It's Not All About Technology: Leading Human And Business Aspects Of Digital Transformation

November 17, 2021 00:53:27
I See What You Mean


Show Notes

Take cybersecurity, for example. It's natural to think your IT shop is responsible for it because it is. It's less common to think you're responsible for it, but you are. Every time you log on to your work computer you're practicing cyber hygiene, or you're not. In this episode, Ret. Rear Admiral Danelle Barrett talks about how she led large-scale change which depended on people changing behavior, and how she got people on the same page to do it. Here's where I had some of my own ahh-ha! moments:

4:38 - Conventional cyber training isn't as effective as it needs to be because it's disconnected from what people do in their jobs. 

11:06 - Where we talk about what it takes to think differently to behave differently, by talking in terms of an organization's "no-fail" mission.

18:39 - When you present a problem that makes people feel helpless, that doesn't help you solve the problem. 

25:22 - Talking about risks in specific operational terms helps people understand what cybersecurity risk means to them.

31:36 - Where we talk about what it means to embrace change.

38:47 - How Danelle sees and works the adoption curve in a large organization like the Navy.

45:29 - Change is overwhelming and leaders need to take change management on, directly.


Episode Transcript

Speaker 1 00:00:07 Welcome to I See What You Mean, a podcast about how people get on the same page, or don't, or perhaps should. Today my guest is Danelle Barrett. Danelle is an independent director on several corporate boards. She's also a retired Rear Admiral with 30 years' service in digital transformation, cybersecurity, and telecommunications. Danelle, welcome to the show.

Speaker 2 00:00:28 Hey, thank you very much for having me. It's an honor to be

Speaker 1 00:00:30 Here. Thanks. I'm looking forward to our conversation. Why don't you give listeners a short bio about yourself?

Speaker 2 00:00:38 Yeah. Um, so I was fortunate enough, privileged enough to serve in the Navy for 30 years, which I really enjoyed. I, uh, joined out of ROTC at Boston University and then went straight into the Navy and spent 30 years. Um, over the course of that time, I did, uh, a lot of started in, uh, communications radio-frequency communication space and then did a more towards the end of my career, uh, the last 10 years or so, a lot of cyber offensive, defensive operations and cybersecurity and digital modernization. So it kind of spans the gamut of what we used to think of and like IT, and in communications and things like that. And then, um, after I got out of the Navy, uh, almost two years ago now, um, I actually two years ago, today is a good day. So my Navy retirement birthday.

Speaker 1 00:01:23 Right.

Speaker 2 00:01:25 And thank you. And, uh, so, uh, since then I felt like you said, I mentioned, like you mentioned, I've been on, on several corporate boards and advisory boards. And then I, um, I published a book called Rock the Boat this summer and I, uh, uh, have a consulting business and for fun, I am an extra in movies. So there you go. I just keep kind of busy with a bunch of stuff

Speaker 1 00:01:43 You do. So what's it mean to be on the same page in some of those areas? Let's pick cybersecurity if you want.

Speaker 2 00:01:50 Yeah, let's see.
Let's talk about cybersecurity that in that context, absolutely. Because, um, you definitely, your organization definitely needs to be on the same page. And honestly, it's throughout the whole nation. I mean, the cybersecurity is a national security concern, not just to, you know what I mean for everybody, whether you're in business and you're worried about ransomware or you're at home, and you're worried about somebody stealing your digital identity or your profile or your data misusing your data or your people are trying to influence you. Like we saw on the elections. I mean the digital world has so many opportunities, but also has so much risk. And so you just need to be savvy about that. And being on the same page means that people have sort of a basic understanding of what it means to have good, for example, cyber hygiene, you know, how do you protect yourself from those bad guys as best you can and how do you protect your information and you know, how are we even teaching kids in school? You know, we used to teach like home economics and math and everything else. Well, where's our cyber hygiene class from day one? I mean, yes, sure, kids are smart enough to use their thumbs and text a lot, but that doesn't mean they're cyber smart. Right? So let's repeat some cyber responsibility. Like you said, it's an all hands effort, um, in every industry and throughout

Speaker 1 00:02:58 Life, it seems to me that the concerns like that at one time, not very many years ago, were

Speaker 2 00:03:04 The responsibility of somebody with a technical job responsibility, technical background, put a tinfoil hat. Absolutely. We call them the dolphin speakers.

Speaker 1 00:03:18 Well, but then it then because of the opportunities for bad guys to do things on, uh, in the cyber world, I think, I think the responsibility grew from the, from the IT department or a cyber operations department to maybe more management.
And now what you just said, I think means it's really everyone's individual responsibility, whether you're at home or at work. I mean, now it's now it's just out there like driving safely or crossing the street safely.

Speaker 2 00:03:46 Right. And think about how lines were blurred during COVID where, well, what is working? What is home now? You know, 60% of our workforce now was working from home and probably a good portion of that still continues to, or we'll have the opportunity continue to, so, yeah, so that you're right. It's just like, you know, what are the, what are the rules of the road in a car? What are the rules of the road in cyber and how do I follow those? And, but some of that is a lot of that's education too. I mean, you know, when you drive a car, you get taught how to drive a car or you take a driver's ed course or something, you have to pass a test. I mean, there's no cyber test about how to protect your data. Maybe there should be for folks, you know, before you get your driver's license, you also have to get your cyber card or something too. You know what I mean?

Speaker 1 00:04:23 Yeah. Well, you mentioned education a couple of times and, and so tell me a little bit about just generally education in organizations. I think education in organizations seems to mostly occur after an event.

