Why do we need Information Management

    I am guessing most of the readers of this blog are in the University of Washington’s Masters of Science in Information Management (MSIM) program.  For those that aren’t, the MSIM program focuses on connecting Technology, People and Information.  I am sure you have heard the statistics about how much information is out there.  With the advancement of the internet, we have caused the amount of information in the world to explode.  All of this is well and good but the problem arises when you try to make sense of the information.  I was watching a TED talk recently that was basically an overview of what the MSIM program is without meaning to.  The talk is given by Thomas Goetz and it focuses on two things, first the use of fear to accomplish things and secondly the idea that more medical problems could be solved not by better medicine but by better information presentation. 

     As a security professional the  idea that fear wasn’t the best way to relay information was something that I hadn’t considered before.  If you have heard any sort of talk in regards to Computer Security you have heard that a hacker can steal you identity, your bank account and with a little effort your first-born.  Okay so I am exaggerating a little but every talk I have given or heard about Computer Security has been about the negative effects of not securing your network.  Then after giving presentations about how there is never a secure system they wonder why executives haven’t approved their expanded budgets.  I believe we, as security  professionals, are going about this all wrong.  Instead of focusing on how impossible security is, we need to start focusing on how we can make the network better overall with the enhancements that security brings.  In this realm I have found that UX people do a good job for the most part.  When they make a presentation about a new website design they don’t sit there and say how little traffic and how confusing the current User Interface (UI) is and then sit down. They quickly go over part of the problems the current UI and then go on to show how well their UI will work and what it can bring to the table.  Now this might just be an issue for Security professionals but I have a feeling it isn’t.  Overall, as professionals, we need to focus on the idea that has been thrown around this blog, and that is the Value Added principle.  Focus on what value you are going to add to the company and how much it will help in the short and long-term. 

     Now as a final statement, this doesn’t only apply to people working.  If you are looking for a job focus on what you can do for the company.  If you can get the other person even a little bit excited about what you could do for them or the potential you have to help their company you will stay in their mind.  And believe me the more good things you give the interviewer to remember you by the better. 

     Now I realize that this may not be new to most  of you but I found the talk incredibly interesting.  I have a link to it below in case anyone is interested.  What are you thoughts?  Is it better to go all positive?  Are there any drawbacks of only focusing on the Positive? Or is it better to talk about a combination of fear and potential?

Advertisements

Wikileaks and weak links

Photo of an unlocked gate padlockThis post is about Wikileaks, without being about Wikileaks. We know the most recent Wikileaks release was an overwhelmingly large set of data, generated by a fairly low-ranking intelligence analyst, and contains potentially sensitive information. The aspects of the Wikileaks scandal that fascinate me, however, are the human and organizational factors affecting data security.

Why did Bradley Manning do it? He must have known he would be subject to a long prison sentence (at best), and made no efforts to hide his actions. Assuming he was acting rationally, the benefits he imagined from doing so outweighed the prospect of certain punishment. Manning must have evaluated the volume and nature of the data at his disposal – data owned by his organization, effectively the U.S. government – and chose to place his individual motivations above those of the organization to which he belonged.

His own Wikipedia page and various media reports describe Manning’s “disillusionment,” and some opinion pieces paint him as “disgruntled.”

Disgruntled at the age of 23?

This fact points to the causes of the leak: it’s a people problem, more than an information problem. This includes security clearances, i.e., how many eyes need to see the information, but the solution is not about security clearances. Safeguarding organizational data such as that shared in the Wikileaks event is ultimately a management issue, for the following reasons:

A change in employee behavior is a crucial signal to management. It would surprise me if Manning’s behavior changed overnight from unassuming analyst to data thief. A good manager should look for changes in employee behavior that signal a shift in attitude. Furthermore, a manager should ensure he has enough information to act on if restricting or revisiting information flows becomes necessary, particularly in the event that an employee’s risk profile changes.

