Welcome to The UltraTech Zone Sign in | Join | Help

Talking Out Loud with ASB

Views on Life, Technology and Everything, by ASB (aka Logik!)...

My Profile

Andrew S. Baker (ASB)

News

  • Platform: CS v2.1 SP2...

    Get a FREE phishing filter for your domain!

    Who links to my website?

    Pando Pro

Dueling Business Mindsets

imageIf there is one lesson that technologists need to understand in order to be successful, it’s that business is ultimately more about people than about process or technology.  At the end of the day, how people think, behave and operate will have be the greatest influence on the success of any organization.

With that said, it has been my observation that every single business operates in two contexts or modes.  For now, we’ll call them Mode 1 and Mode 2, where Mode 1 is the normal or typical mode of operation, and Mode 2 is the mode of operation in or around the timeframe of “an incident.”

From a technology perspective, the nuances of  Mode 1 and Mode 2 are somewhat different depending on whether we are discussing general technology management or information security management.  For general technology management, the issues tend to be related to the following:

  • Redundancy (system, application, network or site)
  • Performance
  • Capacity
  • Disaster Recovery and Business Continuity

For information security management, the items in question tend to be related to the following:

  • Encryption
  • Access Control
  • Segregation of Duties
  • Logging and Monitoring
  • Operational Risk of any kind

Remember, the following is true of every business…

In Mode 1, or normal mode, the business moves along as fast and as seamlessly as possible.  This is the mode of getting-things-done, and the goals are to increase business, improve revenue, and get things out of the door.  Under regular circumstances, this mode is supported, condoned and many times even sponsored by the organization’s senior management team.

Mode 2 is the mode that gets turned on immediately after "an incident."   An incident can be anything related to a system crash or failure, a broader outage, a security breach, or anything that requires PR or other customer communication.  It can be anything that affects our IT Operations or Information Security considerations listed earlier. The severity of the issue or incident will dictate how long Mode 2 remains in effect.

As soon as it is recognized that something highly undesirable has occurred, the senior management team – or its duly elected representative – leaps into Mode 2, and tries to drag the entire business with it.

Mode 2 is where security and high availability are really and truly taken seriously.

Generally speaking, most IT operations teams try to operate in Mode 2 as often as possible, but over time, they will get worn down to the point where they hang out in a sort of Mode 1.5 state.   Information Security teams, however, have are motivated by more paranoia, and almost always remain in and around Mode 2(This tends to annoy other people, who are likely to suggest that the InfoSec folks lack people skills or don’t understand how business needs to operate.)

Despite this general grumpiness about the relentless Mode 2 focus of the InfoSec team, as soon as there is a security incident – or even a near miss – the senior team jumps into a Mode 2 context, and starts trying to find out why the business hasn’t been in that mode the whole time! 

Nothing is more frustrating than being blamed for something happening that you saw coming but were not allowed to reasonably address, when the blame is coming from the very people who could have facilitated the solutions.

Some points about corporate mode switching:

  • The larger the organization, the harder it is for the senior team to get everyone out of their normal mode and into Mode 2 during an emergency.
     
  • After a while, no one is fooled by the switches between Mode 1 and Mode 2 – not the employees and not the customers.
     
  • Systems engineers and administrators that have grown weary with the futility of trying to do the right thing, ultimately stop trying, and just do whatever they can get away with.  This increases the number of incidents, but they no longer feel the torture of the inevitable blame.
     
  • We should be very, very afraid when Information Security professionals get worn down by the same futility, because the stakes are higher.
     

While it is generally accepted that people are the weak link in any security model (or any operational technology model, for that matter), it is rarely recognized that the low-level employees are not the biggest problem.   This is because the employees on the bottom part of the org chart can only pose a risk to the operational or security posture of the typical business if the folks in the upper portion of the org chart allow them to by the corporate culture that is created, nurtured and enforced.

Still think this is not a regular situation in the corporate world?  Then take some time to look at the next set of breach notifications or outage notifications, and see if you can identify organizations that have temporarily escalated to Mode 2

And, trust me, you’ll have plenty of opportunities to look at some high profile outage and security breach notification in 2013…

Share Post:
Posted: Tuesday, April 30, 2013 9:59 PM by Logik!

Comments

No Comments

Anonymous comments are disabled

About Logik!

Andrew S. Baker aka ASB aka Logik!

Andrew S. Baker is a business-savvy, hands-on IT leader with expertise in mentoring people, mitigating risk, and integrating technology to drive innovation and maximize business results. He creates competitive advantage for organizations through effective IT leadership: implementation of processes and controls, and architecture of robust business solutions.

Mr. Baker has successfully led a number of high-performance technology teams in designing, deploying and maintaining secure, cost-effective computing environments for well-known companies, including Warner Music Group, The Princeton Review, Bear Stearns, About.com, and Lewco Securities.

For over a decade, Andrew has exhibited thought leadership on technology and business topics via mailing lists, technical forums, blogs, and professional networking groups, along with contributions to podcasts, webinars, and over 20 technical/business magazine articles. He also serves on several boards and committees for non-profit organizations, and within the Seventh-day Adventist church.

His personal interests include Astronomy, Basketball, Bible Study, Chess, Comics, Computers, Family Life Ministries, Reading, Strategy/Role Playing games, and Professional Networking...

A summary of Andrew's current résumé is available here, and he can be reached on a variety of social and professional networks, including LinkedIn, Facebook and Twitter.