Retailers & Manufacturers Beware Customer Exposure Fatigue…and the Lures of the Data Mafia

How would you really react if on entering an unfamiliar store while on vacation, you were simultaneously accosted with coupons for the sunscreen, jet lag remedy, and black truffle paste you researched online yesterday after lunch booked by Open Table at an obscure café half a continent away, while models in a visual display of your tomorrow’s beach destination, clipped just this morning to Evernote, directed you to your own gender’s department for a bathing suit, made by the same designer as last year’s summer’s purchase, and then across the floor for a belt embedded with an RFID chip that the belt’s designer’s display will recognize on contact next spring? With facial recognition cameras, locational databasing, online browsing collation, checking in, checking out, research note collection pending sharing out online, your customers face much more than Andy Warhol’s “15 minutes” of fame: collated, cross-referenced, shared, and archived personally identifying information could make users pseudo-celebrities for life.

People complain about the NSA. Do they really want you as retailer or manufacturer to know–or to presume to know–all about them? Do your customers really want you, your app developers, your app developers’ other clients, and your app developers’ other partners knowing where your customers have been and plan to go and what your customers think, buy, read, write, and plan, all archived over time? Even if your customers adopt and adapt, will they want constant reminders of what you know, what you may know, and how much more you might know?  At what point will even the early adopters and database-sharing inured burn out and tune you out, turn you off, and avoid your space?

How significant is all that data databased, analyzed, shared, and archived? People change, thoughts change; passing thoughts and impulse browsing make datapoints look as though those datapoints pertain to your customer when they actually reflect the concerns of your customer’s family, friends, co-workers, communities, odd news items, strange ads, and celebrities and other strangers. Is video-archiving the unique floor paths of your different locations worth alienating customers already on camera in changing rooms and at check-outs? Do you get enough meaningful data to justify subjecting customers, employees, and vendors to facial recognition imaging integrated with the web browsing and locational history you can find on their smart phones and online browsing histories?

Even internally, who should know who is doing what and meeting with whom, why, about what, when, and where? What of your trade secrets do your developers’ apps and your personnel’s apps on their own devices capture and archive as Google, Facebook, LinkedIn, Evernote, Foursquare, Turn, OpenTable, Instagram, TripIt, Salesforce Chatter and Yammer? 40,000 developers have combined Foursquare alone into their apps, including Evernote and Instagram, even as Foursquare has gone global. How much data seeps through the company? Once the data is out there, it’s impossible to claw it back. How much information leaks out externally, where it can be read and scraped and databased and recombined when, with what, for context? Where do your trade secrets go?

Wouldn’t the legendary personal touch of a Nordstrom clerk do more to please your customers and shorten your checkout lines to the ‘point of sale’?

© 2013. S. Caroline Schroder. All rights reserved.

Reputational Incident? Don’t Default To Crisis

Companies would do better investing in good products and service, solid intellectual property, and employee quality, ethics, training, and conditions than in PR disaster planning and plotting and reactive campaigns.

C-teams should pick their battles in many contexts and reputational risk is one of them. C-teams should be careful not to prolong and deepen a transitory reputational incident into full-blown crisis but focus on doing good and performing well while reserving their bench strength for real problems.

Brands of good companies are, in fact, resilient. Every company has reputational incidents, whether social media idiocy committed by low-level workers or major safety disasters such as those of Asiana, Boeing, and Toyota. Most reputational incidents, such as the fast food chains’ experiences, are self-limiting and, these days, result in more ego-driven swivet in the C-suite than actual threat.

Keeping a company’s trade secrets secret will yield more real returns in market-leading innovation, competitive advantage, and persistent excellence of brand than will hitting a reputational incident and immediately defaulting to crisis and brand triage. As successful and troubled companies have found, employees very much own or control a company’s brand, most obviously in social media exposure, but fundamentally in how well they execute the company’s business model, from C-suite to coding, cooking, or simply coping. When a brand takes a hit because of the egregiously bad behavior of employees in one location or one silo, it then springs back because customers are driven by the company’s real-world product and service and not mere brand. That is, brand springs back if the company is fundamentally sound, products good, and service reliable.

