Why your incentive scheme is (most likely) wrong

If you have been reading my content and following me on LinkedIn or on my website ssedgwick.com, you will be aware that I am an active proponent of organisations committing to a purpose beyond profits and living by their values, rather than using them as surface-level marketing buzzwords. I strongly believe that this approach harnesses the discretionary energy of employees and leads to a successful, high-performing, and enjoyable organisational culture.

However, the culture and supporting values of a company are only one part of the puzzle. The structure and processes of an organisation must also be engineered to maximise that culture and achieve their strategic intent.

There is no more damaging structure to an organisation’s success than a poorly considered and implemented incentive scheme. If you, like some others, disagree with me and believe that “culture” is an intangible wishy-washy notion or perhaps you struggle to define exactly what culture means, then perhaps this will pique your interest.

When you boil it down, incentives are what motivates staff to produce the effort to achieve an outcome. There are extrinsic motivators such as compensation incentives (bonus, stock options, raises, profit-sharing etc.) and then there are more intrinsic motivators such as recognition incentives (certificates of achievement, awards, accomplishment announcements etc.). My focus in this argument is compensation incentives, particularly performance bonuses.

If you ask any typical CEO or business leader what the purpose of their organisation is, they will likely state a phrase containing one or more of the following: “innovation”, “customer success”, “value creation”, “growth”, “social impact”, “passion”, “sustainable”, “positive outcomes” etc.

Herein lies the problem. Performance bonuses, particularly in sales teams, are customarily geared towards monthly, quarterly, and annual revenue targets. The compensation incentives and associated key performance indicators (KPIs) are in no way geared towards any of their lofty purpose statement catchwords. Nor are they geared towards doing what is best for the organisation in the long-term.

For a particularly poignant example of incentives-gone-wrong, consider the most devastating cyber-attack in history, NotPetya, and its effect on the shipping giant Maersk. This statement is from an anonymous insider in the organisation, “the security revamp was green-lighted and budgeted. But its success was never made a so-called key performance indicator for Maersk’s most senior IT overseers, so implementing it wouldn’t contribute to their bonuses. They never carried the security makeover forward”. The aforementioned “security revamp” was scheduled to be completed before NotPetya destroyed their IT infrastructure and cost them close to half a billion dollars…. Ouch.

Could you imagine if an organisation’s stated purpose actually reflected what their employees were incentivised to do? “Company A is committed to growing our revenue, at the expense of all else.” I think it might be difficult to win customers and motivate or even retain employees with a purpose such as that. But that is EXACTLY the message that is being sent when you engineer your incentive structures for short-term revenue goals.

Speak to any project (whether product or service-based) delivery team and they will freely admit (perhaps after a couple of drinks) that their internal sales team promise customers the world, lower prices to win work to such a degree that the delivery team’s profit margins are in the toilet, and then expect the delivery team to, well, deliver on those promises. This perverse incentivisation leads to communication breakdown and siloing of effort because both teams have different and oft-competing incentives. If your organisation is actually committed to “customer growth” and “positive outcomes” then why aren’t your staff incentivised to achieve that very aim.

Ineffective incentive structures are evident in a company’s relationships with its customers and staff. You will find such companies often have to revert to the contract in its dealings with customers and the persistent arguments about who is living up to their part of the bargain is a never-ending quagmire of pervasive negative consumer sentiment. Staff are typically unmotivated for anything that does not benefit them personally and are so inwards-facing that they are unwilling to accept any risk to the warm little cocoon of bare-minimum effort and complacency they have built for themselves. Monthly and quarterly revenue targets are their sole concern. You will see things such as rounds of applause being given during meetings when sales targets are met, yet there is silence regarding their ever-worsening customer Net Promoter Scores (NPS) and subsequent blown-out budgets and timelines. You will hear statements from staff, behind closed doors, such as “I am just waiting until I reach ten years so I can get my long-term bonus and long service leave, then I am out of here”.

Another real-life example of perverse incentives is from Safi Bahcall’s new book Loonshots, “In the 1960s, the Ford Motor Company was desperate to compete with smaller, cheaper cars from Japan. So, the CEO announced an exciting stretch goal: the company would produce a new car that would cost less than $2,000 and weigh less than 2,000 pounds—the Ford Pinto. The goal and tight deadline, unfortunately, did not leave much time for safety checks. The fuel tank was placed just behind the rear axle with only 10 inches of crush space. The design flaw, as lawsuits later showed, led to a less-than-desirable new feature: on impact, the car could blow up.”

Is this type of environment or behaviour striking some chords with those reading? I am sure some of it is familiar to you.

No alt text provided for this image

Now for the denouement! I promise it is not all doom and gloom and coruscating attacks on a deficient commitment to values. I have the medicine! Although, to implement the solution will take significant structural changes to compensation and incentive schemes, and those who are most comfortable with the status quo will likely lash out and rail against these changes. That is a sure sign you are making the right changes.

I submit that an organisation’s sales, delivery, marketing, and other business units should ALL be incentivised by project success. What do I mean by project success? I define project success as a concinnity of the following measurable outcomes:

·     Customer satisfaction pre, during, and post-project (NPS)

·     Employee engagement and morale

·     Profit margins

·     Customer success (what this means should be pre-agreed prior to project commencement)

·     Delivery within scheduled timeframes

·     Quality assurance

·     Maintenance of scope (don’t draw outside the lines!)

When all staff are incentivised to achieve the above outcomes, an increase in new customer wins and increased revenue will follow. Except, with this approach, you will also enhance customer satisfaction, elevate teamwork and collaboration, create a positive impact, and all without sacrificing profit margins. You will be, in fact, living up to your stated values and purpose.

There is no such thing as a flawless incentive scheme and despite most incentive structures being well-intentioned, you can see how they can motivate the wrong type of behaviour. Consider what your company’s incentives are promoting and what the most likely adopted behaviour of your staff will be. Adjust accordingly.

