<![CDATA[Adrenalan]]>
https://www.adrenalan.com/ (Ghost 5.18 feed, Wed, 19 Oct 2022 23:26:12 GMT)

<![CDATA[How is your information journey going?]]>
https://www.adrenalan.com/how-is-your-information-journey-going/ (id 63353ab12aaec2ef99a698d5)
Thu, 29 Sep 2022 10:00:06 GMT

If your organisation is like many, you may not have even realised that you’re on an information journey.

Note: the usual caveats apply to this post.

I can’t think of a single organisation, from tiny to huge, that isn’t a data business of some sort. From the local fruit and veg store to the large corporate; from the community organisation to the not-for-profits - every single one uses data to achieve their goals.

If you use data, you’re on an information journey.

Let’s briefly take a look at what we mean by "the info journey" and some of the elements involved. (Note that these elements are not necessarily on a linear timeline but presented here as such for ease of viewing.)


If you were starting an information journey now (for example, if you were to build a new business from scratch) you’d probably start by looking at what data your organisation is going to handle to meet the outcomes you need to achieve. Most likely, you’ll have client and staff records, accounts and payments information, ICT and development data, and your organisation-specific products and services data (i.e. data from where your income is derived).

All of this data forms part of your organisational information assets.

These examples are just scratching the surface of what you actually have in your organisation. Once you start mapping it out, you might be surprised at what you actually have… remember to check your local laws and regulations to see if you are supposed to have it (or keep it all) – but that’s a story for another post.

So why does all this data exist? Hopefully, it all serves the purpose of allowing your organisation to do its thing – it supports your organisation’s reason for existing. Done right, that data should help generate the income for the organisation too.

You're likely to evaluate the architecture of how this data is linked together – you might even build out a data fields map and interconnections between the various systems, and the data flows and processes at a business level.

Tip: remember to document things and hang onto the artefacts you’ve built, as they’ll form part of your organisation’s intellectual property.

As part of this architecture work, you will likely stray into the governance, management and operational models of how things should function within your org. The actual operational aspects might vary but should also take into account data archival and decommissioning activities, as necessitated by your applicable laws and regulations.

If you’re going to use developers to code your own solutions, there’s a raft of other things to consider, from code analysis to securing your source code (more organisational intellectual property!). But even if you’re ‘just’ configuring commercial cloud offerings like SaaS products, you may want to consider what assurances and data you need back from the vendor of the product. This will include such things as log files and statements of applicability around where your data is stored, how and where it is encrypted and so on… what will a compliance person or auditor be asking for?


But let's face it - the likelihood is low that you’re in a ‘greenfield’ organisation. You're more likely in a business that has grown organically over time... brought in different software to do different things (maybe even acquired or merged with other businesses, with totally different data, software and culture) and you’re in an operational state.

So how do you approach the information journey?

Step 1

You've had the realisation that you’re on an info journey.
You have a data-related past.
You’re in the information-related present.
You have a knowledge-related future in mind, possibly with a sprinkling of added 'wisdom' derived from your data!
(Note: there are some references here to the DIKW pyramid.)

Step 2

Quantify your organisational outcomes as metrics to be achieved. What do you need to achieve? (Defining requirements as ‘must’, ‘should’ and ‘optional/nice-to-have’ can be very helpful in both the short and longer term; along with the standard numerical approach.) How are you going to measure against these metrics?

Remember that it is difficult to move forward if you don’t know where you are – measure your present, so you can prove your improvement in the future… bringing us to:

Step 3

Perform an assessment in an unbiased way.
Where is your journey strong and where is it weak?
Where is it important to get stronger?
(You may want some outside help for this; unbiased self-assessment is never easy.)

Step 4

Using the requirements from step 2 and the assessment from step 3, plan your information journey ‘upgrade’ – create a roadmap of how to get there.

Step 5

Plan how you'll get value from your information.
How do you provide metrics and historical views on performance?
Do you have to put in a lot of effort every month to “generate reports for management” or does everyone simply look at dashboards that show them immediately what they need to know?
Example sales dashboard given below - do you have this level of realtime visibility?


Step 6

Start delivering against your roadmap!
Make sure you reassess progress periodically, both to ensure you’re delivering to the requirements you set (assurance) and also to ensure those requirements are still what you need. Nothing stays static for too long, except data that should have been archived!


Obvious self-promotion time - Adrenalan can assist you with all parts of your information journey – please get in touch.
We work with you to meet your outcomes.

Safe information travels!


]]>
<![CDATA[Supporting CrikeyCon]]>
]]>
https://www.adrenalan.com/supporting-crikeycon/ (id 630b57bb16446bee08ed72d4)
Sun, 28 Aug 2022 12:07:16 GMT

A short note here to say this year we're not just attending CrikeyCon but have gone in deeper - volunteering to try and start up a local car hacking community, and subsequently helping to form Autohackers.org as a specialist group for it.


If you're interested in hacking things that move, please get involved. This year we've started with a 'CAN bus 101' setup - basically a Raspberry Pi with a CAN bus interface, connected to a vehicle's instrument cluster, to try and replicate the data traffic coming from the engine controllers to the instruments. More details on the Autohackers website.

Hopefully we'll see some of you at the conference next weekend!

]]>
<![CDATA[Fishbowl Conference Notes]]>
https://www.adrenalan.com/fishbowl-elevate2022/ (id 62fd76fad7403e03c302d2df)
Wed, 17 Aug 2022 23:24:24 GMT

This is a post for the attendees of the Fishbowl Elevate 2022 conference, who saw Zac Harrington from Lucid Multi Cloud presenting on data reporting and "Fishbowl Reporting as a Service" today at the conference.

Zac from LMC2 presenting at Fishbowl Elevate 2022, 18-Aug-2022

To briefly explain the relationship between LMC2 and Adrenalan - we provide the information and business process analytics for the LMC2 service offerings for Fishbowl. (As you can read about more on this website, Adrenalan specialises in helping you on your journey through information, identity and your business intent.)


So, let's get on and have a look at some Microsoft PowerBI views that Zac presented. These are views of your data that can be made available with the LMC2 reporting offering. (Please note these example reports are from some modified Fishbowl demo data.)

First up, we have a very high-level view of revenue.

High level revenue view

At the high-level, this view is showing you revenue and some breakdowns of that revenue - over time and by delivery area (by postcode).

Clicking on the year allows you to filter by the year - 2022 in this case.


It's the same data. You can filter further, say 2022, Q1.

2022-Q1

Maybe you just want to see a month... again, sorted by most revenue but now on a per-day basis.


Nice - you get to see what you want to see, quickly zooming in on your data. We can also change the way you see the graphical data... maybe you want to check out your revenue vs stock, over time.


Why not check out where you're shipping to? It might give you a graphical idea of where your customers are... which could lead to warehouse optimisations and improved shipping processes - lower costs and faster delivery, why wouldn't you?


Maybe zoom in on just the Australian orders... (two different levels of zoom)


Now these views have all been using Microsoft's PowerBI. However, if you want to build views without being beholden to Microsoft's cloud products (and licensing), you might want to use Grafana. Grafana can be hosted local to your database... and potentially other data you have in your business that you want to 'mix in' to create far more relevant dashboards for you.

So let's look at Grafana and we'll start with a view of revenue by postcode, inventory and some nice pretty graphs to go along with it.


We can also build you 'drill down' screens and as many views as you need based on your Fishbowl and any other data you have in your business. This will help you visualise your metrics and KPIs... then you can look at optimisation and consolidation, as needed.

Which leads us back to an even higher level concept - the business processes that the tools (in this case, Fishbowl, with PowerBI or Grafana) support. If you follow the old adage "you can't improve upon it, if you can't measure it", mapping out your business processes, where Fishbowl supports those processes and the metrics around delivery of those processes will allow your business to figure out:

  • How does your business process actually look? (Hint - if it's convoluted, there's almost no way it is optimised... and you'll likely have quality issues as well, leading to higher costs.)
  • What are the metrics associated with the current process? E.g. how long does it take to do to each stage; or costs associated with each stage.
  • Then you can map out where you need to improve those processes and raise quality. If you're gathering the metrics along the way, you'll be able to see improvements as they happen and quantify your return on investment.

Above, we've run through some demo data, using live demo views in PowerBI and Grafana. Obviously if we look at your data and what matters to you, we can make far more tailored dashboards for you to obtain a view on your business.

Get in touch if you want to have a conversation about how we can help you.

]]>
<![CDATA[Defining your Cyber Problem - BrisSEC19 talk]]>
https://www.adrenalan.com/brissec19-talk-defining-your-cyber-problem/ (id 62f5c199c24dae03ce3b0c91)
Wed, 10 Apr 2019 05:02:40 GMT

This was my BrisSEC19 (AISA) '10 min talk' – part of the Cyber 101 series during the conference on 29-Mar-2019.

Conference link: https://www.aisa.org.au/Public/Events/Conferences/BrisSEC-2019/BrisSEC19.aspx

Slide - title: Defining your Cyber Problem

The notes in these pages are to help fill out the slides as the slides were speaking points, rather than complete notes.

Slide - fine print, the usual caveats

The usual start-of-a-talk caveat – this is general advice, I’m not a lawyer, you break anything it is your own fault, copyright/etc belongs to the respective owners…

Slide - What's in these 10 minutes?

The premise of this talk is that you’ve got a problem to solve; one that involves “the cyberz”.

Typically, you’ve got a significantly smaller allocation of money or budget with which to solve a bigger problem. The ‘ideal world’ doesn’t exist – you can’t simply find and apply every possible ‘fix’ as this is not feasible.

So, how do you define the problem, in information security terms, so that you can apply cybersecurity related fixes?

Slide - my context for this talk

Providing some background to myself and how I’m approaching this slide deck.

I’m a consultant (cue “boo, hiss”, etc.), but when I am asked onsite I have a few key questions that need to be addressed to define the problem.

I need ‘facts’ to work with. (Technically observations – they may well be perceived facts or even facts, but we’ll lump them together simply as ‘facts’ to avoid lengthy discussion on the topic of ‘observations, findings and recommendations’.)

Regardless of the type of role I do when I go onsite (it could be security-, enterprise- or even data-architect; as well as ‘consultant’) I will always need to collaborate with many different roles inside the organisation, from Business Analysts through ‘Subject Matter Experts’ (SME) as initially I need the view of the organisation, not the views of IT.

Note that there is no singular generic ‘right answer’ – the correct answer for your organisation will depend wholly on its context.

A side benefit of getting out there and talking to many roles inside of the organisation is potentially getting more people interested in information security!

If you ask for help (eg internal or external consultants) and you have already answered these questions you’ll be many steps ahead. Obviously ask for help where and when it is needed… but you may find better ways or areas to implement controls if you understand the organisation better (not just the technology layer).

Beware the ‘pre-canned answer’ – the worst is when a solution is immediately sought, without properly defining the problem. Never ends well, except for the vendors!

Ref: http://www.adrenalan.com/the-problem-is-already-knowing-the-answer/

Using the 3 I and 6 W

Going to use Adrenalan’s “three I” because it gives us the 6W (who, what, when, where, why & how) with a cyber slant.

See http://www.adrenalan.com/infoidintent/

Slide - Why are you doing this?

‘Why’ lets you ask for more money to solve the problem, if need be. If it’s outside your usual operational scope (eg new regulation) then you’re better able to articulate the problem (and beg for $).

‘Why’ lets you find the correct stakeholders and obtain support from them (when ‘why’ is put back to them as it affects their parts of the organisation).

Further ‘root cause’ reasons:

• Mandatory… if it’s not mandatory it’s optional, thus a choice to be made. (How mandatory something ‘mandatory’ is, is an ownership-level discussion, ie the Board.) Alt: What are the key requirements? Any MUST vs SHOULD? (If the $ for it can change in the decision process, it is likely a SHOULD!)

• Privacy Act, specifically the notifiable data breach (NDB) rules having effect, plus GDPR effects (either perceived or real)

• Remember that Security != Privacy... but you can use a lot of the same controls to maintain both

• Be able to answer the “mix it with other budget” question, or the inverse

Whatever you find as the root cause ‘why’ is what you need to remember throughout. Write it down. Stick it on your wall, if not too sensitive!

Slide - What are you protecting?

After why the ‘what are you protecting’ is the most important thing for information security people to get their heads around.

This is an area that the organisation needs to be heavily involved in to provide an accurate view of what is important to the org, along with the value of those assets.

Example: you’re not protecting a user’s laptop – you’re protecting the information assets stored on or accessed via that user’s laptop.

Open question for audience – (assume Office365 email sync’d to Outlook running on a device) is the best place to spend money for security controls on the laptop or … where?

Slide - Assets, another view on 'what'

This is another way of looking at the ‘what are you protecting’ slide:

What would your competitors most want?

What is valuable to criminals?

Wear your evil hat!

Rule of thumb: don’t spend more to protect assets than they are worth or will cost you if you lose them.

Slide - Who?

Who needs access to the ‘what’ assets?

Typically: it’s staff, partners, customers… but frequently includes regulators, developers (does that include open sharing to github?).

What’s the full lifecycle (recruitment, onboarding, ‘operations’, leaving, tombstoning, etc) of the ‘who’?

Slide - When do I need this by?

Everything is time bound. An imagined thing delivered in 6 months’ time is just that … imagined – it will do nothing to help you until it actually exists and does its thing. (It may still fail but that’s another story!)

Purposefully not going to use a particular framework here… just the basics – create / operate / destroy.

Can you do it staggered – often referred to as ‘horizons’ or ‘phases’ of a longer project or programme of works. The important part isn’t how it is staggered but that you get the needed security controls in place by the time you need them. (More on security controls later in these slides.)

Slide - How can I be successful?

What are the factors that need to be in place for you to be successful?

Who are the stakeholders that are your keystones for success? (execs, directors/board, regulator, customers… no one is off the stakeholders list)

If putting a stakeholder on the list scares you, then it may just be the correct stakeholder – turn your weaknesses into strengths.

Building trust with your stakeholders must be part of success.

How do you define the ‘right answer’? – speculate: if it ethically enables the org to reach its goals.

Slide - Where do I put security controls?

Wear your evil hat again – how would you break your organisation?

Run a business red-team exercise (‘desktop’ or paper is a good starting point) – SMEs can often tell you exactly how to break things within your processes.

All DR events I’ve been called into have been process failures, at root cause level, not technology failures. It may have been a technical failure that was the visible ‘bang’ but it’s the process that will have failed to adequately deal with the tech failure.

How’s your recruitment and vetting ‘people’ process? Offboarding? Do you have a ‘walking the staff member out the door’ process that immediately locks that person out of all access? (Can you prove it? When did you audit that process with a developer or system admin, just to check it works?)

Slide - where (continued)

A few more thoughts on security controls:

Where are the best places to put controls?

- People controls are the most flexible and ‘stick’ with the people throughout changes in process and technology. Invest in your people.

- Process controls are changes in how the organisation works and are the most effective controls, overall. (And can enable people empowerment, more than technology controls.)

- Technology controls should generally be as invisible as possible.

When you ‘stick it in the cloud’ it should still conform to your organisational rules… eg build yourself an org-wide-agreed access decision model (this is a whole other talk topic!)

Remember the most expensive part of controls is monitoring them effectively!

Slide - example security controls to NIST cybersecurity lifecycle

Remember we spoke about lifecycle? Infosec has the NIST cybersecurity lifecycle to refer to…

…so here’s a view of some example security controls at the people / process / technology layers, with a ‘matrix view’ across identify / detect / protect / respond / recover.

Slide - Recap

Since you’re now reading this talk, rather than listening in real time, please review the 6W. Remember – answer ‘why’ and ‘what’ and you can work the rest out from there!

You must contend with the whole lifecycle – create / operate / destroy.

Cultural change will beat tech change.
Process is your org.
People run your org.
Tech supports it.

Slide - Question time

Slide - Thanks for listening!
]]>
<![CDATA[SIEM – How to go from concept to incident ready]]>
https://www.adrenalan.com/siem-how-to-go-from-concept-to-incident-ready/ (id 62f5c199c24dae03ce3b0c88)
Tue, 11 Sep 2018 02:51:20 GMT

So, you have decided your organisation needs a SIEM. What happens next?

As a consolidated view of security threats, a SIEM can be of great value to almost any organisation. However, a lot of organisations don’t get sufficient value from their SIEM, or it’s just a way for them to tick a box on a compliance form. Don’t you really want to get the most out of that expensive new tool?

Once deployed, a lot of organisations think the job is done, but this couldn’t be further from the truth. The SIEM will require constant and ongoing maintenance and improvements to continue to provide value. Otherwise it risks falling into disrepair and might become an even larger task to fix than the original deployment. I have seen organisations where it is easier to install a new SIEM rather than fix up the old one!

What are the first things to consider?


The first thing to consider is why the decision to use a SIEM has been made. Ensure that the business requirements are known and what goals the organisation wishes to achieve by embarking on the SIEM journey. Begin with the end in mind. Ensure that the goals of the project are aligned with the original business requirements.


Take some time to consider the best product for your needs. SIEM solutions come in many flavours. There are open source products, a multitude of vendors that offer SIEMs, or even home-grown options if you have the skills and desire in house to do this. Be careful with the home-grown option however due to increased time to value.

Review the various hosting options for your selected SIEM. Do you want to host the SIEM in-house, or does your organisation have a cloud first strategy, in which it is a requirement to use a fully hosted option?

If you have settled on a SIEM product that you will be purchasing from a vendor, review the licensing model in use, as a lot of work will go into ensuring that you have the right type, and number, of licenses for your organisation. Licensing can be complex and expensive, depending on the licensing model for the SIEM selected. Right sizing the license is important, but this can be expanded later on, providing there is budget remaining. You will need to consider your logging requirements at this stage as well since most licensing schemes work by number or size of logs being imported. I’ll talk more about determining logging requirements later on.

Remember to consider also the ongoing support and maintenance costs, as the higher the license cost, the higher the annual renewal bill that comes with it.

Review the architecture options available for your implementation. If you are hosting the SIEM in house then this will be very important, as it can mean the difference between a poorly performing SIEM and an incident ready SIEM at the end of the day. This is easier if you have decided on a cloud implementation, as less thought needs to go into the SIEM itself and more into ensuring secure, reliable and timely data transmission to the SIEM. There are many decisions to be made here and most likely the vendor you have selected will be able to offer you the best advice for your specific needs.

Which logs do I need?

Now that some of the decisions have already been made around the SIEM, it’s important to start thinking about what the logging requirements are. As any technology professional knows, there is a huge abundance of logs available in any organisation. Do you want all of them? I’d suggest not, or at the very least take a prioritised approach to adding logs to your SIEM. Onboarding everything in one hit is just asking for trouble.


Firstly, decide on some use cases for your SIEM. Use cases can help to prioritise which logs are going to provide you with the most value. Start with thinking about some likely attack scenarios for your organisation, from both internal and external threat actors. Then try to determine how you would detect these events, and which logs are going to be able to help you the most.

The other approach which goes hand in hand with the above is to rate servers or applications by risk, i.e. figure out which assets would be of the most value to attackers and start by collecting logs for your most critical assets.

By now you will have a pretty good idea of the order in which you want to start importing logs. Some others to think about are:

• Active Directory, Kerberos, LDAP
• Identity management and authentication data
• IDS/IPS, Web/Email filters, WAF, Anti-Virus, Anti-Malware
• DNS, DHCP, switch, router, firewall
• Database (be sure to configure auditing in the databases, as most are not enabled by default)
• Network flow data
• Cloud data
• Physical building security logs (e.g. door access)
• Vulnerability scanners
• System or policy change data


Other things to think about before installation

Make sure you consider who is going to have access to your brand new SIEM. Once the SIEM is running you might find a lot of people within the organisation want access. You need to decide up front what makes sense, and what doesn’t. For example, operations teams might want to investigate locked accounts using the SIEM, especially if they don’t have their own logging solution in place for authentication logs.


Ensure you have a plan for the permissions scheme you want to use. If you are going to have various teams other than the Security Team accessing your SIEM, you will want to have the appropriate permissions structure in place so as not to allow access to data by teams that don’t need it. You may not want your Operations team having access to the web browsing data for the entire organisation, for example.

Also think about who is going to be responsible for the ongoing maintenance of the SIEM. Are the security staff, who are the primary users of the SIEM, also the ones that are going to be required to maintain it and log support calls to the vendor when something goes wrong? Document these support requirements up-front so that when something goes wrong, you don’t have to start conversations about who is going to get it resolved.

This is also the time when you want to start thinking about which sources of threat intelligence are going to bring you the most value. There are plenty of free ones out there, and many paid ones exist as well. Something industry specific, if it is available, will likely bring you the most value. Do a web search for “threat intelligence feeds” if you aren’t sure where to start. But beware, some threat intel feeds will fire more alerts than you know what to do with, so significant tuning may be required.

Purchasing and Installation


At this stage (or possibly even slightly earlier), you can start the procurement process for the required hardware, software and licenses. Make sure you contact multiple vendors to ensure you are getting the best deal on the SIEM that you want.


OK, it’s crunch time. The hosting model is decided, maybe hardware has been purchased, software is ready to go, and licensing is all sorted. Time to get the thing up and running! Set up the hardware and software, or don’t if you have selected a cloud model. The point is to make sure the SIEM is ready to start accepting logs.

Now you can start working through your prioritised log source lists and start adding them one by one, or in batches if your workflow allows for this. Make sure you watch the performance of your SIEM during this time, as this is where architecture and planning issues can start to show themselves.

The Never-Ending Cycle of SIEM


Now comes the fun part, the operationalisation of continuous SIEM improvement. The following steps are not things that need to be done just once, as much as you might wish it were that way. For a SIEM to be truly effective there needs to be an ongoing cycle of evaluation and refinement.

Continuously evaluate required log sources. Log sources change all the time. New systems are added, old systems are decommissioned, log sizes grow and diminish, and sometimes just stop working altogether. Ensure that you are on the lookout for any of these events, so that the SIEM has the right log sources needed to achieve your goals.

Evaluate threat intelligence. Are you getting value from your threat intel sources? Are there some new sources of threat intel that may potentially be useful? The other thing to consider here is if you are able to contribute your own threat intelligence to help others, although this does require a certain level of maturity within your operations that you won’t have straight away.

Review your use cases on a regular basis. Are there some new ones based on new products the organisation is offering, or is the evolving threat landscape showing up new and different types of threats than in the past? Keeping on top of new use cases will help your SIEM continue to perform and meet business objectives.

Now for one of the most important tasks, without which, your SIEM will be much more difficult and onerous to operate. Write, evaluate, and tune the rules. A lot (if not all) of SIEMs come with out of the box rules you can use, which may or may not be suitable for your organisation. Apply the use cases that you have generated to ensure you have rules for each and every one of them.

This next task goes hand in hand with writing rules. Watch for and tune false positives constantly. If there has been an alert generated, and it is proven to be a false positive, then that rule should be tuned, so that you’re not spending time on the same false positives more than once.

Monitor performance and ensure the SIEM is performing up to scratch. In order to maintain your SIEM in a good state of health, it is important to perform preventative maintenance checks on a regular basis. Display metrics regarding the health of your SIEM on a dashboard. Ensure that the team who is responsible for the maintenance of the SIEM can see these dashboards, and receive the required alerts to provide a quick response when something goes wrong.
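The three points above that recur in every SIEM cycle (a rule per use case, tuning a known false positive once rather than re-triaging it every day, and noticing when a log source goes quiet) are easier to reason about with a small model in front of you. The following is an added example, not code from the original post or from any SIEM product: a few lines of Python that play the part of the SIEM's rule engine. The log lines, host names, IP addresses and the rule names `auth_failure_burst` and `silent_sources` are all constructed for the example; the allowlist stands in for whatever tuning mechanism your product provides.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events, not real logs. Fields: timestamp source event user src_ip
SAMPLE_LOGS = """\
2018-09-11T02:00:01Z dc01 auth_failure alice 10.0.0.5
2018-09-11T02:00:05Z dc01 auth_failure alice 10.0.0.5
2018-09-11T02:00:09Z dc01 auth_failure alice 10.0.0.5
2018-09-11T02:00:12Z dc01 auth_failure bob 10.0.0.5
2018-09-11T02:00:15Z dc01 auth_failure carol 10.0.0.5
2018-09-11T02:00:20Z dc01 auth_success alice 10.0.0.5
2018-09-11T02:01:00Z dc01 auth_failure svc_scan 10.0.0.99
2018-09-11T02:01:02Z dc01 auth_failure svc_scan 10.0.0.99
2018-09-11T02:01:04Z dc01 auth_failure svc_scan 10.0.0.99
2018-09-11T02:01:06Z dc01 auth_failure svc_scan 10.0.0.99
2018-09-11T02:01:08Z dc01 auth_failure svc_scan 10.0.0.99
2018-09-11T01:20:00Z fw01 deny - 203.0.113.7
2018-09-11T02:05:00Z waf01 block - 198.51.100.4
"""


def parse_logs(text):
    """Parse the space-separated sample format into event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, event, user, src_ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "source": source, "event": event, "user": user, "src_ip": src_ip,
        })
    return sorted(events, key=lambda e: e["ts"])


def auth_failure_burst(events, threshold=5, window=timedelta(seconds=60), allowlist=frozenset()):
    """Use case: credential guessing. Alert when one source IP produces `threshold`
    or more auth_failure events inside `window`. `allowlist` is the tuning knob:
    IPs whose failures are known-benign (e.g. an authenticated vulnerability scanner
    hitting accounts it is not entitled to) are skipped instead of being re-triaged
    as the same false positive every day."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "auth_failure" and e["src_ip"] not in allowlist:
            failures[e["src_ip"]].append(e["ts"])
    alerts = []
    for ip, times in failures.items():
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it covers at most `window`.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "auth_failure_burst", "src_ip": ip,
                               "count": end - start + 1, "first": times[start], "last": t})
                break  # one alert per IP per evaluation run
    return alerts


def silent_sources(events, expected, max_gap=timedelta(minutes=30)):
    """Health check: which expected log sources have gone quiet? A source that never
    appears, or whose last event is older than `max_gap` relative to the newest event
    seen, is reported so the gap is noticed before it hides an incident."""
    if not events:
        return sorted(expected)
    now = events[-1]["ts"]
    last_seen = {}
    for e in events:  # events are sorted, so the last assignment wins
        last_seen[e["source"]] = e["ts"]
    return sorted(s for s in expected if s not in last_seen or now - last_seen[s] > max_gap)


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("untuned:", auth_failure_burst(evs))
    print("tuned:  ", auth_failure_burst(evs, allowlist=frozenset({"10.0.0.99"})))
    print("silent: ", silent_sources(evs, {"dc01", "fw01", "waf01", "dns01"}))
```

Run untuned, the rule fires twice: once for the genuine burst from 10.0.0.5 and once for the scanner account on 10.0.0.99. Adding 10.0.0.99 to the allowlist is the tuning step, and the second alert disappears without loosening the threshold for everyone else. The health check reports `dns01` (expected, never seen) and `fw01` (last event 45 minutes before the newest event), which is the kind of metric the post suggests putting on the maintenance team's dashboard.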

Develop meaningful dashboards. Dashboards are of critical importance to any well-functioning SIEM. They can display near real time status of the operational health of the SIEM, as well as important information about the security posture and compliance level of the organisation.


Try and automate as much as possible. If you are performing a task manually every time a specific alert comes in, can that task be automated or scripted in some way to reduce the workload on your analysts?

Now it’s time to perform a review. Have you met your original goals and aligned with the business requirements?

Using the above continuous improvement cycle will allow your SIEM to be ready when the inevitable security incident arrives. Your SIEM will allow your incident response process to operate efficiently and effectively when the time comes. Ensure that your incident response processes are reflected in your SIEM processes and vice versa, and review these on a regular basis as well.
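The rule-writing, false-positive tuning and health-dashboard steps above, as a small worked example. This is code added here, not from the original post or any SIEM product: the key=value log format, the host names, the user names, the RFC 5737 test addresses and the "authorised scanner" tuning exception are all constructed for illustration, and a real SIEM's rule language would look different.

```python
"""Toy SIEM rule with tuning exceptions and a log-source health check
(added example with constructed data, not from any real SIEM)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample events (key=value format, RFC 5737 test addresses).
SAMPLE_LOGS = """\
2022-09-29T09:10:00Z host=vpn01 event=auth_ok user=grace src=192.0.2.44
2022-09-29T10:00:01Z host=web01 event=auth_fail user=alice src=203.0.113.7
2022-09-29T10:00:09Z host=web01 event=auth_fail user=bob src=203.0.113.7
2022-09-29T10:00:17Z host=web01 event=auth_fail user=carol src=203.0.113.7
2022-09-29T10:00:25Z host=web02 event=auth_fail user=dave src=203.0.113.7
2022-09-29T10:00:33Z host=web02 event=auth_fail user=erin src=203.0.113.7
2022-09-29T10:01:00Z host=web01 event=auth_ok user=alice src=198.51.100.3
2022-09-29T10:02:10Z host=web01 event=auth_fail user=alice src=198.51.100.3
2022-09-29T10:02:30Z host=web01 event=auth_fail user=alice src=198.51.100.3
2022-09-29T10:03:00Z host=web02 event=auth_fail user=svc_scan src=10.0.0.5
2022-09-29T10:03:05Z host=web02 event=auth_fail user=svc_scan src=10.0.0.5
2022-09-29T10:03:10Z host=web02 event=auth_fail user=svc_scan src=10.0.0.5
2022-09-29T10:03:15Z host=web02 event=auth_fail user=svc_scan src=10.0.0.5
2022-09-29T10:03:20Z host=web02 event=auth_fail user=svc_scan src=10.0.0.5
this line is malformed and must be skipped by the parser
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

# Tuning state: a source proven to be a false positive for the brute-force
# rule (a hypothetical authorised vulnerability scanner) and the log
# sources the SIEM expects to hear from.
TUNING_EXCEPTIONS = frozenset({"10.0.0.5"})
EXPECTED_HOSTS = ("web01", "web02", "vpn01")
REPORT_TIME = datetime(2022, 9, 29, 10, 5)  # "now" for the health check

@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    event: str
    user: str
    src: str

def parse_logs(text):
    """Parse key=value lines into Events; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(Event(ts, m["host"], m["event"], m["user"], m["src"]))
    return events

def brute_force_rule(events, threshold=5, window=timedelta(minutes=5),
                     exceptions=frozenset()):
    """Alert when one source logs >= threshold auth_fail events inside
    `window`; sources in `exceptions` (the rule's tuning) never alert."""
    by_src = defaultdict(list)
    for e in events:
        if e.event == "auth_fail" and e.src not in exceptions:
            by_src[e.src].append(e.ts)
    alerts = []
    for src, times in by_src.items():
        times.sort()
        left, peak = 0, 0
        for right, t in enumerate(times):
            while t - times[left] > window:  # slide the window start forward
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            alerts.append({"rule": "brute_force", "src": src, "count": peak,
                           "first": times[0], "last": times[-1]})
    return sorted(alerts, key=lambda a: a["src"])

def source_health(events, expected_hosts, now, max_silence=timedelta(minutes=30)):
    """Dashboard-style health metric: flag expected log sources that have
    been silent for longer than `max_silence`."""
    last_seen = {}
    for e in events:
        if e.host not in last_seen or e.ts > last_seen[e.host]:
            last_seen[e.host] = e.ts
    return {h: ("OK" if h in last_seen and now - last_seen[h] <= max_silence
                else "SILENT") for h in expected_hosts}

def run_example():
    """Run the rule before and after tuning, plus the health check."""
    events = parse_logs(SAMPLE_LOGS)
    return {"events": len(events),
            "untuned": brute_force_rule(events),
            "tuned": brute_force_rule(events, exceptions=TUNING_EXCEPTIONS),
            "health": source_health(events, EXPECTED_HOSTS, REPORT_TIME)}

if __name__ == "__main__":
    for name, value in run_example().items():
        print(name, value)
```

Running it shows the brute-force rule firing on both the external source and the scanner before tuning, on the external source only once the scanner is in the exception set, and the health check flagging vpn01 as silent. Tuning by a named exception set has a side benefit: the exceptions are themselves a list to review, so a source that stops being a scanner does not stay excluded forever.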

Ready for a Security Incident?


There is a lot to think about during the implementation of a SIEM, and many mistakes that can be made along the way. Hopefully this article has given you something to think about when it comes to your next SIEM implementation.

Is there anything that you think I have missed? Let me know in the comments. Good luck with your SIEM implementation!

]]>
<![CDATA[Growing a new website...]]>https://www.adrenalan.com/a-new-website/62f5c199c24dae03ce3b0c86Mon, 27 Aug 2018 10:48:42 GMT

Welcome to the new Adrenalan website. It was definitely time to get a coffee and grow a new home for our web based content! And just like the three seedlings in the image, I aim to grow Adrenalan around the "three I's" - information, identity and intent.

(Note: I aim to provide credit and citation/links wherever possible... to that end - cover photo credit for this post is by Daniel Hjalmarsson via Unsplash. The espresso shot below is my own.)

Growing a new website...
Time for this website to wake up and smell the coffee...

This website is about providing a view on what Adrenalan does (consulting and advisory) but also serving as a publishing platform for content, mostly in the subject area of information security and privacy as it relates to the organisations and businesses of today.

]]>
<![CDATA[The Problem is already knowing the Answer]]>https://www.adrenalan.com/the-problem-is-already-knowing-the-answer/62f5c199c24dae03ce3b0c81Tue, 28 Mar 2017 05:43:00 GMT

Personally, I’ve found that one of the more annoying issues in the advisory and consultancy field is when Consultants listen to a Client’s problem and already know the Answer. And by ‘Answer’ (big ‘A’) I mean that the Consultants already have a pre-packaged, templated and ready-to-go piece of work that the Client will receive. The Answer is almost a product in its own right – it may even have a product code in the Consultancy’s billing/profit-tracking system!

The Client will not necessarily know that they’re getting a pre-everythinged Answer – they may even have been told that everything “is bespoke” or “custom made for you” and it will still take time and lots of money to deliver (because it is “tailor made”).

Essentially, the thought process of a pre-canned Answer coming from a Consultancy is like the following sketch... plus or minus a little ‘sprinkle’ of customisation (or copying/combining from other Answers).

The Problem is already knowing the Answer
...tell-tale signs... the most senior Consultant only talking to the most senior Client Stakeholders...

Some tell-tale signs of a pre-canned Answer are when the delivery follows a delivery pattern similar to the following:

  • The most senior Consultant (often Partner/Director level) initially spends maybe 60-80% of their available time onsite, usually only talking to the most senior Client stakeholders available (C-level or reporting directly to C-level). This often shows that the Consultant is most interested in relationship building and not discovering the actual problem or the Client’s needs. Soon this senior Consultant begins to match their visits with the senior stakeholder’s schedule and is rarely seen otherwise.
  • A team of ‘senior juniors’ shows up (aka the ‘worker bees’), dealing with the daily work cycle. As the delivery carries on (assuming it takes more than a few weeks) the level of seniority of worker-bees drops and there is a noticeable increase of ‘on-the-job training’ of newer junior worker-bees.
  • Some of the more senior worker bees have made good relationships with their Client-side peers and will be actively taking over duties from the most senior Consultant wherever possible.
  • The most senior Consultant will be ‘visible’ only to their Client stakeholders; only appearing otherwise if there are delivery issues.

Note that nothing in the above list indicates the Client will not receive what they signed up for – they will most probably receive exactly that! - but is it what they actually need?

...the Consultancy will have templated output that simply needs input...

Unless the Client is a ‘first’ for a particular job style (which means you’re on the bleeding edge of whatever you’re trying to do – a different topic for discussion), the Client has signed up to receive a copy of something the Consultancy has previously delivered (and they’re now making “money for old rope”). Typically, the Consultancy will have templated output that simply needs input gathered from the Client and massaged into the right format to fit the output template.

Hence, the worker-bees (the junior staff) are tasked with gathering all the input and getting it massaged/sorted/aligned/etc for the templates. And there the Client gets their Answer; the Answer the leading Consultant imagined when they first listened to the Client recount their problem...

My biggest issue... without rigour of process... no scientific method was used

So, what’s the issue with this? Let’s go with a little list:

  • Unless the Client’s problem is exactly what the Consultant thought they heard in the initial conversation, the Client is getting something that is not fully aligned with their problem. It might be close… and then again it might only look close.
  • The Client is paying for what they may believe is a ‘custom’ solution to their problem. What they’re actually getting is a complex copy and paste. There are a bunch of junior Consultancy staff collecting what they honestly believe to be the correct data, for a templated solution they were not part of generating.
  • But my biggest issue with this is that usually a single person has made up their mind on what the problem is (sometimes even before talking to them) without any rigour of process; i.e. no scientific method was used, or even abused, in the making of the Client’s Answer!

To be clear:

  • Not every Consultancy does this; I have seen and worked with some great Consultants who will see an answer up front but will strive hard to ensure it is the right one for the Client. Bi-directional transparency between Consultancy and Client can help alleviate this issue.
  • Onsite/on-the-job training is a good thing, when it doesn’t detract from the outcome for the client.
  • Templates, blueprints and frameworks - when used correctly (i.e. for modular components of the complete final answer or when developing internal-use blueprints for a client’s deployment) are a good thing. However, when used in what is often termed ‘cookie cutter style’ on multiple client accounts they are, at best, providing the client with a thin veneer of customisation on top of a commoditised solution.
  • At the highest level, the answer to the Client’s problem should always directly match their needs and be traceable to those needs. At a lower level, templates / blueprints / frameworks are all good at maintaining a level of quality for the solution delivery.

As the client, how do you avoid being sold a pre-canned answer? And do you need to avoid it at all?

(Let’s go with an IF … THEN … ELSE style for my answer.)

IF

  • First, is a pre-canned answer acceptable to your needs? At a technological level, this is what most cloud offerings deliver, after all – Commercial Off The Shelf (COTS) is a key point procurement departments everywhere are looking for (for the right or wrong reasons is a different discussion).

THEN

  • If you’re happy that your combined people, process and technology needs can be met with a minimally customised commodity Answer then go for it – just be fully aware of what you’re asking for and any short and longer term pitfalls.

ELSE

  • Be a little suspicious (but not paranoid) if the initial discussion results in an ‘answer’ too quickly; this could indicate the Consultancy is using a pre-canned response.
  • Ask about method, about the process the Consultancy will use to arrive at your answer; know how your actual answer will be determined.
  • Have a procurement method that allows for some flexibility between phases and milestones. For example, the classic planning-discovery-analysis-delivery doesn’t necessarily allow for re-planning pending the output of discovery; a more agile approach, with fixed constraints (time, budget, quality), can allow for the output to self-align without requiring a full ‘go/no-go’ decision and a full project reset.

END IF

Consider using a Trusted Advisor to help define your problem and needs... choose someone who has nothing directly to gain from any solution

Lastly, if you’re a Client, consider using a Trusted Advisor to help define your problem and, more specifically, your needs. Choose someone who has nothing directly to gain from any solution to your problem other than having performed their job well. In the context of this article, I’d suggest a good Advisor would help you define your problem in the context of your business outcomes and help define SMART project outcomes that Consultancy could use to define their answer to your problem.

Remember, one size doesn't fit all

Maybe your problem definition should look a little more like the following… remembering one size doesn’t fit all!

The Problem is already knowing the Answer

As always, I’m happy to discuss… whether you’re Client-side or in a Consultancy/Advisory, please get in touch.

Some follow-up questions for you:

  • Have you seen pre-canned Answers delivered like this before?
  • If so, has it worked well for you or not, from the win-win viewpoint (i.e. both the Consultancy and Client got what they needed)?

(I originally posted this story as a LinkedIn article, 28-Mar-2017 - ).

]]>
<![CDATA[Unhappy at work? What’s your 3+1?]]>https://www.adrenalan.com/unhappy-at-work-whats-your-3-1/62f5c199c24dae03ce3b0c82Tue, 21 Mar 2017 05:47:00 GMT

I’ve been around a lot of different projects, work sites and employer types… and I’ve spoken to even more people, at all levels of business, about what they like, and do not like, in their working lives. And it boils down to three basic factors and one amplifying factor.

Money. This factor is a pretty easy one to explain – how much you’re paid for what you do. There is a threshold to this factor though – the amount you need to survive, i.e. costs for food, clothing, shelter, health, education, etc. Below this threshold, increasing your income is your primary driving factor - not much else matters except survival. However, once you’re happily above the threshold amount, deciding whether to move job is more about the other two factors than just money.

Interest. What interests you? Are you a process person who enjoys running a business or system? Or are you a thinker – good at finding and solving problems? Love reading and research? Everyone’s interests are different and you need to know yours, as they are important in how you successfully grow your career, as well as which interests enrich your non- or semi-work life.

So, the initial two factors above are pretty straightforward and unique to each person. Keep in mind that both will wane over time – what is interesting to you now will be boring if you’re doing it every day for the next year; and if you’re paid the same money for the next five years it will no longer feel of the same value to you. Both money and interest are positive factors… so what’s the negative that balances this out?

Bullshit. Each one of us has a measure of what we internally class as the ‘BS’ of the job; it’s the negative influence. It could be filling in those time-recording sheets on three different systems, all in triplicate; or it could be dodging the office politics. Everyone’s BS factor is different – and one person’s BS may be another’s interest!

How do these three factors fit together? Imagine that the money, interest and bullshit factors are represented by three pillars holding up a large plate, with a ball (representing your work-happiness) rolling around on top of the plate. If the three pillars are balanced and even, the ball can continue to roll around on the plate and all is well. If the factors are skewed, the ball will roll off the plate… and you’re unhappy at work and probably looking for another job.

There is one more factor (the “+1” in the title) that I need to mention - I call it the GAS factor. It’s your drive, your enthusiasm… it’s the 'gas' you have in your tank, your fuel to get things done. Your GAS is comprised of all the little things that influence you on a daily basis. E.g. how tired you are, how your kids are behaving, are you getting on well with your partner, are you eating well and feeling good about yourself… the list goes on.

Have you ever noticed that if you’ve ‘had enough’ of any one thing (maybe you’re feeling really unfit and getting up in the mornings for the commute is a chore?) the money you’re being paid doesn’t feel as ‘good’ as it did, or the really interesting thing you’re working on has suddenly lost its shine… this is how the GAS factor influences the other factors – it’s an amplifier of the positive or the negative depending on how you feel.

If you’re low on GAS, the money and interest factors seem less and the bullshit seems smellier. But if you’re rested, happy at home and all is good (your GAS is high)… then the BS feels like less, the money is good-enough and the interesting stuff is satisfying.

It’s not actually mathematical but you could visualise the 3+1 as follows:

(Money + Interest - Bullshit) * GAS

Isn’t this a bit of an over-simplification? Yes, I guess it is. But show me something that doesn’t fit into these factors and is a significant influence on you? I’d be happy to hear it (honestly!) as all the people I’ve discussed the 3+1 with over the years haven’t been able to come up with anything that doesn’t fit.

What makes up your 3+1 ?

Here’s a quick action plan for you. Whether you’re happy at work or not, start noting down what makes up your 3+1. Consciousness about what makes up your factors will help you when the time comes to make the next choice. With your cool-headed knowledge of what makes you tick, you can face the uncertainty of work changes with the certainty of knowing yourself and what will suit you best.

Employers: What are your employees' 3+1?

Finally, if you’re an employer the 3+1 is even more important to understand. What makes up your employees' 3+1? If you’re advertising for a vacancy in your organisation, don’t just think about the skills needed but what it offers people. If a prospective employee evaluates a position you’re offering, what do you want them to be motivated about? What will make them apply? What will you offer once the initial interest has become routine? (Tip: if it’s just the money you think they’ll go for, they’ll leave once the money isn’t their motivator anymore or if someone offers them a bit more money.)

The 3+1 may be a bit of an over-simplification of the complexities of the mix of working and life but I hope my 3+1 helps clarify your thinking a little and assists with your next career decision.

Some footnotes:

  • ‘Bullshit’ - I’ve tried hard to find another word for this factor and have discussed it far and wide… but ‘bullshit’ still seems to describe it best! I’m open to better suggestions.
  • GAS: You could also think of this as your Give-A-S*** factor. Same end result.
  • Originally, I had just the 3 factors. These factors kept things nice and simple, and everything ‘work’ fit into the 3. This was until a few years ago, when I realised the importance and unconscious influence the rest of your life has on the working part of your life, which actually takes up most of your time. You can’t separate work and 'the rest', despite all the ‘work-life balance’ thoughts that seem to suggest there can be a clear separation. Your brain is a singular whole – you can’t ask it to simply switch on/off the work/home parts. Hence, the 3 factors became the 3+1.
]]>