Must Organisations Be Good?
A question to answer a question.
Good at what? Imagine you’re shopping for a community. What inspires you about its purpose?
If I am only for myself, where am I?
If not now, when?
Bruce Jones, the senior programming director at the Disney Institute, shares a fascinating insight in Talking Point, the Disney Institute journal:
Purpose answers why? and mission answers what?
“A mission is something that describes the organization’s business,” Jones says, “and it projects into the future to provide focus for management and staff.” My take-away from Jones is that missions may change over time, and should, but purpose needs no historical context: if purpose means why then the same answer is as valid now as it was in 1958. Put slightly differently, one does not fulfil a purpose.
One does not fulfil purpose — it is a why, not a what — but it is possible to leave purpose unfulfilled, and to overcome this dilemma we must pose three other questions — who? where? and when? Adding these three questions still leaves the question how unanswered, and we will answer it below. This is Hillel’s riddle (my answers are on the second row):
The riddle, originally stated in Hebrew, poses an interesting dilemma: it’s perfectly sensible to translate the Hebrew of the second question as either “who am I?” or “what am I?”
English questions can sometimes be similarly hard to distinguish. Hebrew asks where but what does “where” mean? Aren’t I here? The simple answer: I cannot be alone in a group but I can be lonely, thus “alone” answers where and “lonely” answers what. Isolation is the consequence either way.
The Reality of Moral Philosophy
I have no idea why moral points need a philosophical basis. Ethics are the rules humans make to get along with each other, and so morality is an expectation that humans can behave ethically. If moral points are an expectation, however, whose expectation are we to meet?
There is no way to avoid G!d. Even Einstein couldn’t avoid G!d.
What To Teach Yourself About Member Service
Loss Prevention Headquarters (LPHQ) has a member service syllabus.1 Use it to decide what your Member Service Officers (MSOs) need to know to effectively serve your membership.
LPHQ emphasizes planning and minimises the importance of a “plan,” but this is an exception: a member service plan is crucial.
Why The Difference?
Member service extends the social mission your organisation is formed to support. You can plan for this: being social is (or should be) part of your culture. You should not need to analyse much (or anything), everyone your organisation reaches deserves courtesy, and you decide what’s important for your MSOs to know.
Your Courtesy Book
A courtesy book deals with interpersonal communications2, behaviour and morals. A courtesy book is the foundation of your MSO curriculum. More often called a book of manners today, your courtesy book makes decisions about only two matters:
- What your member can expect from your MSO, and
- What you expect from your MSO.
Planning MSO Empowerment.
Here is an exception to the exception:
- There is no such thing as an MSO empowerment plan
Service expectations change over time. Your courtesy book must be flexible, but it must also be a plan: not much should change; expectations are one thing, your organisation’s dedication to its mission is another. Conduct is an expectation; even the very smallest organisations must decide what these expectations are.
What To Teach Your Member Service Officers.
In 1744, when he was about 16, George Washington copied a Jesuit manual on etiquette as a handwriting exercise. The manual, written in the late 16th C., rings true to moderns. LPHQ has used modern English to re-interpret these rules of civility.
I want to stress that President Washington wrote these rules as a handwriting exercise. Writing what someone else has written is an effective learning tool. The hand copies while the eye remembers each word. This is an effective way to learn and master content.
Every MSO must know your courtesy book by rote. They must be able to randomly cite it — and they must know what courtesy policy applies in each situation they encounter. Only if in doubt should they refer a member service issue to a higher authority.
2. Another word for this type of interpersonal communications? “Etiquette.”
Member Service vs Customer Service
Businesses support customers through “customer service.” Some businesses form a customer service department, some do not. Either way there is, or should be, someone in the business assigned to support customers.
Membership organisations probably dominate the voluntary sector. This business model is more intensely about service than any other. The members of a voluntary organisation are quite serious about everything the organisation does. Why would they join it otherwise?
Service: A Philosophy? Or A Business Operation?
Many articles stress that service is a philosophy, not a business operation.1 These articles stress that everyone in the organisation is responsible for supporting customers or members.
It’s also common to assert that service is an investment, not an operation. This may be true when your organisation distributes goods. It is nonsense when your organisation distributes services.
Every non-profit forms to distribute services.
Loss Prevention Headquarters (LPHQ) thinks that service is essential to loss prevention. LPHQ curricula emphasize the use of member service officers.
Member Service vs Customer Service.
There is a serious difference between these two similar concepts:
- Customer service is optional: a business decides
  - what products it supports, and
  - how long such support lasts.
- Member service is not optional.
Customer service is optional and most serious manufacturers provide it. Member service is not optional, and most serious non-profits don’t provide it because they think they already do.
Retention Is A Loss Prevention Strategy
A marketing term, retention means “acts to make a stakeholder’s2 return likely.”
Member service is a form of retention. A form of loyalty, retention means that your member has confidence in the community. Confidence is essential to loss prevention.
