ManagementSpeak: Manage

Translation: Control. Don’t let employees breathe unless you’ve developed formal oxygen-consumption/CO2-exhalation metrics.

And thanks to this week’s contributor for helping me manage ManagementSpeak.

More thoughts triggered by Target, because I can’t resist:

Just because they’re the bad guys, that doesn’t mean we have nothing to learn from them.

For example, hackers have a more modern management structure than most corporations, which is one reason they have no trouble staying a step ahead.

Most people think “management structure” means the organizational chart. They aren’t exactly wrong. They’re just looking in the wrong direction.

The organizational chart describes how the work of the corporation has been delegated. It starts with the CEO, who’s accountable for everything. The next layer, called the Executive Leadership Team or something like it (and it’s rarely a “team” in the sense of its members truly trusting each other and being aligned to a common purpose, but I’ll let it go) … where was I? Oh, yes, the ELT. Each member is accountable for a slice of the organization’s work. In theory, and it’s a bad theory because it’s always wrong, they each have their own, mutually exclusive partition. Add them up and you have the company as a whole.

It’s a bad theory because the organizational chart also describes decision-making authority, because as we all know, you’re supposed to match authority and responsibility.

Except you can’t, because so many important decisions cross organizational boundaries no matter how you design the org chart (“Hierarchy is dead. Long live hierarchy,” KJR, 6/15/2009).

Which is why leaders should encourage anyone to collaborate with anyone else, no matter where they sit or who they report to, to figure out whatever needs figuring out that day and to reach a reasonable decision no matter which parts of the organizational chart are supposed to have authority.

This is how you keep the organizational chart from turning into a bunch of warring silos.

The community of data thieves is organized more or less like this. It’s a bunch of autonomous actors who collaborate when it’s useful and convenient. They more or less trust each other, and are aligned to a common purpose … intrusion and theft.

Maybe loose aggregation vs hierarchy is the inevitable difference between organizing for offense and organizing for defense. So never mind information security. Businesses as a whole should be organized to play offense, which means traditional CEOs — those who prefer hierarchical decision-making at least — have something to learn from the data thieves.

Your vendors are you

In case you haven’t been paying attention, Target’s problems seem to have started with a phishing attack on one of Target’s vendors — one that provides refrigeration units to its supermarket section. The phishing attack gave the data thieves login credentials to a Target vendor portal.

First thought: We don’t know how a vendor portal could have provided access to the rest of Target’s network. Seems to me, limiting a portal’s access to the rest of the network to a small set of predefined transactions shouldn’t be all that difficult, but as I continue to emphasize, I’m not an infosec specialist.

Second thought: Electronic Data Interchange (EDI) is more secure than vendor portals. Want vendors to invoice you electronically? Have them deposit electronic invoices on a server that’s disconnected from the rest of your network. Disconnect it from the Internet before importing the invoices.

Third thought: The vendor in question’s primary line of defense against Trojan horses and phishing attacks was the freeware version of Malwarebytes, a product that doesn’t provide protection against Trojan horses and phishing attacks. Click the link for details.

You’re Target. You have lots of vendors. You can’t perform an information security audit on all of them. For the minor ones, like your refrigeration vendor, you publish your requirements and trust your vendors to respond honestly on your surveys. What else can you afford to do?

At the risk of dancing beyond my bounds of expertise, a thought:

  • Right now, phishing attacks and Trojan horses are the greatest infosec threats.
  • Insider threats — disgruntled, careless, and former employees, both yours and your vendors, contractors, consultants and outsourcers who have access to your internal systems — pose bigger risks than outsiders.
  • The bad guys have no trouble flooding your employees and your vendors’ employees with phishing attacks.
  • Do it first.

I’m not suggesting you try to get employees’ on-line banking login credentials, profitable though that might be. I’m suggesting you emulate a phishing attack that tries to get vendor and employee login credentials to your own systems.

White hat phishing isn’t a new idea. Usually, it’s used to discover internal vulnerabilities.

But in 2014, as businesses increasingly source externally with portals aplenty, the distinction between inside and outside has become quite blurry.

Intruders are phishing your vendors all the time.

If you can’t beat ’em, join ’em.

* * *

Two years ago in KJR, some thoughts about the world being less than entirely flat, courtesy of a trip to Morocco, in “The world is bumpy.”

Hard to choose this week, too — lots of past columns tempted me. I couldn’t even live with just one runner-up.

And so, from 2001, advice for newly hired managers on “Dealing with rivals” that wouldn’t change a bit if I were to write it today.

And from 2006 some “IT leadership musings” that wouldn’t change if I wrote them next week.