Put simply, you can’t motivate your staff solely by revenue targets. Making money for someone else will not engage them beyond bare-minimum effort and it will erode relationships with employees and customers. It also sends a clear message that your purported values and purpose are embellished misrepresentations and that inevitably destroys trust. Look beyond revenue. You might find you like what you see.

Purpose is not the sole pursuit of profits but the animating force for achieving them. Profits are in no way inconsistent with purpose — in fact, profits and purpose are inextricably linked.” – Larry Fink – CEO of Blackrock

Consultants ≠ Nihilists

In the spirit of Festivus, I will now commence with the Airing of Grievances. In the wise words of Frank Costanza, “I got a lotta problems with you people, and now you’re going to hear about it!”

Over the holidays, I mostly spent my time reading; Marc Benioff’s Trailblazer, Malcolm Gladwell’s Talking to Strangers, Clayton M. Christensen’s The Innovators Dilemma, Jules Verne’s Twenty Thousand Leagues Under The Sea, Safi Bahcall’s Loonshots, and Marc Randolph’s That Will Never Work. The final book I read over the break, and the subject of my ire, is Peter Thiel’s Zero to One.

Peter is a well-known doyen of the technology industry and rightly so. He co-founded Paypal, Palantir, Founders Fund, and Mithril Capital. He was an early investor in Facebook and Linkedin and is worth approx $2.5 billion. While I give him points for his LOTR-named VC funds and I do agree with his points about capitalism vs competition, I found some of his statements in his book about consultants vs product engineers/designers to be almost an inchoate comparison of the “Proletariat vs. Bourgeoisie”.

On a scale between Nihilism and Dogmatism, he places consultants squarely in the Nihilism range and makes reference to consultants “dropping in and out of companies to which they have no long-term connection whatsoever”. He denigrates professional services businesses and consulting firms in a way that suggests they have zero purpose beyond short-term goals and increasing minor efficiencies in their customer’s organisations. He also aligns consultants solely with low-growth environments.

I find this type of one-sided coruscating analysis to be completely unhelpful. His grandiose image of himself and his up-turned nose at the services industry smacks of naivety. In my experience, product-based technology companies, particularly startups, often desperately need the assistance of strategy/management consultants to help founder/CEOs with little-to-no business experience navigate long-term strategy, finance, risk management, and the tying together of disparate business units while scaling. Not every company can achieve a monopoly and those who face competition often differentiate through more efficient processes, risk reduction, enhanced branding, and competitive pricing models. This is exactly what consultants can provide to businesses, both low and HIGH growth. For Thiel to suggest that consultants are nihilists who care little for the long-term success of their customers is utter nonsense.

While I do agree that some large professional services firms and consultancies do have a surface-level commitment to values and a lack of a purpose that goes beyond profits, I do not believe the entire consulting industry can be painted with that brush. Despite a public “fatigue” with certain large players of the consulting industry and their opaque business practices, there are consulting service providers who provide specialist advice that add a great deal of value to their customers in the long-term and give back to their community along the way. In fact, many consultants go on to start their own successful businesses, using the lessons they learned during their time working with clients. Innovation in technology may change the way we live and work but consultants help make those changes sustainable for the long-term. Whether your career is in services or products, you can build or help build a high-growth successful business and be a respected leader in your industry.

When choosing a career direction or pivoting from your current role, I often suggest to people The Hedgehog Concept from Jim Collin’s book Good to Great. The Hedgehog Concept is based upon an ancient Greek parable: “The fox knows many things, but the hedgehog knows one big thing.” Ask yourself the three questions in the diagram below and if one of your responses overlaps with all three circles, you have your direction.

No alt text provided for this image

In my opinion, specificity is the key to success in a landscape flooded with companies attempting to be everything to everyone, and thus, are nothing to no-one.

Ignore Peter Thiel’s gallimaufry of Blue Ocean Strategy rip-offs and biased rants. Do what you love and what you could be the best at, even if that path is consulting, you Nihilist, you.

Shannon Sedgwick GAICD – ssedgwick.com

Dumb and Dumber: A Study of Management and Decision-Making Structures

Anyone born before the early 1990s is likely familiar with the comedy film Dumb and Dumber, starring the geniuses that are Jim Carrey and Jeff Daniels. If you have not seen the movie or need a refresh, I will give a brief synopsis. Lloyd Christmas (Jim Carrey) and Harry Dunne (Jeff Daniels) are best friends who discover a suitcase full of money after Mary (Lloyd’s eventual love interest) leaves it in Harry’s limo. They decide to travel to Aspen, Colorado to return the briefcase, unaware their lives are in danger because the money is connected to a kidnapping. Harry and Lloyd travel across the country while pursued by assassins and police, to return the money and find love. Hilarity ensures from start to finish. Caught up now? Good.

Arguably one of the funniest scenes in the film is when Lloyd goes to get “the bare essentials” with the last of their money and is subsequently robbed by a “sweet old lady on a motorised cart”. Watch below for the full scene.

Let’s consider Harry and Lloyd’s situation from a management point of view.

Their mission (the WHAT) is to return the money and find Mary. Their strategy (the HOW) is to travel cross-country using the money they are supposed to be returning to cover the necessary travel expenses. Their Purpose (the WHY) is to make us laugh.

Through careful analysis of the above case study (watching it while eating a bag of Kettle chips), it is evident that Harry and Lloyd employ decentralised management and decision-making structures. They operate in a flattened hierarchy where each is trusted with making decisions that are made towards their common goal or mission.

The benefits of decentralisation include flexibility, increased morale, development of expertise, resilience, individualisation, and the ability to process information faster and more accurately. By employing a decentralised management structure, Harry and Lloyd promote recurring values of “success through trusted friendship” and “stupidity”.

Another benefit of a decentralised organisational structure is the granting of greater autonomy and trust. Harry and Lloyd are empowered to use their knowledge (limited as it may be) and experience to innovate and implement their own ideas into their workflows.

