Platt Perspective on Business and Technology

Building a business for resilience 19 – open systems, closed systems and selectively porous ones 11

Posted in strategy and planning by Timothy Platt on January 24, 2017

This is my 19th installment to a series on building flexibility and resiliency into a business in its routine day-to-day decisions and follow-through, so it can more adaptively anticipate and respond to an ongoing low-level but with time, significant flow of change and its cumulative consequences, that every business faces in its normal course of operation (see Business Strategy and Operations – 3 and its Page 4 continuation, postings 542 and loosely following for Parts 1-18.)

I concluded Part 18 of this, with a set of information management related, to-address points that I said I would analyze and discuss here, as their issues enter into this series as a whole and its ongoing narrative. And I repeat them here for continuity of discussion:

1. Thinking through a business’ own proprietary information and all else that it has to keep secure that it holds.
2. And reducing avoidable friction where there are apparent trade-offs between work performance efficiency, and due diligence and risk remediation requirements. This, in anticipation of discussion to come, means consideration of both short-term and long-term value created and received.
3. And this means thinking through the issues of who gathers and organizes what of this information flow, who accesses it and who uses it – and in ways that explicitly go beyond their specific work tasks at hand.
4. What processes are this information legitimately used in, and who does that work? With the immediately preceding point in mind, what other, larger picture considerations have to be taken into account here too?
5. And who legitimately sees and uses the results of this information as it is processed and used and with what safeguards for the sensitive raw data and the sensitive processed knowledge that are involved, where different groups of people might have legitimate need to see different sets of this overall information pool?
6. Think in terms of business process cycles here, and of who does and does not enter into them.

I begin that with Point 1 of this list, noting that while I did primarily discuss sensitive and confidential information in more general terms in Part 18 and in preceding series installments here, I have at least occasionally delved into the details in this blog as to what would belong there too.

I am going to in effect reconsider and reframe earlier more specific examinations of this topic here, and with a focus on change. Business resiliency is, after all, essentially entirely about change and about how the business as an organizational entity does or does not effectively respond to it.

So my focus here and for this posting, in addressing Point 1 is not one of either:

• Parsing out and identifying specific categorical types of information held, that would require special secure keeping, or of
• Analyzing specific new regulatory law change, or case law reinterpretation of same, as they would determine what has to be safeguarded now, or how in that.

To take these two points out of the abstract, and with a specific real-world example, they mean my line of discussion here not delving into how changes in regulatory law and its interpretation in court cases, would impact upon how a US business with Canadian online customers (for example), would need to change how and how long it stores what types of personally identifiable customer information, or how it would notify the public in general as to its privacy protection policy and practices.

• And my goal here is not to consider or discuss a new attack vector or approach that a malicious hacker might attempt to deploy, in order to gain access to within-business held confidential files, including customer information database files. The emergence of new risk factors there, simply represents a succession of point in time events that initially arise as new and novel challenges, that quickly become more routine and even old-news known challenges. And to take that out of the abstract, consider zero-day vulnerabilities that can be used to launch massively significant cyber-attacks while still unknown except to the attacker, but that cease to be stealthy sources of vulnerability of that type, as soon as they are exploited in an actual attack and even just once. And after that, patches and other corrective/preventive responses are developed and propagated through what were initially vulnerable networks and computer systems and those once stealthy attack vulnerabilities become well known if not old-news challenges that can be readily addressed.

Think of the issues and examples that I just noted above, as representing snapshots in time issues. My goal here is to move past that level of consideration, to look at here-relevant information security management as it systematically takes place over time and as businesses face ongoing change that calls for it. And my focus here, to be more specific, is on how information management systems have to dynamically change and evolve, as a business and its connected context do. And I add here that context, for purposes of this discussion, includes change in its markets and its customer demographics, in the supply chain and related systems that this business participates in, and in the computer and communications technology that their employees and managers use, and both personally and as they carry out work-related activities. And the last of those three areas of potential vulnerability represents the true wild card here, and particularly as more and more people bring their own wirelessly, ubiquitously connected smart phones, tablets and laptop computers to work with them and as they bring their work into what used to be their more entirely private and non-workplace contexts, through those personally owned and maintained devices.

I have touched on the issues and challenges that this opening up of business information technology systems create, and in postings and series that I have offered here since early in writing to this blog. I will continue their lines of discussion, as well as the narrative offered here in this series, in a next installment to it as I begin to look more closely into the details of Point 1, as offered above. Meanwhile, you can find this and related postings and series at Business Strategy and Operations – 4, and also at Page 1, Page 2 and Page 3 of that directory.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: