Monthly Archive April 2013

Oscar O’Connor: Cyber Security as a Tool for Business Transformation

The news media carry stories relating to cyber security on a daily basis and it is no exaggeration to state that the topic is now part of the mainstream debate. But what is cyber security? It seems to mean different things to different people. Most concerning, to those of us who spend our working lives on this topic, is an apparent assumption in many organisations that the issue is not one that requires urgent attention. My goal is to examine why that might be the case and to offer some suggestions as to how to address the lack of urgency whilst recognising that there are more urgent and more important priorities into which the cyber security and information assurance agenda must fit.

I am hoping that you are at least mildly curious as to why I have entitled this piece ‘Cyber security as a tool for business transformation’. The primary reason is to encourage a change in our mindset as cyber security and information assurance professionals. Over the past 15 years, I have attended numerous meetings, seminars, and conferences and participated in debates both formal and informal on the topic of how to get the message across to senior executives that this field is one that requires their attention. The specifics vary, and whether the conversation be about risk-based controls, business continuity, information assurance or cyber security, the general theme has remained constant… “they don’t get it”. And it matters not whether you are seeking the opinion of the professional or the executive, the view is the same. This indicates to me that there is a fundamental failure of both understanding and communication on both sides.

I make no claim to a rigorous scientific basis for my hypothesis, but after 15 years of active observation I am confident that there is at least a strong anecdotal basis for drawing the conclusion that one of the key factors in creating this problematic communication is our educational tradition of specialisation. We have built professions of various hues in this general field where the emphasis is clearly and consistently on the ‘pure’ rather than the ‘applied’. It is my belief that unless we cross this divide we will continue to struggle to gain acceptance of the need for robust cyber security and information assurance – primarily because we are approaching the issue from the perspective of the pure scientist rather than the applied technologist.

As a profession, and as subject matter experts, it is incumbent upon us to address the very real needs of our customers (internal or external) in terms of normal business operations. We have no God-given right to be heard on our specialist subject. We can express the benefits of adopting good security practice in terms that our customers can relate to and it is vital that we do. If we are not making a positive contribution to the performance of the organisation, it is entirely valid to question the relevance of what we aim to achieve. We must not lose sight of our customers’ business objectives and must ensure that the security regime we propose is appropriate, effective, sustainable and most importantly makes a tangible and measurable contribution to the ongoing improvement to business performance.

Oscar O’Connor: Do Service Level Agreements guarantee Service Quality

Do Service Level Agreements guarantee Service Quality?

My first instinct is to say “no” – and to do so with quite a heavy emphasis. In my experience of transformation programmes and outsourced services (on both sides of the fence), the service level agreement seems to me to be more about giving both sides a stick with which to beat each other and has little to do with the user experience. I have been involved with contracts where service levels have been met and yet the user community has been not only unhappy but positively litigious, and this cannot be good for our industry, not to mention our blood pressure.

So what to do? What if we had a means of measuring service quality? I don’t mean availability because that’s easy. I mean a scientific measure of end-user perception of the quality of service. Would that not be a good thing? At least from the customer perspective? I can think of many objections from the suppliers’ perspective but choose to discount them as self-interest. As a user of many services, both physical and online, my sole interest is in making the use of these services as easy and pain-free as possible from my own point of view. I believe that most users of corporate or government services feel the same.

It may be difficult to assess the quality of a service that is delivered in person except by asking the user – though how difficult is it really? I have worked for a number of service providers with very different attitudes to this issue… some refused to countenance asking those questions because they genuinely did not want to know the answers. Others have embraced the concept and as a result have grown their businesses by taking their customer feedback on board.

So, looking at the world as it is, rather than as it was a decade or so ago… social media have taken off in a way that only a few visionaries would have imagined, and they are now all unimaginably wealthy as a result. Should we perhaps stop to think about why that is? They have given us all the ability to talk to each other in non-intrusive and global ways that previously involved either inter-personal email or long-distance telephone calls… and not only can we do so for free but we can talk to many people at once. So when we start to talk about our experiences of service providers, services or systems, there is a good chance that not only will many people hear us, but they will share our thoughts with many, many others. If your service is fabulous, that’s a great thing. If it is less than fabulous, then you might have problems. After all, service quality is all about perception, is it not?

Would it not be marvellous if we could have a means of measuring the quality of an online service in real-time so that we could identify issues in the technical delivery supply chain – even in the elements we don’t directly control – so as to act before issues become problems?

I for one do not wish to be told that my service is meeting its service level agreements if my customers are unhappy. I want to know what is making them unhappy with my service, regardless of who is responsible for that link in the chain. I want to deliver excellence in all of my company’s services and I will only be able to guarantee that if I can measure the end-user experience.

My second reason for opening this debate is that I am in the consultancy business and it is a business which has more than its fair share of problems in terms of customer perception. My belief is that when a customer engages a consultant they should not only get good, sound and experience-based advice but they should be able to measure the improvement to their business of taking that advice. For that to be possible (and the IT industry has been wrestling with this issue for decades) it must be possible to establish a baseline against which improvements can be measured. The customer should then be able to use the same measurements to determine whether the implementation of the consultant’s advice has made matters better or worse. Now, would that not be a game-changer if rewards were based not on effort expended but improvements delivered?