However, like all decentralised organisational structures, there needs to be a clear understanding of the mission and a framework/structure for effective and timely decision-making, ensuring it is aligned with the overarching mission, and not exceeding the capacity of the individuals or teams. Here is where Lloyd and Harry come unstuck. It is clear from the above scene that Lloyd’s and Harry’s definition of the strategy and “bare essentials” is not aligned. Lloyd, if he were not robbed by the sweet old lady would have returned with an oversized cowboy hat, a ball and paddle, sparkly paper pinwheels, and a box full of assorted accoutrement (likely booze). This evidently would have contributed little to their mission. There was a breakdown in communication due to a lack of an agreed-upon decision-making process.

If there is a clear understanding of the team’s (or organisation’s) mission, this allows leaders to delegate decision-making to individuals and teams with the implicit trust that the decisions made will be with the intent of achieving the mission. Studies have proven that the more complex an organisation is, the more they must employ a decentralised organisational chain of command, to aid in rapid decision-making and easing the burden of their leadership. Quite clearly, Lloyd and Harry are in a complicated situation. The negative consequences incurred from their lack of an effective decision-making process could have been avoided had they agreed upon what defined “bare essentials”. Additionally, had a policy been implemented that gave clear boundaries for decision-making in unforeseen circumstances (i.e. locking your wallet in a newspaper vending machine), the negative outcome (robbery) could have been avoided.

Harry and Lloyd, through the employment of strict data-driven evaluation of new environments and ideas, could have created an effective blend of both centralisation and decentralisation. Centralisation of mission and purpose, and decentralisation of management and decision-making. As research has proven, individuals given the trust and tools to make decisions and innovate, are far more likely to be successful if the mission and purpose are clearly communicated and understood, and a strict decision-making structure is implemented, allowing for rapid and accurate decision-making in what is an increasingly evolving and uncertain world.

The trust placed in each other through a decentralised management structure and the reliance on rapid and accurate decision-making via a structured framework would give Harry and Lloyd the ability to move with speed, accuracy, and surprise to maintain their competitive advantage. We can learn a lot from Harry and Lloyd.

Are conferences as good as they could be?

It seems every week there is a conference purporting to be the biggest and best industry event of the calendar year. Event sponsors have varying sized booths and banners, and ads littered throughout event collateral, and are sized dependant on their financial commitment to the event. These conferences are not inexpensive! Thousands of dollars and multiple staff over 2-3 days are committed to running their company’s booth. It is a significant financial investment. Vendor staff wear their branded shirts and spend their time trying to gain eye contact with you while not-so-subtly checking your name tag to ascertain whether you are someone worth speaking to. Rinse and repeat hundreds of times per day. It’s almost a kind of awkward dance where each party knows what the other is trying to do but aren’t willing to have a direct conversation about it. A strained conversation is had where the vendor representative asks the attendee where they work and what they do, and when answered is usually proceeded by a sales spin of that vendor’s “market-leading” capabilities.

We all have attended these conferences. I often speak at these conferences. I know the environment well. Some people prefer to attend conferences just for the networking opportunities. Others state they are there just to hear certain people speak. However, I don’t know of anyone that attends conferences to be sold to. Attendees often are not interested in the booths unless they are getting a pen, webcam cover, or are able to test-drive a unique bit of kit like VR.

I admit I am not a professional speaker. I don’t even think I am a good speaker. However, I do understand that stories and an interesting narrative are essential for the audience to engage with your content. If you are a speaker and you attempt to sell your company or it’s products/services, you will lose the audience immediately. Yet it happens constantly. I wonder, would it be better for conference organisers to institute a strict “no selling” policy during presentations?

Are conferences stale? Does the recipe need to be changed in order to give attendees and sponsoring vendors more bang for their buck? I would be extremely surprised to hear of a vendor recouping their investment from a conference. I am sure it happens but not often. Are there more cost-effective ways to market your brand and capabilities at a conference while differentiating yourself from the competitors? You can’t do the same thing as everyone else and expect different results.

What it boils down to is, nobody wants to be sold to. People want to be recognised for their hard work and their achievements and empathised with for their hardships. Relationships and understanding human nature is the key to successful brand awareness and marketing. Are you discussing something that benefits them or does it just benefit you?

I have my own thoughts about how to improve conferences for all involved parties but I would be interested in hearing your opinion on how to tackle the issues I have raised. Or perhaps you disagree with me. If so, I would like still like to hear your opinion. I don’t have all the answers!

Save ‘crown jewels’ from cyber crims

Cybersecurity is, and will continue to be, the hot topic this year, with global cybersecurity spending expected to reach $US124 billion, according to research company Gartner.

Recent cyber attacks against Toyota and LandMark White serve as a stark reminder of the pervasive threat of cyber criminals. The issue becomes dispiriting when you delve into the statistics of data breaches.

An IBM-Ponemon study last year, Cost of a Data Breach, concluded the average cost of a data breach was $US3.86 million and the likelihood of a recurring breach in the following two years was 27.9 per cent. A data breach of more than one million records will cost about $US40m, and a loss of more than 50 million records will cost a staggering $US350m.

Australian small and medium business owners have long had a delusion that they “fly under the radar” of cyber criminals because they deem themselves “too small to bother with”. Recent statistics from Verizon show this is no longer the case, with 43 per cent of data breaches involving small business victims. Unfortunately, more than 500,000 Australian small businesses fell victim to cyber crime in 2017, and research shows that more than 60 per cent of SMBs go bankrupt within six months of a data breach. It is no longer an option for Australian businesses, regardless of size, to do nothing and hope for the best.

So, what can be done? At the outset, every organisation should consider the data and assets they own and identify what is critical to their business operations and their consumers/customers. It is impossible to protect everything at all times, and there is a limit to the capital available for cybersecurity budgets. The identification of your critical data and assets, your “crown jewels”, will enable you to implement appropriate security.

