We live in a transparent world; it is almost impossible to keep secrets. Last time I wrote about The Half-Life of Secrets, and I defined a secret as something that if revealed to the wrong entity could cause harm. The secret could be in a document, or could have been something you did or did not do. The “entity” could be a specific individual (e.g., spouse), a group of people (e.g., your customers), a competitor, an organization that provides services (e.g., your insurance company or health care provider), or a government organization.
The Cloud is the primary enabler of the severe reduction in the half-life of your company’s secrets. If you put your business process applications in the Cloud, then your employees, contractors, partners and maybe your customers can access the critical data they need to do their job or buy your products or services from anywhere at any time.
Unfortunately, that same information is potentially available to cyber-criminals.
You can reach potential customers via Facebook, Twitter, LinkedIn, text messages, email, or a dozen other social media mechanisms. You can target a specific customer, a class of customers, or reach out to a tailored set of prospects. It all happens “now!” and at a small fraction of the cost of putting a physical letter in a mailbox.
Years ago I had a secretary. Don’t yell; that is what they were called back then. If I needed to send a letter to a customer, I could dictate it to her (and it was always a “her”). In an hour or so I would have a letter for my review and signature. Frequently, she had made changes to my letter, and almost always these changes made it better. More importantly, the process provided a time cushion for me when I reread the letter. For reasons of cost and time, very few people have that option anymore. We just type the email or text message or tweet and ship it. How many messages have you received that contained inappropriate information (i.e., secrets), an inappropriate tone or went to the wrong people (often the “reply all” mistake)? Every such message, once you throw it out there, can be forwarded to anyone anywhere. With a great marketing message, these forwards provide a positive multiplier effect along with an implied recommendation. If the message exposes a secret, it just magnifies the problem.
Just like Las Vegas, what happens in the Cloud, stays in the Cloud. Forever. But, unlike Las Vegas, it remains vulnerable to attack.
In his 2004 book In the Blink of an Eye, Andrew Parker describes how, about 543 million years ago, the chemistry of Earth’s shallow oceans and the atmosphere suddenly changed to become more transparent. Parker’s theory is that this increased transparency led to the Cambrian explosion, a relatively short (20-25 million years) evolutionary event that produced major diversification in life including most of today’s major animal phyla. Increased transparency led to eyes to see prey or predator, which led to new means of locomotion to chase or escape, claws, jaws, shells and other defensive and offensive body parts. Those species that did not evolve fast enough went extinct.
In a Scientific American article and TED talk, Daniel Dennett and Deb Roy talk about how companies must adapt to today’s new transparency, or go extinct. By analogy, organizations must adapt their external body parts not only to take advantage of the new transparency (e.g., Facebook, Twitter, text messages), but also to create defensive capabilities. A successful organization must create information-handling organs of control and self-preservation as integral parts of its public relations, marketing, and legal departments.
These defensive organs cannot behave like they did ten years ago, or maybe the way they still do today. Your company must join the conversation on your detractors’ terms. You have to respond intelligently, honestly, and in a conversational way. You can’t deny, obfuscate, or preach. The whiff of a secret, and the carnivores will swarm until they dig it out, make it up, embellish it, and sell their story, not yours. In particular, you cannot let your legal department delay your response by weeks or months while approving a communication strategy, nor can your marketing or PR department spend days or weeks trying to figure out how to respond. You need to respond today.
Thus a significant part of your defensive evolution must be proactive: you have to do everything you can to prevent secrets from escaping in the first place.
- Protect your company data not only in the Cloud but also within your own datacenter. Mostly that means keeping careful track of who should be allowed to access specific types of data, updating each person’s access right every time their role changes, and periodically auditing to ensure that the process works as required.
- Take advantage of any security options that your Cloud Service Provider(s) can offer you. It is far less expensive and usually more effective to rely on them than your own IT department. As part of that, make sure your contract with any CSP includes what they must do to completely remove old archives according to your documentation life-cycle requirements, and audit that process at least annually.
- Write, update frequently and publish your security policy. This policy should cover everybody with physical access to your datacenter(s) and everybody who has electronic access to your data. It must cover your own computer equipment and your employee, contractor and partner equipment, including personal devices. Everyone with non-public access to your data should be required to review your security policy, pass a test, and certify that they reviewed it at least annually.
- Define who is permitted to “be the voice” of your company through any and all mechanisms. These are the people who can participate in external conversations. Ideally, there should be someone reviewing everything that goes out. This doesn’t have to be a long process, just make sure someone else is looking over the “voice’s” shoulder with the authority to say, “Hold on one minute.” You probably already have such a process for discussions with the press.
- Set guidelines for different types of situations ranging from annoying to disastrous. You will have to define these terms based on your company’s situation, but it might range from an unhappy customer who posted a bad review to a partner leaking that your next major product is facing a significant delay due to a technical glitch. For each type, decide the ideal response time, who has to approve any message, and what documentation should be kept so the event can be reviewed.
- Often, one situation will change its severity over a short period of time. You will not get it right every time, so give the “voice” people the authority to raise their hand to get help. When things go wrong, the first response should not be to fire the “voice,” but to get the message back on track and learn from the situation.
Don’t count on the government for help – they are fairly helpless themselves, and react far too slowly. Country laws are also way behind the times, not able to even keep up with phone technologies. Even further behind is the ability of a government to prosecute anyone, TV shows like CSI: Cyber aside.
Just like during the Cambrian explosion, it is a jungle out there. Make sure your company survives.
The last word:
Keep your sense of humor.