Social media have become a lens through which not just customers but the supply chain and government agencies from the National Labor Relations Board to the SEC keep tabs on company action, ethics, reaction, and now even disclosure. Companies may win the battle but won’t win the war if their overblown reactions to trivial incidents invite even more scrutiny and cross-reaction than the original incidents would have normally triggered. Companies may win the battle but won’t win the war if their overblown reactions to trivial incidents are cited far into the future as examples of successful PR fixes of brand disasters. Essentially trivial incidents would have been forgotten in weeks had they not been singled out, honored, and archived in magazines, textbooks, and videos, for posterity.

Risk management and oversight must keep brand and reputational risk in perspective, crediting the company for the real world quality of its products and services as larger than an isolated incident and crediting the company’s customers with the intelligence and compassion to recognize the distinction.

Where Are The Women To Buy Saks 5th Ave? And Neiman Marcus?

What woman wouldn’t want to buy Saks 5th Avenue? Lock, stock, and crown jewels. Where are the women to do this deal?

And an attractive deal it is: Saks not only has cut its debt but owns many of its stores, including its 5th Ave flagship store at the center of the global fashion world. On the other hand, the Saks image, quality, design choices, and service are not what they were under Rose Marie Bravo. What an opportunity for a luxury turnaround!

According to The Economist at the time, Proffitt’s bought Saks for 1.3 times sales from Investcorp (before changing its own name to Saks) in 1998.  The Economist’s analysis of that acquisition is here:

And a fascinating business history of Saks is here:

Just days ago, Hudson’s Bay Trading Company of Canada emerged as an interested party.

Hudson’s Bay seems to have done rather well with its Lord & Taylor acquisition, turning it around nicely so far, but its own IPO priced at the low end in the wake of that acquisition, and Saks is a very different creature, up there in the high-end luxury market. The inventory is very expensive, the discounting and marketing rules complex. Does anyone remember how Brad and Brian Martin nearly did Saks in with their vendor allowance fraud and deferral of markdowns? Played right, a store like Saks can drive vendor styles and make fashion and profit; played wrong, it can destroy a market niche, as Saks did with designer and bridge Petites and executive dressing, and can quickly destroy itself. It’s a very complex business.

Saks Vendor allowances, other fraud Influence and destruction of Petite niche across industry

As for Rose Marie Bravo, if popularly ‘elected’, would she serve?

This Does Not Compute: Oops, Cray + Hadoop

Sometimes “innovation” simply does not compute. Cray’s supercomputers would seem the last word in secure computational power. Apache Hadoop, on the other hand, has, among other inherent vulnerabilities, design errors that make it vulnerable to information disclosure, according to Security Focus and other sources (identified by Cloudera). In fact, as quoted by Data Informed, James Vogt of Zettaset has pointed out that in distributing big data jobs across clustered computers, Hadoop “shares data and conducts batch processing of data across nodes,… [creating] a different set of security challenges that you can’t really address with perimeter security.” According to Information Week, Cray promotes Hadoop distribution as bringing “greater security” to Cray’s clusters of half-million-dollar-and-up supercomputers. Somehow it seems that for healthcare, finance, and other highly sensitive sectors the combination actually puts designed-in vulnerabilities on steroids and kicks security holes all through Cray’s supercomputing solution. A Cray cluster coupled with a suite of open source software applications written by a community not committed to high security performance would seem destined to lead to unintended consequences, and most unfortunate lessons to be learned. Again. Has hype put the “Cloud” right on the edge of super-disaster, yet again?

Cloud Convection: Reality through the Prism

Although the net effect of Prism is not clear, the scare is timely, coming in a year when CXO’s and boards are swamped with pitches to adopt the cloud, wholesale. Many had just turned their attention to cybersecurity. That attention comes a decade late. Too many companies have thought nothing of adopting the ‘cloud’ even though it is less secure than their own networks. At too many companies IT has warned for years of network intrusions, data thefts, malware injections, and diversions of IP while being forced to beg for budget. Only the avalanche of billions of dollars in stolen value finally got the message across. As billions more are poised to diffuse into the cloud, now would be a good time for CXO’s and boards to shed more light on why and how and where the data go.

