Tuesday, March 18, 2008

CIO Magazine 20 Minute Miracles and Real Risks

I liked CIO Magazine's article "20 Things You Can Do In 20 Minutes to Be More Successful at Work" by Stephanie Overby. Several excerpts follow.

  • Grab the annual 10-K reports that your top competitors have filed with the Securities and Exchange Commission and read the section called "Management's Discussion and Analysis." That's where the CEO (through corporate lawyers) describes what happened to the company in the past year, good and bad.

    By scanning that material, you can immediately get a better understanding of the competition.

  • Sit down right now and reschedule all your internal IT meetings for just 20 minutes...

    "There's only about 15 minutes to 30 minutes of true productivity in most meetings, even though meetings are typically set up for an hour," says Michael Hites, CIO of New Mexico State University, who once placed a 30-minute limit on all meetings. "The idea is that it forces you and your meeting buddies to prepare and focus." Hites found that shorter meetings were more effective and left more time to actually accomplish things.

    If you like that idea, consider this even more sweeping suggestion from Direct Energy CIO Kumud Kalia: Cancel all recurring meetings with your subordinate staff. "Ask them to come to you with major issues, not every little decision," Kalia advises.

  • Take your own company's 10-K and pay attention to the bad stuff that happened in the past year. Think about how technology affects such events, then figure out what you can do about them. For example, in its latest 10-K, Owens Corning, the $6.5 billion maker of construction materials, talks about how the decline in U.S. home building hurt sales. Could better business intelligence have predicted how steeply new construction would fall and have helped Owens prepare?

    Think also about how IT can mitigate the scary possibilities cited in the "risk factors" section.

  • Ask yourself if you're working toward something or just working.

  • [S]end an e-mail to your staff to encourage them to pick up on something new. And tell them they are expected to spend one day a month learning. Make it an official day on everyone's calendar...

    One no-cost way to do this is to encourage participation in computer user group meetings and industry associations.


Speaking of 10-K forms, I looked at the latest from Owens Corning, specifically the Risk Factors section. It reminded me that creating a "Chief Risk Officer" out of the ranks of the information security staff is generally a bad idea. Why? All of the risks that businesses care about have little to do with information or security. Here's what Owens Corning cites:

  • Downturns in residential and commercial construction activity or general business conditions could materially negatively impact our business and results of operations.

  • Our cost-reduction projects may not result in anticipated savings in operating costs.

  • Adverse weather conditions and the level of severe storms could materially negatively impact our results of operations.

  • We may be exposed to increases in costs of energy, materials and transportation and reductions in availability of materials and transportation, which could reduce our margins and harm our results of operations.

  • Our hedging activities to address energy price fluctuations may not be successful in offsetting future increases in those costs or may reduce or eliminate the benefits of any decreases in those costs.

  • And the list continues...


Do you see what I mean? At the top levels of business, risk is all about business. It has little or nothing to do with anything we in the information security space manage on a day-to-day basis. I'm fine with that. My major role is to protect my company, our users, and to the extent possible, our customers and peers from digital threats... without them worrying about it. My company makes money, and I try to keep us safe.

If you do aspire to be a CRO, work for a financial or insurance firm, get an MBA, and lead a business line after being a security person. The companies popularly cited as having CROs are all insurance and financial in nature. These industries internalize risk via financial calculations and models on a daily basis, but those are risks involving capital, not data.

4 comments:

stacy said...

Great article; right up to the point you said "At the top levels of business, risk is all about business. It has little or nothing to do with anything we in the information security space manage on a day-to-day basis. I'm fine with that. My major role is to protect my company, our users, and to the extent possible, our customers and peers from digital threats... without them worrying about it."

How do you know what to protect or how much protection is appropriate without input from the business? I agree that they should not have to worry about information security, but they should be aware of it. They should also be comfortable that your activities are aligned with business objectives. (Gack! I'm starting to sound like a vision statement!) Seriously, companies don't have IT resources for the sake of having IT resources; they have them for business reasons. Therefore IT objectives (security or otherwise) are (or should be) business objectives.

Craig Balding said...

@Richard: I couldn't agree more with some of Stephanie's observations. This also happens when we get too bogged down in the trivia - "sweating the small stuff". I recently carried out a small survey of some technical security peers that showed some depressing stats just around time spent on email vs getting actual projects done that can actually make a difference (post to come soon). Sidenote: The other tip of 10-K reports is to check out your supplier R&D figures - always interesting to see who is investing in capability and who is not.

@Stacy: I didn't interpret Richard as suggesting that there is no need to take input from the business. It was more that at the board level, IT security issues are rarely on the agenda (if things are going well that is ;-).

xczc said...

This comment has been removed by a blog administrator.

G said...

Boy do I love the 20 minute meeting idea. A former manager (with Army background) used to say, "meetings are for making decisions. Schedule a 1x1 if you need to discuss something." Unfortunately, too much of that can lead to "not being engaged," but old habits are hard to break. Which is why I still love concluding a 90-minute staff meeting in 25 minutes. :)