Rock and Roll

  • Comments posted to this topic are about the item Rock and Roll

    "The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
    - Theodore Roosevelt

    Author of:
    SQL Server Execution Plans
    SQL Server Query Performance Tuning

  • It is a lot easier if the company reputation hangs on being seen to do the right thing with regard to customer data. If the company reputation forms a large part of its value on the stock market, that is also a boon. It is also a source of stress and worry.

    GDPR Article 33 requires companies to notify the supervisory authority within 72 hours, so hushing it up could work out very expensive. A serious breach could hit you with €20 million or 4% of organisation turnover. Failure to have or abide by procedures could be €10 million or 2% of organisation turnover. Those sorts of fines are a big enough stick for most companies.

    As an individual within an organisation it is my duty to know who the data controller is and consult with them if I am in any doubt. I always suggest that I write any concerns down, for two reasons:

    • Once it's in writing it's real
    • Writing gives the opportunity to set it out in simple bald language.  A RAID log entry (Risks, Assumptions, Issues, Dependencies) together with situations where the risk can become an issue and the mitigating actions required to prevent it escalating.

    It is also worth asking for a retrospective on GDPR items raised.  Subject Access Requests, Right to be forgotten requests etc.  I'd pitch it as a business opportunity.  In the same way that "abandoned basket" analysis takes place or journey dropout we should be asking if there is anything we should alter to increase consumer confidence such that it reduces the uncertainty that drives the SAR & RTBF requests?

    There's a real skill in finding a way to say "I'm not saying you are wrong, I'm merely offering you an opportunity to be even more right"!

  • David.Poole wrote:

    There's a real skill in finding a way to say "I'm not saying you are wrong, I'm merely offering you an opportunity to be even more right"!

    At a "previous employer" we had a similar technique. It was from a web article about upward management... we called it "dog biscuiting".

    Every time your line manager makes a dumb decision then you don't make him a coffee... when he makes a really good call, his coffee comes with chocolate biscuits.

    We told him about it over beers in the pub one day, he told us that he had figured out our trick and was using it on the CTO.

    As for Grant's comment "head in sand, rock uphill" - give a dog a bone, you'll find that senior management will chew anything that tastes nice

    MVDBA

  • Grant, I like your bringing in the analogy of Sisyphus and his endless task of rolling a large rock up a hill, to have it only roll down again as it nears the top. One of my colleagues describes his work that way.

    Some months ago I learned of a sociologist who did research on the structure of organizations. Unfortunately, although I thought I'd written it down somewhere, I can't find it. (Man, I wish I could remember his name and the research he did.) Anyway, his research identified 3 types of organization. The most restrictive is more like an antagonistic monarchy, where someone's in charge, makes all of the decisions and doesn't listen to anybody (messengers are censured). The opposite extreme would be an idealized open source group, where all opinions are listened to (including all messengers) and given lots of consideration, etc. Then there's the middle group, which is characterized by maintaining the status quo. I remember the thing that struck me most about the middle group, which I'd never seen before, is that the messenger may be listened to, but they are then ignored.

    I suspect that many of us may work for something like that middle group. Even if we go to the business to convey ideas such as how California's Consumer Privacy Act will eventually filter down to us, they'll ignore it. At least until something drastic happens, such as some compliance that affects only California businesses makes its way to us.

    Kindest Regards, Rod

  • I agree with Rod's comments about 3 groups of companies - particularly with regard to risk assessment.

    I've worked for and consulted with many companies over the years. A few are proactive in assessing their risks, business or IT, and adjusting processes to manage those risks. A few on the other end are willfully blind to those risks and often simply don't care.

    The vast majority in the middle have a hard time visualizing the real magnitude of the risks we discuss. I know most of the owners understand the risk as we describe it, but they can't assign a probability to it. Human nature being what it is, we tend to either downplay risks we don't understand or overreact to them and panic. There's no middle ground for most people.

    Once something happens, suddenly the risk is real and a business owner can understand the real cost of not managing that risk. But if the issue is still theoretical, we're asking them to imagine how often something might happen and the severity of the consequences. That's hard.

  • The thing is, most people have a spare tire (or at least a donut). Most people have insurance. It's possible to communicate risk and get people to take a reasoned response. IT shouldn't be that different. Although, it frequently feels like it is.

    "The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
    - Theodore Roosevelt

    Author of:
    SQL Server Execution Plans
    SQL Server Query Performance Tuning

  • I implemented our organization's process for executing CCPA updates across 100+ production databases. It's meta-data driven - there is a table containing one record for each server/database/schema/table/column that needs to be anonymized and also various other tables for defining update rules, tasks, and execution auditing. The process is driven by a couple thousand lines of PowerShell. We have provided an application where each development team can manage the meta-data and rules for those databases belonging to their application, but still it's a work in progress - even at this late date.

    Really, it takes a village (every developer, DBA, and manager in the IT organization) to make CCPA compliance work. Fortunately, we've been on top of it, but I know there must be other organizations out there much larger than us who think they are too big to fail and haven't even started.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
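
A metadata-driven anonymization run of the kind described in the post above generates SQL from table contents that application teams can edit, so identifiers need quoting and rules need an allow-list before anything executes. The sketch below is an added example, not the poster's PowerShell or schema; the field names, rule names, `@SubjectId` parameter and sample rows are assumptions constructed for illustration.

```python
# Constructed sample metadata: one row per column to anonymize
# (server/database/schema/table/column), plus a hypothetical key column and rule.
METADATA = [
    {"server": "SQLPROD01", "database": "Sales", "schema": "dbo",
     "table": "Customer", "column": "Email", "key": "CustomerId", "rule": "set_null"},
    {"server": "SQLPROD01", "database": "Sales", "schema": "dbo",
     "table": "Customer", "column": "Phone", "key": "CustomerId", "rule": "run_script"},
    {"server": "SQLPROD02", "database": "CRM", "schema": "dbo",
     "table": "Contact", "column": "Name]; --", "key": "ContactId", "rule": "fixed_text"},
]

# Allow-list: a rule name maps to a fixed T-SQL expression, never to free text.
RULES = {"set_null": "NULL", "fixed_text": "N'REDACTED'"}


def quote_ident(name):
    """Bracket-quote an identifier the way T-SQL QUOTENAME does (']' doubled)."""
    if not name or len(name) > 128:  # sysname is limited to 128 characters
        raise ValueError(f"invalid identifier length: {name!r}")
    return "[" + name.replace("]", "]]") + "]"


def build_update(row):
    """Build one UPDATE; the data subject's key stays a bound parameter."""
    if row["rule"] not in RULES:
        raise ValueError(f"rule not in allow-list: {row['rule']!r}")
    target = ".".join(quote_ident(row[k]) for k in ("database", "schema", "table"))
    col, key = quote_ident(row["column"]), quote_ident(row["key"])
    return f"UPDATE {target} SET {col} = {RULES[row['rule']]} WHERE {key} = @SubjectId;"


def plan(metadata):
    """Return (statements, audit): every metadata row yields an audit entry."""
    statements, audit = [], []
    for row in metadata:
        where = "/".join(row[k] for k in ("server", "database", "schema", "table", "column"))
        try:
            statements.append((row["server"], build_update(row)))
            audit.append({"target": where, "status": "planned"})
        except ValueError as exc:
            audit.append({"target": where, "status": "rejected", "reason": str(exc)})
    return statements, audit


if __name__ == "__main__":
    for server, sql in plan(METADATA)[0]:
        print(server, sql)
```
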

  • As for those IT organizations who think that insurance is a substitute for full compliance - that's about as stupid as thinking auto insurance can compensate for drunk driving. The bigger you are - the harder you fail, and they will find that insurance rates are more expensive than actually doing things right.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