Speaker 2 00:04:38 Yeah. Unfortunately I think that is true. What you'll probably see is like in a lot of organizations, they'll give you maybe a little intro to their IT policy, right? Like, oh, don't use their IT to gamble and surf porn and do bad things on the internet and that kind of thing. And, or, you know, don't misuse. If we give you a go a computer or something, don't misuse that. Right.
Um, and so, and then after your initial introduction or your initial, um, uh, indoctrination, uh, you might get like a, a monthly cyber awareness, Hey, don't click on phishing emails or something like that, but it's not really, it's not a couple little reminders or maybe like October with cybersecurity month awareness month. You might get a little more during that month, but you know, it's not like it's integrated with other trainings. So like for example, say you go for your human resource training on, you know, your appraisal system. Well, they could also build in some cybersecurity elements of that. Oh, by the way, when you're doing your appraisal, make sure you're protecting your data by encrypting it, or, you know, whatever, you know, there's ways to build it in. So it's integrated and not necessarily called out, but just becomes a part of everything that we do and there's ways to do that. But a lot of companies aren't there yet

Speaker 1 00:05:48 More companies are more aware because of the shocking, uh, effects of, uh, as we learn, as we learn through the news, what cyber attacks are all about, whether they're stealing data or like you said, influencing algorithms, right? It creates maybe it's making more people think, geez, what's this mean in my organization? Or what's this mean in my home? And certainly anyone who's had their identity stolen is thinking about what it means in their home. But we're talking about, we're talking about a tough thing here at the ed at the end of the education trailer journey is behavior change.

Speaker 2 00:06:26 Yeah, absolutely.

Speaker 1 00:06:27 Which we know, go ahead.

Speaker 2 00:06:30 I mean, seriously, that's a tough thing. Cause when you think about it, it's not behavior change for just one group it's behavior change across a diverse group of generational gaps. So you have IT comfortability generational gaps, you have cultural generational gaps.
You have all sorts of diversity issues that come into how people operate and we just work and interact with others. And now you add that cyber element too. And the risks that companies face, I mean, you know, there was a survey last week that came out that, uh, or a, you know, um, uh, results of a survey that came out last week and they were talking about, uh, 300, um, companies, they talked to an 83 of them had paid a 3% had paid ransomware or yeah. And 72% of those had actually increased their budget after that, because of that. So companies are seeing the result of that in a lot of those ransomware attacks, uh, start with an employee, clicking on a link or a PDF file, for example, and it opens up and it executes some bad code in their computer.

Speaker 2 00:07:34 And then all of a sudden they get into your computer, which you don't even know about half the time and most of the time. And then they get from there and they jumped from somebody or somewhere else on the network where they can kind of escalate privileges and do other bad things. And so it's so important for everybody to understand, you know, the financial, the reputational impact of all those things. I mean, of those companies 41%, or excuse me, 42% of those said they had lost business because of that. I mean, that's, yeah, that's huge. And so, um, you know, people just need to understand that this could be existential for some of their companies if they aren't participating and doing it right. You know what I mean? And so, um, it's, this is not fun and games and, uh, it's interesting. Um, the threats are getting worse and worse.

Speaker 2 00:08:20 I mean, not just from nation states, you know, as a nation, from a cyber perspective, we're most worried about China, Russia, North Korea and Iran. Um, and there's other players too, but those are kind of your bad boys in the neighborhood, right?
And then, then you worry about all sorts of, you know, the, the craziness out there, you know, ISIS threats and all that. But, but, but what we're seeing increasingly what we're most worried about and that most companies see is ransomware attacks from cyber criminals, because it's become so easy. I mean, I can download a password cracking software on the internet, on the dark web for about $2 and 50 cents for a whole hacking manual for $9. Wow. And they're increasingly, you know, and it's so funny because there a lot of, um, there's, uh, hackers now who are doing ransomware as a service, you know, so they'll like break in for you and then charge you to get, give you the access, but they're doing it just like a company might like software as a service or infrastructure as a service.

Speaker 2 00:09:14 So these guys are creative and they're in, they're out there and into every employee, like you said, it has to be every training opportunity, every opportunity to reinforce good cybersecurity, good cyber hygiene at the lowest level, and then protect your networks. So we, as an industry, we're moving to a zero trust environment where nobody's trusted on the network. So all those kind of technologies revolved around looking at the person and what they're having access to. So if you think about it, like we used to protect our networks, like if you were in a castle and there was a moat around the castle and the moat protected you. Right? So in, in the past, we used to have like firewalls and all this kind of stuff, which we still do. But now we're more interested in the guy walking in and out of the castle with a backpack on that's where you, you know, you check the backpack to check the person. Okay. He can come in. Right. So now we're doing that more with cybersecurity. That's sort of the framework that reason everybody's adopting, it's called zero trust where you don't trust anybody and you, you check what everybody is doing on the network, as well as your, your moat.
If you will

Speaker 1 00:10:13 Assume that they're inside the network.

Speaker 2 00:10:15 Yeah. You do have to assume an inside threat. And at all times honestly, and behave as if someone may be already in there, because if they're really sophisticated, they will be in there and you won't even know it. So that's the concern.

Speaker 1 00:10:28 So clearly this is a, this is a cause for some technical solutions, which is part what you were just describing. But, but it really, the front lines are really in one, one, frontline is with people which we would, we said every employee, right? You, you, you, you click on something in an email that you shouldn't have clicked on and you might not know that you shouldn't have that. That's just the start of something. And, and the work from home of the last cup of last year or so, which, which continues in many organizations, I think probably gave a lot of CIOs and CTOs and cyber officers heart attacks because

Speaker 2 00:11:05 Geez,

Speaker 1 00:11:06 You know, now everybody's coming in through their own internet, their own, you know, internet connection to, uh, to their, to their, from their provider. And yes, you're going to get into the network of the D of the organization. But now, now the entry points are all, or many were entry points were outside the organism, uh, the network, right? Not, not, not going to an office and you're inside the network, right? So if we're not on the same page and we have a moment where we have an, we have an aha moment and we realize something and get on the same page. I won't, I'm always, I'm fascinated by that perspective shift. So I think one way to get a perspective shift in employees to help people think differently and therefore behave differently is if you've been attacked, if there's been an event that just wakes everybody up and you look at something with new eyes and you re you considered a new way. Short of that, what, what did you do that was effect you found effective?
Speaker 2 00:12:06 Well, in cyber, what you need to do is make it relatable to them. So you have to talk to the audience. So for example, if it's a finance company or whatever, you have to show them like the impact, like we just talked about ransomware, okay. It's not just the, like you said, also the CIO or the chief technology officer, chief information officer's responsibility to the chief information security officer's responsibility in the C-suite, it's the chief financial officer, the chief risk officer, the chief operations officer, right? Because it's their business. That's going to be impacted if there's a cyber incident. I mean, people don't do things, you know, do cyber attacks for cyber tech sake. They do it cause they want to make money and bring your business down, right. Or in the military, they want to stop your operations for something, you know, prevent you from doing something, deny you access to something.

