high-skill, high-focus attack. Very likely, most individuals and organizations would fail against such an attack. There but for the grace of God, go we…

An article in Forbes last December said such a hack could crater a company. I believe that day will come. I wrote about what the future might look like last year here.

Finally, we should all be reminded that we shouldn’t say things in email that we wouldn’t want posted on the front of a newspaper.

Getting Better at Getting Better

Wonderful article over in the New Yorker called, Better All The Time. I saw it in the context of getting better at running which someone had referenced in that regard. However, it applies to work, to running, to most things. We need to think about getting better at getting better.

I’ve started running and I’m planning to run a marathon in a few months which is something inconceivable to me just a few years or even months ago. Now I’m running several times a week and recently did a 15 mile run with my running partner which is the longest run I’ve ever done. Now I’m running half marathon lengths just to train for the marathon!

All of this running has started me thinking about how do I become a better runner who can not just complete a marathon, but actually enjoy it and finish it in a strong, heads up fashion? There are lots of web sites and training plans and tools to help one prepare for this, but what is interesting to me is the idea of deciding to get better and then doing the research and taking the steps to get better. When exactly should I drink water, or consume some energy (Gu)?

We need to do the same in our IT shops and in all our organizations.

  1. We need to measure results, times, costs, efforts, etc. in our processes. Not in a needless fashion or dumb fashion, but measure the right things.
  2. Ask the people who are doing the work how to do things better. They are doing the work so ask them what are their obstacles and what is slowing them down. Likely they know how to help get things done better and faster.
  3. Don’t be arrogant and assume the way you are doing things is the right way. Keep asking questions. Ask your vendors what ways they’ve seen things done better. Be open to all good ideas.
  4. Keep looking, even when you do find an improvement because there is another one behind it.

I’ve been learning when to hydrate, when to consume Gu, when to drink Powerade and I’ve discovered I’ve been taking these things in the wrong order and not enough. I’ve also learned different training methods that I had not heard of before. I think these things will help me get better and improve my ability to be successful at the marathon.

We need to be thinking this way in our IT shops.

Celebrate Those Who Get Things Done

Read something a few days ago that I can no longer find to reference. It got me thinking that we should celebrate those who get things done, not the ones who cast a vision or who are the appointed leaders. The ones who get things done are the ones we go to when we need help, when we have problems, when there are hard problems to solve. We don’t need a vision in those situations, we just need to get something done.

We need to be better at identifying these people in our organizations and honoring them in whatever fashion is appropriate. And we need to develop a sense of thinking about them, looking out for them and helping them get things done faster.

Maybe leaders should focus on getting obstacles out of the way of those who are getting things done?

Been gone for a while. Been busy, but aren’t we all? Wrote a bit about it over here.

Collaboration Thinking

I’ve recently been doing some work with friends on a personal project and during the course of our work, notes were shared via mailing an MS Word file to all the team members asking for input and additional ideas.

I have to say that I can’t work this way anymore. I don’t think this way anymore.

I’ve become used to working collaboratively on the same document at the same time. Mailing around files to share is the past. Sharing a link and jointly and simultaneously working on the same document is the present.

I’ve also noticed that this is hard to explain to someone who has not worked this way. If someone challenges you to work with some of the new tools like Google Apps, you need to give it a try.