Platt Perspective on Business and Technology

Intentional management 37: contextual management 15 and evolutionary and revolutionary change 10

Posted in HR and personnel, strategy and planning by Timothy Platt on November 29, 2016

This is my 37th installment in a series in which I discuss how management activity and responsibilities can be parsed and distributed through a business organization, so as to better meet operational and strategic goals and as a planned intentional process (see Business Strategy and Operations – 3 and its Page 4 continuation, postings 472 and loosely following for Parts 1-36.) This is also my 15th installment within this series on an approach to business management that I have come to refer to as contextual management.

I focused in Part 36 of this, on random non-trending change, and systematically trending change and on the relationships between them, and both as they arise and for how they would be responded to. Then at the end of that discussion, I said that I would continue from there to discuss stressors, and as sources of challenge and of opportunity. I begin that by explicitly defining the term, as I use it in a business and an intentional management context:

• A stressor is a factor or condition that holds significant potential for directly impacting upon or changing the performance or competitive position of a business, or of a significant functional area within it.

Note that according to the terms of this definition, stressors can hold either negative or positive value; they can challenge and threaten to limit, or they can add value and improve a business and its effectiveness and competitiveness. And in anticipation of discussion to come, I add that the same single stressor can have either negative or positive value: negative or positive valence here depending on its timing, context and circumstance – making it essential that any such term address both positive and negative forces and influences here.

• Stressors challenge the status quo, and whether that means compelling a search for ways to more effectively limit risk and reduce loss, or whether that means finding new and better ways to more effectively capture emerging sources or levels of positive value.
• And stressors indicate specific paths forward in this, and with as much clarity and focus as is put into seeing and understanding them for what they are and for their implications moving forward. Stressors can, when addressed effectively, serve as road map markers for making change where that would make sense and for maintaining continuity where that would. And stressors can be used in determining which of these alternatives is best for a business and its people, and for where they are now and for where they seek to go.

I have been addressing this entirely in the abstract here, and conclude this posting by at least briefly taking the issues here out of the abstract, and with a real-world example. And I intentionally chose one where its valence, whether it is a positive or a negative change driver, is ambiguous insofar as circumstance and the details of its implementation can cause that to go either way.

Effective stressors always address crucial processes and subsystems of them in a business. Those processes might be core or peripheral in nature, to use the terminology of a concurrently running series here (Business Planning from the Back of a Napkin to a Formal and Detailed Presentation), and its Part 10 installment. And if they are peripheral to directly supporting the business’ core mission and vision, and in creating marketable value in that – if they are more supportive in nature, the processes and subsystems involved here are at least ones that would best be maintained in-house and even if they qualify more as cost centers than they would as profit centers. The working example that I would cite and at least briefly explore here is one that would be peripheral in nature for most businesses – though it is one that most would want and even need to maintain in-house: their password based access control system for managing access to sensitive business-held information. And I begin this line of discussion, exploring this source of business systems stressors, with the fundamentals:

• Businesses, and essentially without exception, hold at least some confidential information that they are required to keep secure. This can include proprietary business-owned information such as sales plans, but it also includes information gathered from and about clients and customers, and employees – where protecting confidentiality is mandated by law as well as business self-interest as it seeks to remain competitive in its field and its markets.
• Businesses do not simply hold such information. They have to be able to use it as well – and this means access controls where employees and managers who need specific data and/or data types in performing their work can access that – but just that, when and as they need it. But others would be prevented from accessing this.
• And when code-based access systems are put in place on doors, controlling access to what lies beyond them, you can add access to and protection of physical resources to this too. The boundary between these general categories: critical information and critical physical resources blurs, as for example when ID codes of one sort or another have to be entered into a locking mechanism on a door, in order to gain access to a computer server room – expensive physical resources that are filled with business held and owned information, including highly sensitive business and personal information.
• Let’s consider software-based computer access password systems, where there is a great deal more flexibility in what is allowed for and required in setting an acceptable pass code, than would be found for example on a standard door lock keypad. Simple door lock keypads per se, as routinely used in low level security contexts usually allow and require four or at most five digit numerical-only codes. Software-based password and access code systems can allow and even require much more complex sequences that can include upper and lower case letters as separate character sets, numbers and any of a list of acceptable special characters. And it is possible to set minimum password sequence lengths that would be allowed, and it is possible to specify that at least one or more of any combination of numbers, upper and lower case letters and special symbols be included. Such systems can be set up in such a way that passwords have to be changed at least as often as once a month, or even once a week or less – according to a set rules-based schedule. And these systems can be set up to prevent the same person from reusing the same passwords and can be set up to deny as valid, sequences that include dictionary entry words or whatever else a systems designer or manager might find problematical. The idea here is to make sure that no one can readily guess a current password, and where they are date stamped and time-limited, that they do not stay useful long enough to be widely leaked to unapproved potential systems and data users.
• This is all very basic, and I only repeat it here as background for how these security systems can, and frequently do become stressors – and of both a positive and negative nature and simultaneously. What is the best approach for setting up a rules-based password-based access system for safeguarding critically sensitive confidential information? The obvious answer, at least stemming from the last sentence of the immediately preceding bullet point, is to require long, complex passwords that are anything but obvious (and therefore anything but easy to remember) that have to be replaced (with a new long awkward sequence to learn) on a regular and frequent basis. No outsider might be able to guess the passwords in place and certainly without help – but legitimate users are likely to find themselves just as stymied. So they cheat by writing down their current passwords and putting them where they can easily find and see them (such as the infamous post-it notes stuck to the frames of user computers.) And the result is that these supposedly secure systems become wide open to breach and violation by anyone inclined to look. The term of art here is social engineering: the art of convincing people with legitimate access to in effect open the doors for those who do not. And in this case, sufficiently stringent password protection systems create environments where social engineering-oriented hackers do not even have to ask. They only have to keep their eyes open and look.
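The rule types listed above (minimum length, required character classes, dictionary rejection, reuse prevention, scheduled expiry) can be made concrete as a small checker. This is an added example, not code from this post; the class name, the default thresholds and the sample word list are hypothetical, and the reuse history holds salted hashes rather than plaintext.

```python
import hashlib
import hmac
import math
import os
import string
from dataclasses import dataclass

# Constructed stand-in for a real dictionary word list.
SAMPLE_WORDS = ("password", "welcome", "server")

def hash_password(password, salt=None):
    """Salted PBKDF2 record, so the reuse history never stores plaintext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class PasswordPolicy:
    min_length: int = 12           # assumed threshold
    min_classes: int = 3           # of: lower, upper, digit, special
    max_age_days: int = 30         # the monthly rotation described above
    history_depth: int = 5         # assumed number of remembered passwords
    specials: str = "!@#$%^&*-_+="

    def violations(self, candidate, history=()):
        found = []
        if len(candidate) < self.min_length:
            found.append("too_short")
        classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, self.specials)
        if sum(any(c in cls for c in candidate) for cls in classes) < self.min_classes:
            found.append("too_few_character_classes")
        if any(word in candidate.lower() for word in SAMPLE_WORDS):
            found.append("contains_dictionary_word")
        for salt, digest in list(history)[-self.history_depth:]:
            if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
                found.append("reused")
                break
        return found

    def expired(self, set_on, today):
        return (today - set_on).days > self.max_age_days

def keyspace_bits(alphabet_size, length):
    """log2 of the number of possible codes: the work an exhaustive guess faces."""
    return length * math.log2(alphabet_size)
```

For scale, `keyspace_bits(10, 4)` for a four-digit door keypad is about 13.3 bits, while a 12-character password over the 74-symbol alphabet assumed here is about 74.5 bits.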

Developing and enforcing a productive and protective password-based access system means finding a middle ground that real world legitimate users can use and without those post-it notes or similar work-arounds, while still keeping passwords in use difficult to guess. And from the perspective of this posting, that means framing and developing and managing these systems in ways that shift them from primarily being negative stressors, to where they can become positive in nature – protecting data access in the here and now and moving forward.

I am going to end this posting by at least briefly turning back to consider the secure doors that I briefly noted earlier. But the doors that I would raise here are not low-level security concern access points, such as rest rooms and janitors’ closets. The doors I have in mind are entryways to highly sensitive resources such as those computer server rooms. Imagine the mischief that a skilled computer hacker can accomplish in a minute or less, with unobserved illicit access to such a facility, with a flash drive that has the right malware on it – with that just starting with rootkit software that they can download into one or more servers in the system that are connected into the internet. Illicit brief access to such a facility can in effect turn the keys to the kingdom, over to a hacker – such as a delivery person with intent and skills, and in ways that the owners of the system would be hard-pressed to even find out about. Why do I raise this example here? A couple of days ago, I found myself in conversation with a network hardware professional, talking shop. And in the course of our chat I told him about a situation that I have seen variations on several times over the years, where a server room door is left propped open – because it is all but impossible to actually enter a password on the keypad, and use the biometric scanner and other security entry controls that have also been added for security purposes, while trying to carry a new or newly repaired or updated server computer into the room. The principles that I noted by way of password systems management software example, above, are all much more widely applicable – and not just in security contexts.

• I have written at least periodically in this blog of fragile systems – ones that tend to break if stressed. Potential negative value stressors turn negative when they arise and play out in fragile contexts, and they are more likely to show as being positive when they enter into the execution of more flexible and resilient systems.

I am going to step back from this particular narrative to summarize and organize some of the key points and issues raised in this series, in a next, concluding installment, doing so from an evolutionary, and change-driven perspective. And I will explicitly do so from an HR and Personnel perspective. Meanwhile, you can find this and related postings and series at Business Strategy and Operations – 4, and also at Page 1, Page 2 and Page 3 of that directory. Also see HR and Personnel and HR and Personnel – 2.
