Cyber Security 101 for Small Businesses

If you’re a small business, the world of cyber security can be very overwhelming and intimidating.  There are endless articles you can read, a long list of cyber security maturity frameworks and concepts you could try to learn, and an overwhelming feeling that you can’t possibly defend yourself from the hackers all over the place!

Cyber is a big, complex thing that is hard to do — if you’re looking to better defend your organization and you don’t know where to start, I recommend this approach:

  • Read the Center for Internet Security’s (CIS) CIS Controls, as they’re a great list of security controls (fancy way of saying todo items) that are already in priority order — so you start at #1 and just keep working your way down the list.  Here are the top 5:
    1. Maintain a current list of all the IT hardware (equipment) you use
    2. Maintain a current list of all of the software applications you use
    3. Invest in, and use frequently, a vulnerability scanning tool (e.g. Tenable.io) to identify security holes and then go fix them
    4. Limit who within your organization has Administrative Access.  Grant the access only to those who must have it, and then track who has it, who is using it, what they do with it, and when.
    5. Configure IT equipment securely and monitor the configuration to detect when these configurations are being changed — for example, you may use an imaging solution to push out a consistent, pre-configured image of Windows 10 for new employee laptops and then use device management software (e.g. Microsoft SCCM) to monitor the configuration across your organization
  • If you’re ready to keep digging in, read the NIST Cyber Security Framework (CSF), give yourself a red/yellow/green score on each of the 5 core domains and then focus on improving on the areas you think are the best return on your time and money
How Opinionated are your Tools?

Organizations must intentionally determine how opinionated their collaboration tools (business systems) should be, to align with their culture and business model. Opinionated tools align well with top-down organizational cultures, while non-opinionated tools align well with decentralized, self-organizing cultures.

Organizations struggle at each extreme:

  1. Top-down organizations struggle to scale effectively, creating bottlenecks and issues when decisions constantly require senior leader approvals.  People talk about how our world is more volatile and faster moving (see Half of S&P 500 Companies will be Replaced in next 10 years), and that companies need to be more Agile.  Agility is hard when you need 3 approval signatures to make any changes.
     scaled-frameworks.PNG
  2. Self-organized teams struggle to stay coordinated, as each team can “wander off” from any centralized approach to things like enterprise priorities, technology architecture, and processes.  They struggle to stay aligned with each other, which is why we see so many Scaled Agile frameworks (see icon mosaic to the right) trying to figure out how to keep self-organizing teams aligned with each other.  Self-organizing teams also struggle to stay aligned across an organization on things like Enterprise Architecture (consistent technologies) and Business Architecture (consistent processes).

Organizations need to find the right balance between these two extremes for their entire organizational culture, and how they select, configure, and maintain tools to align with this approach.  The figure below shows the spectrum I envision, where a company moves the triangle to find the spot they want their organization to be, and then aligns tools with that spot on the spectrum.

opinionated tools spectrum.PNG

Technologies can come out of the box very opinionated (think about a tool like the TurboTax wizard interface, which walks users through a workflow it decides without asking how you want to use the tool) or they can be very flexible (think about Microsoft Word — you can write your letter first, and then format it; or you can set up the page size, orientation, and header before you write your letter).

Technologies can also be configured to be very opinionated — JIRA, as an example, is an issue/ticket tracking system that has a variety of Agile planning/management capabilities.  Out of the box, the tool comes with a few standard ticket types and workflows, but you could let each team in your organization configure their own ticket types and workflows, leaving all the permissions wide open for the organization.  However, most organizations make JIRA “more opinionated” before they deploy it, only letting a few select leaders/administrators make changes to the system.

On the opinionated side of this spectrum, I see organizations selecting and configuring tools with a heavy focus on ensuring employees use a tool exactly the way the organization’s senior leaders want it to be used (highly opinionated).  Allan Kelly recently wrote a great post about how dangerous this power centralization can become for organizations.

On the non-opinionated side, organizations struggle to stay cohesive.  They can become organizations of individual teams or almost a group of consultants who are trying to accomplish things; but can’t leverage the scale of their organization to accomplish great things.  This can devolve into anarchy, where teams don’t help each other.  Think about a team who can’t share talent with other teams, because they’re using different processes or technologies.  Or a leader who isn’t able to report on progress because each of her teams is using their project tracking tool completely differently.