Invest in cybersecurity awareness training for staff. Most data breaches occur because of human error, such as clicking on phishing emails or sending information to the wrong recipient. Promoting a risk-aware culture and ensuring your employees are capable of responding to cyber threats is a cost-effective method of reducing your risk.

The theft of credentials can compromise an organisation’s entire network. Multi-factor authentication requires the user to enter a password, then another form of credentials, such as a PIN sent as a text to your phone, a fingerprint scan or universal second-factor security key. When multi-factor authentication is implemented, it is substantially harder for a cyber criminal to gain access to credentials and networks.

Last, and of equal importance, back up your data. Ransomware is a type of malware that blocks access to your data or systems until a financial payment is made. Many organisations choose to pay the ransom because they do not have their data backed up, and to retrieve it they must decide between making a payment with no guarantee their data will be returned or lose everything.

Australian companies need to make cybersecurity and data privacy a priority and demonstrate their commitment to the trust of their stakeholders, to remain competitive in the digital age

As published in The Weekend Australian on June 15th 2019. https://www.theaustralian.com.au/business/careers/save-jewels-from-cyber-crims/news-story/97bc6ec6b3df03a027849d140e2c7bde

 

Ethics in Technology and Cyber Security

Global connectivity is on a meteoric rise. Increasingly we see everyday items connected to the internet — connected refrigerators, baby monitors, washing machines, vehicles, medical devices, and even fish tanks. As innovative technology proliferates and evolves, it becomes increasingly embedded into our personal and working lives. However, this increased connectivity leads to increased risk for Australian citizens and businesses. It is no secret that cyber security is and will continue to be the hot topic in 2019, with global cyber security spending expected to reach USD 124 billion. (Gartner, 2018) The recent and highly-publicised cyber-attacks against Toyota and Landmark White serve as a stark reminder of the pervasive threat of cyber criminals. The issue becomes rather dispiriting when you delve into the statistics of data breaches.

However, data breaches are not the only concern arising from the proliferation of technology. Ethical issues, particularly concerning automation, artificial intelligence, and robotics, are now in front of mind for the public and media. Recent incidents have raised questions on ethics and responsibility, such as a death in March 2018 caused by an Uber self-driving car. Who is ultimately responsible? The manufacturers? The driver? The software programmers?

There is always a trade-off in technology. The trade-off by achieving a balance between accessibility and security, functionality and compliance, and convenience and privacy. It is essential to achieve a balance between these themes to establish trust and minimise any potentially harmful effect of the loss, theft, or destruction of sensitive data.

As we create and adopt technology, there needs to be ethically sound standards and regulations that govern the use of artificial intelligence and automation. This piece examines emerging innovative technology, ethical issues for the cyber security industry, the efficacy of current regulations and guidelines, and the options available for organisations who aim to embed ethical decision-making into their culture.

Ethical decision-making is about making the “right choice” and the reasoning behind those choices. The standard of ethics in an organisation is a direct reflection on the purpose of the organisation. Ethics forms the basis of the organisational purpose by asking “Why do we do what we do?”. Ethics in cyber security is about what decisions are aligned with our values and what is morally acceptable for both the data owner and the organisation. Ethical standards should also describe how to implement processes for ensuring ethical decision-making.

Ethical issues are a daily occurrence in cyber security. Every organisation that stores personal and sensitive data has a responsibility to ensure that ethics are interwoven throughout the company, from the boardroom to the interns and grads. Ethical decision-making promotes transparency and honesty, and as this piece concludes, the pursuit of such laudable values leads to both greater trust in the marketplace and greater profits.

The Australian public, consumers, and the media expect organisations to protect the data they store and use and have effective frameworks in place for guiding ethical decisions concerning the confidentiality, integrity, and availability of that data. They expect organisations to abide by legislation and regulations as a minimum, but as we have seen in recent times, “legally right” does not always equate to “morally right”. The oft-competing values of legislation vs morals means that the decision to abide by one or the other must take into account the organisation’s corporate social responsibilities and what is in line with both their organisational and personal moral values.

Emerging technology and risks

The IBM/Ponemon Cost of a Data Breach study concluded that the average cost of a data breach is $3.86 million, and the likelihood of a recurring breach in the following two years is 27.9%. A data breach of more than 1 million records will cost approximately $40 million, and a loss of more than 50 million records will cost a staggering $350 million.

Australian small to medium business (SMB) owners have long had a folie à deux that they “fly under the radar” of cyber criminals because they deem themselves too small to be a target. The recent statistics from Verizon show that this is no longer the case, with 43% of data breaches involving small business victims. Unfortunately, over 500,000 Australian small businesses fell victim to cyber crime in 2017, and research shows that over 60% of SMBs go bankrupt within six months of a data breach. It is no longer an option for Australian businesses, regardless of size, to do nothing and hope for the best.

Emerging technology, such as the Internet of Things (IoT) is designed to solve problems that affect us as humans and to make our lives easier and more enjoyable. However, that same cutting-edge technology can be used against us. While the employment of IoT yields many benefits across a vast range of industries, it is not without risks including privacy and security concerns, liability around automated equipment and self-driving cars, and a lack of global regulations and standards. There are numerous case studies of IoT use gone wrong, from hacked vehicles and baby monitors to the destruction of nuclear reactors and shutdown of the largest websites in the world via a D-DOS attack launched by the Mirai Botnet.

No alt text provided for this image

Artificial Intelligence (AI) has been used by cyber criminals to create something called a “deepfake”. A deepfake is a fake video, image, or audio message that looks incredibly realistic and fools the recipient into believing it to be a real person. This malicious use of AI takes phishing to a whole new level of sophistication and can be used to trick people into handing over passwords and sensitive data, or to pay fraudulent invoices, or possibly for “catfishing”. Malicious actors could also use “deepfakes” to manipulate elections by posting a fake video of a government leader discussing inflammatory topics or renouncing their campaign. This type of “fake news” could cause electoral disruption or cause conflict with foreign governments.