Speaker 2 00:12:51 And so you have to make sure that when you're talking about cyber, it's integrated on the operational side of whatever it is you're doing again, whether it's the military or the business of your business in a commercial world. And so you have to say in term, you talked to them in terms of the risk to their opportunity to con to complete their no fail missions in air quotes, right? So each organization has a mission that can't fail. If you're Levi's it's making jeans, if you're Walmart, it's selling whatever they're selling, you know, in their stores, right. If you're in the military, it's, you know, executing your next ballistic missile, defense operation or whatever. Right. But that's your no-fail mission. That is the mission can cannot fail. And so every organization needs to take a hard look at what is their no fail mission and then pull the string back about, okay, what are the things that we do to support that?

Speaker 2 00:13:38 What are the systems that we use? Where's the data coming from? How is it protected?
Who has access to it? How are those people checked and vetted and given appropriate levels of access to information or systems. And, and, you know, and again, like you, we talked about that could be in a COVID environment, working from home or working from a building, what are the additional protections you may need in place to protect the employee as they work from home, doing those missions. Right? And so you really have to pull understand what that whole framework is within the context of your organization, and then build in some resiliency and backup. And some of the resiliency, like we talked about, it's going to be technology solutions. Like we say, firewalls and software on your computer that looks for viruses or things like that. And then you're going to need way more sophisticated things, um, on the network and other places to help. And then you're gonna need process and people. So processes, what, you know, how do people get access? Who approves it? You know, why, why do they have that access? And then technically, you know, then give them some sort of little tokens or software that allows them to do that securely or encrypt their data. And you have to make it easy if you make cybersecurity hard for nobody going to do it. Right. So you got to make this like Coco, the monkey could do it. You know what I mean?

Speaker 1 00:14:55 Well, I liked what you said there. So you went through a set of things and I think all the important when you began with, um, what I jotted down as you were speaking was taught, you have to talk to people in terms about what matters to them and, and, and that's an option. So that's kind of a duh of course, but, but it's easy to overlook that because what that means is very specific terms about what matters to them. That's what you said about the no-fail mission. So you don't talk to 10 organizations in one way, because at that level, there's one message to 10 organizations.
But if you don't make it specific different for, like you said, a financial, um, let's say it's a wealth management company, or like you said, Levi jeans, there's a different articulation of the message. There's a different honing of the message about what will, what matters to them and what will affect, what could hurt you.

Speaker 1 00:16:00 It's the same basic risk. You're going to get attacked plan on getting attacked. People are banging on your network all the time, and someone's going to get in, you can plan on that, right? And the question is how much damage is going to occur and that's, you made a great, you just kind of slipped it in. I want to call it out there. Risk management officer or the risk management team, the risk management operation of an organization, because the question become, if we're going to get hit and we are, if someone's going to get in and they will, or if they come in through one of our people, um, how much gambling gets done. And, and so, you know, again, we can always end up in the conversation going down the road to some technical part of a solution. But I love to think about the conversations that people have in organizations that aren't about the technical things. It's, it's these, it's these chiefs in some manner, VP somebody's PC sitting around a conference table talking about how do we, um, control some amount of harm. And those are business conversations right now. Those aren't cyber conversations.

Speaker 2 00:17:05 That's absolutely right. Cyber is a critical supporting element of it. And it's sometimes the, you can't do it without that, right? So you have to have not just the resiliency or all the preparation then, but the resiliency. So like when you are attacked, how are you going to continue doing their mission?
Are you going to go back to paper or are you going to do alternative alternate systems you can use or alternate locations or people, and what are the, how do you practice those processes so that when you do have to execute them, it's not like the Keystone Cops are just like, oh my God, break out dust off the manual. Let's read up on it. Meanwhile, you're raising money on your business or operations. Aren't happening. If it's in the military,

Speaker 1 00:17:43 If you're thinking about it the right way in an organization, it's a category or a sub category of risk that you should be talking about pretty much all the time. There's risks to your supply chain. There's risks to there's, there's maybe there's risks to your customers have nothing to do with you that you should be thinking about, because if customer is impacted by something that has nothing to do with you, but it affects their buying behavior, it affects you, right? There's all kinds of risks that management in an organism leadership in an organization should be thinking about. And this is one that's emerged over the web, the last 10 or 20 years as really big. Okay. So you put it on the list and you have an ongoing conversation about it. And I think it's smart. I think you'd probably go a long way toward getting people on the same page. If you flip this into a business conversation a little bit away from the technical conversation,

Speaker 2 00:18:39 Right? Because when you think about it too, the technical conversation can get really intimidating for folks and scary and depressing, and you feel like, oh my God, you just feel like you can't do anything. And so when you present a problem to people, which, for which they feel helpless, it doesn't help. Right?
And so if you put it in a context, like we talked about that is operationally, that that shows them operations in the context of why it matters and what they needed, and then be specific about what they can do to help, you know, what are those good cyber hygiene procedures that they can do to prevent somebody from getting in? And then once they are in, you know, walking them through the drill of what is our resiliency, how are we going to do, uh, continue our business. If we do get like, hacked on something or get some malware or ransomware or whatever it happens to be, and, and, you know, walk them through the process. So they feel comfortable about their role and what they would individually execute, um, and do in support of the organization to continue their no-fail mission should that happen. And if you do that, then people feel like part of the solution, not like they're just some helpless bystander, and they're just going to wait until, you know, the, the ransomware fairy comes in and helps them.

