What does it mean to "never waste a crisis"?

As the world (and particularly the US) began responding to the COVID-19 pandemic, I often heard or read this phrase from leaders of all sectors and stripes: 

"Never waste a crisis." 

On the face of it, this sounds callous and unempathetic, especially in the face of extreme unemployment and personal disruption. An alternative version might be:

"Make sure the outcomes of a crisis include meaningful betterment for [individuals | organizations | society]."

But whichever phrasing you prefer, what does it really mean? And for people in leadership positions, what action does it require?

Let's start with what it really means. In crisis situations, people, for at least some time, put aside day-to-day behaviors and come together to respond to the crisis. UK and US citizens' actions during World War II are often held up as exemplars, from enlisting for the armed services to shoring up manufacturing and embracing rationing at home. Most recently, federal spending packages, community efforts, and businesses enacting temporary pay cuts, to say nothing of all the efforts by healthcare professionals, all serve as examples. Staying at home, maintaining physical distance from others, and wearing masks also count here.

Then there's the outcomes side of the phrase. It's not enough to weather the crisis and return to what was. We should also seek to come out the other side in a better situation than when we entered it. The protests occurring throughout the US and elsewhere speak directly to this by confronting structural inequalities, some of which are exacerbated by COVID-19. News and social media are full of the stories of people taking risks for a chance at meaningful betterment for their society, regardless of how directly those people may benefit.

In general, we pull through crises because of this impulse to help the organizations and communities of which we're a part. But that impulse is not sustainable on its own. The COVID-19 pandemic has shown the limits of counting on individuals' self-sacrifice to see us through a prolonged crisis (and possibly making it even worse). In some cases, people show great capacity for helping society -- again, healthcare professionals are doing their work understanding the risks they take. We're also seeing frustration with restrictions like mask-wearing and restaurant availability result in people discarding those temporary norms in the name of "individual freedoms," which take us away from working together.

That's where the second question comes in. People in leadership positions are expected to guide their charges through a crisis at whatever scope or size they have responsibility. This may include:

• Identifying what changes are necessary to make it to the other side of the crisis (in hopefully an improved place)
• Communicating what the situation demands, why changing behaviors is crucial, and how we'll get through it together
• Reinforcing those with tangible changes, personally modeling behaviors so everyone understands the new norms
• Steering culture change by articulating what is (and isn't) acceptable and holding everyone (including themselves) accountable for change

The change in question depends on the situation. It may be as large-scale as combating a pandemic or as specific as breaking down silos in a business. As long as the change is being demanded, it needs to be considered and acted upon.

It's vital that leaders step up because they're the catalysts for the larger organization or community to follow suit. People want to be part of the organizations and communities they choose and look to leadership for inspiration and guidance so they know they're doing what's best for their organization. Through that leadership, we can pull together and make it through this, or any, crisis.

Confronting our fears on empowerment

I've been writing cover letters lately and the word "empower" keeps coming to mind (I'm doing my best to not use the word more than once per letter). Leadership articles have been talking about the need to empower employees seemingly forever, and yet we still struggle to make that a reality. Why?

To be sure, any number of leaders, when asked, will say they empower their employees. At the same time, employees seem to often lack two key aspects of empowerment:

1. Clarity of decision-making rights -- "do I get to decide what to do or do I have to escalate?"
2. Flow of information -- "do I have access to the information I need to make a decision?"

Not so coincidentally, these are also the top two characteristics found in companies that excel in strategy execution. After all, empowered employees should be implementing the corporate strategy and realizing its goals, right?

So why are we as leaders getting in the way of truly empowering our employees? It seems to come down to fear in multiple forms:

1. Fear of failure -- As leaders, our performance is linked to our employees' performance. If they fail, we fail. So we try to avoid failure by stepping in at what we may think are crucial, but infrequent, intervals to "steer the ship" in the right direction.
2. Fear of losing control -- Related to the previous point, our employees are doing most of the work on which we'll be appraised. What if they do that work differently than we might have when we held their jobs?
3. Fear of not being perfect -- When our employees define and do the work, they may not do it as well as we did when we had that job, and the results might make us look bad to our bosses because it's not as buttoned-up as we might have done.

These fears can be palpable and employees pick up on them from our behavior. Even something as innocuous as "I'd like to review your work before you deliver it to [client|boss]" can convey the message that you don't trust the employee to do the job well. More heavy-handed examples include, "Run that decision by me next time before you act," and, "Loop me in whenever something new comes up." All of these can indicate that we as leaders are afraid, or at least unwilling, to empower employees.

And the impact? At first, a team paralyzed by fear we caused and employees who never learn to take initiative or make a decision. More importantly, an organization dependent on its leadership to make all decision, with everything being escalated. When that happens, the organization can move only at the speed and strength of a handful of people rather than at the speed and strength of everyone.

