Strategy, Not Knee-Jerk

Today a lawmaker who was briefed on the Federal Office of Personnel Management breach of employee data leaked that the incident is far worse than originally reported. Not 4 but maybe as many as 14 million records of federal employees, past and present, are in the hands of the bad people. Very disturbing. http://bloom.bg/1Fc8EMx

These record sets are what is known as “fulls” or “fullz” in the hacker lingo. They are full sets of information. Names, addresses, phones, social security numbers, pay, health records, military service records, and – most damaging – security clearances. Think of the opportunities. Think of the damage. Think of the outrage from the victims that their very safety and personal property have been exposed.

Plus it may have come from China.

But what bothers me most is the knee-jerk reaction from the Congressional hawks. They want a response. They want to declare war. They want to go to the alleged perps’ servers and destroy data. John McCain is almost shouting for a “preemptive strike.”

It’s another example of governmental leaders making quick decisions without thinking through the implications or consequences. Cyberwar is nothing trivial. Not only could it unleash a storm of “weaponized code” – as my clients in the information security world call it – but it may not come only from a few sources like China or North Korea. The entire hacking community could get involved. That’s a lot of enemies. The implications are chilling.

McCain spoke about the ability to shut down the US power grid from abroad. If the US declares cyberwar we can probably expect exactly that type of action. The hawks will have guaranteed it. Often the government takes action without thinking through the unintended consequences.

Stuxnet, the malware developed to attack Iran’s centrifuges concentrating nuclear material, turned out to be reverse engineered and various versions were dropped back into US systems and weapons systems.

Let’s not forget that the Snowden incident was a game-changer. One person was able to create an entirely different perception about government collection of data on upstanding citizens. He revealed the capabilities of the NSA and the US Cyber Command. Cybersecurity is an area where one person can create significant damage.

It is never good strategy to reveal your thinking to your enemy. “What’s wrong with you Santino? Never let someone outside of the Family know what you’re thinking.” Is it really a good idea to rattle sabers if you don’t have a prepared strategy to back it up? We can almost guarantee that one does not exist.

The smart way to approach this problem is with a two-pronged effort. One is the ratification of US and worldwide law that provides severe penalties for these actions. That’s what McCain should be backing and initiating with his history of taking brave political initiative. But the other prong should be a robust but clandestine plan to penetrate, invade, creatively disable enemies and deal with as many resulting contingencies as possible.

The Analytics Payoffs

For a lot of years I’ve been sharing a conclusion from decades of observing small group activity. I believe that when 5 or more people work together effectively on a challenge they bring the intellect of at least a genius to the work. It doesn’t matter if the group members are smart or high in an organization or what we believe is well-educated. I watched it for years and then put a measure to it.

Back when we used to have more time during training or planning or decision-making settings I used to administer a short quiz fashioned after the preliminary entrance exams for membership in Mensa, the society of genius-level IQ holders. I would do it as an intellectual warm-up. In order to determine if you could gain entry to Mensa you would need to score at least 7 out of 10 correct answers.

Every group, whether made up of corporate executives or hospital maintenance workers, to which I gave the test scored 7 or higher. Around half would score perfectly.

Today, the use of analytic techniques is proving my point. At the Wharton People Analytics Conference, an interview published on Knowledge@Wharton cited Google’s head of HR, Laszlo Bock, who is an evangelist for the use of analytics in the field. Teams, when put together correctly, are at least geniuses.

The Wharton interview is full of useful bits of information. Make sure an employee being “on-boarded” meets their management on the first day. A person’s success at a company depends heavily on who they work for. A team IQ is often greater than the sum of the parts. A mix of introverts and extroverts along with norms of behavior make the most productive teams. Moneyball got it right and is at least partly responsible for the upsurge in the people analytics.

Surprisingly, the best firm on hiring, according to Wharton experts, is Teach for America, a not-for-profit that has embraced analytics in order to get better teachers in front of kids. But the organization also knows that they don’t know enough yet. That’s a good lesson for those of us who are futurists. Go with the best information you have but always doubt it and find even better ways of making good decisions.

The biggest question about the use of analytics overall? Why more top leaders are not embracing it. Whether it’s a lack of hubris or a fear that it might replace jobs it’s a baffling question but the condition exists. I hope for a change.

In almost all of my busiest industry niches there’s buzz about “Big Data.” Mostly buzz. Not much there, there yet. But it’s coming in a big way and the harbinger may be people measurement, especially help in hiring. Another observation I’ve made over the years of managing my own businesses was that a bad key person hiring (manager, salesperson, technician, creative talent) would cost at least 3-4 times their annual compensation. People analytics is proving it now.

While there’s more buzz about marketing analytics than anything else in the media my bet is on human resources as the place where the first major inroads will be for analytics in organizations.


Fear Most? Not the Right Question

One of the better edited digests of information I read regularly is the Wall Street Journal’s “CIO Journal.” It’s a compilation of news items that affect businesses from the perspective of the increasingly integrated information and communications technology side of enterprises.

This morning a question was posed. “…which of the following Black Swan events you fear the most: natural disaster, cyber attack or hack, a loss of top talent, or that one of your strategic vendors gets acquired.” The column will compile the results.

A laudable effort. I will be interested. But as a practical matter it’s not enough to be looking only at the obvious future events that will affect your organization. If it had been me, I would have used a widely flung and well-informed network like CIO Journal has in its readers for even more useful purposes.

Subject matter experts who’ve arrived at their conclusions independently can be the best forecasters of the events ahead that are NOT on the radar screen yet. That was one of the central tenets of the fine James Surowiecki book The Wisdom of Crowds.

Will we see a natural disaster that will affect companies? A major cyber attack or hack? Loss of top talent? Changes in the competitive landscape? Of course. They’re givens, not forecasts. And we need to be prepared for all of them, not rank ordering which we fear most.

For the last two years I’ve moderated the largest worldwide meeting of information security professionals. When I poll that group about the probability of a major cyber attack 75% agree it’s imminent. The other 25% respond that it happened already or is now occurring regularly.

The overlooked future events are the ones we’re not thinking about right now. They’re hidden around the corner or over the horizon.

That’s why I use techniques in strategy sessions to draw them out. Lay them in front of leadership. Examine their place in the spectrum of what’s ahead. Contemplate the after-effects and consequences of their occurrence. Develop a range of approaches to deal with them. Perhaps even compile contingency plans to address them.

Should you plan for the obvious? Of course. A mark of a truly robust organization, however, is one that looks for the unseen, the hidden, the events ahead that are not obvious.