Speaker 1 00:19:46 Right. Or they don't think about it as someone else's responsibility.

Speaker 2 00:19:50 Right. It's an all hands

Speaker 1 00:19:51 Thing. It's easy to do that, man. It's easy to do that. Men. It's kind of a mental accounting. Oh, well, IT does that. I don't have to worry about that.

Speaker 2 00:20:00 Right. So

Speaker 1 00:20:02 Let's just tweak this, how's this conversation going, what are, what are, what are the stumbling blocks to this conversation? What are the enablers to this conversation when you see it work? Well, what happened when you see it fall apart or stall or what, what happened? And you did that probably for most of your careers, a leader in the Navy, you were leading those conversations. What'd you see?

Speaker 2 00:20:27 Yeah. I mean, you know, when you're in a big bureaucracy and the Navy obviously is a big bureaucracy, has there some corporations and stuff.
I mean, you just find that people can be bogged down in some process or something that moves really slow and, and, uh, and IT and internet and technology moves super fast. And so there's that, there's that rub there. Right? Right. So you have to get people to think faster, to move faster too, and not fast in a reckless way, fast in a deliberate way. So you have to get them to think through what their choices are and then understand what their risks are. So you could choose to not do something because it's too costly to your operation. Like if you're in the military, like, Hey, I can't bring that system down to apply security patches because I'm in the middle of an operation.

Speaker 2 00:21:10 Well, someone could hack me during the middle of that operation. Well, okay. That could happen. But you know, you have to kind of weigh which one is worse and which one's more likely to happen. So there's a propellers, they likelihood issue. And then there's a, okay, what would happen if it didn't harm? Right. That's right. That's right. So as, as a manager leader, you have to look at okay, with the operations people and talk to them about, okay, what is the likelihood of this happening? What is the w is this something that we can invest in right now? And then that becomes a CEO, CFO, or chief financial officer, or when the Navy logistics and supply and the money folks. Right. And you ask, you have to kind of determine, can I afford to do whatever that is. The resource sponsors in the Navy. Can I afford to do whatever that is right now? And if I don't do it, what's the risk of not doing it. What's the potential financial or operational impact of not doing it or reputational impact if something happens. So there's all sorts of risks that you have to weigh as a leader and manager.
So you have to understand the whole context of the risk, not just on one little small sliver of your organization, but what's the impact of the whole organization, because a lot of it crosses over horizontally.

Speaker 1 00:22:16 It's a really fair point because there's lots of trade-offs in those decisions that have to be made. Right? I mean, that's what leadership does is make trade offs and decisions all the time. Right?

Speaker 2 00:22:26 It's tough decisions.

Speaker 1 00:22:28 My brother and I, we started a business together a long time ago. And you think you can't afford an attorney. You think you can't afford a, you know, a CFO, well, you can't afford to, uh, to, you can't afford to have an attorney until you can't afford to not have one. You can't afford to have it. Right. So you can't afford to invest in some thing, like we're talking about security until you can't afford not to. And then, you know, if you're cut, cut, you get caught in the wrong place. In that curve. You could already be hurt and be an investing African what's that saying about closing the barn door after the horses have escaped. Right. Right. Okay. So we've talked about putting it in terms that matter to not isn't it business business, right. Aristotle know your audience, business, business terms, operational terms, right.

Speaker 1 00:23:20 We talked about behavior change and some, I wrote down a word and I forget what you said when I wrote it down, nudge. If you've had an event, what follows might be is a, is, is just sort of a disruptive and dislodging, right? Um, if you're, if you're trying to prevent an event and your normal operations today, this week, this month, this quarter, you might be nudging some people along with some of these conversations. And there's a popular book about behavior change called Nudge. That made me think of something. You said something that made me think of, of, of, of nudging.
My, my guess is as a leader in an organization, you need to keep this conversation, quote, unquote, the kind of conversation. And we were talking about going kind of all the time, right? Not constantly, but you can't, this is not something it's not like, you know, we'll do some spring cleaning or some fall cleaning and we're good for six months. You can't think of it that

Speaker 2 00:24:20 Way.

Speaker 1 00:24:22 Episodic is a good word. So those, so keeping this in front of people, nudges, nudges them in the right direction. Did you set as a leader, have you seen, have you recommended as a director or as a consultant ways that breaking this down into some smaller pieces that were more actionable to people that maybe you could measure the results of so that people feel like, like you said, they don't feel helpless. They feel like there's an action they can take that has an, a positive result. How have you seen a huge concept, like cyber security and managing cybersecurity threats, broken down across an organization into some things that were actionable that were planned actions and things that could be measured. So people could report back to you or report back to someone, Hey, we are on this every constantly and here's how we're doing it.

Speaker 2 00:25:22 Yeah. So what I think he needed to do is like, that really goes back to again, the risk decision and the risk discussion, because the risk is different in different parts of the organization. For example, if you work in a medical field and you, you know, all your medical data has additional requirements for HIPAA security and protection of the data. So you may have actually more things that you need to do from a people process and technology side, if you work on the medical administration side than if you're a doctor. Right. And so, um, I think that understanding the context within the organization of what your role is, is really important.
And then what are those things that are related to risk, um, with the IT, or the cyber that you have in your organization? You know, the technology and, you know, what are the measures that you could put into place to protect those things in a preemptive way, and then to respond in a reactive way, should something happen then around those processes, you build, uh, things that you can measure, how well they're doing to execute those processes, whether it's practicing a restorative, the database, for example, if you're a medical illustration database person, you know, practice once a month, restoring your database and getting the data you need or say, it's a, you're, you're the guy, who's the security officer at the building, making sure that your system is properly biometrically, scanning, people who come in and come out, um, or things like that.

