More thoughts triggered by Target, because I can’t resist:

Just because they’re the bad guys, that doesn’t mean we have nothing to learn from them.

For example, hackers have a more modern management structure than most corporations, which is one reason they have no trouble staying a step ahead.

Most people think “management structure” means the organizational chart. They aren’t exactly wrong. They’re just looking in the wrong direction.

The organizational chart describes how the work of the corporation has been delegated. It starts with the CEO, who’s accountable for everything. The next layer, called the Executive Leadership Team or something like it (and it’s rarely a “team” in the sense of its members truly trusting each other and being aligned to a common purpose, but I’ll let it go) … where was I? Oh, yes, the ELT. Each member is accountable for a slice of the organization’s work. In theory, and it’s a bad theory because it’s always wrong, they each have their own, mutually exclusive partition. Add them up and you have the company as a whole.

It’s a bad theory because the organizational chart also describes decision-making authority, because as we all know, you’re supposed to match authority and responsibility.

Except you can’t, because so many important decisions cross organizational boundaries no matter how you design the org chart (“Hierarchy is dead. Long live hierarchy,” KJR, 6/15/2009).

Which is why leaders should encourage anyone to collaborate with anyone else, no matter where they sit or who they report to, to figure out whatever needs figuring out that day and to reach a reasonable decision no matter which parts of the organizational chart are supposed to have authority.

This is how you keep the organizational chart from turning into a bunch of warring silos.

The community of data thieves is organized more or less like this. It’s a bunch of autonomous actors who collaborate when it’s useful and convenient. They more or less trust each other, and are aligned to a common purpose … intrusion and theft.

Maybe loose aggregation vs hierarchy is the inevitable difference between organizing for offense and organizing for defense. So never mind information security. Businesses as a whole should be organized to play offense, which means traditional CEOs — those who prefer hierarchical decision-making at least — have something to learn from the data thieves.

Your vendors are you

In case you haven’t been paying attention, Target’s problems seem to have started with a phishing attack on one of Target’s vendors — one that provides refrigeration units to its supermarket section. The phishing attack gave the data thieves login credentials to a Target vendor portal.

First thought: We don’t know how a vendor portal could have provided access to the rest of Target’s network. Seems to me that restricting what a portal can do on the rest of the network to a small set of predefined transactions, and nothing else, shouldn’t be all that difficult, but as I continue to emphasize, I’m not an infosec specialist.

Second thought: Electronic Data Interchange (EDI) is more secure than vendor portals. Want vendors to invoice you electronically? Have them deposit electronic invoices on a server that’s disconnected from the rest of your network. Disconnect it from the Internet before importing the invoices.

Third thought: The vendor in question’s primary line of defense against Trojan horses and phishing attacks was the freeware version of Malwarebytes, a product that doesn’t provide protection against Trojan horses and phishing attacks. Click the link for details.

You’re Target. You have lots of vendors. You can’t perform an information security audit on all of them. For the minor ones, like your refrigeration vendor, you publish your requirements and trust your vendors to respond honestly on your surveys. What else can you afford to do?

At the risk of dancing beyond my bounds of expertise, a thought:

  • Right now, phishing attacks and Trojan horses are the greatest infosec threats.
  • Insider threats — disgruntled, careless, and former employees, both yours and those of your vendors, contractors, consultants and outsourcers who have access to your internal systems — pose bigger risks than outsiders.
  • The bad guys have no trouble flooding your employees and your vendors’ employees with phishing attacks.
  • Do it first.

I’m not suggesting you try to get employees’ on-line banking login credentials, profitable though that might be. I’m suggesting you emulate a phishing attack that tries to get vendor and employee login credentials to your own systems.

White hat phishing isn’t a new idea. Usually, it’s used to find out how many of your own employees will take the bait.

But in 2014, as businesses increasingly source externally with portals aplenty, the distinction between inside and outside has become quite blurry.

Intruders are phishing your vendors all the time.

If you can’t beat ’em, join ’em.

* * *

Two years ago in KJR, some thoughts about the world being less than entirely flat, courtesy of a trip to Morocco, in “The world is bumpy.”

