01 April 2020

Going shopping in the days of Covid-19

After a full week-plus inside, and with fresh food beginning to run a bit low, I did go out to shop, as I promised myself. The weather contributed just as I had hoped, it is cold (well, cool) and raining, cloudy and a bit of wind. Exactly the right weather to go out in, as everyone else is staying home.

Prepared myself. Gloves ready, face mask ready. Shopping list. Everything ready to put my clothes into the washing machine on my return (except for my leather jacket and boots). Sent the SMS to say I was going out, and received the SMS response saying ‘go out’. So all the rubbish that I had collected for the past week and a half was ready, and out I went, all gloved and masked.

Here in Greece, if you want to go out of your house, you are required to complete a form and take it with you, or send an SMS to 13033 with the reason code, your name and address, and you will receive a response saying "go out". Without one of these, you can be fined. I really like this system. We each need to consider why we are going out, and prepare, and this also helps authorities to manage volumes.

The pharmacy downstairs did not have a queue, but the money transfer shop a few doors down did. I’m guessing people receiving government income or remittances from family outside Greece. (Queues today mean people standing around in a big semi-circle, everyone knowing who is next, so there is no "standing in a line", something that Greeks cannot do in the best of times.) Had a quick chat with the pharmacist. She is a hero as far as I’m concerned, doing her job through all of this, with a smile for everyone. She let me know that everyone in the building received their masks and are very happy and thankful.

Then it was a walk to the shop, which Google tells me is 800 meters away. A nice, easy and comfortable walk, with very few people out; mostly only people walking their dogs or those obviously shopping.

Entering the supermarket I was greeted by an employee (face masked) who squirted sanitiser on my gloves, and then on the handle of the shopping basket. She then put a plastic sealed number in my basket. I suspect that they are only allowing a limited number of people in at any time, though having picked my time, there were reasonably few people, with plenty of room for distancing.

The store was well stocked, including toilet paper.

So I am now stocked up again.

Arriving home, the process was reversed. Jacket and boots at the far end of the apartment in their own quarantine for the next four or five days, hat away, then mask and gloves off and into the rubbish. All clothes off and into the washing machine, and me into the shower. A good soaping and washing, out, and turn on the washing machine on a long cycle at 60°C, since my reading and watching suggests that temperatures over 55°C will kill the virus. Into the kitchen, new gloves and face mask, and all the shopping either wiped down, or removed from packaging and put away. Anything that I could was put on the highest shelf in the cupboard and will not be touched for at least 4 – 5 days, and then with wipes again.

Is that safe enough, or overkill? I have no idea. But it seems to make as much sense as anything else, and seems to make more sense than ignoring it. I did see people out without masks, including the fruit and veg guy at the supermarket, someone who comes in contact with hundreds of people. I feel for him, but there are masks available, and without a mask he increases his chances of catching this, and his chances of spreading it while he is asymptomatic.

I really do think that by the end of summer, not wearing a mask in shops will be seen as poor form.

17 February 2020

A magical journey, the Panama Canal Railway

A year ago we had the opportunity to take the Panama Canal Railway journey from Panama City to Colon. It was simply enchanting.

The Panama Canal Railway provides a sightseeing trip from Panama City to Colon. The service was excellent, and the views spectacular. The Panama Canal Railway is primarily a freight line, moving containers from Colon to Panama City and back. Economically it can make great sense to off-load containers in one port and load them onto other ships at the other end of the canal. This allows a homogeneous shipment to be broken down and distributed to ships going to a range of ports on the other side of the canal, and saves the cost of sending the ship through the canal.

There is also a daily "commuter" rail service from Panama City to Colon in the morning with a return trip in the evening. This doubles as the tourist train.

The train leaves Panama City promptly at 7:15am (return is at 5:15, promptly). The train travels through the lush forest along the side of the canal, and bursts out at the town of Gamboa (as in the video above, though sadly it was not a sunny day), and the line then passes beside the canal for most of the remainder of the journey.