Moving past this doesn't mean letting go of those fears. Rather, we must recognize that they exist, that we have them, and that they need conscious action to work through them. Those actions might include:

• Being open with your team and colleagues about it. Acknowledge you need their help to call you out when your behavior reflects your fears.
• Defining and sticking to new behaviors that change the dynamic. For example, I've struggled with overly wordsmithing documents and communications to the point where my "track changes" are an inside joke. So I started to hold back on "track changes" and focused on using comments to ask questions instead.
• Push your employees to make decisions. Sure, they can come to you; when they do, don't give them the answers! Ask questions that make them work out the best answer for them. By doing it in front of you, you can also assuage your own fears about whether their decision aligns with your thinking. 
• Share information, even if you think it's over-sharing. Yes, information is power, and shouldn't your team be powerful? It also builds trust and confidence, minimizing the risk of sensitive information being inappropriately disclosed.

Over time (usually less than you think), your employees will consistently and confidently make the right call because they learned how to do it and were given the information and space they need for learning. As that solidifies, your team will take care of running things so you can focus on the work only you can do.

---

More information: Empowerment in the Workplace: Definition and Best Practices (Smarp)

Resetting, reaffirming

Historically, I've used this blog to work out some of my own understanding and learning about my professional life. For a while, that was all about working toward a cloud-first approach while at an institution that was very much on-premise. Later, it became more about the role of the CIO and leadership issues overall.

I'm now unemployed for the first time in twenty-five years without knowing what my next opportunity will be. In the meantime, I'm doing a lot of reading, from Google's Site Reliability Engineering book to back issues of Harvard Business Review, all to keep my brain engaged in the kinds of work to which I'll eventually return. This space can then be a scratchpad of sorts -- a place for me to synthesize what I'm reading and form an informed perspective for future reference.

If you happen to read this blog, thanks for indulging this approach. Hopefully some conversations emerge from the topics -- I look forward to it.

What’s your orientation?

I’m inordinately proud of my new ability to do pull-ups from a dead hang. It’s taken me over three years of strength training to go from zero to one to two, and currently to three without a break in-between reps. It reminded me of how, maybe eight years ago, I went from zero push-ups to five push-ups after over a year of daily calisthenics.

Why am I spending time thinking about this, much less telling anyone else? It’s because it made me think about intrinsic motivation, especially self-motivation. Many people I know are motivated by fulfilling a landmark achievement — running the Chicago Marathon, hiking up to Machu Picchu, or completing a full Ironman Triathlon. They train for months to get ready for the moment, and then they achieve! But then what? Hopefully they celebrate the accomplishment, but is it then gone? Do they have to find a new mountain to climb? For some, this is incredibly motivating and they thrive on the cycle of train and achieve.

That cycle is also pervasive in the workplace. Think about any large project that you’ve worked on or knew about. Lots of work and stress over a long period of time, building up to a big launch, release, or opening. High fives all around, and then… find a new large project? It strikes me that this approach has a few challenges in a professional context:

1. Our professional worth is tied up in these “Big Bang” achievements, so we might start inventing them just for the rush of doing them. But the organization might not need all those projects.
2. It crowds out tightening up operations, documenting previous work for future reference, and other “dot the ‘i’s, cross the ‘t’s” activities, because nothing, NOTHING is as exciting as the start of a big project.
3. It prioritizes “new” over “better”, even if “better” would have more impact.

The last one has been on my mind the most of late. A friend and former supervisor loaned me Atul Gawande’s book Better several years ago and it really resonated with me professionally and personally. In the book, Gawande describes situations where attempting to solve problems can obscure the opportunity to incrementally improve, making the situation better in a shorter timeframe than the problem can be solved. More recently, I became a fan of Jason Fried and David Heinemeier Hansson (DHH), the co-founders of Basecamp, and their mindset and values on running a business and leading an organization. In particular, Fried wrote about goals (or not having them):

“When you shift from 1st to 2nd, 1st is behind you. Then from 2nd to 3rd, 2nd is behind you. I approach things continuously, not in stops. I just want to keep going — whatever happens along the way is just what happens.”

That’s not to say they don’t identify and pursue improvement — that’s what they’re doing most of the time. They’re simply not looking for the “Big Bang” that will transform the world or their company. Rather, they’re constantly improving their product and their workplace to make many people’s work lives a little better, a little more effective. As DHH puts it, they’re putting a dent in the universe, not trying to own it.

That approach inspires me. I've spent much of the past couple of years in the “messy middle” of a long-term organizational improvement, but it won’t have a launch or even a moment where we say we’re done. Its entire underpinning is a mindset that focuses at least some of our attention on “better” through clarity, transparency, and reflection. And we’ll be able to see the results — not all in one moment, but every few weeks and months as we get better at what we do and how we do it. Those kinds of results, and our recognition of them, gets me up every Monday morning ready to keep moving.