No alt text provided for this image

It has been argued that it is quantum computing, not AI, that will define our future. Classical computing systems are binary, which means they work on bits that exist as either 0 or 1. Quantum computers are not limited to binary bits. They use something called quantum bits, or “qubits”. Qubits stand for atoms, ions, electrons, and photons and control mechanisms working collaboratively as both memory and processor. Because a quantum computer is not limited to binary processing, it can contain multiple states at the same time which gives it the ability to be infinitely more powerful than even the most advanced computing systems available today. Cyber criminals could possibly harness the processing power of quantum computing to break advanced encryption algorithms.

No alt text provided for this image

Cloud computing is leading the transformation of where businesses and individuals store and use their data. As the volume of cloud usage grows, so does the amount of sensitive data stored in the cloud, which is potentially exposed to risk stemming from cloud-specific security issues:

  • Malware injections are malicious code that is injected into a cloud computing repository and enables malicious actors to gain access to any data that is uploaded to that repository. This type of malware is particularly challenging to identify without appropriate detection systems.
  • APIs (Application Programming Interfaces) assist organisations by enabling them to create customised cloud solutions that meet their data and operational requirements. Improperly secured APIs are a commonly-used entry point for cyber criminals, leading to lost or stolen data.
  • Just like physical servers, accessing cloud databases requires login details, which makes usernames and passwords a valuable target to cyber criminals. Similar to “deepfakes”, phishing emails is a common method criminals use to gain access to cloud login credentials.

Ethical issues and challenges for cybersecurity

The landscape of cyber evolves continuously. As does the threats that organisations and governments face. This required an evolving and equally-agile workforce. However, there is a widening gap between demand and supply of qualified cyber security professionals. This quite often leads to the rushed recruitment and onboarding of new cyber security staff, and potentially, a lack of guidance provided to the new recruit on ethical decision-making and expectations. When a recruit is forced to rely on their own standard of morality, this causes a rise in differing standards of right and wrong in the workplace, which ultimately leads to mistakes.

When an organisation sets and follows ethical standards or an industry abides by regulation that enforces ethical behaviour, it ensures that all relevant parties are held to the same standard and have a clear understanding of their ethical responsibilities. The C-Suite and the board must be seen to be leading by example and engendering a culture of high standards of ethical decision-making,

If a company’s data is compromised, it may face lawsuits, reputational damage, and questions about its ethical standards. Delaying a public announcement can compound these consequences. Those responsible for overseeing information security practices within organisations, such as CISOs and supporting management, must ensure a fit-for-purpose communications policy is implemented to guide incident response procedures.

There are a number of ethical considerations regarding the impact of technology and cyber security. One is the privacy of a user’s data. Organisations need to consider whether they have appropriate controls and processes in place to safeguard the integrity and privacy of their customers and their data. A key question to ask would be: what would the result to the customer be if this information was compromised?

Another consideration is the customer’s right to their information. This is particularly important when considering how long user data should be stored. Should it be deleted immediately after its use? If it is kept, how will it be secured? An even thornier question is what happens to the data when the user dies? Should their family be able to gain access to it?

A customer consenting to the use of their data is a critical consideration. It is now not sufficient to have a tiny script at the bottom of contracts and webpages detailing user’s rights to their data and the company’s privacy policy. Informed consent requires easy-to-access and easy-to-read language so the user can acquiesce without having to go to university to study law.

The consideration of bias in algorithms and AI is increasingly a topic of consternation for developers. Algorithms used in correctional facilities to determine the likelihood of recidivism, i.e. a prisoner’s likelihood to re-offend, has been used to decide the outcome of bail/release hearings in America. It was discovered that this algorithm, called COMPAS (Correctional Offender Management Profiling for Alternative Sanctions) contained biased data and was less likely to look favourably upon African Americans or people from low socioeconomic neighbourhoods.

There is currently at play, an Australia-specific example of an ethical issue concerning cyber security. The Assistance and Access Bill that was passed in 2018 allows Australian government law enforcement and intelligence agencies to demand technology manufacturers and providers to give access to encrypted communications. The law stipulates that a technology provider must create a “back door” or access point into their products so the government agencies can gain access to encrypted communications. This forced creation of a back door into technology created by Australian organisations leads to various ethical issues, not the least of which is the privacy of their user’s data. Technology companies, especially those who invest heavily in encryption products, may be forced to move their manufacturing operations internationally. The legislatively mandated “weakness” will likely undermine the trust of users in their products. This will have a profound effect on local research and development initiatives and manufacturing due to a reduction in jobs and revenue from the export of technology products.

Ethical case studies

Two (2) case studies come to mind that reflects the opposite ends of the spectrum of ethical decision-making in response to cyber security incidents and the effects the wrong decision can have on an organisation.

Yahoo was in the middle of being acquired by Verizon in 2017 when it disclosed it had discovered three data breaches in 2013 and 2014 that affected over one (1) billion users. Unfortunately, these data breaches were not disclosed until late 2016 after the original Verizon acquisition deal had been agreed to, but not yet paid for. The original deal between Verizon and Yahoo was worth USD 4.8 billion, and after the data breaches were disclosed, Yahoo’s worth was slashed by an incredible USD 352 million. The Security and Exchange Commission (SEC) also investigated Yahoo for waiting too long to notify victims of the data breach, and whether Yahoo violated SEC securities legislation by not providing documents to the SEC related to the data breaches. Yahoo continues to be liable for half (50 percent) of any debts incurred from third-party litigation and regulatory fines.

The Yahoo breaches and their lack of ethical behaviour concerning the notification of victims and regulatory bodies is an apt example of the damage that can occur when behaviours are not governed by ethical principles.

