If a data breach occurs, what’s the important first step?

Digital Guardian, a vendor of information technology security solutions, recently invited me, as well as 29 other IT Security practitioners to comment on a security topic (made all the more relevant by the recent media coverage of several significant  data security issues). The topic was: “What’s the most important next step you should take following a data breach?”

Here’s what I wrote.

Following a data breach, there are really only two options:

You either implement your data breach response plan, or you resign, because if you don’t have a predefined plan, you are doomed.

Implementing a data breach response plan can be a significant (and expensive) undertaking. It’s complex; it is absolutely not something that can be done by the seat of your pants.

What does a data breach response plan look like? Actually, to call it a plan is probably a misnomer; it’s really more of a template that allows you to quickly develop a customized response plan that is based on the specifics of the actual breach. The key to crafting this plan is to have a cross-functional team defined and ready to spring into action at a moment’s notice. In addition to a team lead, it should include representatives from the organization’s executive, IT, Legal, Risk, Privacy, PR/Marketing and Customer Service, as well as any third parties that may be required. And they need to be trained; to maximize their effectiveness they should have had the necessary education and training, and a number of dry runs through a series of different scenarios. (Don’t let the response to an actual breach be the first time that the plan has been executed.)

It’s important to remember that this is really an exercise in crisis management. Studies show that organizations can avoid longer term impact as long as the perception held by their customers (and shareholders) was that the issue was properly managed. Handle the crisis poorly and the recovery will likely take longer (or not happen at all).

One more thing to remember. The data breach response plan is a living document. As individuals change roles and as the organization evolves (mergers, acquisitions, divestitures etc.) the plan needs to change as well.

Care to see the other 29 opinions? There’s many that I agree with completely (and to tell the truth, a few that I think are a bit offside). You can find them on the Digital Guardians blog.

photo credit: Amarand Agasi via photopin cc

CRM for Fun and Profit, Part II: Costs

Some time ago I was at a Microsoft Convergence conference and was immersed in all things CRM. During one discussion the topic of the costs of CRM implementations came up. I distinctly remember one of the comments.

“The trouble with CRM projects is that the first 80% of the project takes the first 80% of the budget and the remaining 20% of the project takes the other 80%.”

I recall that we all had a pretty good laugh over this.

Like most humor, it’s funny because it’s true. The typical CRM project costs more than originally expected.

I think there are a few reasons for this. The first is that most of us are unreasonably optimistic and tend to underestimate the complexity of the average project. This doesn’t just apply to CRM projects – it’s virtually every technology project. (See Management by Wishful Thinking for background on why this occurs.) Invest some time and thought in the planning process in order to combat this.

A second reason is that companies try to go it alone and don’t get expert help. It is very difficult to get it right the first time; contracting some expert help can minimize the risk greatly.

A third (and the biggest) reason is that the scope of CRM projects becomes broader than originally planned. There are several factors that influence this.

Business Processes: Your company probably has its business processes documented and there’s a good chance that they reside in some dusty binders resting on an obscure shelf somewhere. The challenge is that they are likely out of date. Processes change fairly regularly and unless your company is extremely diligent the documentation doesn’t necessarily get updated. And these are just the formal changes. Users develop their own shortcuts and workarounds and these never get documented. The processes in those binders are at best an approximation of what actually happens. So you are going to have to spend some extra time understanding the current state of your processes.
Organization: It’s not just business processes. To get the maximum benefit from CRM you have to make sure the culture and philosophy of the organization are themselves customer centric. Companies that are implementing CRM for the first time typically aren’t focused on the customer – they are focused on whatever product or service they offer the customer. The journey to becoming customer-centric is longer and harder than expected.
Another organizational consideration is who owns the customer? I have seen CRM create turf wars in organizations over ownership of the customer. Sales? Marketing? Customer Service? Does the regional office or national office own the customer? CRM requires a customer engagement strategy where this type of thing is defined in detail, or else your customers could be bombarded by disconnected messaging from various functions in your organization. Developing this strategy takes time and money.