Speaker 2 00:26:47 Right. And so there's, there's things that you could actually put into place within even the lowest level. Like we just talked about context of an organization and then at the higher level too, how are they looking at, for example, return on investment on cybersecurity investments, and then communicating that to the board of directors and to shareholders or stakeholders, or in an organization like the Navy to the resource sponsors up at the Pentagon, like, you know, Hey, we, you paid for, or to Congress, how you guys are allocated money for, uh, uh, comply to connect to technologies. And, and here's how we executed that. And here's how we're monitoring that those are working. And here's how we know they're we think we know they're improving the network and with cyber, it's a little bit challenging sometimes because those metrics aren't easy and it's hard to prove a negative.

Speaker 2 00:27:34 It's hard to say, Hey, because I implemented this process or because I implemented this technology, I wasn't hacked. Well, no, maybe they just, weren't interested in you this month. Right. You know what I mean?
Or something else, or maybe it did help, you know, so, and understanding what your baseline is, and being able to, to sense and see what's going on in your network and understand your network and where is there a very nuanced change, something really slight, and what might have caused that, those kinds of, that kind of telemetry or that kind of data that, that you would get about your network and understanding your network. What is normal helps you determine what's not normal, and then you can figure out, okay, well, why was it not normal? Was it because we did this, we didn't do this process we should have, or we didn't invest in this technology. Or somebody did something stupid, had their tongue stuck in the keyboard, who knows what, you know, so you gotta have to peel the onion back that way.

Speaker 1 00:28:24 I like that because if you, if you think about it from, like you said, context within the, of the organization, within the organization, if you are a night watchman and you're, I mean, let's take a physical security example just to illustrate, you're making rounds. And you know that the door in the back corner has been, you know, the lock's not worked right on it for, for, for 60 days. Right. And you've been reporting that and someone was going to change it. You know how things happen in organizations? It's not, it's not, it's not malicious. Somebody put the, didn't put the order in, or somebody put the order in and the part didn't come in, you know what I mean? There's always more to the story, but what it results in is a weakness, a potential point of entry for somebody. So I liked how you broke it down into something that could be done at any, or every level of an organization, that everybody had a piece of.

Speaker 1 00:29:23 And if they take care of their piece, the idea is, we all take care of our piece. Um, and we, and we, and we improve, uh, you know, a security posture by all that collective action.
Or if there's a process to taking care of your piece that involves an investment that the CFO has to make, that they have it right there. Then you have different, the conversation shifts into a different lane or a different level of the organization, but that's appropriate because if what you're saying is we're not getting the database backed up because, fill in the blank, some reason, not enough time, it hangs up and locks up, whatever. Um, well, you know, there's a, there's a cost to that. What's the cause? Is it known? Have we, have we identified it? If we're not acting on it, we haven't identified it, but we, we are now, are we going to act on it? You're just always forcing some other part of the conversation that probably, tell me if I'm wrong, Danelle, probably goes to somebody with somebody else. Like, it's not just me, the database administrator. I need someone else to do something maybe different so I can get my job done. Right. And I keep telling you all that, but it's not happening. Right. Right.

Speaker 2 00:30:33 So a team or horizontal effort in your organization,

Speaker 1 00:30:36 Then you could have chronic, um, situations. I won't call them problems, but chronic situations that could be something breaks down, where an attack enters or, you know, perfect storm, two or three things just come together the wrong way. Right. So, um, let's shift this again. I did a little sneak peek at your book by the way, which sounds really cool. Oh, okay. Uh, yeah, yeah, yeah. I love, I love it. And I like, cause I, I've got a little bit of background in innovation, so I like this embrace change, encourage innovation and be a successful leader. So let's shift this again a little bit. I've done, I've done a lot of work in my own consulting on organizational change management and, and I'm sure that you've had a lifetime full service career full of that, uh, in the service. How do you see it? How do you view change? What's, what's your idea about embrace change?
Speaker 2 00:31:36 Well, I mean, you know, change is going to happen whether you want it or not. Right. So you can either embrace it or you can get drug along behind it, resisting it, but you're going to get there. Right. Um, and so, and the people who embrace it too early can have access. And the people who embrace it too late can have axed. And there's a big crunch in the middle. And that's really kind of like the focus, uh, when changing your big change management efforts. And when you think about the world that we're living in today, it's a world of exponentially accelerating and converging technology, meaning that, you know, there's a lot of cool technologies out there and they're moving at such a rapid, rapid, fast pace that people feel overwhelmed. They feel they can't keep up and they feel like the changes that are affecting their lives are both good and bad.

Speaker 2 00:32:18 So when you think about it, you know, 10 years ago, 15 years ago, nobody had a smartphone in their pocket. Now you can't live without it. Right. I mean, it's a crazy, if you don't have a smartphone you're like from another planet, but when you think about, let's, so let's give the example of three, three hugely transformational technologies: autonomous vehicles. So a vehicle that drives without a driver, right. Uh, electric cars, you know, we've seen those with Tesla and, you know, Toyota, and everybody's making some form of an electric car. Right. And then, um, rideshare like Uber or Lyft, I mean, you know, 10 years ago, it's the only time you ever heard of Uber was if you were German and everything, so fantastic. Right. But now every Uber Lyft on there, that's how you get around. And so think about each of those and how they've radically transformed each of those industries, you know, like, so, you know, self-driving trucks, self-driving cars and autonomous vehicles.

Speaker 2 00:33:09 What about Uber, Lyft? How that's changed the whole taxi industry.
I mean, they used to buy these medallion things that were, you know, worth hundreds of thousands of dollars. Now, nope, nobody cares about that anymore. And all those people had invested a whole infrastructure and those kinds of things in the taxi business. Right. And so when you think about all three of those now converging, those three technologies, now you get huge transformation, right? Now you get, now you get, I walk out of my house in the morning and there's a hovercraft or a PA, you know, something pods sitting in front of my house. And it knows based on my heuristics of what I do every day, that, you know, my patterns, that I'm going to go to work for Pentagon. And so it scans the little RFID tag in my head or my arm.