Possibly the most magical part of the journey is when the train feels like it is gliding over the middle of Lake Gatun, the lake that enables the canal to exist. With no tides, and no danger of the water level rising, the train tracks are flat and straight, and the train seems to float across the lake. It is easy to imagine the train laying floating track in front and rolling it up behind, as it makes its way across.

Sadly, at the Colon end of the trip, the train slowly rolls past a stinking acre of rubbish that may be burning depending on the rain, but certainly is being picked over by Panamanians and vultures.

Approaching the northern terminus there are great views of the new bridge, built to open up the Caribbean coast west of Colon.

The price is $25 per adult, and is well worth it. 

21 January 2020

Convincing Boards to focus on Cyber Security is no easy task, when...

Convincing Boards to focus on Cyber Security is no easy task, when those working in the business have priorities, responsibilities and rewards specifically structured to make Cyber Security a lower priority. Convincing Boards starts from the "middle" and must work both "down" and "up", and it will not be an easy or fast process.

I recently spoke to the CRSA (Control Risk Self Assessment) Forum in London, hosted at the IRM's offices (with thanks to Carolyn Williams), and very ably organised by Paul Moxey. My desire was to highlight the challenges that management (operational to the C-suite) face, and the decisions that must be taken, many of which lead to a de-prioritisation, or even ignoring, of Information Security.

This is not to suggest that Information Security should be de-prioritised, far from it. But the purpose was to highlight the difficulties that the Risk Professional will have in gaining the internal support to both raise and then to gain resources required for effective InfoSec.

To encourage the participants to consider (and, actually, to engineer) scenarios in which InfoSec would lose out to other priorities, I provided two "role-plays". A very quick caveat: neither case represented a real company or actual situation; both were built from a wide range of situations I have been party to, or for which I have been the Internal Auditor or Risk Manager associated with elements of the case.

Role-Play 1: "Complex project choices"

The first looked at project level issues and delivery concerns leading to a situation in which InfoSec, while critical, was actually "pushed into the long grass" by each group that considered the case.

You can "enjoy" the role-play case study here.

The constructed problem centres around the competing constraints facing any business when it comes to systems implementation. The various strains on all members of a project team, including the leadership, sponsor, and steering committee, require the balancing of resources and priorities. Sometimes individual incentives outweigh the needs of the business. While this is not acceptable, it is a reflection of the reality of motivating people, and in some cases, of focusing those people on the outcomes that they are responsible for delivering.

When participants received the "role-play", there were more than a few people saying "I've worked on this project".

The premise was fairly simple: the project is in its final stages but has run over budget (quelle surprise) and over time, and the user community's level of frustration is rising to breaking point. The infrastructure model is not adequately integrated into the corporation's secure environment, and the additional time and cost to fix this will push the project further over budget and time.

The groups were then asked, each playing a specific role, to provide a recommendation, as a group.

As expected (and constructed), not one of the groups said that project implementation should be delayed until security concerns were addressed. In one group, the person playing the role of the IT Infrastructure representative threatened to "call Internal Audit" to which there was a response, "So you plan to stab your colleagues in the back?"

Others proposed setting up a working group to assess and recommend how to address the security and infrastructure issues after the project, while acknowledging that this would become, in effect, a new project fighting for resources against all other projects. But it wouldn't impact their ability to deliver what they were required to deliver.

The final takeaway for participants was that it will be difficult to gain the internal allies required to address security if their support will be counter to their own needs, responsibilities and rewards.

Role-Play 2: "The C-Suite and External Expectations"

Likewise, at the C-Suite level, internal and external expectations can be such that investment in Cyber Security becomes a secondary consideration behind meeting the short-term demands of shareholders, markets or owners. This Role-Play set out to demonstrate the push and pull of competing requirements, again against a backdrop of systems implementation coupled with quarterly reporting needs, in challenging market conditions.