Digital natives exhibit different workplace values than their older counterparts. At 23, Manning is a digital native. Individuals under the age of 30 have grown up with technology in a world where a sense of possession is poorly defined in digital terms. Digital natives have a different notion of right and wrong in sharing information than previous generations of workers, even when information is proprietary to their organizations. Generation Y is also less loyal to organizations, and expects authority figures to earn their respect, rather than commanding it automatically. (I realize the Army is a very special kind of organization; however, the military cannot claim to be modernizing for warfare in the Information Age and expect to preserve outdated management philosophies, particularly when recruiting overwhelmingly from the digital natives demographic.)

Technology itself distracts from the human issues. Security specialists discuss access protocols and authentication procedures, but focusing on such issues is like staring at the end of someone’s finger when she points to a mountain in the distance. Internal data leaks are a real threat, but they are also perpetrated by people. The Information Age is changing the relationship between people and organizations. Adding to the urgency of the problem, today’s technological capabilities allow people to share and act on information as quickly as they think to do so. When “think it – do it” is the norm, it is important for an organization’s management to communicate expectations about information use and dissemination and to assess and monitor, in an honest way, the risks associated with information flows.

The landscape of information behavior is undergoing a major shift, and technology is merely an enabler of behavior. An individual’s ability to act impulsively, and with powerful tools that can execute enormously impactful actions digitally, should prompt organizations to manage closely the human aspects of internal security threats. It takes one weak link in an organization – unmonitored, disillusioned – to commit a destructive act with sensitive data. Although individuals should be empowered to make ethical, informed decisions when acting on behalf of their organizations, management culture must continue to adapt to the new Information Age, and its digital natives.

Photo by -Tripp-. Used in accordance with a Creative Commons 2.0 license.

Getting to expert: software learning skills

Picture of whole pie
Getting up to speed on 'Preferred' software experience can be as easy as pie (mmm...pie)

One of my fond memories of working in Finance MIS was a short-lived tradition called “Nerd Lunch.” I and another analyst would log in to a net meeting and work through complicated SQL queries every few weeks. We would brainstorm solutions for ongoing information problems facing our department. I ask you: Has there ever been a more appropriate moniker for an event?

The analyst was my guru. With her help, I went from landing a job where I knew next to nothing about the software I would be using to finding solutions for decision makers in our organization.

I’m writing this blog post because it’s great to get excited about a job posting that sounds perfect in terms of industry, position, and advancement opportunities – but then it’s disappointing to worry about qualifying on ‘Preferred’ software experience. Worrying about software experience may even keep a job seeker from pursuing a position. What follows are tips I’ve found helpful to first get through an interview without perfect software experience, and then to get up to speed quickly in software skills once hired.

For an interview: Likely you will be facing a hiring manager when answering questions about software skills. Before the interview, it is possible you may be able to fully investigate the software – say, with a free trial for more common products. Barring that, prior to sitting down with the hiring manager, I suggest Googling the software listed in the job posting to find its specifications, as well as those of competing software products. This is a particularly helpful step with specialized software, such as enterprise management, accounting or asset management software.

Investigate the capabilities of the software to understand the functionality, and then come up with (intelligent!) questions related to the software’s application to itemized job responsibilities in the position listing. After all, once you get the job, that will be your contribution to the organization. It is most important in an interview with a hiring manager to demonstrate understanding of the role and to express critical thinking skills related to a position’s responsibilities.

Once hired, read a book: Find a beginner’s guidebook to the software if you can. Also, read it. (NOTE: No one really thinks you are a dummy when you read those Dummies books.) Rather than buying it new, I suggest checking out bookins.com, half.com, or posting an ad on Freecycle for a used copy. I’ve always found that starting with these books gives a good comfort level for tinkering in the software, at which point you are ready to sandbox.

