Sunday, September 20, 2020

Proving a Negative

Proving a negative is a tautological impossibility, right?

That’s the security business. Prove that you haven’t been hacked. Of course, many vendors realize this is impossible. Fact is, it would require the customer to understand everything they do in total detail so they could call out what was bad behavior. Once again, impossible.

What else could be described this way? Quality Assurance. Prove that the software doesn’t have any unacceptable bugs. Maybe you dedicate people to this function and therefore spend the fixed costs of a sub-department with its own bureaucracy, or maybe you ask developers to spend time on it and therefore move at half speed. Maybe you strike a balance somewhere down the middle. Or you could outsource testing, either to a paid third party or your paying second party. No matter what, you’re more hopeful than certain. Sounds a lot like security.

Security vendors and thought leaders can just flip the argument: you can’t prove you’ll catch the incident of hacking, so we’ll focus on finding bad activity after the incident. Assuming the malicious actors will stay in the system as long as they like and take what they can, there should eventually be a misstep that the security team can see. Still proving a negative, but it’s tipping the scale in defense’s favor a little bit.

What’s the QA equivalent? Fuzzing comes to mind, though there are certainly humans who bring an artful chaos to their manual testing. Long-term monitoring of systems can also uncover funny bugs.

In both cases, there is an argument to be made that the cheapest way out of an impossible situation is to buy insurance. The argument goes: “We can’t prove we are free of risk, so we’ll just do the minimum of due diligence for compliance and buy risk coverage.” Or from a vendor perspective, “we’ll offer a cyber warranty that we did due diligence, and caveat emptor past that.”

I am pleased that the majority of organizations I’ve worked with as a long-term software monger have been motivated to act beyond the bare minimum. Whether working at a customer or vendor or partner, people want to have some pride in their work. Corners are going to be cut sometimes, but tech debt gets paid down too.

Sunday, September 13, 2020

Conference Giveaways

Remember going to conferences?

When I was a young sales engineer and going to my first conferences, it was clear that an attempt to attract visitors with a freebie or a lottery for a big thing was a strategy. Maybe not a great strategy, but there it is. Notable factors: the thing should be something that the audience would like, and a thing that’s portable for the flight home, right? Computer parts, personal electronics, lightweight clothing. Some link to your product is nice, but slapping a logo on a small toy is fine too. I fondly remember the rubber duckies in space shuttles that the customers threw into the conference center’s fountain until it was jammed full of them and the organizers came to yell at us. Or the poor guy trying to give away Zunes who had to keep explaining that it was a thing like an iPod. If you’re really desperate, you could just give away software licenses, I suppose.

But the funniest, most bizarre conference giveaway I’ve ever seen was at one of the first conferences I supported. There are many overlaps between tech conferences and hurricane warning season, something about cheap conference center space I suppose. Imagine if you will, a business casual event in Miami in August with a tropical storm deciding what it wants to do a few miles away. It was hot and miserable, and the conference center was surrounded by construction that helped to keep people away. The sales critter felt that a really interesting draw would be needed. And so, a little unclear on the parameters and yet technically correct, they tried to raffle off a stack of Omaha steaks at a tech conference.

Traffic was low. We were pitching a service that the already small audience wasn’t very interested in. And so we had plenty of time to stare at this decision and think about it, chatting with the occasional puzzled conference goer who would stop by to ask why we had a pile of vacuum-packed meat in the booth. “Shouldn’t that be in a refrigerator or something?” Good question. Seems the sales critter thought that vacuum sealing was sufficient to stop spoilage. (It is not.) Some of those people would stop and chat about grills and cookouts, conversations that never went anywhere close to business.

Sometimes I think of that when people pitch their conference ideas — a couple of dozen chunks of plastic-wrapped meat in cardboard boxes piled on a tiny podium in a half-empty conference center, zero connection to the intended purpose. Could be far worse, though. One of these days I’ll write about my experiences with team building in the late 90s.

Monday, September 7, 2020

Consulting’s Bad Rap


Naming no names... but there’s a type of management consulting shop with an unsavory reputation among middle managers and individual contributors. Let’s look at how the reputation is earned: by training to a model that produces failure as often as not, but always successfully deflects blame.

It’s easy to find problems, and easy to sell impractical solutions to those problems. A lot harder to execute, but if you can deflect blame for unsatisfying outcomes, there’s good money to be made for a very long time.

