“Accept Nothing But All 5s” on Customer Satisfaction Survey?

I recently ran into this situation at my truck dealership after a routine maintenance. I got handed a “How did we do?” customer survey. The service technician looked me in the eye and said in all seriousness, “Please give us all 5s on our survey. That scoring affects our salary and employment. Anything less than 5 is considered unacceptable.”

Sadly, this situation happens far too often. And, I would argue, it hurts performance. The wrong thing is being taught and applied here.

My argument is, if your organization’s goal is for a customer to rate you a 5 every time, you’re actually setting your team up to fail to meet impossible goals.  Why?  Because it’ll be biased.  How do I know?  Experience, doing IT Service Management for 30 years.  Let me explain:

Opinion #1. The minimum acceptable metric should be a 3.   “We met the project requirement, and the engagement was good”.  Most vendors should ask for feedback here as 3 is the “met expectations” rating.  Not a bad rating, but ultimately you’re wanting to make investments in training and customer service to drive towards a 4.

Opinion #2. When thinking of goal metrics, a 4 on a 5-point rating system should be the target.  “We exceeded expectations with the project and the engagement was very good.”

Opinion #3. A 5 should be a rare occurrence.  Heroic-level performance.  “We far exceeded expectations with the project and the engagement was amazing”.  If your people do 5-level work, then reward them with a bonus and recognition when it happens.  5s should only be handed out when the team is being exceptional.  Handing out 5s every day diminishes their value.

The way I view CSAT is:

  • 0% = Score 1, Poor  (We failed the customer)
  • 5% = Score 2, Average (We missed the mark, we need to improve)
  • 50% = Score 3, Good (We hit the mark)
  • 40% = Score 4, Very Good (We hit the mark and the customer is very pleased)
  • 5% = Score 5, Excellent (We crushed the mark, the customer loves us, and we are heroes)

If you want people to work harder, incentivize through real feedback and set customers’ expectations appropriately, so you’re driving down the organization’s desire for bias, such as “We need to be all 5s, all the time”.  I have not encountered a system that expects all 5s to actually drive human performance.  Team burnout, frustration, and growing distrust of leadership often accompany these expectations.

Do I have this wrong? Let me know where and how.

\\ JMM

Why Are Some MS SQL DBAs Resistant To RBAC?

A question for education purposes.  Historically, MS SQL DBAs are resistant to RBAC strategies involving integration with Active Directory (AD). In other words, controlling permissions to DBs via AD role-based access control groups is met with considerable resistance by DBAs. And some legacy application owners, to be fair.

Why?

Some context:  Microsoft released a video in 2011 during TechDays outlining an RBAC strategy that has worked in previous organizations, both small and large.  Very popular video.  Once that strategy is decided on, getting the philosophy into practice has not been easy.  It usually starts with the on-staff, seasoned IT pros looking at RBAC with suspicious and doubtful eyes.  “I’ve never done it this way” and “I doubt this will make our jobs any easier”.

Nevertheless, once the concept takes hold, RBAC begins to see fulfillment.  Foremost, adding predetermined resources to roles accelerates onboarding, makes resources easier to audit, and scales elegantly as we grow, because roles are the focus.  Typically, architects and server teams get on board first.  A standard is born and acceleration begins to be felt, including shifting left, where DBAs are doing fewer security permissions requests as those are now handled by the helpdesk.  In the meantime, slowly and begrudgingly, outliers come on board, as this strategy does shift stances from caring for the security of their apps like pets to managing access to resources by role.
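What this looks like on the SQL Server side, as an added example (not from the original post or the Microsoft video): permissions hang off a database role, an AD group is the only member, and the helpdesk manages group membership in AD. The domain `CONTOSO`, the group `SQL-SalesDB-Readers`, the database `SalesDB` and the role `sales_reader` are hypothetical names; the two audit queries at the end list access that bypasses groups.

```sql
-- Hypothetical names throughout: CONTOSO domain, SQL-SalesDB-Readers AD group,
-- SalesDB database, sales_reader role.

-- 1. One server login for the AD group, not one login per person.
USE master;
CREATE LOGIN [CONTOSO\SQL-SalesDB-Readers] FROM WINDOWS;

-- 2. Map the group into the database and attach it to a role.
--    The role carries the permissions; the group carries the people.
USE SalesDB;
CREATE USER [CONTOSO\SQL-SalesDB-Readers]
    FOR LOGIN [CONTOSO\SQL-SalesDB-Readers];
CREATE ROLE sales_reader;
GRANT SELECT ON SCHEMA::dbo TO sales_reader;
ALTER ROLE sales_reader ADD MEMBER [CONTOSO\SQL-SalesDB-Readers];

-- From here on, onboarding a new analyst is an AD group change made by the
-- helpdesk. Nothing in SQL Server has to be touched.

-- 3. Audit: individual accounts that exist in this database and the roles
--    they hold. Under the group-based model this list should be short.
--    type 'S' = SQL user, 'U' = Windows user; 'G' (Windows group) is the
--    desired state and is therefore excluded.
SELECT dp.name      AS principal_name,
       dp.type_desc AS principal_type,
       r.name       AS role_name
FROM sys.database_principals AS dp
LEFT JOIN sys.database_role_members AS rm
       ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = rm.role_principal_id
WHERE dp.type IN ('S', 'U')
  AND dp.principal_id > 4          -- skip dbo, guest, INFORMATION_SCHEMA, sys
ORDER BY dp.name, r.name;

-- 4. Audit: permissions granted or denied directly to an individual account
--    instead of to a role. CONNECT is excluded because every database user
--    receives it when created.
SELECT dp.name      AS principal_name,
       dp.type_desc AS principal_type,
       p.state_desc,
       p.permission_name,
       p.class_desc,
       p.major_id
FROM sys.database_permissions AS p
JOIN sys.database_principals AS dp
  ON dp.principal_id = p.grantee_principal_id
WHERE dp.type IN ('S', 'U')
  AND dp.principal_id > 4
  AND p.permission_name <> 'CONNECT'
ORDER BY dp.name, p.permission_name;
```

Rows returned by queries 3 and 4 are the "pets": access that has to be reviewed account by account rather than by role.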

I posit these reasons, given to me as why DBAs (or application owners) want to go it alone:

5. Microsoft isn’t always right.  “There is more than one way to do it and the “video” isn’t applicable to SQL”.

4. The amount of work to shift to resource-based groups.  “Lots of groups.”

3. The complexity.  “Easier to troubleshoot when I own the DB or application’s security intimately.”

2. Fear of what they don’t understand.  “I’ve never done security permissions like this, so it must be wrong.”

1. Territorial control.  “Don’t touch my DBs”.  Uncomfortable shifting left.

This is very much a pets vs. cattle conversation.  I acknowledge and appreciate SQL must be tweaked and tuned to operate at its best performance.  However, I disagree that treating ‘access control to resources’ like pets accelerates IT service delivery, provides uniform information security governance, and ultimately is healthy for the organization.  Especially as organizations scale.

What is your opinion?

\\ JMM

PS. More and more companies are using automated access control oversight tools such as SailPoint. And at a previous company, guess who fought the hardest against that move? DBAs… Why?

Pro Tips On How To Do Tactical Meetings…

From the mailbag, here is an old email given to team members, old and new, with pro tips for how to approach the Tactical meeting every Monday.

Why?

If you’re curious where this comes from, check out the book Death By Meeting, by Patrick Lencioni.  His suggested meeting structure mentally optimizes and focuses on the tactical subjects of the week.  It’s far too easy to stray into the strategic or get into the weeds, which traditional meetings suffer from.

How?

Here are my tips for team members

1.    Lightning Round – Round table allowing 2 minutes per speaker to give what was accomplished last week and what is on your task list for this week.

The lightning round asks two questions:  What you got accomplished last week and What you have on your plate for this week.

  • Come prepared before the meeting. Don’t muddle through.  It’s obvious when it happens and doesn’t reflect well.
  • Talk about the top 5 or most significant things you accomplished during this round.  Think about your audience and what you would like the team members to know. Especially if it’s project work, client-related work, or tasks of high importance.
  • Don’t waste the teams’ time by telling the teams the obvious things, like “Did my security training” or “Cleaned up my tickets”, or “Went to Team Meeting”. This is what is expected of you.
  • It’s ok to say “Tickets” and/or “BAU” (Business as Usual).  This indicates you were head down focusing on what’s in your queue and don’t have anything of significance to share.

2.    Metrics/KPI Review – 10 minutes to review last week’s SLAs and KPI performance.

The team leaders are responsible for asking team members what is important to measure.  If you’ve been asked to create a slide for KPI review, consider these points:

  • What is your KPI trying to communicate? What is “good” performance?  What is our current performance?  State the “good” on your slide.
  • Avoid busy or cluttered slides. Jamming a bunch of charts and graphs on your slide does not communicate or relay the message well.
  • Don’t “Wing It”.  KPIs are designed to get everyone on the teams aligned, goal in hand, and hitting targets.  If the KPI isn’t relevant to those ends, then skip it.
  • Use KPIs to communicate problems. Got a particular problem you need to communicate but no one is taking notice?  Use KPIs to measure the “bad”.

3.   Adhoc-Agenda – Group comes up with an agenda on the spot based on time remaining.  Keep topics tactically focused.  No strategic discussions during this meeting.

Adhoc is where questions, answers, or announcements that pertain to the coming week are had.  Key goals are ensuring alignment and communication between our two teams!

  • This is not the venue to vent or rail against “something”.  Again, show professionalism by using time wisely and refraining from bloviation and being overly wordy.  Straight, to the point, and informative/questioning.
  • This is not the venue to challenge or have academic debate.  Take those topics offline, if needed.
  • Keep Adhoc discussion focused on items needing to be discussed tactically this week.  Shift “strategic” items somewhere else and talk to your manager about when/where.

Always forward, team!

\\ JMM

Understanding the Why Behind Blocking Social Media

Below is an article I republished to our internal employees via our monthly newsletter, which I felt is very applicable these days. The why is an interesting topic. The opinions of companies operating today on social media in the workplace are truly a mixed bag. Ultimately, it depends on culture. Internet access and social media coupled with privacy data equal a degree of risk. This article highlights the legitimate reasons, where privacy and risk collide.


Data loss (i.e. data exfiltration, data extrusion, data leakage) is the unauthorized transmission of sensitive information from inside a privileged access point. Because it can closely resemble the normal flow of data traffic, it is difficult in practice to detect and therefore right the sinking ship. Traditionally viewed in the context of the network, endpoint or email, data exfiltration can enact huge financial and reputational losses upon victimized organizations and individuals.

Social media is a formidable and porous attack surface due to its sheer size. With ever-increasing volumes of data being poured across different networks on a daily basis, detecting data exfiltration posts can be like finding a needle at the bottom of the ocean. The tides have shifted even for the largest and most talented security teams, as it’s become humanly impossible to navigate through this information to identify harmful threats. Social media poses additional risks that are not typically encountered on traditional points of access like email. From hashtags to mentions to lists, it provides a flood of different ways for users to instantly broadcast data to large global audiences. Social media also lacks any industry security precedent as a platform like email, which has weathered wave after wave of high-profile attack.

It comes as no surprise then that organizations both large and small are woefully unequipped to address data loss prevention when it comes to social media. The security industry readily admits these shortcomings too, with 43% of fraud prevention managers and IT directors recently reporting that employee access to social media websites and services is their biggest obstacle when it comes to data loss prevention.

Fig 1 outlines three different ways that data loss can occur through social media. At a high level from left to right, we identify 1) Inadvertent data loss involving sensitive information posted directly to the social network, 2) The Insider Threat involving a disgruntled employee divulging company secrets through encoded social channel data, and 3) Intentional data exfiltration by bad actors looking to hack into the corporate network and establish Command and Control (C&C) to maintain their data siphon.

Such accidental social media data loss is an all-too-common occurrence for employees who take selfies at the workplace, which may display personally identifiable information (PII) or sensitive organizational information like product roadmaps, architecture diagrams, software stacks or customer information. The cost of social media data loss can multiply when culprits unknowingly violate industry-wide compliance mandates, potentially resulting in hefty financial penalties for the organization in question. Embarrassing moments have affected one of Instagram’s most followed users and the Twitter CFO. Indeed, if one of social media’s own executives isn’t even immune to this risk, this demonstrates the realistic situation every organization faces.

** This article was republished.

\\ JMM

InfraGard: Protected Voices Videos…

The FBI’s volunteer organization InfraGard is a wonderful resource for cyber security.  Connectivity is not just federal, but a community of people who contribute to this group.  Highly recommended.

The FBI released videos on YouTube covering the gamut of security topics.  Although targeted specifically at organizations running political campaigns, much of the content is applicable to any organization.

Protected Voices Video Links

Social Engineering

YouTube: https://www.youtube.com/watch?v=Otf2CHqWcrg

Patching, Firewalls, and Anti-Virus Software

YouTube: https://www.youtube.com/watch?v=EZRaAPLpnOk

Passwords

YouTube: https://www.youtube.com/watch?v=m9YAIrJHQ5A

Information Security (InfoSec)

YouTube: https://www.youtube.com/watch?v=ipTvQ5reUr8

Browser and App Safety

YouTube: https://www.youtube.com/watch?v=pL-Ck2x68Mw

Safer Campaign Communications

YouTube: https://www.youtube.com/watch?v=hlwwI5xwDvQ

Wi-Fi

YouTube: https://www.youtube.com/watch?v=luXZ1hUEKtY

Router Hardening

YouTube: https://www.youtube.com/watch?v=vNOU13WfHaQ

Cloud-Based Services

YouTube: https://www.youtube.com/watch?v=PkHhLeaLGCc

Virtual Private Networks

YouTube: https://www.youtube.com/watch?v=bzD6paYozGI

Have You Been Hacked?

YouTube: https://www.youtube.com/watch?v=TM1Bm8HOdmE

Incident Response

YouTube: https://www.youtube.com/watch?v=NCene65EJww

\\JMM

Does Network Cabling Matter ?

Cabling is important. It needs to be good enough. The problem I have with cabling is that people spend way too much time fussing, fretting and fooling themselves that having nice cabling actually has value.

You should be spending time in meetings, writing scripts or buffing up your excel skills to work out the software subscription licensing costs.

Q. Want your advice on a cabling colour scheme for our new data centre ?
A. I DO NOT CARE. IT JUST HAS TO WORK. NO REALLY. I JUST DONT CARE

From Blog Ethermind, June 2018

I read Greg Ferro. I have read his blog for many years. I feel his pain and acknowledge it.  And, although this argument is well written, it is worthy of comment for those who choose to think different.

You see, I do fall in the camp that cabling is important. It’s representative of many things that exist in Information Technology that are under the covers.  Cabling determines how serious you are, how disciplined your IT show is, and the attention to detail your team has.  Yes, cabling says all that.  And when you invite me over to see your data center, it’s what I am thinking when you show off your hard work.

“Network cabling usually only represents 10% of the total technology spend.” – Bill Atkins, during his time at Panduit

Yet, we run the production IT show on that cabling.

“Sometimes you have to do IT two or three times to get it right.” – Former CTO (Name Withheld)

Ouch.  Doing the same things two or three times is not cost efficient and often indicative of culture.  Did you hire the right people and put them in the right seats?  Did we listen to our wiring experts or follow the misguided advice of “this is how we’ve done it for 20 years”?  Two or three times in the wire business is great for the manufacturer and installer, bad for the organization writing the check.

Why Cabling Should Be Important To IT People

I didn’t say critical.  But there should be a standard to hit, as IT craftsmen.  A guide to follow.  Here are the top 5 things I recommend peers consider when cabling.

#1.  Wiring should be easy to understand.  Color codes and design.  BICSI.  ANSI/TIA/EIA-606-A, Administration Standard for the Telecommunications Infrastructure of Commercial Buildings, or the updated ANSI/TIA/EIA-606-B documents these standards.

#2.  Wiring should be easy to troubleshoot.  As-Builts in all data centers and cable plants.  Consistent labeling throughout the facility.  Velcro over zip-ties.  Basket tray versus cable tray.  Combined wire with slack vs. just letting it hang.

#3.  Quality versus Crap.  Mid-grade wire versus minimally compliant.  Wire for the 20 year plan vs. no plan.  1GB is often plenty.  10GB is overkill if your back end can’t support it.  Think hard about plenum vs. non-plenum.

#4.  Manufacturer and installer proud.  When the manufacturer wants to show your work to their prospects, that’s a good sign they’ve done it right.  Choose certified installers.  Ask the question.  Then choose quality products that align with your team’s standards.

#5.  Wire once.  Your ROI is far better achieved when the installer comes out to do the big job versus coming out multiple times over 2-3 years.  Multiple times often equates to two times the labor cost.  You’re not saving money and the chances of mistakes are actually higher.  Wire once, if at all possible.  And then ask the manufacturer to QA your job during your walk through.

\\ JMM

Why You Are Being Asked To Be in CAB

Today’s blog is from the mailbag of notables.  The context of this email is when I was “leading by walking around” and overhearing a few employees not wanting to go to CAB.  Not wanting is putting it nicely.  CAB is “Change Approval Board”, which is mostly a call to talk about the changes happening to the production environment.

From: Jonathan Merrill
Sent: From My Desk
Subject: Why You Are Being Asked To Be in CAB
Importance: High

Just overheard “Why do I need to be at CAB. I don’t have changes”. Not the first time this has been said. And it’s not unnoticed those team members who don’t show up. Before you say, “busy”, I know everyone is busy. We are all busy. Nevertheless, here is why I encourage you to be at CAB every time:

1. If you do have a change, you need to explain to CAB what the change is, what it will impact, and allow architects and SMEs to chime in. We’ve had one over-ride since we started CAB, which saved us from an embarrassing situation.

2. You listen in on what’s changing in our environment. Operations teams must have the pulse on what’s going on. If you don’t know, how can you react? Putting things together is a skill, just like listening and comprehending. All three should be applied in CAB.

3. Opportunities to sharpen your saw putting in changes. Once we get some consistent muscle memory on non-standard changes, let’s talk about standard changes. Until then, let’s learn from each other and ensure we understand the why about change management. I’ll need your help to train other teams once they get incorporated into our change system.

If you’re working on a critical ticket, production outage in flight, or anything affecting a client’s ability to process, then you’re at least armed with what changed.

If you’re actively engaged in a production issue, clear it with your manager and let him or another team member represent your change in CAB.

Any other reason… eh, no. Knowledge culture, folks. Root word is “Know”. We need you to know. I need you to know. This is the culture we are building. Please participate. Everyone…

\\ JMM

Constraints, Asking for Money, and Kristin Cox…

“Everyone runs to technology for the answer” – Kristin Cox, Executive Director of the Governor’s Office of Management and Budget

I don’t think she meant that in a good way… Maybe if we used our brain versus technology to solve our problems.  Wow!  That’s crazy talk!

Nevertheless, I stumbled across her articles and posts in my LinkedIn thread.  An “Expert at Constraints”, here are the highlights of her video, which I would recommend you go watch:  Kristin Cox’s “How to Ask for Money”.

Four questions:

1. What do you do? What services do I produce?
2. How well do you do that? (Quality – Couple of things: Faster, Outcomes better, etc.)
3. What is your operating expense? (What does it cost to make it)
4. What is my ambitious target? (What % quality do I want? Better Outcomes)
– Get clear on what we are really focused on.

Government is lucky to have her.

\\ JMM

Spinning plates as hard as I can…

Routinely, it’s easy to get into deep water with tickets and projects.  Here is an email exchange between one of my team members, JC Foster, and me.


Jon Foster

Where does this fall on my priority list?

  • Tickets
  • AD Project
  • PBX Project
  • Office 365 Project
  • Visual Studio Project
  • Teams rollout

I am spinning plates as hard as I can here.


Jonathan Merrill

Thank you for asking.  My own list is overwhelming.  The organization is hustling.  Projects are piling up and plates are falling as only so much can be done to keep those spun.  Let me turn you onto a recent EntreLeadership podcast, #263 – Thriving in the Age of Overload.  Skip to Daniel Tardy’s talk about “The Tyranny of the Urgent”.

Questions Needing Answered When Looking At Your Workload

  1. Does it have to be done?  Can we eliminate it?
  2. If I can’t eliminate, can I automate it?  ← This is where I feel the most work needs to be done.
  3. If I can’t automate it, can I delegate it?  Let someone else do it.
  4. If I can’t delegate it, is it urgent?  Is it a fire?
  5. If it is urgent, how do we approach, getting the right people in the room?   Most often, someone’s fire is not a fire to the organization.

Our temptation is that everything on the list is a fire.  We need to prioritize on impact and urgency based on the most impact to the most people.

If you’ve listened to the podcast, tasks (or WIP) should be limited to 3.  So, looking at this list, here is my recommendation where your head should be at:

  1. Tickets – I agree.  Although take care against this taking up 100% of your day.  Handle Critical and Highs only.  Sometimes, that means contacting customers, negotiating and adjusting the criticality.
  2. Visual Studio Project – Most impact.  Most urgent.  Key to our business.
  3. Office 365 Project  – Most impact.  Most urgent.

This is an exercise everyone can do.  And should be aligned to what is on our team Kanban.

\\ JMM

DrawToast – A simple and fun introduction to Systems Thinking…

DrawToast workshops are a great way to get groups to think freshly about mental models. In just 3 minutes, each person sketches a diagram of how to make toast. When comparing diagrams, people are shocked at how diverse the diagrams are, revealing a wide range of models of what’s important in making toast. It’s a great launch pad for drawing out what’s really important to the group.

Link:  www.drawtoast.com

A+

\\ JMM