Sandboxing: This is when you’ll start breaking existing tools in a calculated way. Set up a dev environment for this step, whatever that may be. For tools that use scripts, like VBA, or query language, like SQL, pretty much everyone learns by stealing snippets from existing tools and modifying for new applications. This is the sort of stuff you can do while waiting on a batch of project work or during down times in cyclical reporting periods. Please do not underestimate the “Help” tool in a software package; these tools tend to get more useful as your grasp on the software jargon strengthens (ironically). There’s no shame in using company resources to iterate and build on your technical skills, particularly if you are the type to check Facebook or text during working hours.

Find a guru: A guru is different than a mentor. This is a person whose geek runs deep, but who has enough patience and time to answer your technical questions. A guru will also have excellent problem-solving skills, in that she (or he) can help you find answers to existing problems by walking you through previously applied solutions in the software tool. Surprisingly, perhaps, a real guru won’t do things like grab your mouse and make a quick fix; that person will have a conversation with you, explore the scope of the issue, and explain in plain language what you need to do. You will learn to deepen the relationship with increasingly thoughtful questions about the work at hand, eventually adding value instinctively. In the long run, a guru’s approach will ideally make you a better thinker.

When this person helps you, be sure to recognize her. Buy her coffee. Send a thank-you email to her boss. Write a blog post about her. Someday, if you care to, you’ll be in the position to act as a guru.

I hope this makes learning new software (or becoming an expert in familiar software) more attractive and less painful. The software is just a tool for the tasks at hand. In the end, you are the element adding value in the position, first by applying software and later by sharing your knowledge.

Photo by Caitlinator. Used in accordance with a Creative Commons 2.0 license.

Putting the Organization in Info Management

Cheeky screenshot of text exchange with a big, uncaring bank
You know this is a dramatization of the event because Big Bank doesn't answer texts after 5pm

Information management can be described using a couple of different but fairly similar models. The University of Washington’s iSchool depicts a triangle-shaped model of Information, People, and Technology. However, our readers might notice this blog examines the intersection of People, Information, Technology and Organizations (this model is explained in greater detail by Ping Zhang and Robert I. Benjamin in a paper titled “Understanding information related fields: a conceptual framework”).

We’re square rather than triangular, if you will.

Why do we add organizations? Because gathering and acting on information changes fundamentally in an organizational context. And sometimes, information behavior within an organization can be downright bizarre or frustrating.

Here’s an example: I went out to dinner a few weeks ago with friends, and my debit card was declined (happily, the waiter did his best to not treat me like a deadbeat). Since the card was declined for no obvious reason, I had a mystery on my hands. Unfortunately, customer service representatives (CSRs) at the national bank where I have my checking account were stumped as well.

Eventually, two weeks later – after three calls to the 1-800 customer service line, two trips to the local branch, and a dozen fact-finding missions through the online banking portal – my debit card was still not operational and I had been told it might be because the number had been stolen.

Think about all the failures in my interaction with the bank: I had several types of contact with different outlets of the organization, and none of them were satisfactory.  At least three CSRs were unable to access my account because I had opened my account in a different state (each of the representatives did sheepishly suggest I could open another account at the branch and then they could help me; I declined those offers).

I can do without naming the bank because this isn’t meant to be a Consumerist-type rant. But I think the episode does bring to light the irrational and haphazard information strategies organizations seem to employ. As a person and a consumer, I scratch my head when representatives of the bank cannot answer my questions or help me understand what is happening with my account access. But the madness of the situation also affects the bank employees: imagine the exasperation of working a front-line CSR job and having one’s hands tied routinely in a significant number of common issues.

But for the organization, this information strategy is working on some level. I imagine – the finance industry being particularly yoked by multiple layers of regulation – this national bank has designed its policies and procedures to serve up a savory dish of compliant operational spaghetti. Somewhere, a satisfied auditor completes an X on a checklist when a CSR in Washington cannot access my account, what with its Massachusetts provenance.

This is operational reality in the modern banking industry, and I mostly understand why my encounter with the bank was so dissatisfactory. However, I think such encounters are at the very least opportunities for learning in organizations. Holistic customer experience (a process of design that includes all touch points in dealing with customers, or even vendors, of organizations) should focus on tasks vital to customers at all service delivery points.