People: Winning the hearts and minds of the users can be difficult. It’s great that CRM is good for the company, but what’s in it for them? There will be resistance because the implementation of CRM is creating a new area of subject matter expertise and likely diminishing the importance of some existing subject areas. That’s a difficult situation for the present subject matter experts. Change is always hard – it can be helped along by providing compelling explanations of the benefits that the users will get from CRM. Make sure that end-user training is complete and answers the ‘why’ questions as well as the ‘how’. Also remember that CRM can give you a lot of information on end-user productivity, and that attention is not always welcome. The bottom line is that training and education will be a larger effort than you originally anticipated.

Integration: Most CRM systems are integrated with existing systems and data. Integration with existing systems is harder than you think it will be. There are a number of reasons for this. It’s likely that, like your business processes, your current systems and data are inadequately documented. The effort to better understand your current state will again be larger than expected.

Once you understand what you have there is the issue of data quality. Data quality has numerous properties that need to be considered (accuracy, validity, timeliness, consistency and completeness). The older your data the greater the likelihood that a data quality effort will need to occur before this data can be integrated into the CRM system. This is not a trivial effort.
One more thought about integration – there are actually two integration efforts that need to be considered. The first is the initial data load, the second is the periodic (daily, weekly or whatever) update/refresh. The efforts are similar but different; plan to manage them as two separate and distinct efforts.

Security: CRM collects (and generates) a *lot* of data. It needs to be managed and safeguarded. Regardless of whether it’s on-premise or in the cloud, security, confidentiality and privacy of data is a big deal and by implementing CRM you have just made it bigger, particularly if any of the data is being exposed to the internet through a portal. Protecting the CRM data from unauthorized access from both internal and external sources needs to be considered part of the project.

Success: Success can be a problem. Once the business community starts to better see the benefits of CRM there will be pressure to broaden existing functionality or add additional capabilities. There will be demands to broaden scope and start adding these additional capabilities immediately, particularly if you are implementing CRM in a series of small releases. Indiscriminately adding scope to the project is an easy way to turn a 12 month project into one that takes 18 months. Ensure that you have a robust change control process defined or you may find yourself with a project that never ends.

CRM is a worthwhile investment, but it’s good to start with your eyes wide open. There are aspects to CRM projects that aren’t readily apparent at first glance; missing these can lead to increased costs, extended durations, unfulfilled expectations and general disappointment.

And who wants that?

photo credit: photosteve101 via photopin cc

Nightfall – a story about change and consequences

In 1941 Isaac Asimov (who was a prolific writer – he wrote or edited over 500 books as well as hundreds of short stories) published a short story entitled Nightfall. Set on a distant planet, it’s a classic science fiction tale. The theme of the story is cultural and societal in nature; it’s about the consequences of change and our unpreparedness for it. Even after 70 years its message (and the conclusions we can reach from it) is relevant.

The action takes place on the planet Lagash. It seems to be a planet much like earth but the solar system that Lagash belongs to is unusual; there is one primary sun but there are also five secondary suns. It is never night on Lagash; the inhabitants live in a state of perpetual sunshine because of the number of suns and the complexity of their orbits. Since night never falls on Lagash they are not aware of the larger universe; for them the entire universe consists of six stars and one planet.

The story reveals that scientists have recently made several discoveries. Archeologists have uncovered evidence that the Lagash civilization collapses every 2,000 years. They have proof that there have been nine previous cycles. Astronomers have discovered aberrations in the orbits of the suns, leading them to hypothesize that there is another unseen object in their solar system, which in turn leads them to a theory about the potential of eclipses, one of which is predicted to be imminent. There are also religious nuances to the story. A group, called The Cult, possesses ancient texts that speak about the Night and the Stars, two topics that are dismissed by many of the scientists as mere mythology. But to their credit some of the scientists try to anticipate what will happen if night does fall. One speculates that the universe might be bigger than they had ever considered; maybe one or two dozen suns. Some even build a chamber to simulate how stars might appear (and to see if their appearance drives them mad).

The eclipse begins as predicted and panic builds across Lagash. When totality is achieved and night finally falls, to everyone’s horror they find that the issue isn’t the darkness. It’s the stars.

