Questioning Value

The obvious thing to do isn’t always the right thing and the right thing to do isn’t always obvious. As we get working and busy our minds are often so focused on the task we’re doing that we forget how what we’re doing connects to adding value. For a brief time in life, I had the job of a dishwasher at a brick oven pizzeria. It was a pretty mechanical job. Sort, load or scrub, dry and stack. Repeat. Repeat. Repeat. I had no idea what I was doing but knew everything about the tasks I was performing.

It’s easy for all of us regardless of our station to fall into this trap. Thankfully it’s also simple for us to pull ourselves out of it. Ask yourself the question: How do your actions add value to the organization’s stakeholders?

Let’s use the dishwasher for this exercise. It’s a pretty low-level job. Probably didn’t have much impact right?

Who were the stakeholders for a dishwasher and how did I add value? Well, there’s the cooks who needed the clean pots, the wait staff who needed clean cups and plates, and the customers who wanted to eat without the worry of getting sick. OK, so that’s cooks, wait staff, and customers. That’s pretty much everyone.

Too bad I didn’t see it when I had the job. Night after night of working my brain got trapped thinking that the only place in the world was the back corner of that restaurant. I never thought of my impact because I’d gotten so focused on what I did I didn’t even have to think about it anymore. Sort, load or scrub, dry and stack.

I was just doing the work, got frustrated, and quit because I didn’t see the value in the work that I was doing. If you see someone frustrated you don’t have to confront their attitude, just ask them questions that help them see the value they bring to the organization. Our society is pretty used to responding to the “what do you do” question. So, it’s not too much of a stretch to take that response and start a conversation about adding value.

So many negative feelings go away when we see how valuable our efforts truly are.

Management Reserves & Estimated Monetary Value

In project management, a Management Reserve is “an amount of the project budget withheld for management control purposes. These are budgets reserved for unforeseen work that is within the scope of the project. The management reserve is not included in the performance measurement baseline” (PMBOK).

There are three different types of management reserves identified in the PMBOK. These are listed as a Management Reserve, Contingency Reserve, and Activity Contingency Reserve.

Management reserve: Controlled by the management, but not necessarily the PM. This is an overall management reserve that could be spent on any project and has to be approved by the managers above the PM.

Contingency Reserve: a fund controlled by the PM and part of the project budget for any particular contingency within the scope of the project.

Activity Contingency Reserve: a fund specifically earmarked for a high-risk activity that could require more resources to complete. This fund is controlled by the PM and a part of the budget.

Earned Value Management is the process of removing the ambiguity between actual cost and planned cost within a project. EV is calculated as % complete × project budget. When EVM is applied to a project it gives the managers a clear line from which to measure project progress against other known calculations relative to the project’s timeline and overall expenses.

Expected Monetary Value (EMV) is another tool in calculating risk costs. EMV is calculated by multiplying the value of each possible outcome by its probability of occurrence. The results of an EMV analysis can be used to determine the size of the reserves for the project. The decision tree listed as Figure 11-6 in the PMBOK shows how EMV can also be used to understand the monetary value of certain outcomes. When charted this decision tree matrix can show managers the probable consequences of their decisions to the project in relation to its cost and profitability to the organization.

Critical Chain

Eliyahu M. Goldratt became a master of project management through hard work and careful observation.  His ideas and contributions to project management would have gone unappreciated if he wasn’t also a good communicator.

In this business novel Goldratt articulates problems typical with project management.  Through careful dialogue his characters extract perspectives on solutions that help the reader not merely understand the concepts, but also how to communicate them within their sphere of influence.

This book, Critical Chain, looks at the human dimension of project management and how safe buffers added to the project timeline by individual offices do nothing to move the project along.  Instead Goldratt clearly explains through his characters practical methods for shifting these buffers from the individual lines of effort to an aggregate for the project.

Every manager wanting to make their teams and processes more efficient should add this book to their reading list.  It’s a clear winner designed to help teams deliver results.


Ignoring Stakeholders While Upgrading

When the United States Army isn’t deployed fighting a war, they’re supposed to be training for it.  As a part of the Executive Branch, the Army is required by law to account for its use of authorized funding.  As The Fiscal Times reported in March of 2015, the DoD can’t account for $8,500,000,000,000.  One of the areas where the Army has tried to improve its accountability is in its training management system.  In 2014 the Digital Training Management System (DTMS) received a major upgrade that turned it into a thoroughly embarrassing debacle within the Army.

Once released, the new website lasted for just a few hours before software issues caused the site to go down for maintenance for several weeks.  Although released in October, problems were so bad that the Army withheld its press release touting the new features until January 12th of 2015.  Attention to detail was so low that when it did publish the article the press release stated it was published in 2014 because Mike Casey (the author) didn’t remember to change the date to 2015.  This lack of attention to detail during the project development lifecycle doesn’t begin or end with a delayed and misdated press release.

While the aforementioned press release mentions how the program serves commanders in conducting training management it fails to identify which level of commander.  My personal opinion is that it serves commanders at BDE level and higher who would have a difficult time gathering training information on their more than 1000+ formations without the use of an automated tool such as DTMS.  

The command level that is the least served by the software is at the company level, the lowest level of command, where all of the required data entry occurs.  A company of approximately 100 individuals requires two full time personnel to manage the automated system.  Lower level stakeholders seem to have been neglected throughout the process.  

Other errors that affect lower level stakeholders include:

  • A non-intuitive interface requiring a full 40 hours of training before use
  • No back-button after saving an event requiring full navigation through the home screen to edit the next event.
  • Built on Microsoft Silverlight, a technology that forces the site to be run on older versions of Internet Explorer and one that has been abandoned by its creator, Microsoft
  • Limited resources to address issues found through feedback (some recommendations are years old with no resolution)
  • Unable to upload documents en masse (feature is listed as an option and fails upon execution)
  • Unable to make adjustments to the personnel assigned to the unit causing miscalculations of averages and aggregate data by including individuals no longer with the unit or misassigned
  • Exports to poorly designed formats
  • Exports UserID from database in Excel but hides the column with the UserID
  • Website susceptible to URL code injection
  • Higher echelons have more control over the data but are least familiar with it, making it easy for them to misalign personnel and accidentally delete crucial records with no easy method of restoration (no undo button), causing repeated efforts at lower levels to repair the mistake.

A bad system is a good thing to learn from.  These issues are indicators of a project management team that failed to assess the project’s complexity and overlooked key stakeholders.  My role in the project was at the lowest command level where we were told to utilize the new system only to watch it go down for several weeks due to implementation issues.  Since then we’ve made efforts to assert ourselves as stakeholders using the appropriate feedback mechanisms only to have our perspective marginalized in the process.

It’s a bit easier to see how the DoD can’t account for $8,500,000,000,000 when they fail to implement good project management practices while updating their training management system.

The Relevance of Enterprise Resource Planning

Enterprise Resource Planning (ERP) is an umbrella term for automated systems that combine multiple functions of internal business processing particularly in the capacity of the organization’s resources.  Although ERPs have evolved over the past years to the point where a Rip Van Winkle may not recognize their current implementation, they still exist and are by no means obsolete.  As long as there are human resources being managed by the ERP they will continue to be a valuable part of any organization.  

Human capital is generally one of the most risky areas of business.  It’s estimated that “on average, supervisors spend 17 percent of their time — nearly one day per week — overseeing poorly performing employees.”  Today’s ERPs include algorithms to identify underperforming individuals as well as those at risk for retention.  People are not only a valuable resource, they are also a complicated one.  More data and better analysis tools can help managers make better decisions about talent management.

Deciding what will replace ERP isn’t easy.  The current model of cloud based ERP allows for a great deal of talent pooling on the software engineer side to cater products towards their customers.  In that model a company like Workday can develop a tool for a specific client and then scale it across their business giving them an edge against competitors.  This model encourages an evolutionary change not a revolutionary one.  

Discovering what the revolutionary change could be isn’t easy.  The iPhone made a lot of sense to a lot of people.  Now that enough years have passed since its release, it seems a bit obvious in hindsight.  Look at the gadgets folks are carrying around and try to find a way to consolidate them into one.  The next level of ERP will take the collection of items on the tool belts of businesses and consolidate them further.

Identity & Access Management

2013 and 2014 were major years for IAM awareness in both government and industry.  The Snowden leaks helped teach government agencies the value of limiting individual access to vast troves of information.  In the private sector space Target’s credit card breach cost the company 46% of its fourth quarter profits and litigation for more than 140 lawsuits (Radichel, 2014).  Although Target’s breach might have been stopped by any number of mitigation efforts, proper IAM would have limited the ability for the intruders to spread from the billing system used by the HVAC company to the more sensitive parts of the network.

The attention received from the breaches has resulted in an increased level of attention on the topic from all levels.  Some parts of the industry such as Staminus Security and Norse Corp have responded with security theater (Gallagher, 2016 & Fisher, 2016) while other parts of the industry have taken a thoughtful look at making sure only the right people have access to the right amount of information.

For local IT, IAM often takes the form of a Microsoft Active Directory server or some LDAP variant.  LDAP v3 is described in RFC 4511, released in 2006, and includes a number of key features, namely bind, unbind, unsolicited notification, search operation, modify operation, add operation, delete operation, modify DN operation, compare operation, abandon operation, extended operation, intermediate response message and StartTLS operation.  In general these commands are initiated through TCP or UDP port 389.
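To make the operation list concrete, the following added example (not from the original post) decodes the BER framing of RFC 4511 messages and reports any simple bind whose password was sent before a StartTLS request. The function names, the sample DN and password, and the idea of feeding it client messages as a directory server or LDAP-aware proxy would decode them are assumptions made for illustration.

```python
# Added example (not from the original post). APPLICATION tag -> request op, RFC 4511.
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
OPS = {0: "BindRequest", 2: "UnbindRequest", 3: "SearchRequest", 6: "ModifyRequest",
       8: "AddRequest", 10: "DelRequest", 12: "ModifyDNRequest", 14: "CompareRequest",
       16: "AbandonRequest", 23: "ExtendedRequest"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one BER element; definite lengths only."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:                       # short form: the byte is the length
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not allowed in LDAP")
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def classify(msg):
    """Decode one LDAPMessage into (message_id, operation, detail)."""
    tag, body, _ = read_tlv(msg)
    id_tag, mid, pos = read_tlv(body)
    op_tag, op, _ = read_tlv(body, pos)
    if tag != 0x30 or id_tag != 0x02 or op_tag & 0xC0 != 0x40:
        raise ValueError("expected SEQUENCE { INTEGER, [APPLICATION n] ... }")
    name, detail = OPS.get(op_tag & 0x1F, "Other"), {}
    if name == "BindRequest":
        _, _, p = read_tlv(op)               # version
        _, dn, p = read_tlv(op, p)           # bind DN
        auth_tag, cred, _ = read_tlv(op, p)  # [0] simple password or [3] SASL
        detail = {"dn": dn.decode("utf-8", "replace"),
                  "cleartext_password": auth_tag == 0x80 and len(cred) > 0}
    elif name == "ExtendedRequest":
        _, oid, _ = read_tlv(op)             # requestName [0] LDAPOID
        detail = {"oid": oid.decode("ascii", "replace")}
    return int.from_bytes(mid, "big"), name, detail

def cleartext_binds(client_messages):
    """DNs whose simple-bind password was sent before any StartTLS request."""
    tls_requested, findings = False, []
    for raw in client_messages:
        _, name, detail = classify(raw)
        if name == "ExtendedRequest" and detail["oid"] == STARTTLS_OID:
            tls_requested = True
        elif name == "BindRequest" and detail["cleartext_password"] and not tls_requested:
            findings.append(detail["dn"])
    return findings

def tlv(tag, value):  # encoder for the constructed samples; short-form length only
    return bytes([tag, len(value)]) + value
def bind(msg_id, dn, password):
    op = tlv(0x02, b"\x03") + tlv(0x04, dn) + tlv(0x80, password)
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))

# Constructed samples: one client's messages on port 389, in order.
DN = b"uid=alice,ou=people,dc=example,dc=org"
PLAIN = [bind(1, DN, b"constructed-pw")]
UPGRADED = [tlv(0x30, tlv(0x02, b"\x01") + tlv(0x77, tlv(0x80, STARTTLS_OID.encode()))),
            bind(2, DN, b"constructed-pw")]
```

`cleartext_binds(PLAIN)` returns the bind DN, while `cleartext_binds(UPGRADED)` returns an empty list because the client asked for TLS first.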

While RFC 4511 has served the industry well for creating functioning authentication protocols, the nearly full decade since its release has seen a great deal of growth and development.  In December of 2015 the VP of Technology for Advancer Corporation penned his IAM predictions for 2016, giving us an indication of how far the field has developed.  His seven predictions include:

 

  1. Cyber security has become the religion, equally for government and businesses.

  2. Cloud IAM to spread towards provisioning capabilities.

  3. Spreading of IDM systems on on-premise as well as cloud.

  4. Cloud will enable greater utilisation of IAM products by small enterprises.

  5. Safeguarding and securing super users through PAM.

  6. Managing of identity through secure user identity management and access governance will enhance.

  7. Businesses will stay agile by adding more layers of IAM into their IT infrastructure.

(Mittal, 2015)

In addition to SaaS, PaaS and IaaS, companies including Centrify are now talking about Identity as a Service (IDaaS).

All of these technologies are extensions of the need to be authenticated within cyberspace.  For individual users, sites such as LastPass step in to help them manage their online identity across a myriad of websites.  SSH, Bitcoin and Bitmessage all operate using cryptographic keys to ensure sender and recipient identification during transmission.

For the average user this effort really hits home in the area of social media.  As of 2011 Facebook began forcing https connections to reduce the man-in-the-middle attack vector (Stackoverflow, 2011).  Google also adopted https in 2011 to reduce snooping on user search queries (Google.com, 2011).  The robustness and popularity of social media caused Gartner’s research team to predict in 2013 that future customer identities would be based on social media (Gartner Inc., 2013).  Today the spirit of that prediction holds true as social media sites are integrated into sharing economy sites such as AirBnB and educational sites such as Khan Academy.  Google’s developer websites now include easy to follow guides for leveraging their identification services into emerging technology (Google.com, 2016).

In mobile computing just like traditional machines identification management begins with authenticating on the device itself.  Fingerprint readers are now serious features on smartphones.  Although phones do have inherently insecure networking components (Anthony, 2013) they do enable a second layer of IAM, two factor authentication (2FA).  2FA on smartphones works because the phone itself is a part of two separate networks.  The SMS messaging service built around the purely cellular technology is in many ways a separate network from the data connection on the phone itself.  Because of this an attempted login over https can be verified using an SMS message.  Circle finance requires authentication before conducting bitcoin transactions and major social networks now offer 2FA as part of their authentication services.
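The server side of the SMS check described above, as an added example that is not part of the original post: a one-time code is tied to the login session, expires, can be used once, and is burned after a few wrong guesses. The class name, the `send_sms` gateway callable, the five-minute lifetime and the three-attempt limit are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

CODE_TTL = 300     # seconds a code stays valid (assumed policy, not from the post)
MAX_ATTEMPTS = 3   # wrong guesses allowed per challenge (assumed policy)

class SmsSecondFactor:
    """Server side of an SMS code check that follows a password login over HTTPS."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # hypothetical SMS gateway callable: (phone, text)
        self._clock = clock
        self._pending = {}          # session id -> [code, expiry time, attempts left]

    def start(self, session_id, phone):
        """Create a fresh challenge for this login session and send it out of band."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG-backed six-digit code
        self._pending[session_id] = [code, self._clock() + CODE_TTL, MAX_ATTEMPTS]
        self._send_sms(phone, f"Your login code is {code}")

    def verify(self, session_id, submitted):
        """True only for the right code, on time, within the attempt budget, once."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        code, expiry, attempts = entry
        if self._clock() > expiry:
            del self._pending[session_id]
            return False
        # Constant-time comparison so response timing does not leak matching digits.
        ok = hmac.compare_digest(code.encode(), str(submitted).encode())
        if ok or attempts <= 1:
            del self._pending[session_id]   # single use, or attempts exhausted
        else:
            entry[2] = attempts - 1
        return ok

def demo():
    """Constructed run: a wrong code, the right code, then a replay of the right code."""
    outbox = []                              # stands in for the cellular network
    mfa = SmsSecondFactor(lambda phone, text: outbox.append((phone, text)))
    mfa.start("session-1", "+15555550100")
    code = outbox[-1][1].rsplit(" ", 1)[1]
    wrong = "000000" if code != "000000" else "000001"
    return [mfa.verify("session-1", wrong), mfa.verify("session-1", code),
            mfa.verify("session-1", code)]
```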

In the cloud, IAM has become a must-have as cloud features have grown in popularity and potential.  Google for business accommodates several layers of cloud sharing options with respect to files hosted on Google Drive.  By default they are only accessible to the author.  The default for sharing is to have it shared across the entire organization.  Additional options exist for public read only, public edit and organization read only.  Because the system is cloud based it can respond quickly to new features suggested by user feedback.  Google’s products aren’t the only ones with these features.  Similar access control and identification measures are implemented into Dropbox and ownCloud and are considered a standard feature set when developing similar tools.

As we move more and more things to the cloud and big data becomes more of a reality for businesses, IAM will continue to be a significant part of the organization’s IT strategy.  In the business world Sony’s 2014 breach, attributed to an insider threat, is a critical example of how big data matched with poor IAM can cause serious problems.  While 2013 and 2014 were significant years for IAM awareness, today the industry has matured, but only time will tell if the pace of maturity across the spectrum has kept up with the pace of innovation from malicious actors.

 

 

 

References:

Anthony, S. (2013, November 13). The secret second operating system that could make every mobile phone insecure | ExtremeTech. Retrieved April 12, 2016, from http://www.extremetech.com/computing/170874-the-secret-second-operating-system-that-could-make-every-mobile-phone-insecure

Fisher, C., & Jude, A. (2016, February 4). Hot Norse Potato | TechSNAP 252 | Jupiter Broadcasting. Retrieved April 12, 2016, from http://www.jupiterbroadcasting.com/93496/hot-norse-potato-techsnap-252/

Gallagher, S. (2016, March 11). After an easy breach, hackers leave “TIPS WHEN RUNNING A SECURITY COMPANY”. Retrieved April 12, 2016, from http://arstechnica.com/security/2016/03/after-an-easy-breach-hackers-leave-tips-when-running-a-security-company/

Gartner, Inc. (2013, February 5). Gartner Says Half of New Retail Customer Identities Will Be Based on Social Network Identities by 2015. Retrieved April 12, 2016, from http://www.gartner.com/newsroom/id/2326015

Google.com. (2011, October 18). Making search more secure. Retrieved April 12, 2016, from https://googleblog.blogspot.de/2011/10/making-search-more-secure.html

Google.com. (2016, April 12). Google Identity Platform  |  Google Developers. Retrieved April 12, 2016, from https://developers.google.com/identity/

Mittal, R. (2015, December 18). IAM Tech Trends to watch out for in 2016. Retrieved April 12, 2016, from https://www.linkedin.com/pulse/iam-tech-trends-watch-out-2016-rajesh-mittal

Radichel, T. (2014, August 5). Case Study: Critical Controls that Could Have Prevented Target Breach. Retrieved March 29, 2016, from https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-prevented-target-breach-35412

Stackoverflow. (2011, January 27). Force HTTPS on Facebook? Retrieved April 12, 2016, from http://stackoverflow.com/questions/4723983/force-https-on-facebook

Information Portability and Control

Information is the ultimate currency of any organization.  Protecting that information so the right message is released to the right audience at the right time is the responsibility of each individual in that organization.  In some sectors mishandling of information can lead to life threatening security concerns.  In most cases though information mishandling leads to a significant cost of time and money.  

Among the many things businesses can adopt to mitigate the risk of information spillage, the first that I would recommend is to normalize encryption for all communication.  One of the major ways people communicate online is via email and there are several email encryption solutions available.  Most of the solutions are offered by private companies and are proprietary.  When selecting a proprietary system it’s important to evaluate how that system will accommodate future technology.  Currently the U.S. Army’s email encryption system requires a 32-bit version of Internet Explorer 9 in order to function, which reduces users’ ability to leverage new technologies.

In many cases email is used to transfer files in addition to text messages.  Some conversations can be consolidated to a collaborative cloud based text editing system that allows multiple live editors such as Google Docs, Office 365, or ownCloud.  These solutions are more secure because they don’t require transferring the information unencrypted from one server to another.  The users can simply edit the documents using the secure (https) connections of their browsers.

If the business does need to transfer large files securely across multiple workstations BitTorrent Sync will allow easy and secure file sharing without any additional cost of organizational infrastructure.  Shared folders can be synchronized across a vast network with specific controls on who can read, write, and access the files.  I’ve used BitTorrent Sync to transfer several gigabyte movie files and large photo libraries across continents.

Businesses have to address the balancing act of sharing their information within the organization in a way that still allows them to maintain control and leverage that information for profits.  Handling this information is everyone’s responsibility and any system that gets implemented needs to be easy to use so it can have the widest range of adoption.