Why not be the "IT person"?

I was recently asked why I shy away from being labeled as the “IT person” when talking about my role or career path. I had an answer at the time but it wasn’t fully thought out. So here goes...

(I fully recognize this has been covered by many people. I appreciate your bearing with me as I attempt to make sense of it as well.)

I’ve been in IT for twenty years, and my path has taking me from support through systems infrastructure to management and leadership roles. Throughout this time, the industry’s notion of what IT is to an organization has evolved, but the emphasis has always been on the idea of technology as a strategic asset or partner to the business. Magazines and websites publish plenty of case studies on success stories along these lines. 

However, I’ve mostly found that an organization's notion of what IT is has more to do with keeping the lights on than on helping the organization propel itself forward. Computers need to be fixed, servers need to be running, and applications need to be available. And these are important, indeed critical, to a business functioning. They also tend to be static and can even inhibit necessary transformation as the business (or industry) evolves. The impact of IT stasis is twofold:

1. IT loses its ability to explore and innovate, instead staying in the comfortable rut of maintenance.
2. Non-IT folks stop thinking of IT as a team that can help solve their bigger problems, instead deciding to go it alone and “make it work."

These are both exacerbated by the reality that IT is no longer needed to stand up the basic technologies needed to run a business. It’s even easier now for IT to retreat into its cocoon and non-IT to find what they need and bring it into the workplace, increasing the divide. So being the “IT person” becomes being forgotten or uninvolved at times when their expertise is most needed, and then resentful when new services or systems are dropped on them (even though the situation is partly of IT’s making). It’s a truly vicious circle, resulting in a culture that doesn’t even think about IT when a need arises. 

Okay, so that’s all depressing if you work in or are responsible for IT. What can be done about it?

The IT leadership literature has long asked questions like, “how does IT reach across to the business?” and, “how do CIOs show their CEO and peers that they’re business-focused?” These are aimed at proving IT is ready to be at the table, which is important. A CIO/CTO needs to demonstrate and be seen as at least “IT leader, plus business”, if not “business leader, plus IT” by their CEO, peers, and colleagues to be effective.

But it’s not enough. For example, ideas are generated and decisions are made in day-to-day conversations in hallways and doorways (or the virtual versions of those), not in the big meetings. The IT leader needs to be in those as well, which is a combination of being invited and asking to join. The level of agency varies by situation, so each IT leader needs to determine the right balance for their organization. Otherwise, the leader and IT department will be relegated to the sidelines, called on only when needed for a specific task.

IT leaders also need to make a compelling case to define clear lines of priority and accountability for projects they champion, and avoid having a project classified as an "IT thing." "IT things" often drop to the bottom of everyone else’s priority list, which can make them difficult to complete due to lack of business partner availability. Security, policy compliance, and process improvements often arise from IT, and easily slide into the “IT thing” category. It’s on us to contextualize those projects and build the necessary partnerships to make them both relevant and successful. 

The opportunity is usually there for the CIO/CTO. But it’s never easy and it always, ALWAYS requires more time and energy than you’d think.  

It's 2017 - why are we still spreading FUD about data security in the cloud?

I was looking into document management options to build upon Google Drive earlier this week. A quick search of document management with google drive yielded, among other results, a post called Google Drive is No Substitute for Document Management. Reading this took me back to conversations years ago about how you can't trust the cloud for your sensitive information and how having your own servers is more secure for your data.

(The post was written in February 2016, so I understand if the post doesn't account for service advancements since then. However, leaving this as is, especially given its high page rank, isn't doing readers a service.)

There are certainly reasons to not rely on Google Drive (or Dropbox, Box, or other cloud file sharing options) for workflow-driven, automation-aided document management, which is discussed in the post. But the first two reasons are just plain inaccurate, and taken at face value, can inhibit organizations who have complex needs and limited resources from taking advantage of commonly used cloud offerings.

Let's start with reason #1 ("Google Drive is Difficult to Administrate"). The basic premise here is that IT administrators don't have the control over folder and file access that they do in more centrally controlled systems, and that control is exceedingly important to maintaining data security. While that sounds bad, let's consider that once someone has access to download a file or folder, they can then share it with whomever they want via email, some other file sharing mechanism, or by printing it out. Further, people are more likely than ever to find the best tools for their work, especially if IT is clinging to admin-centric rather than user-centric services. Data protection and security, absent an environment that is so restrictive that it allows only the most basic functionality at all, is often a combination of technical capabilities, corporate policies, and user training to provide a secure and productive environment.

