Platt Perspective on Business and Technology

Building a business for resilience 16 – open systems, closed systems and selectively porous ones 8

Posted in strategy and planning by Timothy Platt on September 30, 2016

This is my sixteenth installment to a series on building flexibility and resiliency into a business in its routine day-to-day decisions and follow-through, so that it can more adaptively anticipate and respond to the ongoing, low-level but cumulatively significant flow of change that every business faces in its normal course of operation (see Business Strategy and Operations – 3 and its Page 4 continuation, postings 542 and loosely following for Parts 1-15.)

I began working my way through a list of to-address topics in Part 15, that I repeat here for purposes of discussion continuity:

1. I will discuss intentionally controlling information access and the overall conversation in a business, and how that has to be seen as a dynamic process.
2. And I will at least briefly look into information technology options and how they can be used to facilitate all of this. In anticipation of that, I will be discussing rules-based automated access control systems and how they can be developed as artificial intelligence systems.
3. But I will also discuss human behavior, and the development and enforcement of best business practices and behavior that is needed in order to support them.

To be more precise as to where this ongoing narrative now stands, I began Part 15 with a brief but important digression into the third of these points, as a matter of building a foundation for discussing the decisions and actions taken in addressing the first two. I then began to systematically address point 1. I continue addressing point 1 and its issues here, with a set of finer-detail issues and considerations that I initially raised at the end of Part 15 as the subject of this posting:

• Considering the specific business processes that call for the availability and use of potentially compromisable information, and who needs access to which information and why.
• That also means thinking through those business processes themselves and how they are structured,
• and weighing the benefits they offer if they complete successfully against the risks and costs faced if they fail, setting aside breach-of-confidentiality issues per se.
• I am writing here about these business processes as such, even when they are functioning normally. Would risk management considerations suggest that any such processes, or ones functionally connected to them, be updated or replaced? This is a crucial point where the word “dynamic” enters this narrative.

How would you best approach and address these issues? There are several possible ways to answer that, but for consistency with what I have been offering here, I will at least begin with an approach that I have found useful.

First of all, you need to know what business processes you routinely employ. That, I add, is one of the most deceptive statements that I could possibly make here, for the opportunity it offers for gaps and misunderstandings in any answers offered. It means knowing what the people in your organization actually do, which can be quite different from what the official understanding of the business would suggest. Broken and dysfunctional processes and practices are all too often simply ignored in day-to-day practice, with “work-arounds” carried out routinely instead. This is especially so when changes in need and opportunity have left “official” systems in place that are no longer relevant or valuable to the business, and when more senior management is never told that the fundamental nature of hands-on employee practice has had to change if people are to do their jobs and reach their assigned performance goals.

Even relatively standardized, routine ad hoc practice of this kind can be crucially important for purposes of this discussion, because local solutions arrived at in this way, within an overall business system, can create systematic but unconsidered new patterns in who has access to what information, under what circumstances, and when and where. All of this can arise and even become fairly routine out of sight of any information security risk management effort, and certainly in the more out-of-sight corners and more taken-for-granted areas of the business and its operations.

Needs and priorities change with time, both gradually and in disruptively sudden shifts, and both of those change scenarios leave room for gaps between what is seen and what is intentionally adjusted for in the formal business systems in place. Resource bases and resource accessibility can and do change too: essential resources are not always going to be available when and where they are needed, and they are not always going to be available to the specific people who most need them, even when those resources are physically nearby.

Let me take this at least somewhat out of the abstract with a simple example, variations of which I have seen in real world situations. Bob is a lower-level hands-on employee who as a new hire was given an older model desktop computer. It has not been replaced with a newer one as limited equipment budgets have been set, prioritized and spent, even as Bob has successfully taken on greater responsibilities. Bob now carries out essential functions that call for access to and use of some very highly sensitive business information, as a crucial part of his expanded job description. And the new release of the third party software that he needs for this work no longer runs efficiently on his old desktop computer. He can do most of his work there, but he now has to use another computer for some key tasks if he is to complete them on schedule. As a result, any and all raw data and processed knowledge that he has to use, and that he generates while doing those tasks, is at least potentially visible to anyone else who also logs onto this shared newer model computer, which is officially only expected to be used for specific shared team task activities, so as to control the network bandwidth those activities would take if everyone ran them separately on their own assigned computers.

I am addressing the first of the above points in terms of who needs information access and why and where, and also in terms of who actually has access to that information and when and where. The two can be very different from what would be officially expected, and I have seen problems like this arise, and certainly when no one in Information Technology is keeping effective track of who has, and who needs, what computer resources, and when the services and personnel involved are deemed “mere support” in nature and function.
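The gap Bob's situation illustrates, between who is supposed to see a data set and who can actually read a copy of it once it lands on a shared machine, is something that can be checked mechanically rather than discovered by accident. The following is an added example written for this page, not code from the original post or from any product it mentions. It models a small inventory of hosts, local accounts, POSIX group memberships and file permission records, plus an intended-access policy, and reports two kinds of mismatch: accounts that can read a copy but should not (the confidentiality side of the bullets above) and accounts that need the data but can read no copy at all (the availability side). Every host name, account, group, path, permission and policy entry is constructed for illustration and describes no real system; the file records stand in for what `stat` or `find -printf` would report on the hosts in question.

```python
"""Reconcile intended read access to sensitive data against effective access on the
hosts where copies of that data actually live.

Added example for this post; every host, account, group, path, permission and policy
entry below is constructed for illustration and describes no real system.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class FileRecord:
    host: str
    path: str
    owner: str
    group: str
    mode: int  # POSIX permission bits, e.g. 0o644


# Constructed inventory: accounts that can log on to each host, and local group membership.
HOST_LOGONS: Dict[str, FrozenSet[str]] = {
    "bob-desktop": frozenset({"bob"}),
    "team-ws-01": frozenset({"bob", "carol", "dave", "erin"}),
}
GROUPS: Dict[str, FrozenSet[str]] = {
    "analysts": frozenset({"bob", "carol"}),
    "finance": frozenset({"bob", "erin"}),
}

# Constructed policy: who actually needs each sensitive data set for their job.
INTENDED: Dict[str, FrozenSet[str]] = {
    "q3-margins.xlsx": frozenset({"bob", "erin"}),
    "vendor-contracts.pdf": frozenset({"bob", "carol"}),
}

# Constructed inventory of where copies of those files were found.
SAMPLE_RECORDS: List[FileRecord] = [
    FileRecord("bob-desktop", "/home/bob/work/q3-margins.xlsx", "bob", "analysts", 0o600),
    FileRecord("bob-desktop", "/home/bob/work/vendor-contracts.pdf", "bob", "analysts", 0o600),
    # The copy Bob left on the shared machine, created with a default umask.
    FileRecord("team-ws-01", "/shared/scratch/q3-margins.xlsx", "bob", "analysts", 0o644),
]


def effective_readers(rec: FileRecord) -> FrozenSet[str]:
    """Accounts that can read this file: POSIX mode bits intersected with who can log on."""
    logons = HOST_LOGONS.get(rec.host, frozenset())
    readers = set()
    if rec.mode & 0o400 and rec.owner in logons:
        readers.add(rec.owner)
    if rec.mode & 0o040:
        readers |= GROUPS.get(rec.group, frozenset()) & logons
    if rec.mode & 0o004:
        readers |= logons
    return frozenset(readers)


Finding = Tuple[str, str, str, FrozenSet[str]]  # (host, path, kind, principals)


def reconcile(records: List[FileRecord]) -> List[Finding]:
    """Compare effective readers of every copy against the intended set.

    "over_exposed": accounts that can read a copy but are not supposed to (confidentiality).
    "under_provisioned": accounts that need the data but can read no copy at all (availability).
    """
    findings: List[Finding] = []
    seen: Dict[str, set] = {name: set() for name in INTENDED}
    for rec in records:
        name = rec.path.rsplit("/", 1)[-1]
        if name not in INTENDED:
            continue  # not tracked as sensitive
        readers = effective_readers(rec)
        seen[name] |= readers
        extra = readers - INTENDED[name]
        if extra:
            findings.append((rec.host, rec.path, "over_exposed", frozenset(extra)))
    for name, intended in INTENDED.items():
        missing = intended - seen[name]
        if missing:
            findings.append(("*", name, "under_provisioned", frozenset(missing)))
    return findings


if __name__ == "__main__":
    for host, path, kind, who in reconcile(SAMPLE_RECORDS):
        print(f"{kind:18} {host}:{path} -> {sorted(who)}")
```

On the constructed data the shared-workstation copy of the margins spreadsheet is readable by two colleagues who have no business need for it, while the vendor contracts that Carol is supposed to work with exist only on Bob's locked-down desktop. Both findings are exactly the kind of thing that stays invisible when nobody in IT is tracking who uses which machine; feeding the script real `stat` output and a directory-service group export instead of the inline tables is the obvious next step.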

I am going to continue this discussion in the next series installment, where I will turn to consider point two above: “automated access control systems and how they can be developed as artificial intelligence systems.” In anticipation of that, I note here that I will address that point for both its pros and cons and in terms of point 3. Meanwhile, you can find this and related postings and series at Business Strategy and Operations – 4, and also at Page 1, Page 2 and Page 3 of that directory.
