Tuesday, May 31, 2011

Just Make the Check Out To Anonymous

There has been a rash of sites and applications getting hacked lately, from Sony's PlayStation Network to Lockheed Martin to PBS. The group Anonymous has been linked to several of these incidents. But here is the thing: they aren't trying to get and sell people's credit card information. They are merely working to expose weaknesses and vulnerabilities that some organizations have. By exposing these issues in a very public way they force the organization to get serious about implementing a security program.

I'm not going to go so far as to say that they are performing a service or a public good. By targeting a production system they are causing harm. But these organizations can recover, and in my opinion, that is Anonymous's point. They aren't trying to put Sony out of business; they probably love playing on a PlayStation as much as anyone. Their point, though, is that if Sony is going to operate the PlayStation Network they need to do so in a responsible way.

While Sony, Lockheed Martin and PBS are probably still stinging from the systems that Anonymous brought down, they would have paid big bucks to learn these same lessons in a less public way. In the continuum of hacker ethics, Anonymous is tilted over to the unethical side, but not so far. There are other groups who are working to get data and use that data to do bad things. Anonymous, from my perspective, is only after public embarrassment. It is painful, and nobody wants to live through it, but it is survivable.

Is there a gap in our government? Is Anonymous filling that gap? Maybe. The gap that I'm thinking about is the cop, or maybe a better analogy would be the insurance broker who comes to your store and says, "I see that you are open for business. I'd like to insure your business. Here's the rate per month for your business [really big number], but if you put a lock on that door and secure it when you leave for the night, and get an alarm system and video camera over the cash register I could insure it for this [slightly lower number]."

The problem, or the gap, is that there is no person objectively looking at the risk of online businesses. The Internet has tons of opportunity for people to compete against the giants of the industry on relatively equal footing. But like anything, if you cut corners then sometimes the risk gets you. Could there be some company out there to perform an assessment and tell you what you need to do to harden your defenses? Sure, I'm friends with a lot of those people, but it isn't cheap. Could this be a service from a good insurance company? Yes, that would be the insurance company I would choose. But until the people who comprise Anonymous decide that they want the regular 9-5 lifestyle and lend their considerable skills to the corporate world, we have them as the watchdog of the regular consumer, goading organizations into enacting reasonable security defenses.

Wednesday, May 18, 2011

New FAI Website

The Federal Acquisition Institute Training Application System (FAITAS) website is getting a face-lift and that is a good thing. Don't get me wrong, it wasn't horrible by any stretch of the imagination, or at least much worse is available. The problem is that they really do have a mountain of good content, but it is buried beneath layers of junk. Many of the classes that they offer are free to federal employees. I've taken a few, which is why I'm on their mailing list.

For me, I always had a hard time seeing where FAI stopped and where DAU started. I don't have anything against the DAU content, it's just that some of it was not as relevant to me since I'm not in that space. Anyway, if the FAITAS site is good, I hope that FAI can focus on ACMIS next. The Acquisition Career Management Information System was built just a few years ago, and it is not usable. I don't even bother trying anymore, and my Agency tracks our certifications internally now.

Monday, May 16, 2011

Out and About

There is a great new program at my Agency and I had an opportunity to get in and see it first-hand last week. We call it 'Out and About'. Our version may be new, but it isn't a new concept. The idea is to create situations in which people get to see and experience the good work our programs do for themselves.

I have tried to participate in previous Out and About adventures, but it is really hard to get into one; everyone wants to go and they fill up quickly. So I consider myself lucky to be one of the six people who went on a visit to see the TEFAP program IRL (in real life). We went to the Capital Area Food Bank in DC. It was a good experience for two reasons:
  1. It was great to see the distribution system as USDA foods come in, and then go out into the communities.
  2. It was good to see them in their completely cramped facility. They are packed to the gills in there and moving to a much larger facility in 2012.

Oftentimes people who work in headquarters offices or who perform administrative program support, like IT, become alienated from the good work our programs do every day. TEFAP is a great program that helps countless thousands of people with a little bag of groceries. The portion TEFAP provides is just a small part, but when it is combined with other contributions it helps to provide a meal or two for a family.

For me, the best part of this experience was when the woman from the food bank broke down the budget for a man and his wife living in DC on a $32,000 salary. When she broke out the expenses for rent and gas and everything else it was easy to see how food would be the one thing that people will cut back on. We think of $32,000 as a livable wage but when you look at it and build a budget, there simply isn't enough money for everything. This experience taught me how critical our programs are for people who are right there on the edge. If there is an unscheduled expense, like if someone gets sick, then this family is going to go hungry.

Tuesday, May 10, 2011

How to Succeed at Failure

I read a good post by Steve Kelman, How to Succeed at Failure. I'm a little disappointed that he failed to hit on a couple of issues. First, anything that is difficult is likely to have failures along the way. Even more important, anything worthwhile is going to have to overcome those failures. So if you want to do something that is both difficult and value-adding, you have to plan for failures. People get freaked out when I say that. Here is what I mean...

First, you have to have a safety valve, or some formal mechanism that helps you to stop the loss at a certain point. Contracts are a convenient entity in this regard. Your ability, my ability, anyone's ability to plan is limited by the horizon of what they can effectively see. The more variables you introduce, the closer that horizon gets. Plan for what you can accomplish in one year. You can have a longer term strategy and aspirations, but tactically stick to a year or less. Get to the finish line in yearly increments. If you do this, and things start going off course, then at least every year you have an opportunity to recalibrate and implement corrections. Don't lock in to some 5-year behemoth.

When you fail, and realize that you will fail all the time, take time to learn something. I personally beat myself up over failures. Read this blog: almost every topic that I write about, from BVAs to Quality Management to Contract Types, is born out of failures. In those cases, something didn't go as well as I expected it to, so I needed to come up with a new method. The point is that failures need to be constructive. Make a point out of learning something from them. A failure is an investment; your future actions will decide whether the investment paid off.

Lastly, organizationally, you have to walk a fine line. First, you want to centralize A&R (Accountability and Responsibility) on a single person, but you need to expect that things happen and failures are likely. So you need to foster a learning organization. You want to hold people accountable for certain levels of performance but you don't want to be so harsh that a failure here and there is the end of the world to a person. The point to make from an organizational perspective is that the same person or team won't experience the same cause of a failure.

Monday, May 2, 2011

The Fitness Challenge

Through the end of July my Agency is running a Fitness Challenge. Every two weeks people send in their log of how many minutes and which physical activities they did during that period. Going to the gym before work has been a part of my routine for a while now, but it is interesting to see how long you are working out and what you are doing. In the first two-week cycle I logged more than 7 hours of exercise, and I was a little disappointed in that number. I think that for two weeks that needs to be higher. I'm already over 8 hours in just one week in this reporting period.

Anyway, businesses realize that people who exercise regularly are better able to perform their jobs. I feel like I have better focus after working out, and that is with getting up at 4:45 in the morning. While I haven't lost much weight, I have great cardio conditioning and I've lost two inches on my waist, so that's good.

So this past Saturday with a sunny day for the first time in a long time, I was motivated to take the kids trail running. I am always amazed at how much energy they have. We went to a couple parks along the Potomac River and I put my daughter in the lead, setting the pace. You can go to their site to see a map of the place. We ran until we were tired, then we walked, then we ran again. It was a good time, as you can see.

I just looked up how far we went, wups, 8.6 miles. Sophia did great. I asked if any of their muscles hurt the next day. Everyone was great except for allergies. Anyway, everyone should exercise regularly.