Customer service is not a form of retention — and I do not criticise. Manufacturers must innovate, so they limit how long they support the products they make. Product innovations require customers to either upgrade or move to a different supplier.
Product innovation, however, degrades customer service if manufacturers do not keep their customer service teams up-to-date and empower them to empower the customer. This is a serious service failure, and it’s an opportunity for the gray market3 or the black market4.
Member-based communities are always “frontline” organisations: staff, except in the largest communities, regularly have direct contact with members. Some staff will have more contact than others, even in smaller communities, but everyone at some point has regular contact. Every staffer, at some point, will impact every member.
We’ll learn more of this in the next article.
1. An operation is an activity used to earn revenue for the organisation.
2. Stakeholders include everyone who either affects an organisation or is affected by it. Key stakeholders include creditors, directors, employees, governments, regulators, members, shareholders, suppliers, and labour unions. By far the most important stakeholder? The community from which a business or membership community draws its resources.
3. Gray Market means a legal market that sells legal goods. The market, however, has no relationship with the producer of the goods.
4. Black Market means an illegal underground market formed to circumvent legal restrictions.
What Planet Do You Live On?
Plan B became a regularly scheduled journal in May, 2018. Two-thirds of the articles published to this point deal with cybersecurity in one way or another, most especially the last four articles in June. It’s a fallacy to think that cybersecurity is different than physical security.
What Planet Do You Live On?
Cybersecurity is about people. The common segregation of security into “cyber” or “physical” is not useful. Jasvir Gill thinks that cybersecurity is from Mars and physical security is from Venus.
The founder and CEO of AlertEnterprise, Jasvir initially focussed his security practice on governance, risk and compliance (GRC). Loss Prevention Headquarters agrees entirely with this approach: GRC does not allow for “silos.” A silo, according to BusinessDictionary.Com, is …
A mind-set present in some companies when certain departments or sectors do not wish to share information with others in the same company.
Reasons To Silo
There are a few good reasons to silo. Marketing may want to keep certain information proprietary before a launch, or even thereafter. Finance certainly wants to separate receivables from payables. Human Resources must protect the privacy of its employees.
None of this applies to us here.
Marketing, Finance and Human Resources are important to business operations — but are not themselves operations: they don’t make money, they support units that make money. Departments or sectors who do not wish to share information, continues Business Dictionary…
… reduce the efficiency of the overall operation, reduce morale, and may contribute to the demise of a productive company culture.
Life On Planet Earth
Gill thinks that corporate security is one planet. The silos of Mars and Venus, cybersecurity and physical security, must be pulled into Earth’s orbit. Far too many organisations segregate IT security from physical security.
Security professionals in the organisation need some of the same training, and as they acquire it they must be allowed to move forward. At some point what your security professionals know will diverge: some will have advanced skills useful to cybersecurity, some will have advanced skills useful to general life safety — and all will have advanced skills.
Gill’s expertise is in critical infrastructure, where the distinction between cybersecurity and physical security is quite thin.
“Bad guys attack where they see the biggest gap,” he asserts. “They won’t wait until you are prepared.” He’s right, and smaller organisations must learn from him.
How Deep Is The Talent Pool?
Cybersecurity is a type of continuous improvement. This is true of all security planning, actually.
Cybersecurity competency demands social, interpersonal skills. A good cybersecurity expert attracts organisations, and the people who hold them dear; promotion simply doesn’t work:
Everyone already knows security is important:
- No one leaves home with their doors wide open.
- No one leaves the car in the parking lot without locking the doors.
What is there to promote?
The Talent Pool Is Shallow
The best cybersecurity expert is an educator. She (he) probably speaks at least two languages. This is important, for digital crime is transnational.
The world population is perhaps 7.5 billion. Fewer than 500 million people live in the Anglosphere (Australia, Canada, New Zealand, the United Kingdom, and the United States) — scarcely 7% of the world population. The chances are superb that digital criminals speak a first language other than English.
Questions to Ask
- Describe your experience with other, similar organisations. (It’s reasonable to assume they’ll have some or much enterprise experience but little or no SME experience.)
- What is the single, most simple solution for our cybersecurity? (There isn’t one. If they suggest otherwise, move on.)
- Have you a plan to keep everyone in the organisation well-informed and secure? (There is no way to plan this. None. Planning is crucial; a plan is useless.)
The Three P’s
Policy. Even the smallest organisation is now subject to a compliance framework. The distinction between compliance and law enforcement is basic, and your cybersecurity consultant needs to be aware of it. Cybersecurity expertise ideally includes policy analysis.
Procedures. How do you implement your compliance framework? Drafting policy is one thing. Implementing it is something else.
Planning. Cybersecurity is one type of security, and security is a type of continuous improvement. Threats change routinely. Plans don’t because plans can’t, so avoid plans and invest in planning.
One more rant
On Monday, June 25: Swimming In The Talent Pool.
Who Is Qualified For Cybersecurity?
It’s always complicated to find good help. It’s more difficult in some fields than in others. It’s certainly difficult when it comes to cybersecurity. Organisations find it difficult to acquire the professionals qualified to effectively protect networks from outside threats.
