In a security breach, the perspective of who’s responsible is shifting…

The implications of boards holding Chief Executive Officers accountable for breaches will be something to watch. Recently a survey of 200 public companies shows that corporate boards are now concerned about cybersecurity and willing to hold top executives accountable.

Since the board (and the CEO that they put in place) is ultimately responsible for the results of the company, making the CEO responsible shouldn’t be a surprise. A security breach is just one example of a business risk, not just a “technical issue,” so it should be treated in a similar fashion. There are roles like the CISOs, CIOs, CROs that may support the CEO in their efforts to steer the ship, but if the organization runs aground, the highest levels of corporate leadership need to be held accountable — just like they are rewarded for improved corporate performance. Neither scenario is accomplished by the CEO alone.

A data breach can impact customer confidence, stock price, and the company’s reputation for a long time and those are not “technical issues.” Unfortunately, it is not a matter of “if” but “when” a security incident will occur so a formal effort must be expended to anticipate, detect, develop contingency plans to limit, and correct the situation when it occurs, as quickly and effectively as possible, reducing the impact on the customers as well as the organization itself.

That is likely one reason why in job postings today there is an abundance of openings in the security space.

Waste can be Good – it’s all relative

As businesses make the transition to where the edge of the enterprise is wired into the operational processes of the business, we will start to consume our resources quite differently than we have in the past. We can use the abundance of computing capabilities to shed light on all the dark data currently available to develop a deeper contextual understanding of situations we encounter. Money may not be growing on trees, but there is much more we can be doing.

An article in Wired magazine back in 2009 discussed how: Tech Is Too Cheap to Meter: It’s Time to Manage for Abundance, Not Scarcity. In this world of exponential increases in capability, 2009 is ancient history; even so, the article is useful. It works through examples like how Alan Kay used the precious resources of the computer to display pictures on the screen instead of just textual data. George Gilder called this “wasting transistors” — making people more productive by using the transistors (computing capability) available.

The funny thing about waste is that it’s all relative to your sense of scarcity.

As we look to use higher levels of automation to handle more “normal” activities and focus people’s attention to turning anomalies into opportunities, we’ll use pattern recognition and other techniques that may appear to waste cycles. I hear people today complain about the expense of cloud computing and that it is out of control. That is more about what they use these resources for, how they measure impact and exercise control than anything to do with cost, at least from my perspective. As more capabilities become available and algorithms improve, we’ll need to do even more with more – not less.

The Wired article shows how behavior needs to change as we move from a perspective of scarcity to abundance:

From a perspective of Scarcity or Abundance

| | Scarcity | Abundance |
|---|---|---|
| Rules | Everything is forbidden unless it is permitted | Everything is permitted unless it is forbidden |
| Social model | Paternalism (We know what’s best) | Egalitarianism (You know what’s best) |
| Profit plan | Business model | We’ll figure it out |
| Decision process | Top-down | Bottom-up |
| Organizational structure | Command and control | Out of control |

This kind of shift in perspective is disruptive, useful and the right thing to do to take maximum advantage of a truly scarce resource – the human attention span.

The ‘Who Moved My Cheese?’ of Legacy Systems

Having recently gone through a personal disruption related to employment, I dusted off my copy of Who Moved My Cheese? After re-reading the book, I thought about how this applies to the life of the CIO and application portfolio management. We are all too often with the world we understand and the 80% (or more) of the budget it consumes – failing to Sniff out opportunities.

Recently there was a post, CIOs make the tough call on legacy systems by Mary K. Pratt, that delved into the issue of managing the layer upon layer of project success that builds up to calcify an organization’s ability to respond; I found it a worthwhile read.

Even in this day of IaaS and SaaS, the basics of optimizing the application portfolio of an organization remain relatively unchanged. It gets down to where the organization is headed and an assessment of costs vs. value generation.

Organizations need to ask some fundamental questions like:

  1. What needs to be done and why?
  2. How is it going to be accomplished?
  3. What is the expected outcome?
  4. When will it be needed or done?
  5. How will we measure outcomes, so we can validate that the task is complete and effective?
  6. What resources will be required? ($$, people…)

Essentially an assessment of leading and lagging indicators and how the portfolio can support them.

A simple view of the assessment is summed up in this quadrant chart:

Apps Portfolio Assessment

I am sure there are other complex and wonderful interpretations of this, but to me this view is the simplest. Keep what adds value and has a low cost to operate. Refactor those programs (where possible) that have a high cost to maintain and also add high value. Validate the need for anything that delivers low value – you may be surprised how many of these you can turn off. Finally, replace those that have business support and high cost.

In this age of automation, the concepts of cost need to be holistic and not just the IT maintenance costs… For a parody of Who Moved My Cheese? touching on automation, look to this Abstruse Goose illustration.

It is not hard to start but it is constantly changing so it may never be done.