Hard to choose this week, too — lots of past columns tempted me. I couldn’t even live with just one runner up.

And so, from 2001, advice for newly hired managers on “Dealing with rivals” that wouldn’t change a bit if I were to write it today.

And from 2006 some “IT leadership musings” that wouldn’t change if I wrote them next week.

I have a new set of hearing aids. In the instruction manual, well before the explanation of how to change amplification and programming, is this:

You are not allowed to operate the equipment within 20 km of the centre of Ny Ålesund, Norway.

There’s no explanation for the rule, just the fact, which is why my wife and I were briefly tempted to burn some frequent flier miles, just to break it.

But cooler heads prevailed. Actually, colder heads — we live in Minnesota, which we figured is bad enough (Google Maps reveals Ny Ålesund is on an island roughly 1,000 km due north of Lapland).

Which gets us to another disadvantage of relying on policies, standards, and enforcement to make sure how you want everyone to do things around here becomes how everyone actually does do things around here, beyond those mentioned last week: You have to explain your reasons, which makes your policies and standards burdensomely long. If you don’t, you’ll tempt employees to violate the ones that make no apparent sense, just to see what happens.

Changing the culture simply works better. When enough people internalize how we do things around here, peer pressure becomes your primary means of enforcement.

How to change it? You’ll find a detailed account in Leading IT: <Still> The Toughest Job in the World. Glad you asked.

The short version is to change your own behavior, because culture is the learned behavior people exhibit in response to their environment, and leader behavior is the dominant aspect of their environment.

Before you do, you have to describe the culture you want, and there’s a gotcha. The temptation in describing “how we do things around here” is to be procedural: “When someone contacts the service desk, we first identify the caller, next assign a ticket number, then get a description of their issue,” and so on.

But culture isn’t a matter of procedure. It’s a reflection of shared attitudes. Your behavioral description of culture should reflect this — something like, “When someone contacts the service desk we assume they’re experiencing a real problem, and we take ownership of it.”

<SnideComment>Given my experience with service desks, and in particular with my current mailing service after many subscribers received five copies of last week’s column, I’d say this would represent a radical cultural shift in far too many.</SnideComment>

To change your culture you have to describe both the culture you have and the culture you want. You have to figure out what about how you currently behave results in the culture you currently have, and how you’ll need to behave to get the culture you want.

If there are other managers between you and the employees whose behavior you want to change, you have to pay close attention to how those managers are behaving, how you want them to behave, and what you have to do so they’ll behave that way.

A few subscribers asked if there’s a way to change the culture quickly.

The answer is yes. Actually, there are two.

The first is to lay off a significant number of the employees you have and hire to the new culture. It’s unpleasant to say the least — unpleasant for you, more unpleasant for the surviving employees, and … and I hope this is obvious … even more unpleasant for the dear departed.

Although to be fair, on the pleasantness scale the employees you hire as replacements might very well find the change quite positive, all in all.

Anyway, massive layoffs are quick-culture-change tactic #1. The second one is slightly less draconian — fire all of the managers whose behavior seems to be driving the old culture and replace them with managers who seem to have the attitude you’re looking for.

Yes, it’s ugly. No, I don’t generally recommend it. But if you need to turn around a seriously dysfunctional culture quickly, this is your most efficient alternative.

Start with the ringleader, and perhaps his/her chief acolyte. Reason #1: Fire all the managers at once and the disruption will be too great. Reason #2: Persuading HR to go along will be a challenge. Reason #3: Do you really want to be that kind of person? And most important, Reason #4: Once you’ve fired one or two, the rest will usually figure out you’re serious and change their behavior to match what you’re looking for.

And, in case this isn’t clear, you still have to change your behavior (and attitudes) too. Otherwise, the culture will gradually revert back to the one you say you don’t like.

And you’ll have to go through the unpleasantness all over again.

* * *

Four years ago in Keep the Joint Running, Gartner predicted that in just two short years, 20% of all companies would have no IT assets of their own — it will all have moved to third parties and the cloud. KJR’s rebuttal was suitably pungent.

And eight years ago you read about a popular technique for manipulating people.