On the other end of the spectrum of ethical decision-making sits the Australian Red Cross. The Red Cross suffered a data breach of over 550,000 blood donor’s details, including name, address, date of birth, gender, and information regarding sexual history. The data was inadvertently published by a third-party contractor to an online public-facing application form.

The Red Cross immediately disclosed the data breach to affected donors and to the Australian Government CERT (Computer Emergency Response Team). Not only did the Red Cross avoid any fines for the data breach, but they also received an extraordinary commendation for their response efforts by the Commissioner of the Office of Australian Information Commission, Timothy Pilgrim. The assurance that the Red Cross provided donors served to increase their reputation for transparency and trust within the Australian community.

Both of the above examples highlight the importance of adequate incident response procedures that align with the values of the organisation. All organisations should seek to establish trust between themselves and their customers.

No alt text provided for this image

Conclusion

An organisation should implement a decision-making framework that aligns with the values and purpose of the company. The framework should balance organisational risk and best practice for cyber security in a well-defined and replicable manner which meets the needs of business along with regulatory and legislative obligations, and ensure that leaders have access to accurate information that is appropriate to ethical decision-making processes.

Ethics and cyber security go hand-in-hand. Organisations must establish its purpose and values and continuously monitor the behaviour of their staff in relation to those values. Customers expect honesty and transparency, and as detailed in the report, the results can be devastating when ethical behaviour is ignored. The protection of data and prevention of harm should be the primary focus in all ethical/cyber decision-making.

The following steps should be established as a minimum standard:

  • Every organisation should consider the data and assets they own and identify what is critical to their business operations and their consumers/customers. It is impossible to protect everything at all times, and there is a limit to the capital available for cyber security budgets. The identification of your critical data and assets, your “crown jewels”, will enable you to implement appropriate security controls where it matters most.
  • Invest in cyber security awareness training for staff. The majority of data breaches occur due to human error, such as clicking on phishing emails or sending information to the wrong recipient. Promoting a risk-aware culture and ensuring your employees are capable of responding to cyber threats is a cost-effective method of reducing your risk.
  • The theft of credentials can compromise an entire organisation’s network. Multi-factor authentication requires the user to enter a password, and then another form of credentials, such as a pin sent as a text to your phone, a fingerprint scan, or Universal 2nd Factor (U2F) security key. When multi-factor authentication is implemented, it is substantially harder for a cyber criminal to gain access to credentials and networks because they have to show they have access to the other authentication factor.
  • Next, and with equally great importance, backup your data. Ransomware is a type of malware that blocks access to your data or systems until a financial payment is made. Many organisations choose to pay the ransom because they do not have their data backed up, and to retrieve it they must decide between making a payment with no guarantee their data will be returned or lose everything.

It is not all “doom and gloom”. There is an “egg in one’s beer” to cyber security. Organisations that invest in cyber security and have high standards of ethical decision-making strengthen their resilience, decrease the likelihood of a successful attack, and subsequently have a higher level of trust with their consumers. The focus on consumer trust is now de rigueur in Australia, particularly after the Hayne Royal Commission. Research shows that over 50% of customers will pay more for a company’s services and products if they trust them.

Essential to determining whether a consumer trusts an organisation is transparency about their cyber security and data use. Through the timely disclosure of data breaches, the design of fit-for-purpose security controls, and the informed consent of the use of user’s data, organisations show they are transparent and therefore elicit a greater level of trust. Australian companies need to make cyber security, ethical decision-making, and data privacy a priority and demonstrate their commitment to the trust of their stakeholders, to remain competitive in the digital age.

Shannon Sedgwick GAICD

Diversity and Success in Cyber Security

On April 4th I had the pleasure of speaking at an event hosted by Preacta Recruitment and Charlotte Osborne. The topic of the event was ‘Challenging the Status Quo in Cyber Security’ and I spoke alongside the talented and loquacious Karissa Breen and Tulin Sevgin. This blog post outlines my speaking notes in full for those that are interested.

Gender Quotas

Now, I am going to say something potentially controversial. Staff gender quotas do not work.

Everyone would agree that the aim of a team or business is to be high-performing and successful. There is no business case for gender quotas. While research shows that a diverse team does increase performance, there is no data to suggest that gender quotas equate to a high-performing team. I recommend you google “golden skirts” and the study of gender quotas in Norway. https://papers.ssrn.com/sol3/cf_dev/AbsByAuth.cfm?per_id=248065

A Danish study examined 2,500 firms over eight years, finding that hiring women did indeed improve firms’ performance. Yet the conclusion was still that “the positive effects of women in management depends on the qualifications of female managers.” If quotas force hiring women, and as a result, the wrong women are chosen, there is a reason to be concerned that quotas will give the push for gender parity a bad reputation.

Instead, an organisation should have a gender quota for the pool of candidates! Then from that gender-balanced pool of candidates, you choose the best person for the role and your team. Nobody wants to be selected for a position based on their gender, cultural heritage, sexual orientation, or otherwise. People want to be chosen because they deserve it and they are the best person for the role.

Building a successful, diverse, and balanced team is not about pursuing gender quotas. It is about focussing on developing a supportive, high-performing, flexible, revenue-generating, kickass environment that people want to be a part of; where there is a culture built on the trust and respect that your colleague next to you in the trenches is there because they are the best person for the role. To choose someone based on their gender does a disrespect to that person, whether they are the best person for the role or not.

A Golden Ticket

The cyber security industry is still a nascent and rapidly growing industry. Rapid innovation and an extremely high uptake of cyber security services mean that opportunities are proliferating at a breakneck pace. Ladies and gentleman, this is your golden ticket. If you can establish yourself and your brand strongly within the market, you will rise rapidly. Whether building a start-up or climbing the ranks in the corporate world, the same principles apply.

In a world full of fish, be a shark.

I recently had a conversation with a good friend of mine, whom I respect deeply, and she said: “I am going to wait until I have established my credibility and gradually try and become a bigger fish in the market.”