Take a look at the Role-Play here.

The four participants (the COO, CFO, CIO and Director of Communications) each have competing priorities, yet all are also keenly interested in ensuring company success.

Read the Role-Play and decide for yourself how these individuals should respond, and challenge yourself to find a way for them to agree to invest in greater Cyber Security, or to make a recommendation to the Board to do so.

Once again, while all but one of the groups could not bring themselves to abandon their roles' self-interest, they did all recommend that the CIO push Cyber Security to the top of his or her agenda for the coming quarter. The outlier group suggested that the business "take the hit" this quarter and focus on Cyber Security, while also communicating to the markets that they were doing so to improve the company's ability to protect and serve customers in the future (though they did not agree fully on how to avoid the potential ramifications of announcing that they would focus on Cyber Security, and the potentially associated assumption that their systems were not secure).

Summing up:

In either case, or both, do you recognise your company, or a company you have worked with in the past?

If so, be assured that it is possible to convince Boards, but only once the required groundwork has been completed. In the two Role-Plays above, it is too early, and there are too many competing priorities. But there is hope in each, in that the need is recognised, and there are ways out.

Gaining Board agreement on Cyber Security requires time and planning, with careful messaging along the way. In addition, before the Board can "buy-in" to investment in Cyber Security, key stakeholders within the business must also "buy-in", as it will be their alternative expenditure and investment plans and programmes that may suffer or be put on hold to accomplish improved security.

Role Play 2: "Shareholder Expectations"

Shareholder expectation generally revolves around the meeting of targets, primarily revenue and profitability targets that ensure either a dividend flow (private companies and utilities) or sustained growth in the share price. Senior managers, "C-Suite" executives and Directors know this and know that their bonuses and futures (in this company and in any others) depend on a track record of delivering to shareholders' expectations.

Welcome to the mid-year session of the Exco as it prepares for the upcoming earnings release season. Things seem to be on track, and the 1st Qtr results were in-line with expectations. The share price has responded roughly as expected. This quarter however, could be a little more difficult. Trading conditions are worrying the Marketing director, while internal costs are not dropping as quickly as budgeted. The new system is going to be at least two months late, possibly three, pushing benefits into the 4th Qtr.

You now have to make some decisions:

1. The COO. You have numbers to make, promises to keep. The numbers that you received from your senior managers are promising, but you don't believe them: "I've seen numbers like these before, and they are always overly optimistic". Your CIO is constantly late with delivery, system outages have become too frequent, and the IVRs never seem to match the problem. To compound things, someone in IT changed the “404” error page to redirect to the Dictionary.com definition for “liars”.

2. Head of Corporate Communications. When dealing with crises and missed targets in the past, your motto has been "Bad news is good news, good news is no news", and then spin, spin, spin. But you feel things are reaching a point where your own credibility is coming into question. If things continue as they are, you're afraid the only professional option left to you will be to apply to become the Director of Communications at the White House in Washington.

3. CFO. You've managed to, just, get the numbers right for the 1st Qtr results, but this quarter will take a small miracle, and missed targets have been shown to severely limit the longevity of CFOs. The numbers expected by the markets (or owners) are possible, but there had better not be any down-side surprises. There are costs that can be shifted into out-quarters, and revenue that can be brought forward, if we tweak our revenue recognition policy.

4. CIO. You know that the existing systems need replacing, that infrastructure is supporting the users, but the Security guy(s) are telling you that a serious architecture review is needed (again, "review" means they know there are problems but are too afraid to tell you everything), and the company simply cannot continue to avoid significant new investment. Your proposals for Security investment themselves will increase the overall IT budget to the equivalent of 12% of revenue from the current 10% of revenue, a level that is already at the high end of the scale for this kind of business.

Time to have your conversation, and come to an agreement that the CEO will be able to defend at the next earnings call/shareholders' meeting.