Project Management Judo
In It’s not about risk, Shrdlu got me thinking about the problem of perception. A few years back, I noticed one of my IT staff doing something odd. Every couple of weeks, over a period of many months, I would see this person walk into a room with marketing and sales people to attend a half-hour meeting. I was pretty sure the IT staffer did not know these people and had nothing to do with marketing or sales efforts. We were not running any joint projects at the time, so I could not figure out why he was meeting with these other teams. At some point curiosity overcame me and I asked what was going on, and the IT guy told me they were figuring out how to set up credit card purchases for online software sales. Uh, what?
It had started innocently enough. Someone in sales asked the IT guy if they could have some space on a public FTP server, outside the firewall, to host customer reference documents and user guides. Just benign PDF files. Eager to help, IT made it happen. And it was a success. Soon a sales manager asked for a ‘help’ email account, so an email server was set up on the same box. Marketing got wind of this, and placed their own sales support docs on the server, but asked for a web interface to the documents. Done. A few months later the VP of sales thought there was a lead generation opportunity, so he asked for a sign-in page with logins forwarded to the sales team. Marketing asked if it was possible to simply share the marketing folder to the collateral server to make it easier to push content, and it was finished by day’s end. Each new request was completed as asked. Customers said it would be great if they could pay for some of our upgrades online, so someone in sales said “Absolutely!” and asked the IT guy how quickly taking credit cards could be set up. This is the point I enter the story.
I call this a “lose-lose, with a side of bad news” situation. I found that I had an unsecured server outside the firewall, running FTP, email, file sharing, and a web server, with a share mounted from an internal marketing folder, opening a gaping hole into the network. Worse, the service was already a success, with several groups dependent upon it. I was about to shut down this entire unsanctioned and insecure operation, piss off sales and marketing, and gently admonish an employee who really did nothing but try to be helpful. To further tweak everyone involved, I was playing Scrooge, killing off their Christmas dreams of generating Internet sales before the end of Q4.
What started as a simple repository rapidly evolved into a full-service portal, with each step introducing visible benefits, but security risks that were not at all obvious to those requesting the services. And honestly, they did not care, because the customers were happy. Marketing was happy. Sales was happy. IT Guy was happy. Me? Not so much.
Shrdlu points out that “The onus to demonstrate benefit is on those who propose the action be taken.” I get this. In spades. The side of the coin opposite “Mr. Happy Go-getter” is “Mr. Negative Boat-anchor”. It sucks to be the boat anchor. But someone has to be the adult and say ‘No’. Or maybe not say ‘No’ out loud, but make someone else say it for you. There are ways to do this without being labelled “not a team player”. It’s really quite easy to dream up new ways to generate revenue, and everyone wants to make more money. You want to make more money for the company, don’t you? (Try answering that Porcupine Question, in front of your CEO, when a sales guy drops it into your lap.) Pointing out the flaws and telling people this is a bad idea makes you the bad guy who keeps the company from being successful, or at least positions you as the impediment to success. But asking the right questions or providing alternative perspectives, in a positive way, can make you seem like the smart, cautious person who saved the company from serious problems. It’s tough to sit through project scoping meetings and think about what could go wrong when your peers are all wide-eyed and dreamy about some cool new web service.
Based on some hard-learned lessons, I would modify Shrdlu’s point to say you need to find clever ways to make the presenter of the action address the risks. You need to develop some IT Project Judo moves to place both the good and the bad at the feet of those who propose the actions. It’s all in how you go about it.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Adrian at Dark Reading on PCI Token Alternatives.
Favorite Securosis Posts
- Mike Rothman: Symantec Bets on Data Protection with PGP and GuardianEdge.
- Rich: FireStarter: Centralize or Decentralize the Security Organization?
- Adrian Lane: Incite 4/27/2010: Dishwasher Tales. I was re-arranging just before I read this post.
- David Mortman: Understanding and Selecting SIEM/Log Management: Introduction.
Other Securosis Posts
Favorite Outside Posts
- Mike Rothman: 10 Quick, Dirty and Cheap Things to Improve Enterprise Security.
- Rich Mogull: Wozniak, Apple Security, Employee Termination and Gray Powell.
- Adrian Lane: The Narcissistic Vulnerability Pimp post, along with responses from Robert Graham and David “Did someone say Pimp?” Maynor and Russ McRee, purely for their imagery and subtexts.
Project Quant Posts
Research Reports and Presentations
Top News and Posts
- Texas Botnet Herder caught.
- Metasploit Express.
- Ponemon Study on Web App Security (registration required). Personally, I need a survey on Ponemon surveys just to keep track. Seems like every time I turn around there is a new one.
- Brokerage firm fined for data breach.
- Surgeon goes to prison for HIPAA violation.
- Flaw in MS SharePoint.
- Blippy Promises Security Improvements.
- What’s Wrong with the PCI Standard?
- Funny take on the Apple-Gizmodo Feud. Downloading the “Ram-IT” app for my iTazer.
- Apple: Flash has major technical drawbacks. Why am I surprised when one large company tells the truth about another large company’s product?
Blog Comment of the Week
Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Anton Chuvakin, answering Adrian’s comment on Understanding and Selecting SIEM/Log Management: Introduction.
Do you know of a SIEM vendor that does not offer Log Management today?
No, there isn’t any. They all learned the lessons and built/bought LM (all except vendor N, I think :-)). Everything else you say is 100% true, IMHO. However, the opposite is just not true. A lot of smaller log mgt tools vendors have truly nothing to do with a grand vision of SIEM. Think Prism, GFI, even Sawmill, and many others. So, there is no credible SIEM without LM, but there is plenty of LM without SIEM. As I said in the recent paper, “everybody who has logs needs LM”, but not everybody is mature enough to use a SIEM. Even Splunk is very useful for LM and is clearly not a SIEM.
Reader interactions
3 Replies to “Friday Summary: April 30, 2010”
@Iyta – I learned it from watching sales people. I learned that people like options, and if you present additional options they can be steered in the right direction. I learned that walking people through the idea they proposed illuminates the problems they did not see at first. I learned that sometimes people ask for things they don’t want or need, to shift focus off themselves. Yes, sales people do this. Executives do this. I learned that nobody likes to hear ‘No’, which is one of the reasons sales people start off with ‘Yes Answer’ questions; it alters the mindset of the person you are talking to. It gets them to take the first step. “You do want a free vacation, don’t you? Then come by our lovely time-share condominiums … ”
Sales people have to sell an idea _every day_, so they come up with creative approaches to getting people to buy into what they are selling. It’s really the same thing to show teammates that a proposal is the wrong choice, but that there are other alternatives that are better. I am not saying it is easy, as it takes practice, but the alternative is being marginalized as someone who finds ways to not try something new. Or, as you call it, a ‘wet blanket’.
Like, you’ve been following me for the past 10 years? Where does one learn this IT Project Judo? I’m serious. I am SO tired of being the “No” guy, the boat anchor, the “We never invite her to meetings, because she’s always a wet blanket.”
Aww, thanks Adrian! Must resist doing Sally Fields impression right about now.
IT Project Judo is an excellent description of what you need to do — kind of like facilitation with an agenda.