The roles of policy and training in protecting an organization's data cannot be emphasized highly enough (but here's a few links for your reading pleasure):

• http://www.enterprise-cio.com/news/2016/jan/22/importance-security-awareness-training-enterprise-it-governance/
• http://www.information-age.com/importance-creating-cyber-security-culture-123465778/
• https://nces.ed.gov/programs/ptac/pdf/issue-brief-security-training.pdf

Seeing a viewpoint represented by a statement like the one below not only frustrates me, but also indicates policy and training aren't being considered:

For example, your HR employees need to store sensitive information like social security numbers, names, birthdates, and direct deposit banking information. If they store this information in Google Drive, there is a good chance that other employees can see it, too. Obviously, that’s not a good idea.

Storing this data in a spreadsheet in any location is ill-advised and no technology is going to fully protect against it happening. In a security-aware culture, though, the data steward would more likely consult with IT on the best way to store that data and prevent inappropriate disclosures.

On to reason #2 ("Google Drive Only Uses SSL Encryption"). When considering your data security, it's certainly crucial to consider data at rest as well as data in motion. This post asserts that data stored in Google Drive are encrypted in motion, but not at rest, linking to an article that says the same thing. That would be disconcerting and likely put people off using G-Suite. However, Google is fairly upfront about their encryption, making a topic-specific whitepaper available for public view. It articulates how data are encrypted at rest and in motion, as well as how encryption keys are managed. The short version is that with the possible exception of video files, data uploaded to or created in Google Drive/Docs/Slides/Sheets are encrypted. It's also one part of Google's overall security approach. Dropbox and Box have similar information available about their security and encryption approaches.

When considering cloud storage for your organization, security and risk management should be right alongside usability and collaboration in your priority list, and doing your research is important to making a sound decision. The major cloud service providers get it, and have embraced data security and protection as cornerstones of their storage services. Saying otherwise is outdated and unhelpful.

The CEO-CIO Connect

My social media feed recently included an article from Maven Wave Partners' Fusion Blog titled, "CIO vs. CEO: Finding Middle Ground." (note: I used to work at Maven Wave several years ago.) As it was my former employer and I'm a new CIO, I had to read it. And it was thought-provoking indeed -- I didn't necessarily agree with many of the premises, the primary conclusion was spot-on:

"When the CEO and CIO can find middle ground and work together as true partners, the enterprise will achieve true competitive advantage..."

Within the article, the points that stood out to me were (1) the disconnect between the CEO and CIO, and (2) the CIO as a business commodity. Each deserves further consideration, especially at at time where fewer people want to be a CIO.

The disconnect between the CEO and CIO

The article states, "Clearly, the CIO and CEO have roles with notably contrasting job responsibilities... The CEO often understands the core business and customer demands better than the CIO." I'm not going to disagree with these on principle, and it's easy to see this as the world as is. At the same time, we in IT leadership have been told again and again that we must, MUST understand the business in which we operate in order to be a strategic partner and not a business commodity. Virtually every CIO success story I've read can be summarized as follows:

1. CIO meets CxO
2. CIO and CxO form partnership around common cause
3. CIO and CxO make big initiative happen, increasing visibility for both

One of the reasons I was attracted to my current position is the shared idea that the CIO and CEO in fact have roles with notably comparable job responsibilities. Yes, we do different things for the organization (and I'm still figuring out mine). But we share the broad responsibility of both taking the "across the organization" strategic view and enabling ongoing operations. This dual responsibility distinguishes the CIO from a director of IT, who focuses more on operational excellence and continuous improvement within the technology function.

CEOs and CIOs both have the responsibility and opportunity to span the organization.

CIO as a business commodity

So what about the CIO being a business commodity? This is certainly one way to be perceived, especially if the CIO presents as tactical rather than strategic. It's tempting to create an IT strategy, but that helps separate technology from the business. IT strategy also tends to focus on things IT thinks is important, which rarely match what the CEO is trying to do and gives the impression IT isn't part of the team. 

Instead, the CIO's goal should be to ensure technology is part of each facet of the corporate strategy. Ideally, meeting this goal involves the CIO having candid, business-focused conversations with the CEO and being at the strategic table, and doesn't involve the intricacies of platform as a service or network segmentation. However, the world is far from ideal, and the CIO may have to work hard and long to get to that point, possibly exerting influence less directly to get to the table.

This all sounds great in theory.

Doesn't it? That doesn't mean it's an impossibility in practice. Where a CIO begins has everything to do with context -- not every CEO is ready to integrate technology into their everyday thinking. But they don't have to, at least not in detail. If the CEO is willing to consider technology in terms of the same goals as everything else -- help the top line, help the bottom line, and mitigate risks -- then perhaps the conversation can get underway.