Speaker 2 00:33:53 When I get in, charges my bank two bucks, takes me to the Pentagon, drops me off and is there to pick me up at night and bring me home. And I don't have to think about it. I don't have to worry about it. Right. And it, and, and so what that means though, is blue, is that kids born today will never learn how to drive a car. They will never own a car. There'll be no Pep Boys or car dealerships or rental car companies that we know today. That's all going to be gone. And within probably five to 10 years. And so that makes people really uncomfortable because they're like, well, I like to drive a car. I want a kid to learn how to drive a car. Right. And you know, what if I need a car, what if there's an apocalypse or every night.

Speaker 2 00:34:29 Right.
But the reality is people probably liked to drive horse and buggies too when Ford mass-produced cars, and you, hey, you can still drive a horse and buggy, people do it all the time, but, hey, not everybody's primary mode of transportation, and nor will the way we do things today be. So when you're looking at change, you have to really look at what is the opportunity there with that convergence, particularly of technologies, not just technologies in and among themselves, like those three pillars we talked about, you converge them. Now you're really being transforming crazy things. Right. And then you look at the risk of not doing it. You know, do you want to be Sears in an Amazon world, right? No. Do you want to be Blockbuster in a Netflix world? No, you don't. So you can lose a huge opportunity too. Or from a military perspective, you know, if everybody's building hypersonics and you're not, yeah. That's a problem, you know?

Speaker 1 00:35:20 So tell me a story. I'm going to ask you this question, this way, everybody in an organization, let's say they've got a job to do. And, and we've got our heads down to do our job. And sometimes we need to pick our heads up. And, but, but let's just say we're focused on a job, the higher up, the higher, higher up you are. And especially in an organization, the more you rely on everybody to get their job done for you to get your job done. Right. And, but the higher up you are in an organization, especially a large organization, the more view of what you just described, you should have, it should be your job to be looking out and seeing those things, right?

Speaker 2 00:35:57 You have some vision for the

Speaker 1 00:35:58 Organization. Exactly. It's not the job of somebody halfway down an org chart or very forward-facing to customers to, to do that. They could do their piece of it.
But it's your job at the, at the top to be seeing these kinds of things and asking the question, what's that mean for us and our mission,

Speaker 2 00:36:16 Right? The strategic vision for it. Right.

Speaker 1 00:36:18 So tell me a story of how, 30 years spans a lot of change in the, in, in, in technology and, and the areas you were in, digital transformation, telecommunications, telecom, cyber, how did you lead conversations that, that accomplished what you were just describing?

Speaker 2 00:36:37 Well, I think you're being very kind and generous in the way you're describing it. I'd be a little more harsh. I would say that there are the evil twins of institutional resistance and institutional, institutional inertia that will try to bring you down at any turn. Right? Um, it's the people who are entrenched in potentially their power base or their authority or their job is revolved around something that's going to disappear. And that just scares the heck out of them. And you want to try to show them that, Hey, be part of the solution, get aboard here, you know, help us be present. You're an expert at this, right. Um, help us get it, get this done. Right. What I tell people in any kind of change management thing, particularly technology, when like we talked about, it is so fast paced. So, so fleeting and, and moving quickly.

Speaker 2 00:37:25 And you know, you're going to make a decision based on, maybe in the past, you could wait until you had a 90% of the solution. You may have 40% of the facts, but you've got to make a decision as a leader and move out and then, you know, monitor closely if you've made a bad decision. Okay. Adjust course. But you can't wring your hands and wire the problem, sit on your duff and wait, you know?
And so what you need to do, I think, in my opinion, is look at those forces of institutional resistance and inertia and say, okay, look it, I'm not going to put all my time after those guys, because what happens is in any big change management effort, like at a strategic level, even at a small level, but at a strategic level, you're going to have 20% of your, your audience or group.

Speaker 2 00:38:04 That's all in. I mean, these guys are liquored up. They're jazzed about it. They're in there doing whatever they can do, evangelism, they're out helping, they're ready to go. Right. They see the benefit. Then you got your bottom dwellers, the 20% that are, you know, uh, just it hardcore resisters. They're gonna make it hard for you on every turn, they're going to build. They're going to seed bad information or, you know, make nefarious moves to make it hard for you to get this done, obstacles, whatever. And then you got your 60% in the middle. And so always tell my people, the folks that I work with in the teams I'm on, Hey, let's focus on that 60% in the middle. Cause they're like, Hey, your idea sounds really good, but I got a little bit of nervousness, but I'm sitting on the fence posts. I'm willing to go with you, but, guys, show me, you know, what's my role.

Speaker 2 00:38:47 How can I help? You know? So that's the, that's where you put your juice. That's where you put your effort. But what I always see is I see a lot of people going after that 20% of the bottom dwellers, they want to convince everybody and get consensus and get everybody aboard. I don't care that everybody's aboard. Right? I don't care about that bottom 20%. The only reason I care about them is if they can go out and cause damage through bad information about what I'm doing. Right? And so you have to kind of know who they're connected with and who they might be, you know, plot, do an evil plots against your with, right.
So we can counter that, but I'll give 'em like usually one or two shots to come aboard. Then I cut them loose in the colder world of wherever they're living and let them be Sears in an Amazon world. Cause they're going to get drug along, whether they like it or not. And if you'd have your team spending a thousand hours trying to convince somebody who will never be convinced, you are wasting time that you could, you could potentially spend on that 60% and get them over.