I told her what I am going to tell you now….. Why wait? (repeat).

Don’t do what everyone else is trying to do and expect a different result. Be an outlier! Don’t ‘fit in’ and don’t be swayed by the consensus and the politically correct. You can not differentiate yourself if you try and do the same thing as everyone else, even if you can do it better. There are no rules! Forget being a bigger fish, be a fucking shark. You are the subject matter expert in your chosen field. You are an industry leader. It is the same principle as “dress for the job you want, not the one you have”. You need to act like the job you want. Demand credibility! Of course, you will have to back it up and earn that credibility every day but start now! Which leads me to my next point….

No-one ever built a statue of a critic.

There will be people during your journey who will attempt to rain on your parade. There will be haters. There is no avoiding them or the tall poppy syndrome they cultivate.

Let me tell you something: what they think about you, is none of your business.

In my experience, the only people saying negative things are those who have the time, and those who are too cowardly to put their neck on the line and hustle hard every waking minute of every day.

Truly successful people build each other up and are motivated by others’ success. They help and advise and guide the next generation of ‘hustlers’. They simply don’t have time to gossip and ‘hate’ on others success.

I’m a great believer in luck, and I find the harder I work the more I have of it.” – Thomas Jefferson

There is a common factor that ties everything I have said together. That common factor is hard work. Back-breaking, gritty-eyed, carpal tunnel-having hard work. There will always be someone smarter, better looking, or more talented than you. That is out of your control. But how hard you work IS within your control.

How many cyber or business-related books are you reading each week? What articles, podcasts, videos, TV shows are you ingesting to develop yourself? The only way to succeed far beyond the ‘consensus’ is to work harder than every person in the room. If you are curious and passionate about your chosen field, and you devote every spare moment of your time to your passion, there is no ceiling to your success. “Today I will do what others won’t, so tomorrow I can accomplish what others can’t.”

Now, let me add an “asterisk” to this. You need to rest. You need your “zen” time. For each person it is different. For me, it is exercise and reading heroic fantasy novels (cough. Nerd. cough). For you, it might be yoga or walking the dog or watching Game of Thrones. But if you love your chosen profession, then your work and your life will intertwine and you will love every minute of it.

One last point. Kindness is free. Help each other. Find a mentor, or mentor someone. Network and help people without any thought of reciprocation. You will find opportunities and happiness that you did not think possible. The law of reciprocity is ever-present. You only get back what you give.

Shannon Sedgwick

ssedgwick.com

Cyber Security Trends Opined

It is no secret that cyber is, and will continue to be the hot topic in 2019, with global cyber security spending expected to reach USD 124 billion (Gartner). We have all heard the spiel of “technology is evolving, and security must evolve with it” and “as technology innovation increases so does the cyber security risk”. I am not going to bore you to death by repeating what we all have heard a thousand times. Don’t even get me started on the incessant sharing of the same news story when a breach occurs…..

277269_Papel-de-Parede-Meme-Virando-a-Mesa_1600x1200[1]

But I digress! In this short piece, I lay out my opinion (rant) of the current market trends and nuances I have seen in Australia across both government and private industry.
“Vendor agnostic” does not always mean vendor agnostic.
– This is particularly true in Federal government. CIO/CISOs/whoever (the buyer) will identify a requirement/gap and assess potential solutions that will fit in with their overall business and its architecture. Often, before an RFQ is even issued, the buyer will already have a solution or provider in mind. Of course, probity and abiding by the government’s strict procurement regulations prevent them from going direct in most cases. If an RFQ seems like it has been written with a specific vendor in mind, (some are even written by the preferred vendor, although no one will admit to that), then it probably is. It is a useful skill to be able to spot these types of RFQs, and if you cannot provide that particular brand or solution, then it might be best to pass on that opportunity.

11697618

Organisations want a silver bullet, or as close to it as possible
– CIO/CISO/buyers are not overly interested in what “value-adding” vendors can provide or their capabilities. They don’t want your “spray and pray” spam emails and cold calls. That’s rookie s@$t man! They want to know if a vendor can identify and solve more than one of their problems at once. Procurement preference has shifted from deeply specialised providers to a vendor that can provide a platform that performs a wide range of functions adequately. A “one-stop-shop” if you will. The focus is largely now on the following:
o Does the solution solve multiple problems?
o Will the solution integrate with the current architecture and is it easy for staff to manage?
o Can it be automated?
Consider the above before you start marketing your solution and pitching to the CIO/CISO/whoever.

what-if-i-told-you-there-is-no-silver-bullet

IoT is not going away. Ever.
– IoT devices are proliferating like, well, rabbits… I and many others like @Lani Refiti have spoken about this issue many times. There is no sign of slowing down, and the lack of enforceable standards means security is not baked into the product lifecycle from the beginning. They are notoriously difficult, if not impossible, to update/patch, and to respond effectively to the threats posed by IoT, an iterative and adaptive approach is needed. Organisations are gradually becoming more aware of the risk and have taken a more considered approach to their use of IoT devices. Considerations like “do we really need a connected fridge that informs us when we are out of milk?” or “is it possible that my toaster is a Decepticon?” (The answer is “Yes” by the way).

iotJackson

There will be some (see “many”) that still have not implemented basic security standards
– There are security standards which should be common across all organisations by now. If your organisation (particularly mid to large size organisations) has not implemented the following, you should give yourself a swift uppercut (figuratively… or literally. Up to you.) This is obviously a non-exhaustive list. I just picked a few.
o Cyber awareness training for all staff and contractors. The majority of breaches are caused by human error so this one is a “no-brainer”. There is great training available for as little as $50/person. It will be cheaper than a breach. I promise.
o Cyber security as an ongoing topic of discussion at board/leadership meetings. A top-down focus on cyber will flow through the rest of the organisation.
o Backups. PLEASE, PLEASE back up your organisation’s data. Daily preferably. It is fairly straightforward and cost-effective to set up. Should the worst happen, then you won’t lose everything.
o Encrypt your data, including data at rest. This goes a long way to preventing unauthorised users from being able to view your data, even if they are able to get their mitts on it.
o Multi-factor authentication. Enable it on all applications. On every device. Even your Tinder account has MFA, for all you single people.

a2b5247a7df4fa62fd6965676dc4275a
Final thoughts (see “disclaimer”)
– This piece is just my weekend thoughts on paper and does not reflect the beliefs of my employer etc. etc. Take it with a grain of salt and some humour. I welcome constructive feedback and opinions on any or all of the topics I have discussed.