“With the slow fascination of fear, he lifted himself on one arm and turned his eyes toward the blood-curdling blackness of the window. Through it shone the Stars! Not Earth’s feeble thirty-six hundred Stars visible to the eye; Lagash was in the center of a giant cluster. Thirty thousand mighty suns shone down in a soul-searing splendor that was more frighteningly cold in its awful indifference than the bitter wind that shivered across the cold, horribly bleak world.”

And for the tenth time, all across Lagash the cities burn.

I read a lot of science fiction when I was in my teens and I vividly recall reading Nightfall. In re-reading it now I am a bit disappointed when I realize that I kind of missed the point. I originally believed it to be just a good astronomy story (I thought my 14 year old self was brighter than that!) but now I realize that it’s about change, and I see three lessons.

What you see is all there is

In his book, Thinking, Fast and Slow, Nobel prize-winning author Daniel Kahneman discusses the concept of ‘What You See Is All There Is’ – WYSIATI for short. Kahneman asserts (and he has the research to back it up) that because of the way our brain operates we jump to conclusions based on the consistency of the information available. In short, we take the information available and create a coherent story out of it. It’s not the quality or the quantity of information, it’s the consistency of it. Sometimes we think it’s intuition or a hunch, and to quote Kahneman, “Much of the time, the coherent story we put together is close enough to reality to support reasonable action.”

But sometimes it isn’t. The more complex the situation, the less likely it is that the intuitive answer is correct. In Nightfall, the scientists have their story and the cultists have theirs. Both are reasonable based on the facts that they have gathered, but neither group sees the entire picture. They only see parts of the whole; yet both groups are confident that they are taking the correct actions.

How can we combat this tendency? Unless you are in a life-threatening situation, taking the time for a period of sober second thought is a good idea. Take some time and expand your frame of reference by obtaining extra data or by taking a closer look at the data you already have. It’s ok to have a hunch; just make sure that you find concrete facts to back up your intuition.

Ignorance is not bliss

The behavior of the characters on Lagash is different depending on how well they understand what is happening. The scientists have their calculations, hypotheses and predictions. The cultists have their faith and their scriptures. The general population has neither facts nor faith; they just have their ignorance, uncertainty and fear.

Change initiatives in organizations are no different. It’s my experience that all too often we make the mistake of assuming that because we (the leaders, or designers, or implementers) understand the change initiative, everyone else does too. That’s a dangerous assumption. I think in general organizations do a poor job of helping individuals understand the change that is occurring. Communication is a good start, but on its own it is not enough. In the past I have used an informal tool that I call ‘the Knowledge Continuum’ to measure how well a change initiative is understood. It looks like this:

Data –> Information –> Knowledge –> Understanding –> Insight

Based on what I have observed, the communications for most change initiatives provide a great deal of information, some knowledge and virtually no understanding. (If your organization is an exception, then please accept my congratulations – you should package your methodology and sell it.) I believe that the challenge is one of time and cost. It takes an effort (and it could be significant) to move along the continuum, regardless of whether it’s an entire organization or a single individual that is being moved. In my opinion, in virtually every case it is worth making the effort. Your change initiative needs more than a communication plan – it needs an understanding plan. I view this as an investment, and the justification for it falls under the realm of risk management. Compare the cost of the understanding plan versus the potential productivity loss you risk from a disengaged workforce. Do the math and see what makes sense.

Prepare to be surprised

Sometimes we are the initiators of change and sometimes we have change thrust upon us. Regardless of how well prepared you are for change, you will face surprises and uncertainties that will need to be resolved. They may not be as big as the one at the end of Nightfall, but even the smallest surprise can result in major setbacks. I remember when my first child was born; I had read dozens of books on baby care and parenting, but reading is different than experiencing. I was as prepared as I could be, but in retrospect nowhere near as prepared as I would have liked to be. I remember the first month of fatherhood as being a very intensive learning experience! But I muddled through and eventually became reasonably competent in the art and science of parenthood.

It can take time to prepare yourself for change and to work through the intended (and unintended) consequences of change once it occurs. Temper your expectations and give yourself and your organization sufficient time to prepare for what might happen, to internalize what has happened and to address what still needs to happen.

Interested in reading Nightfall? Check it out here.

photo credit: Skiwalker79 via photopin cc