Speaker 1 00:39:38 That's a great point, folks in the middle of that bell curve, I don't know if it's a skewed curve, but let's just say, it's just a bell curve during the middle and they've got, they could be ambivalent, right? They might, they might see some good things in it, but they've got some questions or some concerns. And they're the ones that are more likely to, if you have a conversation with them, to have their own little aha moment to, oh, okay. That's how you want to address that. Or you're asking me to help solve this particular problem because I, it's, that's our area of expertise. Okay. We can do that. Right. They'd have that conversation and maybe be more likely to engage, engage, uh, as opposed to someone who, because there are some people and there are, there are a minority and you've, you've identified that, there are some people who sort of get their identity from being the naysayer, right. From being right. And, and, and, and, and so they keep nay-saying because that's, that's how they're seen. That's how they're known. That's what they, you know, what, they get some juice from.

Speaker 2 00:40:41 I listen to them too. You have to be careful because they, they have to hear the boss or key influencers.

Speaker 1 00:40:46 Right. And what you're saying is especially true in a larger organization. I mean, I, and on a small team, one time I managed to bring a naysayer on board, but a small team, it was easier to do. Cause I could talk to them right directly.
You can't talk to 20% of a large organization, not really

Speaker 2 00:41:04 Same way, but you can communicate to them through others and make sure you have consistent themes and messages. That's very important. So that your message isn't all over the place. Right? Right. You can communicate through them, to them, through people who, you know, can influence them.

Speaker 1 00:41:19 Yeah. The influencers is a great point. And then one of the questions I always think about is what you do when someone won't get on the same page and you, you know, you addressed that. You said, you know, you try a couple of times and if you can't, it can be a sinkhole. You can't keep putting time into them or to that part of an organization because you get no return on it. And then you're not using the same amount of time to do something else that you ought to be doing and effort. Uh, so you, you, you make a couple attempts. If they don't get on board, you said you cut them loose in the cold dark world where they're living because the organizations or the environment is going to change no matter what you do and I'm going to what they do. So you're, what you're kind of doing is some tough love, saying fine. You made your choice. The consequences of your decision are, you know, you will con, you will operate in the world that's changing. You're going to see the change and get on board yourself. Or you're not, you're gonna make yourself irrelevant.

Speaker 2 00:42:20 Exactly. Oh, and you know, and that's why you do give them one or two chances and you show them how they can be part of the solution. And if they're not part of the solution, what the alternative is.

Speaker 1 00:42:30 Yeah. That's an important part of the message. What the alternative is. I think sometimes people in organizations see the leader as having made a choice of moving in a direction. You know, you got to go five degrees to the right as something that's, uh, it might be personalized: that's what that leader wants.
That's what Danelle wants. That's what she wants. That's she, that's, that's her thing. But what you're talking about is you're responsible for an organization. You're, you're looking at it in the context of its environment. And, you know, the environment's changing. If you make a decision to take an organization five degrees to the right from where it's going, it's because you think it comes out at a better place at some point in the future. And it's for the better, it's for the, I guess, you know, in the military, you can always talk about it in terms of the mission.

Speaker 1 00:43:21 What's, what's the best for mission achievement, not just now, but in the future, not very far away in the future, because you can't imagine too clearly, but you can, you can think ahead some number of months or quarters or years. That's not that that people can picture. What's the effect of something on the mission. The notion of mission, I think, has become more common and more talked about outside of the military in the last, I don't know, I've not studied it, 10 or 10 or 15 years. It wasn't a word I always heard used outside the military. Military always talked about the mission. Sure. Now I hear that talked about in non-military organizations, and I think it's a great shift. I think it's a great change. Because as you said earlier about the no-fail mission, what is it that we're, cause it makes you hone, it makes you focus your thinking, what is it that we're really about, to circle back to the cyber security? What is it that could really get hurt? Is it our brand? Is it our reputation? Is it our customers? Is that our sales? What are we really about? What are we really protecting? And what is the no-fail mission? There may not be one right answer. And if you're never having that conversation explicitly, you're, you're going with any answer, you know what I mean?

Speaker 2 00:44:37 Right, right. You have to be deliberate.
Speaker 1 00:44:39 If you have that conversation, you're making yourself at least face up to it and potentially be deliberate. That's, I think that's, that's a better, that's a better path to, to, to a successful outcome. And again, whether it's about a cyber risk or some non-cyber risk, because circling back to where we started, it is the responsibility of leadership to be doing risk management, enabling the mission and protecting it from failure at all times, whether you're in the military or you're not, right. Absolutely. Nonprofit running some.

Speaker 2 00:45:12 Yeah. And it's, it's, everybody's, you know, everybody's responsibility, but at the top you own it, right? Yeah,

Speaker 1 00:45:17 Yeah, yeah. Everybody is responsible for a piece of it, but yeah, at the top, you, you really do own it. What else? Anything else you want to talk about and cover? We could just turn to it and, and, and dig in.

Speaker 2 00:45:29 No, I think, you know, your points on change management are important just because, like I said, it's almost overwhelming for people today. So I think hitting that when you, when, when, when it comes out is important, but just because, like I said, people just feel kind of overwhelmed and that's only going to get worse. That technology is only going to be more exponentially changing as you go. So you just have to have people who get comfortable with being uncomfortable in no matter what field they're in and look for opportunities and, and manage risk in a way that's, it's a little more aggressive than they maybe had done in the past, or were comfortable with

Speaker 1 00:46:01 It is overwhelming. It's a good, it's, it's a great observation. It is overwhelming. And in some of the work I've done where I've, was able to, I worked with people in organizations, most of the civilian that were, um, let's say reported up to a senior career official. Okay.
But re, but reported underneath them were people who were really doing the operations of a, of a, of a mission in a Forest Service or in FEMA. Right. And what I saw so often, Danelle, was conditions they worked in, which were pretty antiquated. I knew organizations who were looking to the central office for some support on, uh, some basically what was some data management that they weren't getting. So they, in, in local look and localities and local offices, local places, they made up their own solution to a problem, right. As Oregon people and organizations do

Speaker 2 00:47:07 Fill

Speaker 1 00:47:08 The void. Exactly. And then they learned that what they had done, let's just say it was creating a spreadsheet just to manage some data, had to be FISMA compliant, like what?