Organizations, and the Office of the CIO organizations that should be enabling them, need to find the balance, like a train station where the rules of engagement are clear (Where do I get a ticket? Where do I get on the train? Where do I get food?), but different people can get to their trains in different ways.  Organizations don’t have to be the wild west with teams doing whatever they want (think about a SharePoint site with no governance where you can’t find anything), and organizations don’t need to be a top-down culture where no work gets done because everyone has given up on requesting approvals and resigned themselves to the slow-moving status quo.

Using JIRA to Scale your Business

David Anderson Keynote 2017.PNG

I recently spoke at the 2017 Capability Counts conference, put on by the CMMI Institute. It’s an interesting event that isn’t focused just on CMMI maturity models — instead it’s a conference where a few hundred people get together to discuss process improvement, Agile, software engineering processes, and a variety of other related topics.

The keynote (shown in the picture above) is David Anderson of LeanKanban University talking about the core concepts of Kanban, which go far beyond most people’s understanding of 3 column boards.

I spoke on using Atlassian’s JIRA product to help an organization scale — sharing some best practices/recommendations on how to use a tool like JIRA to get information out of email, hallway conversations, and meetings and into a system where work can be clarified, prioritized and tracked.

CIO 101 for Entrepreneurs

This morning I got to share IT infrastructure, business strategy, and business architecture tips and recommendations with some local current and future entrepreneurs at The Capitol Post in Old Town Alexandria.  Capitol Post is a great organization focused on inspiring Veteran entrepreneurs to find professional clarity and scale those visions.  They offer several great things, including a cool co-working space right in North Old Town Alexandria, classes, and a startup accelerator program.

Here are the slides and strategy template I went through with the group this morning, helping entrepreneurs deal with IT.   We talked about:

We talked about how IT for non-technical entrepreneurs can be like personal finance for non-financial people — it’s very important, but it’s hard to motivate yourself to invest the time you need to understand it, make some solid plans, automate it, and then move on to creating value.

It’s been a year since I last taught at Capitol Post (https://mikehking.com/2015/09/11/talking-technology-bunker-labs/), and it’s great to see how much they’ve grown (the office is beautiful and they’re getting ready for their next cohort to go through the Bunker Labs DC accelerator).

How to Pick IT Systems for your Small Business

If you’re the CIO, Director of Technology, IT Person, or Only Person (Solopreneur) at your organization, here are 5 areas of questions to consider when determining if a specific IT system or process would align with your small company’s needs:

  1. Alignment:  Does this system align with your business model (how you do business) and your current infrastructure?
  2. Lock In:  Would this system lock you (Vendor lock-in) into this vendor or system long-term?  Could you export your data and move to another system as you grow?
  3. Investment-worthy:  Is this system worth the investment of money and time (your time, your employees’ time, your customers’ time)?
  4. Get Traction:  Would this system get traction with your employees and/or customers?  Does it align with how you do business, or would you spend your time forcing people to use it?
  5. No Huge Risks:  Are there any significant risks (red flags, deal-breakers) that should drive you away from this system? (e.g. cyber security, loss of productivity, removes future options you want)

align-framework

Shameless plug:  If you’re interested in learning more about setting up the technology for your company, or future startup, check out this free class I’m teaching next week (Thursday, Sept 10, 2015), sponsored by Capitol Post, in Old Town Alexandria:  Technology 101 for Entrepreneurs (How to Choose to the Best Systems for your Business).

How does a CTO Spend Time?

I’ve recently realized that I’ve been drawing a similar pie graph several times recently, explaining how I spend my time as a Chief Technology Officer (CTO) at a small business.  I thought I’d share for those interested in how I spend my time juggling the demands of CTO across various company priorities.

CTO_time

If you’re interested in learning more about small business CTO activities, including technology strategy when you’re too small to have a dedicated CTO, check out this free, upcoming training in Old Town Alexandria, sponsored by Capitol Post, that I’m teaching next month (Sept 2015):  Technology 101 for Entrepreneurs (How to Choose to the Best Systems for your Business).

Small Business Cyber Security 101

Way back in 2009, NIST released a 20-page document that is a great set of fundamental recommendations for small business cyber/information security.

There are certainly many more things you should be doing, but it’s a great place to start if you’re an IT Director or CIO at a small business and you’re not sure what you should be doing to secure your company’s information and systems.

There are plenty of ways to spend money on shiny cyber security software and devices, but this is a great foundation to build your company’s defenses on before you start buying Intrusion Detection Systems or hiring Penetration Testers or Social Engineers.