Platt Perspective on Business and Technology

Building a business for resilience 15 – open systems, closed systems and selectively porous ones 7

Posted in strategy and planning by Timothy Platt on August 25, 2016

This is my fifteenth installment in a series on building flexibility and resiliency into a business in its routine day-to-day decisions and follow-through, so it can more adaptively anticipate and respond to the ongoing, low-level but over time significant flow of change, and its cumulative consequences, that every business faces in its normal course of operation (see Business Strategy and Operations – 3 and its Page 4 continuation, postings 542 and loosely following for Parts 1-14).

I successively touched upon a series of situations and contexts in Part 14 in which a business and its employees and managers might lose control over access to sensitive or confidential information, in a business, in a supply chain or in another business-to-business collaborative context. All of them can readily be seen as real-world examples that at least show why a business that holds such informational resources has to actively develop and maintain risk management-based systems for more effectively balancing access and visibility needs with confidentiality and information security requirements. Ultimately, and referring here to the ongoing title of this series:

• If a business cannot achieve and maintain an effective balance for this as an ongoing dynamic part of its operational reality, it cannot achieve or maintain any overall resiliency as an organization as it waits for the next of what should be avoidable business intelligence security failures to show itself.

I focused more on the problem and potential problem side of this in Part 14, and I turn here to at least begin to address the solution and resolution side of this. Or as I wrote at the end of that installment:

• I will discuss intentionally controlling information access and the overall conversation in a business, and how that has to be seen as a dynamic process.
• And I will at least briefly look into information technology options and how they can be used to facilitate all of this. In anticipation of that, I will be discussing rules-based automated access control systems and how they can be developed as artificial intelligence systems.
• But I will also discuss human behavior, and the development and enforcement of best business practices and behavior that is needed in order to support them.

I will discuss all of these issues and largely in that order. But to set the stage for that narrative to come, I begin with a single point of detail from what might arguably, primarily belong to the third bullet of that list:

• Businesses are human enterprises, and ultimately they are complex systems of human-to-human relationships and actions. One immediate, compelling consequence of this is that both good and bad business process and practice ultimately depend on human decisions and actions. Bullet point 2, above, addresses a hope that in the worst case can become magical thinking, and certainly when human behavior is not fully taken into account: finding a perfect, strictly technical solution to what is in essence a human problem. I offer this caveat here because the unavoidable fact that I am raising in this bullet point shapes what types of information need what types and levels of safeguarding, how that can best be accomplished, and how to increase the chances that the real people involved will do the right thing, ideally as an essentially automatic response and proactive practice.

So I begin, with this operational caveat in mind, with the first of my three discussion topic bullet points from above. And I will begin that by more explicitly discussing what types of information would be covered here, as you cannot develop or enforce a meaningful rules-based system for securing and safeguarding sensitive and confidential information, while still allowing necessary access to it, absent consideration of precisely what has to be safeguarded. To point out one possible reason for that, you need this type and level of information to even begin to know who should have legitimate access to any given set of business data or processed knowledge that is based upon it, if you are to devise meaningful access control rules for it. So I begin addressing that first point with an at-least-brief critical business intelligence taxonomy:

• Personally identifiable information that is specific to individual customers, employees or others (e.g. consultants or volunteers) always has to be safeguarded from improper access and use, while leaving it available for legitimate business use. This is the first category that is essentially always acknowledged in this type of discussion – because of ongoing news coverage of loss of control of such information and the consequences of that, if for no other reason. This, I have to add, is often the only category of sensitive and potentially sensitive information that comes to mind, even for business professionals who should know better.
• But legally mandated information security and confidentiality often only begins with safeguarding personal confidential information. And throwing open this topic to its fuller possibilities, this type of discussion should address essentially any and every type and form of raw data and processed information, that could compromise or create increased risk for a business and its competitive position, if it were to fall into the wrong hands.
• Obviously, information such as online-accessible employee login information for email and other networked business systems is important here. But this also, for example, includes raw materials and third party provided parts purchases where that can be used to determine production and manufacturing plans moving forward.
• I have occasionally noted how armies tend to keep information on their purchasing levels and distributions of items such as toothpaste and shaving cream secret; if a foreign power can access and track that level of personal use, disposable item purchases and where these goods are shipped and sold through base commissaries and related facilities, they can precisely identify and track overall troop strengths and where those forces are deployed in that system of bases and related facilities. And shifts in those numbers can shed crucially important light on strategic planning too, where that would depend on what troop levels were available in order for it to be practical and realizable. My reason for noting this non-business example here is simple. Data and insight gained through intelligence gathering are not generally immediately fully useful in and of themselves. They are assembled into patterns with other data, as a matter of assembling puzzles, and the overall insights gained from that can be much more far-reaching than might be expected from consideration of the individual data and data types gathered, in and of themselves. Would a sudden big increase in the levels of toothpaste sent to base commissaries in a potentially hot-spot country, politically, indicate a specific shift in overall strategic thinking as to force deployment, that might even have global implications? The answer to that might actually be yes. Would a sudden big increase in shipment of toilet paper to a forward base, where other indicators suggested that its troop count was not increasing, indicate widespread health issues there and at least temporary drops in overall capability there? “Little” puzzle pieces can be just as important in business analysis and business intelligence gathering too.
• And as I often write of supply chain and other business-to-business collaborations here, I will add in the need to secure any potentially sensitive or confidential business intelligence gained from partner businesses too – and even if that is not explicitly contractually called for. Loss of credibility as a safe and reliable supply chain partner can be just as costly as any direct and immediate legal action that might be faced from some specific loss of information management control – and certainly long-term.

I am going to conclude this posting here, and in anticipation of its continuation in a next series installment:

• I am going to complete my discussion of the first of my three topic bullet points from above: “intentionally controlling information access and the overall conversation in a business, and how that has to be seen as a dynamic process.”
• And that means considering specific business processes that call for availability and use of potentially compromisable information, and who needs access to what information and why.
• That also means thinking through those business processes themselves and how they are structured, and for benefits if they successfully complete and for risks and costs faced if they fail, absent consideration of breach of confidentiality issues per se. I am writing about these business processes per se and even when they are functioning normatively here. Would risk management considerations suggest that any such processes or ones connected to them functionally, be updated or replaced? This is a crucial point where the word “dynamic” enters this narrative.

Meanwhile, you can find this and related postings and series at Business Strategy and Operations – 4, and also at Page 1, Page 2 and Page 3 of that directory.