Here at infoscussion, we believe information management model has four facets – and that an organization’s needs can be separate from, but equal to, those of the people involved with the organization.

This feedback goes to 11

Guitar AmplifierI used to believe a person could learn more about management from a bad boss than from a good boss: it is easier to articulate what is missing from a working relationship than to notice the efforts of a good manager. Now, I think the truth is that a person always has expectations for a working relationship. The gap between expectation and reality is where learning, through constructive feedback, takes place.

When I left the workplace to attend graduate school full-time, I had a great boss. He was a great boss because he was a master of feedback: timely, thoughtful, economical, progressive feedback. Feedback is a personal information exchange we engage in throughout the working day; because of this, I would argue that maintaining a healthy feedback routine (outlined below) with other individuals is the foundation of a good working relationship.

Good feedback is timely. Work is a series of unending interruptions. It is natural to feel pestered by an employee or team member asking for feedback, but it is also important to support the priorities of the organization. Often, if I procrastinate on giving feedback, it has to do with not managing my own time well, or – this is worse – feeling I do not know the subject matter well enough to give meaningful feedback. In the latter case, my feedback should be: “I’m not the right person for an answer;” a polite “no” can also be appropriate feedback.

Good feedback is thoughtful. If I am the right person to give feedback, then it is my responsibility to really examine the item or issue in front of me. My former boss was good about this: his feedback contained questions that demonstrated he had thought about the item. Alternatively, if he had not set aside sufficient time to look at the item, he would set a time when we could sit down together. Courtesy creates goodwill.

Good feedback is economical. I mean this in two ways. First, feedback needs to be exactly as long as it needs to be. A good feedback routine gives each party a chance to clarify points, if needed, but it is a matter of personal discipline to make sure all points are salient. The second element of economical feedback means that it should be intended to maximize future efforts: it is better to determine at 10% completion that a project adds negligible value than to let sunk costs pile up. Employees and project teams will experience more satisfaction when they know all efforts are regularly analyzed to ensure added value.

Good feedback is progressive. There should be a common thread linking all feedback sessions, particularly between a manager and his employee. If a manager is unable to both criticize shortcomings of a project and praise improvements over time, he is either criticizing too much (which can paralyze an employee’s continued improvement) or leaving out recognition of improvement. As an added benefit, progressive feedback all but guarantees that an employee will know where she stands at regularly-scheduled formal reviews.

No one executes good feedback perfectly all of the time (certainly not me). And everyone experiences an occasional Terrible, Horrible, No Good, Very Bad Day that will derail the best intentions. In the long term, however, simply being mindful about the feedback one gives and receives goes a long way to improve working relationships.

Photo by Andres Rueda. Available under a Creative Commons 2.0 Generic license.

Schooling customers in sustainable consumption

Schooling by Benson Kua

new development in the way Whole Foods displays its seafood has me thinking about how consumers use information in their decisions. The supermarket chain recently started labeling the seafood in its fresh cases with a color-coded system to indicate the sustainability of fishing practices for each type of fish offered. (For example, fish in danger of being over-harvested, or caught using ecologically damaging practices, are labeled Red or “Avoid.”)

Initially, I thought this was an odd move: why carry “Avoid” fish at all? But if I consider the Whole Foods tactic as an information strategy, there seem to be some advantages to giving consumers more data related to their purchases, rather than simply adjusting prices or changing the variety of products offered. I have tried to identify and outline the important components of the Whole Foods information strategy in my analysis below.

Consumers act in a social setting in a supermarket. A consumer may be less likely to order an “Avoid” species in front of other customers, even if she does not personally worry about collapsing fisheries. The social pressure to responsibly consume could impact on the overall demand for certain species.

Perhaps more importantly, consumers gain lasting information from a single transaction. The next time a consumer purchases fish – even if it is not at Whole Foods – he may likely remember certain species labeled “Avoid.” In this way, the labeling tactic could inspire a shift in demand throughout the marketplace, or at the very least cause consumers to ask more questions about the origin of their seafood.

