Wednesday, February 27, 2019

Get Rid of That Silly Form!

Forms don't fix processes.

It seems as though every time someone gets a promotion, the first thing they do is create a form you have to fill out in order to talk to them.  They say this helps them organize the work, but it sure feels like they're trying to stop work from getting to them in the first place.

Say I want a new widget - I'll have to fill out the New Widget form.  Of course, I need to provide some technical details that I don't know off the top of my head, but that the New Widget Department does.  The dates and details have to be consistent or the form will get rejected.  I can't predict the dates, because I don't know how long this opaque "process" takes.  Why can't I just tell the widget people what I want, and have them fill in the blanks, based on their experience, and follow up with me to fill in any gaps?

This isn't a process - it's a speed bump, a barrier to slow down the flow of inbound work.  High-performing organizations make it easy for you to get work done - call them, tweet them, visit the website.  They tell you when the work will be done, and you trust that date, because you trust the organization and keeping their promises is a core value.

I think a lot of people try to use paperwork to manage their process.  With apps and web pages, anyone can create an imposing-looking form.  Putting another step in your process won't fix it - it actually complicates it, adds friction, and gives you a bunch of data that probably doesn't have much value.

Before you design a new form, try breaking your current process down into the smallest components.  What does it feel like as a customer?

Next, ask yourself what it would look like if you were to start all over again.  What is the minimum information you need to do the work successfully?  What steps can you streamline or eliminate altogether?  How can you make the hard parts easier?  Where do the most mistakes happen?

Now that you have done some analysis, fix your process.  And get rid of that silly form!

Tuesday, February 5, 2019

Tension, Desire, Fear

We're going about cybersecurity all wrong.

I just read a blog post by the ever-inspiring Seth Godin, and this part made me think about what's missing from cybersecurity:
Alas, awareness is not action.
Everyone reading this is aware that Peru is a country. But that doesn’t mean you’ve visited recently, or have plans to go soon.
Everyone reading this is aware that turnips are a root vegetable. But knowing they exist doesn’t mean you’re going to have them for dinner.
Awareness is important, but it is insufficient.
Action comes from tension, desire and fear. Action is the hard part.
By now, everyone in your organization has gotten the cybersecurity memo.  Everyone from the CEO to the person who maintains the grounds knows security is important, and wants to do the right thing.  It's condescending, maybe even counter-productive, to treat our colleagues as though they've never heard about security.  Take it to the next level by building the right combination of tension, desire, and fear to inspire our organizations to execute on security.

Most of us security people have the fear part down pat: if you don't do all the security things I tell you to, something really bad is going to happen.  The problem is that we've probably been saying that for years, and nothing bad happened.  The wolf never came, and even if it did, the bite didn't hurt that badly, so everybody stopped listening to the Little Security Boy.  We need to employ other strategies to inspire our leadership and colleagues to action.

One way to create tension is to make it easier to do the right thing than it is to keep doing the same, wrong thing.  Try breaking the problem down into the smallest possible components.  Analyze the work you want done.  What is the logical first step?  What would this process look like if it were easy?  Identify the easy parts, the cheap parts, the fast parts.  Once we've done a few small things, we can build on our success.  Remember that it took years for things to get to where they are now, so it's naive to think we can fix them overnight.  What we can do is do something.  We must do something.  Today.  Tomorrow.  Every day.  Start the ball rolling - if we can keep it rolling, pretty soon it will gain its own momentum.  First we create the tension by making the work seem easy.

When we think of security, the term desire doesn't exactly jump out. Desire is a positive emotion, and we all have plenty of it.  We desire to do a good job, to be recognized, to do the right thing. We desire less stress, less distraction, more wins.  Everybody knows things could be better, security-wise - they want them to be better.  But they don't know where to start until you create the tension by getting the ball rolling.  Making progress - any progress, even if all we've done is stop the bleeding - starts a virtuous cycle in which the team starts to want to do more. Let's celebrate the work that's been done, no matter how tiny, and try not to remind the team about the mountain of work that still needs to be done.  By focusing on the success, we create the desire to build on that success.

Let's stop talking to people as though they've never heard about cybersecurity.  Let's stop playing the fear card, and build tension to fuel the desire to start moving our organization toward a more secure place.

Patient Gardening

I was pulling weeds in my garden last weekend, and it struck me that there are a lot of parallels between gardening and cybersecurity.  I’m...