Speaker 2 00:47:22 Right. They had no training on it. Right. They just knew they had an operational problem.

Speaker 1 00:47:25 Exactly. In the end, they took the initiative to solve it, which is really what you want from people. But they didn't know that under the definition of FISMA, they, what they had created was, quote, a system. Right. So you see. And so that led to, uh, you know, that led to other consequences and effects down a path that, that a CIO had to take them to, to fix some things. But the organization, I see, I see so many organizations that are, I'm trying to find a different word than broken. It just seems. And I don't know if it really communicates everything I want to communicate, but you know what I, what I noticed, have you ever heard the term?

Speaker 2 00:48:02 It's like the lagging, you know what I mean? And they, they have to become more agile and they, they're so stuck in the way things are, as opposed to like, you know, when you, when you S, when, like, for example, the example you were talking about, those folks, if you look at a problem, you don't start with what you have and tweak what you have. You start with, what is my end state need to look like?
And how do I get there? And you may end up reusing some of your same processes and stuff. But if you tie, try to pave the cow path and jam some new process into some old process you have, you're going to end up like what you talked about with, well, you're not, you know, where's your TSP cover sheet. You're not FISMA compliant. You're not does your ex, well, Hey, maybe those processes don't apply in this world anymore and we need to change those. Maybe that's the problem.

Speaker 1 00:48:46 But these kinds of, these are places where leadership is not having the kind of conversation that you and I are talking about. And, and it makes people feel overwhelmed by the change because lacking

Speaker 2 00:48:59 Should be doing is having that conversation, though, if you're not doing it, that's bad leadership.

Speaker 1 00:49:04 Yeah, you're right. But, but sometimes these are the, like the nuts and bolts, you know, the, the, the nitty gritty of organizational operations that, that, um, I sometimes, I think

Speaker 2 00:49:16 I got it. I got it. But you know what

Speaker 1 00:49:18 Leaders think someone else

Speaker 2 00:49:20 Versus Amazon keep repeating it? No, you're right. Yeah. You can go ahead and be Sears the rest of your time. So you die. Go ahead. So you will die a quick death. You know what I mean?

Speaker 1 00:49:31 You're right. And, you know, in, in, in government, relevance is an important part of any government mission, right? If we've got, if we set up programs, government programs that we're supposed to serve some public policy, and they're either going to remain relevant over time, or they're going to become irrelevant. Right. And, and that's a mission function. That's a mission critical kind of, kind of concept. Are we, are we remaining relevant to our customers? Our customer's lives are changing. Are we tracking that, are we using technology?
Like you just said a second ago, to think ahead to what we want, some, our systems, our operations, our practices to look like and moving, but, but the whole thing is overwhelming to people in the middle of, and down org chart who don't, who really aren't part of a proper conversation. Did you manage to set up like circles or rings or levels of conversations people could have in a big organization? And how did you do that? So that people really were having the right conversation, where they worked. There was part of a bigger conversation that you were having.

Speaker 2 00:50:38 Yeah. So like, again, you find people who have certain roles and moving some and effort forward, and then you have the constant communication with them both top down and across your organization and from the bottom up, frankly, but, you know, feedback wise about how things are going, where you're going, rather checking their behavior, giving them positive or negative feedback, whatever, then they need to hear, you know what I mean? And then making sure things, like, for example, when you have those smaller groups, you can address issues like, Hey, do you have all the resources you need to do that? Cause sometimes that won't bubble up unless you pull that thread back. So you have to ask those kinds of questions and, and, you know, keep people focused on common goals at a high level. And then the specific things that they're doing to support, because some of the things they have to do to support may be serial dependencies where they don't get it done on time, then someone else can't do their job in the organization. So you have to spin a lot of plates

Speaker 1 00:51:30 Very much so. Very much so. One of my favorite management books is titled Know What You Don't Know.

Speaker 2 00:51:37 Oh, that's great. I like

Speaker 1 00:51:38 That. Yeah. I'll send us any of the titles. Um, last name, Roberto. I forget his first name. Uh, yeah. Know What You Don't Know.
Well, you know, this has been fun and I've learned a lot. Thank you.

Speaker 2 00:51:52 Um, thank you very much. It's really been a nice conversation. I appreciate it.

Speaker 1 00:51:55 But on a Monday morning, I'm going to a good start to the week. I'm going to read your book and then have you back, and we'll talk about some more specific things in it. Oh

Speaker 2 00:52:03 Yeah, sure. I mean, it's, it's written to be a light, um, you know, more of a fun read than a lot of leadership books can be, kind of heavy tomes. This has sea stories in it and stories will make you cringe about things that I've done. That I just am trying to tell people, Hey, try to avoid doing this. You'll save yourself some pain.

Speaker 1 00:52:17 Learn from me. That's okay. It's okay. There's a, w, w, we can, all, we can all look at Harvard Business Review and MIT Sloan School and, you know, and, and, and the studies and the case studies, and sometimes those are pretty ponderous. It's nice to, it's nice to read something that is readable and flows, and it kind of grabs you in a different way. So good for you for, for, uh, publishing that

Speaker 2 00:52:42 And no mathematical formulas. I hate management leadership books that have a mathematical formula. So no calculators were broken in the, uh, in the

Speaker 1 00:52:53 Thank you, Danelle. I enjoyed it. Appreciate it very much.

Speaker 2 00:52:57 Okay. Well, thanks to you.

Speaker 1 00:52:59 You bet. Bye-bye. And that's how we see it, my friends. I want to thank Danelle for recording today's episode. You can find it at, I see what you mean dot <inaudible> dot com or any of the places that you usually listen to your podcast. Send questions and suggestions through the app. Subscribe and give me a five star rating unless you can't. And then tell me why and join me next week, when we take another look at how to get on the same page and stay there, unless we shouldn't.