Prices are point-in-time data, and may inaccurately reflect the sustainability of consumption. We suspect many fisheries may be close to collapse, and the negative impact of fishing practices worldwide will affect all points of the food chain. We are not able to price a salmon fillet to capture the opportunity cost of fisheries collapse (the 1992 collapse of the Northern Cod fishery demonstrates some of the complexities of gauging the health of a fishery). Consumers need more information than price alone to make sustainable choices.

Whole Foods sends a powerful message about its perceived role as a corporate citizen. Corporations are supposed to care about the profits in this period or this year. However, sustainable practices require a longer view than quarterly (or even annual) earnings statements can offer. By giving consumers more information, Whole Foods takes the long view on the seafood market, the importance of ocean ecology, and its place as a food retailer, while continuing to give consumers optimum choice.

We are surrounded by information constantly. Curiously, though, the information available to us as consumers in the grocery store is truncated by federal regulations, and in some cases, state laws. The seafood labeling practice at Whole Foods demonstrates the possibilities of giving consumers clear, salient information to encourage sustainable and healthy choices in the supermarket.

(You don’t have to go to Whole Foods Market to refer to the Seafood Watch guidelines. Downloadable guides are available through the Monterey Bay Aquarium.)

Photo by bensonkua. Available under a Creative Commons Attribution-Noncommercial license.

And, why exactly is this a good idea?


illustration borrowed from Flatland.com

We’ve all experienced it before.  Some VP or director has a brilliant idea for a new distribution method, a plan to launch a new product line, or any number of other schemes that have the potential to be a really good idea.  The idea makes its way onto the company’s strategic road map, and resources start getting thrown at it to complete the project in some crazy time frame.

At some point the project will make its way to some smart analyst’s desk.  He starts to do some investigation and quickly finds that either no work has been done to look into the potential costs and benefits of the project, or that the figures being thrown about are little more than someone’s educated guess.  As an analyst, this is when I usually ask, “Why exactly is this a good idea?”  But by then it’s too late.

Businesses often leap before they look into projects, both large and small, without taking the time to delve into the data and use facts to determine if benefits justify the costs. For large decisions, such as new product launches and entering new distribution channels, such an analysis is crucial to the well-being of the company, but is often overlooked or done in a superficial manner. The same is equally if not more important for small projects since such analysis is so often missing.

Taking the time to investigate the value of a project helps reduce the amount of money, effort, and energy we waste on projects that just aren’t worth it.  So, why do businesses so often jump into projects without taking the time to look at the data and make well informed decisions?  I think the answer is twofold.

First, businesses are run by people, and people have more motivating factors than the best interest of the business. The personal (not business) cost of answering these questions can be high.  It takes time and effort to do the research required to make an informed decision.  Not everyone is going to be inclined to put in that kind of effort for an idea they already believe to be a winner.  Furthermore, answering these questions upfront runs the risk of having to kill one’s own project, which can create a conflict of interests between the individual’s ego and the business’s best interest.  The business often loses out.

Second, managers empowered to make decisions do not always have the right skills, tools, or data to identify and access the information needed to make these decisions.  Even if I had the best possible intentions to thoroughly examine my next initiative, if the data didn’t exist or I didn’t know it existed, I would have to rely on my gut or just make up some numbers.  This is often the case in projects with no existing analog.

Alternately, when dealing with projects that extend or modify existing methods, the information to drive such decisions should exist.  However the needed data might be incomplete or non-existent because the designers of the system at the time didn’t bother to store it.  This is problem of design intention and a failure to think adequately for future needs.

In another possibility, the data may exist, but it is buried deep down in the unearthly bowels of several databases and would take an expert to retrieve.  This is a situation where the business decision makers need to have strong relationships with the analytical and technical folks who know how to get this information.

The solution to the problem of making informed decisions is a two-way street: it is equally incumbent upon analytical and technical folks to build relationships with the people running the line of business. Such relationships could save us all from having to ask, “Why, exactly is this a good idea?”