For more of my thoughts/ramblings, visit ssedgwick.com

But-Im-Not-Ready-To-Say-Good-Bye-Meme

Business development and the “human element”

I was prompted to write this short piece after receiving the 11,000,000th  (an actual statistic…. probably) ham-handed marketing in-mail /email from a services provider that: A. had nothing to do with my role or my industry, and B. was written exceptionally poorly. To be blunt, I believe shot-in-the-dark cold emailing is a fool’s errand. Perhaps at some point, this might have been an effective tool, but with the flood of providers available, particularly in the cybersecurity industry, it just does not cut the mustard.

Effective marketing, in my opinion, is about identifying a client’s pain point and offering a solution to solve the problem that is both time and resource efficient. You need to establish and continue to build a relationship with that client that is built on trust and mutual benefit. If you approach a potential client putting in the hard sell immediately, nine times out of 10, they won’t engage. That is why people in business development that have a higher level of emotional intelligence are more successful than their less “clue-ey” counterparts. You need to be able to read a person, read a room, and understand how the majority of people think and act, and shape your approach and demeanour to suit, often in an instant.

Remember; generally, most people enjoy talking about themselves more than any other subject. It’s why social media is so popular. It is entirely inwards focused. Use that to your advantage. Do your research on the target client (see reconnaissance) and identify something about that person or their company that is either good or bad so you can either congratulate them or empathise with them. For example, “Hi Potential Client, I saw that you just won a prize for promoting diversity in the workplace. That is brilliant to see. What motivated you to get involved in that space?”.

Don’t get me wrong, your interest must be genuine because people can instinctually spot a fake. But this type of introduction opens up a conversation that will inevitably lead to you describing the work you do and offering a catch-up over coffee to continue discussing theirs and your interests, which is the perfect opportunity to offer to assist them with their problem.

Of course, this is just one small part of business development, and I am not going to give away every play, but I think it is worth considering how you approach your BD strategy and whether it is designed with emotional intelligence and the “human element” in mind.

On a related note, ensure that your solution does, in fact, solve their problem. If it only addresses part of their problem, then you should not waste yours or their time. This leads to my next post (coming soon!) on why cybersecurity companies should consider offering a broader offering. Specialisation in just one area makes it increasingly difficult to remain competitive. I’ll explain further in my next post.

If you enjoyed this post, please share on LinkedIn or your preferred platform. If you agree or disagree with me, please leave a comment! Keep it constructive!

increase-emotional-intelligence

Legislation and Cyber Security

Data privacy and cyber security legislation have been a hot topic in Australia of late, with the implementation of the European GDPR, the Notifiable Data Breach Scheme under the Privacy Act 1988, and more recently, the Australian Government’s proposed Assistance and Access Bill (2018). The Assistance and Access Bill, in particular, is causing concern amongst the wider Australian public, privacy watchdogs, technology giants, and telecommunications providers about the level of government access to encrypted information. Aided by an international media “frenzy”, there is an increasing fear of over-regulation and unintended consequences for the privacy of individuals or organisations.

The new laws announced in August of this year are focused on cybercrime and aiding police and intelligence services investigating cybercriminals. I believe they’re a step in the right direction towards achieving a balance between privacy and the practical safeguarding of national security. In our dealings with the public sector, it’s clear that there is a lack of legislation and regulation in Australia that is industry specific. Many within the Australian industry view cyber security as something they have to “put up with”, which means that it may not be allocated sufficient budget or regarded as the business enabler that it is. One of the most effective ways to encourage compliance with recognised standards (NIST, ISO27001, ISM, Essential 8 etc.) is to mandate it with legislation. Legislated compliance provides confidence to end-users and business stakeholders. (Greenwald, 2015)

Consider healthcare as an example. The industry is notoriously immature in cyber security maturity with more breaches suffered than any other sector (OAIC 2018). Statistically, over 50% of their data breaches occur due to human error (Verizon 2018), which speaks to a lack of training and enforced standards. By comparison, the US has healthcare-specific legislation in the form of the Health Insurance Portability and Accountability Act (HIPAA) that provides data privacy and security provisions for safeguarding medical information. Almost 1 million people have elected to opt out of the Australian Digital health Agency’s My Health Record due to a perceived lack of appropriate security measures. (ABC News, 2018) Australia’s adoption of a similar approach to the US’ HIPAA would go a long way towards improving the cyber maturity of Australian healthcare and the trust of the Australian public.

Another issue with the lack of industry-specific regulation and legislation is that organisations are not aware of their data privacy obligations. If an organisation suffers a data breach, non-compliance with their legal and regulatory obligations could equal large fines, greater financial loss, and potential loss of trust with their customers/stakeholders. For organisations and industries to thrive and grow they need to be digitally enabled and digitally driven to keep pace with competitors, both domestic and international. Organisations using cutting-edge technologies can create new products and services, and create better end-user experiences.

To innovate rapidly, cyber security must be prioritised and viewed as a business enabler rather than an expensive anchor. Legislation that has been drafted in cooperation with industry stakeholders will aid cybersecurity maturity and compliance in digital transformation and increase the resilience and performance of Australia on the world stage.

Do you think legislatively mandated compliance with cyber security standards is a good idea? Please feel free to comment your thoughts on this issue below. You can read more of my writing or discuss speaking requests at ssedgwick.com