A quick poll: Which recent disaster was the worst: (A) Hurricane Harvey; (B) Hurricane Irma; (C) the Equifax data breach?

Equifax said its systems were breached from mid-May until it discovered the hack on July 29. It informed the public on September 7.

The United States is home to about 240 million adults. Equifax provided enough personal details to make 143 million of them vulnerable to identity theft. Add all the other remaining big breaches, account for overlap, carry the one, and you end up with, in round numbers, everyone.

The bad guys have something in common with the Social Security Administration: They both know your social security number.

It’s long past time to fix this mess. And since nobody is stepping up to the plate, it’s time for a modest proposal from the Keep the Joint Running Think Tank, otherwise known as yours truly with a bottle of beer in his hand and a keyboard in front of him.

Okay, “fix” might be going too far, but there are some steps we could take that, if not simple, would at least be straightforward. Share them with your senators and congressperson. Starting with the most obvious and working our way down through the list of nearly-as-obvious:

> SSN 2.0: The Social Security Administration should issue each of us a brand-spanking-new social security number that nobody other than it and you know about. Except, that is …

> Business access to SSN 2.0: Some businesses do have a specific need for some individuals’ social security numbers. SSN 2.0 redefines business use of social security numbers. As of now it’s a right. Under SSN 2.0 it becomes a privilege — soliciting and storing an individual’s social security number will be illegal, except for businesses that have a demonstrable need. Any other company caught storing social security numbers in any company database will be immediately liquidated.

> SSN 2.0 certification: In order to be awarded the right to store social security numbers, applicants must prove compliance with the agency’s data protection requirements. Chief among these:

Universal encryption of every bit of stored data. No, not just personally identifiable information (PII). Everything. That eliminates the possibility of the “Oops — we missed that one! Sorry …” factor. Too expensive? Don’t be ridiculous. Compare this expense to the cost of fixing the massive level of identity theft we’re in for.

Oh, by the way … does anyone reading this think the data Equifax lost was encrypted? Me neither. Which leads to this question: What? And this one: Seriously?

AI-based intrusion detection: Companies that encrypt all their data can still be breached, and decryption keys can be stolen — through social engineering techniques if not hacking.

Even with stolen decryption keys a breach isn’t that big a deal. An undetected breach is a big deal. The use of AI techniques to detect intrusions is in play right now. There’s simply no valid reason other than bad budget priorities for failing to detect and address a breach for a month or more.

The fundamentals: Keeping current with patches, rotating encryption keys, role-based identity management applied to all employee transitions, white-hat hacking … you know, not even best practices, as if there was such a thing. Just the minimum standards of basic professionalism.

Keep the PR department out of it: I don’t care if the breach makes the company look bad. The company’s image really isn’t the issue.

> FBMA: For hurricanes, tornadoes, floods, and earthquakes we have FEMA. For massive data breaches we have bupkis. It’s time to create the Federal Breach Management Administration. FEMA in Houston has, I think, demonstrated the validity of federal government intervention in disasters of a certain size and scope. This is just as logical in the virtual world as the physical one.

I know many of KJR’s subscribers have a libertarian bent, and don’t think the Federal government has any business regulating or involving itself in the financial transactions between two parties.

After all, immediately after reporting the breach (which is to say about four months after the breach itself), Equifax offered everyone affected a free identity theft monitoring service.

Because of course I’m going to trust the company that lost my data to let me know my data has been stolen.

And oh, by the way, as reported by The Denver Post’s Tamara Chuang (“Clearing up confusion on the Equifax data breach, no thanks to Equifax,” 9/8/2017), those foolish enough to sign up inadvertently gave up their right to sue.

Just an opinion here: One important role for government is evening out a hopelessly asymmetrical balance of power.

Like, for example, the imbalance between Equifax’s power to collect data about you and your power to avoid doing business with it.

Empathy is widely misunderstood.

We’re told, for example, that psychopaths lack it. And yet we’re also told they’re able to figure out their victims’ emotional buttons and levers, exploiting them to achieve their nefarious goals.

Accurately figuring out someone’s emotional buttons and levers sure sounds like empathy to me.

I’m just messin’ with you. True empathy means vicariously feeling what someone else feels. Psychopaths don’t experience the feeling. They infer it.

If you want to be a mensch, true empathy is pretty useful. But if you want to be an effective leader, psychopathic empathy is the way to go.

Oh, now, don’t look so horrified. I’m not suggesting you become an out-and-out psychopath. Just to emulate this one ability.

See, something leaders have to accomplish from time to time is organizational change, “time to time” meaning every single day. Sometimes we’re talking about the micro level of getting a bit more out of an employee whose performance is currently just an increment better than adequate. Other times the change might be a complete transformation of how an organization gets its work done.

Inept leaders, of the when-I-say-frog-you-jump variety, rely on their authority to make change happen.

Inevitably, they fail … not in making any change happen, but in making the intended change happen. Put leaders like this in charge of some dog sleds and they’ll end up pulling not only the sleds themselves, but also dragging their huskies behind them as they complain to each other about how lazy their dogs are.

Effective leaders, in contrast, don’t only get their huskies to pull the sleds. Their canine followers think pulling the sled is their idea, and an excellent idea it is, too.

But enough. If I keep this up the metaphor police will hunt me down like a dog. And so …

Effective leaders of organizations don’t say “frog” expecting their minions to immediately jump. Effective leaders rely on persuasion. They do everything they can to encourage the men and women who do the work of their organization to understand the intended change and why it’s a good idea. More than that they encourage them to participate in figuring out what the change should look like.

Much of which requires empathy. Not empathy of the I-feel-your-pain variety. I-feel-your-pain empathy might, in fact, lead to unproductive management hand-wringing — regret over the pain the change will inflict on members of the workforce.

Nope. Effective leaders have developed their inner psychopath — their ability to analytically figure out how different individuals and groups are likely to respond to what they have in mind, and why. It’s this insight that lets them adjust their plans and their communications so as to minimize resistance and maximize active participation.

Example: Quite a few years back I facilitated a discussion about resistance to the implementation of electronic medical records (EMR) systems. One participant vented his frustration that of all people, it was the doctors who were most actively resisting this obviously important change in how hospitals and clinics do their work. He just couldn’t understand how the best-educated members of his workforce could be such Luddites.

And so, we applied some psychopathic empathy to the situation.

What, I asked, motivates doctors? Why did they choose their profession? Answer: They want to cure patients of what ails them.

And were doctors (I asked) likely to consider the planned EMR system something that helps them cure patients, or a distraction when compared to clipboards at the foot of the bed?

This having happened in the pre-tablet era, the new EMR system meant walking over to a new and unfamiliar application running on a PC that wasn’t as conveniently located as a clipboard at the foot of the bed. Distraction it was.

Second example: Back in the day, when IT leaders were trying to pry their batch COBOL programmers loose from their old habits to embrace object-oriented programming and on-line, real-time systems, many refused to be pried. Why might that be? Shouldn’t a bunch of techies love new and shiny tech?

Well … no. The combination of OO and designing and programming on-line systems was a change that invalidated the COBOLites’ hard-won expertise and turned them back into novices. Why would they like that?

We’re talking about a clear-eyed thought process, not a complicated one. Just look at the change you have in mind through the eyes of different stakeholders and stakeholder groups and figure out how it will affect them.

Psychopaths use their ability to infer motivation to manipulate people. You could use the same ability to persuade them to follow your lead.

What’s the difference? Good question, for which I’m not sure there’s a good answer.