Why is this?
Qehilla ARM-LP is less a security consultant than it is a security integrator. The organisations ARM-LP anticipates serving are small-to-medium enterprises (SMEs), typically (though not always) community-based cultural, learning, or religious communities.
ARM-LP communities will almost always run small business networks. A few will have a dedicated IT department, but likely not most. The resources to manage network security will be minimal, if any exist at all.
Cyber Degrees has an interesting (though flawed) perspective. Cyber Degrees lists five types of cybersecurity program:
The sample syllabi that Cyber Degrees lists for each option have one significant flaw: people are not considered. Each syllabus stresses technology. None stresses people.
That’s ridiculous. Here are some of the non-essential duties Cyber Degrees lists:
- Determining the most effective ways to protect endpoints and the network from attacks
- Responding to breaches and other emergencies
- Assessing security risks
- Interviewing staff on security preparedness
- Researching and preparing for new security threats
- Provide reports to management.
- Compose cost estimates for necessary security expenses to management
These duties only seem essential. Each would be except for the fact that people are missing from the list in all but one instance — and that instance is absurd:
Interviewing staff on security preparedness? What on Earth does that mean?!
Cyber Degrees insists that these are some of the “specific skills” a cybersecurity position requires:
- Secure Coding Practices
- Firewall Protocols
- Intrusion Prevention
- SQL and other security frameworks
Technical skills are important. They are not more important than a good grasp of marketing, and they are far less important than knowing how to meet the basic needs of any SME.
I’ll continue this rant in the next post, How Deep Is The Talent Pool?
An Encyclopedia of Cybersecurity
An Encyclopedic Dictionary of Cybersecurity (EDoC) is ready for your perusal.
Useful vs Informative
It’s much too difficult to find really useful content on cybersecurity.
Encyclopedic Dictionary of Cybersecurity (EDoC)
My head is not buried in the sand. I know there’s a lot of information on cybersecurity. Is this useful content? No, I’d say not.
Cybersecurity information mostly reaches across to teach. That’s not useful for most of us. We need information that reaches down. The difference:
The vast majority of cybersecurity information reaches across — it finds coders, network admins, and vendors. This helps them help us. Most of us are not coders, network admins, and vendors.
Cybersecurity information that reaches across does not help us — and that means…
It does not help us help the people we hire to help us.
Executive directors and CEOs almost always know how to read a balance statement.
They commonly know enough accounting concepts and terms to understand what the experts say — and some of them are themselves such experts.
This is not so when it comes to computers generally, and certainly not with respect to cybersecurity.
I understand why general managers are not adept at computing: a computer is a tool — and I need not be a locksmith to use a key.
Locking the door, though, makes me more secure. So does understanding cybersecurity.
I do not understand why most GMs do not understand cybersecurity better. Cybersecurity is about only one matter, which every GM should be well-informed about:
Organisations cannot function without confidence — and no one is attracted to an organisation that does not inspire them with confidence. Markets behave best when they attract people rather than promote to them.
- Markets rise and fall on the confidence people place in the goods and services they purchase.
- Every organisation occupies a marketplace.
Markets are people who gather to buy and sell, and people behave best when they are confident.
Are you confident about cybersecurity? Probably not. To be confident, to instill confidence in others, you need to understand cybersecurity the same way you understand a monthly balance sheet.
With you in mind, I compiled the Encyclopedic Dictionary of Cybersecurity (EDoC). It’s concise, it’s informative, and it’s useful.
The smallest useful unit of information is called data. It’s barely useful without context.
A 16 digit number, for example, conveys nothing useful to the person who reads it — unless it accompanies a name. Other data may be necessary to provide further context, such as a verification code, but this only provides additional context.
When data collected includes context it is information.
Modern criminals have profitable information if they have a name accompanied by a 16 digit number.
The community you serve generates a lot of data: names, birthdates, addresses, marital status, credit card numbers. Birthdates, names and addresses provide context for credit card numbers.
Data is an asset in a digital economy. Data loss can only ever be horrifying for your community — and catastrophic if the data cannot be recovered. Organisations must…
- Choose the backup media
- Regularly test the backup
- Conveniently schedule backups
- Audit their data needs
- Prioritize
A single server is typical in small office computing environments. Audits are essential. Small office networks are no less vulnerable to data loss than enterprise networks — and they are far less prepared to overcome the chaos or catastrophe that occurs.
Security is a priority. It’s ridiculous to…
- back up data and leave it in an insecure location, such as sitting on the same desk as the workstation
- leave a computer on and open to hackers
- back up data and leave it where it can be destroyed by fire, flood or human stupidity.
Have I made my point?
Business continuity requires accessible data.
Perhaps 50% of organisations will survive if the data they store is inaccessible for some length of time. The ones that survive will be the ones who have spent time, effort and money to ensure their continuity. It needs to cost money. It does not need to be expensive: an 8 terabyte external hard drive is roughly $225.