The model is: interview, sell, train, disengage. In another post, I’d like to go into the outsourcing services variation of this model, but today’s focus is on management consulting.

Interview playbook goes like this:

  1. find the bright and moderately disgruntled. No organization is perfect, and there are respected voices with wasted cycles in every team, observing imperfections and thinking about alternatives. If they’ve discussed these ideas, they may also feel resentful or unheard. The consultant’s job is to find them and amplify their feelings.
  2. unify a group of them behind an idea. There will be a common thread or cluster of complaints, just keep digging until it appears. Remember, the most consulting-friendly problems are actually problems with people communicating, so look for breakdowns between teams: process gaps, slow transactions, rework from mistakes.
  3. document and present. The artful step is now to make the problem you’ve discovered seem generally soluble, something that other organizations have faced and conquered. We need a deck chock full of industry statistics, colorful graphs, and quotes from your own organization’s respected voices. The kill slides will present estimated losses from the discovered problems.

Enterprise sales is a two-step operation: produce desire, then conclude the transaction. 

Sales playbook goes: 

  1. As my first sales weasel explained it, “find their pain”. The interview process and presentation have produced the desire, but a good salesperson will double check that this hook is set. In consulting sales, they’re also hunting for the internal stakeholders who will champion this project, sign the purchase order, and consummate the sale.
  2. magnify the problem. Steve again: “jam your thumb into that pain and twist it around”. The salesperson is working to produce a compelling call to action, a feeling that opportunity is going to pass the organization by. The clock is ticking. How much longer can you afford to let this problem persist? “What’s it going to take to put you in a Cadillac today?”
  3. offer tools and procedure. “Sell ‘em a bandaid.” And now we are back to the consulting side of the house: what is the deliverable that the customer organization will actually get?

Suddenly our analysis deck has returned as a set of recommendations for proposed changes! Process, tools, re-organization, and suddenly your creaky old org could be shiny and new. What if you simply did better?

Some notably missing bits in this deck: 

  • Why will people start behaving differently than they have in the past?
  • How will the organization adopt this tool, process, or organizational structure without stopping the revenue stream?
  • How will we get clean data to drive the KPIs or OKRs we’re expecting to improve?
  • Do we have room from customers and competition to make this change?

Perhaps these questions are asked. Perhaps there are answers. Maybe your organization pulls back from the proposal. But if it does go forward, the next link in the chain comes into play.

Training playbook is wheels within wheels... it goes:

  1. let’s get started! The consulting leaders and consulting juniors meet with the organization to plan. How will the proposal be made real? Typically by reduction of scope, hand off of the hard parts, and distracting preliminary projects.
  2. let’s do some stuff! Once a regular cadence of activities is established, the leaders vanish and some even more junior juniors are brought in to fill the gaps. Software is purchased, presentations are given, teams spend weeks in training and reforming to their new organization. Critically, this is where responsibility is handed from the consulting firm to the organization, if that wasn’t already clear.
  3. book-cooking. Now it’s time for another deck, showing that progress was made. Numbers, charts, at least flat with hints of improvement if not rocketing skyward. This one will be delivered by the internal stakeholder who bought the consulting engagement, finishing the process of tying their reputation to the consultant’s work. Project better work out, because bills are getting paid and other work has been impacted already.

And now, disengagement... can’t guarantee that the internal organization will be successful at this change they’ve taken on, so it’s only in the consulting team’s best interests to make some distance, and give that little fledgling project room to leap from the nest! Maybe it will succeed - after all, there’s a motivated internal champion now, possibly with a job on the line. Maybe it won’t... but the magic lies in this statement: the consulting organization is no longer connected to the project’s outcome. It’s all on the organization to sink or swim. Meanwhile, there’s another problem to investigate...

How does this model continue to find customers? Shouldn’t the marks dry up? Well, it’s a deeply interconnected web in the enterprise...

  • Appearances matter: like the mark in three card monte, the customer stakeholders left holding the bag are easily convinced to hide their mistake, or even shill with a good reference. Mixed with the base of customers who actually have a good outcome, these voices overwhelm the bitter complainers.
  • Pressure from above: the consulting organization may have pull in unexpected places, making their selection for projects a foregone conclusion.
  • Potential opportunity: relationships matter, and the consulting organization could be a vein to recruit from, or a place to jump to in the event of hard times.

And so, there’s good money to be made selling clothes to the miners.