Guiding Quote

“Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning.” Einstein

Saturday, December 20, 2014

Sony hack and Risk Management.


The hacking of Sony Pictures' computer systems is only the latest in a long series of hacking attacks on commercial and government systems. This one became “big” news because it resulted in the release of derogatory comments about celebrities and culminated in the withdrawal of a movie because of threats to cinema chains.
What has been overlooked in all of the public furore about who the hackers actually were, who slagged who off, and the cancellation of the film’s launch, is the reported poor state of Sony’s computer systems security. Some 3 years ago hackers gained access to the accounts of 77 million paying users of their PlayStation Network. Improvements were promised. This year both their German and Brazilian networks have been penetrated. Also they allegedly stored all their key passwords in a file called, wait for it, “Passwords” - ‘oh deary me’ as my grandmother would have said - talk about making the hackers’ job easy! Computer security would appear to have been a low priority for someone at Sony.

Bad enough that sophisticated hackers should attack your system without you aiding and abetting their efforts with poor security.

The alarming fact is that Sony are probably no better or worse than most large companies. The lack of basic encryption, poor password standards, and lack of effective system monitoring are commonplace. Any decent risk plan should address hacking and have detailed actions for how the system is to be protected.

I would not be surprised if somewhere in all of these corporations there are reports that show that these problems exist and also Potemkin spreadsheets that show that there is no problem. No prizes for guessing which documents the Board has been seeing!



Friday, December 12, 2014

Risk and its consequences


This week I came across two examples of risk. One avoidable, one happenstance.

My wife is a ceramic artist and she shares studio space in an old factory building. This week she received the news that the water main supplying the sprinkler system had burst and flooded her studio to a depth of thirteen inches, partially submerging her potter's wheel and her electric kiln. To compound her misfortune she'd left her laptop on the floor, only the third time she'd left it in the studio. As I write we are drying it out: more in hope than expectation. The rupture of the main and the damage to the laptop come under the heading of happenstance or sh*t happens.

The second incident was reported in the UK and it concerned the computer system failure of the Royal Bank of Scotland (RBS). This failure resulted in some of its customers being unable to gain access to their accounts for up to three weeks. This week the bank was fined $90M by the UK's financial regulator. This fine was in addition to the $112M it paid out in compensation to bank customers and the $168M cost of staff overtime to fix the problems. All told the error cost the bank $1.2B!

The reported cause of the error was deemed to be the incompatibility of their old, as in ancient, computer code and their new mainframes, an issue that had apparently been highlighted in a previous audit report but not fully addressed. Now this organization has an annual IT budget of $1B. So money wasn't necessarily the prime cause, but poor risk assessment surely was. This incident definitely comes under the heading of avoidable. The worrying thing is that there are an awful lot of corporations who are in the same boat, with old code and a lack of willingness to fix it. Tick Tock, Tick Tock, goes the time bomb.

Thursday, November 6, 2014

Project Managers and the Goldfish Syndrome



There is an analogy that uses the supposed fact that goldfish have such a limited short-term memory that for them every trip around their bowl is a new experience. Nothing from the previous short trip is remembered. This analogy can be used for certain sectors of the project management profession, where many projects are a trip around the fish bowl.

This doesn’t apply to projects in the construction and manufacturing industries where they are using known methods and technologies. Most skyscrapers and bridges follow known techniques, and industry standards are widely accepted. Only when they start using new technologies are the benefits of the familiar reduced. The vast majority of construction projects are finished, not always on time or budget but they are completed. Our cities are not riddled with partially built structures. Only the collapse of the developer’s finances, as in 2008/9, stops the work once it is started.

Not so in the software world where the analogy is very apposite. Many projects are launched on the expectation of fair winds and favorable tides and with shifting requirements. They are always the children of the victory of hope over experience. The result is a computer landscape littered with abandoned projects. The largest consultancy companies all have multiple failed mega projects on their resumes. But does it stop them and their clients from repeating the same mistakes again? No, it doesn’t. The UK Health Service has had a number of mega projects aimed at consolidating patient records, all failed with huge amounts of sunk costs written off. In fact the only thing that has improved on these projects is the size of the losses.

No management discipline can consider itself to be professional when, in significant sectors, the Goldfish syndrome afflicts its practitioners.

Sunday, October 5, 2014

Old economic paradigms don't die, or fade away; their believers get awards.


In the past few months the Institute of Economic Affairs in the UK announced its annual award to the person who made great contributions to free enterprise during their working life. The recipient of this honour was Viscount Ridley, the Brits do love a Lord, whose main claim to notoriety in the UK was to be Chairman of The Northern Rock Bank, an institution that had existed since 1850. It started life as a building society and converted to a bank in 1997, following the trend advocated by the IEA and Thatcherite economic theology.

As a bank it adopted the prevailing economic ideology, and then some, and followed a highly risky loan strategy, which included giving borrowers mortgages of up to 125% of their property's value! The end result was that in 2007 it suffered the first run on a British bank in 150 years. It had customers lining up outside its branches demanding their money back! Over a few days they had to pay out $3B. But it wasn't enough and the Bank had to be nationalized at a cost of $40B to the UK taxpayer.

Yet the man who presided over this debacle, the 5th Viscount Ridley, instead of facing any sanctions or censure ends up, seven years later, being given an award for economic achievement! A decision that would beggar belief in a rational world. Lose billions and get an award. The epitome of failing upwards.


So what does this mean in the project management world? We have an entrenched paradigm that is waterfall, and we have contending methods such as Critical Chain (which is a variation of waterfall) and Agile. Like the failed efficient market model in conventional economic theory education, waterfall is considered to be mandatory on all project courses, especially for beginners. So any new or improved PM model has to overthrow decades of conditioning and also to get the PM establishment to demote waterfall to a subset of models that only deal with well-established technologies and methods. As the financial example above indicates, getting any establishment to change is difficult even when the evidence of failure is overwhelming.

Tuesday, September 23, 2014

OODA Loop and Six Honest Working men.



The famous British writer Rudyard Kipling wrote that in carrying out his work he used “six honest working men”: Who, What, When, Why, Where, and How. By asking these questions he could write an article for a newspaper, a poem, a story. They were the starting point for his exploration of a subject.

Similarly they should be the foundation for all project managers combating bias and the tendency to believe that “What you see is all there is” (WYSIATI). Forcing yourself to ask these six questions when you reach the Decide portion of the Observe, Orient, Decide, Act (OODA) loop will prevent you from rushing to a premature conclusion because your mind’s system 1 (the reptilian part) overrides your lazy system 2 (the rational analytical part). 

Certainly after every new piece of information you should ask yourself “so what?” What does this piece of information mean? What is its impact on the current situation? What should I do with it? And so on with the other “honest working men”. It doesn’t mean you’ll always come to the right conclusion, but you are certainly more likely to avoid a rushed one.