Boards and CXO’s who have dismissed IT as “too technical” for them to understand have yet endorsed edge strategies as “necessary change”. Already the cloud, like social media, has come back to bite early adopters, whether through outages, abuses, or unexpected legal consequences. It matters not only who does what for whom but also where in the world a company’s data lands, which, as we have seen, can give governments and other parties direct, and indirect, access to your information. Big data has attracted open source software and the open cloud developer community. A company does not really know what is built into the software and with what motives. Security is a problem from Hadoop (Java based) to Ruby on Rails. While even the Department of Homeland Security has been warning the public to turn off Java in browsers, Hadoop has suffered from, for example, “information-disclosure” issues and shares data across its system. Rails had been harboring critical vulnerabilities, including the ability to execute malicious data-stealing code remotely on the servers running programs built with, say, Ruby on Rails. So, to what is your company exposing its data?

Before a company makes the shift to the cloud, it would do well to ask some questions:

What do we have out in the cloud? Data? Software? Platforms? Infrastructure? Do we understand what we are going to do next?

Are we looking at the public or private cloud? Do we own our data centers or does someone else?

Are the data centers secure and how do you know? Have they been audited by an independent third party? Are we and anyone else involved members of the Cloud Security Alliance? Who sets the standards these data centers meet?

Is the power for our data centers secure? How much power do our data centers draw? How well does the grid support that draw? Do our data centers have a history of power outages? Is the power reliable or do you have plans to make it reliable? Do we understand our corner of the grid? Do we understand what would happen if someone builds a data center down the street or across the road? How long could we stay up if the grid goes down? And what happens next?

Have our data center capital investments kept up with power demands? Technology demands? Competitive demands? How long and what dollars would it take us to build out a data center for expansion? Are you expecting us to give you funding for expansion or redundancy on which we cannot deliver?

How secure are our power costs? How much are we paying for the power we use and the power we only might but might not use? Who pays if the price of power should spike? Have we assessed the possibility of power price spikes? What happens to our model if power prices go up and stay up and continue to rise? Have we hedged our bets?

How redundant are we? Have we considered the geo and geographic risks, from storm to earthquake, terrorism to malicious cyber attack, provider outage to utility blackout, interconnections to interdependencies? If the datacenter fails, to where do our systems fail over? What is our liability for failure?

And what about the software?

For too many years the greatest cyber challenge CXO’s and boards thought their companies faced was the lone black hat hacker. It has taken years for IT to get the message of organized and even nation-state threat through, even as IT itself moved towards software of unclear provenance often built by a community with mixed and unknowable motives. As companies have increasingly embraced a free-lunch model of free code, free services, free work, free movement, and free information, they have ignored the oft-proved truth: there’s no free lunch.

Good Risk News: Reversing Paralysis, Healing MRSA?

Tel Aviv University:  Gel May Reverse Paralysis, Even Parkinson’s
Researchers have developed a gel composed of anti-oxidants, synthetic laminin peptides, and hyaluronic acid to coax peripheral nerves back to health. The researchers bridge damaged nerve ends with a soft, biodegradable tube lined with the new gel to promote fiber regrowth. The researchers report success in coaxing animal nerve fibers to reconnect, even in cases with “massive” nerve damage.

Journal Reference:
American Friends of Tel Aviv University (2013, May 13). “Reversing paralysis with a restorative gel.” ScienceDaily/releases/2013/05/130513123339.htm

Arizona State: Natural Clay Mixtures Having Specific Metal Ions Are Highly Effective Against MRSA and E. coli
Researchers, noting traditional uses of clay for infection, healing, and pain management, experimented with exchangeable metal ions, pH, and other properties to identify clays with greatest antibacterial effectiveness. They concluded that Zn2+, Co2+, and Cu2+ concentrations were most effective against MRSA and Zn2+, Ni2+, Co2+, and Cu2+ concentrations were most effective against E. coli.

Journal Reference:
Caitlin C. Otto, Shelley E. Haydel. Exchangeable Ions Are Responsible for the In Vitro Antibacterial Properties of Natural Clay Mixtures. PLoS ONE, 2013; 8 (5): e64068 DOI: 10.1371/journal.pone.0064068

University of Southern Denmark: Old Drug, New Anti-MRSA Tricks
Danish researchers have discovered that thioridazine can boost the effects of antibiotics by weakening bacteria’s cell wall, allowing antibiotics to attack the cell wall and kill staph bacteria. Thioridazine weakens the cell wall by removing glycine, an amino acid.

Journal Reference:
Mette Thorsing, Janne K. Klitgaard, Magda L. Atilano, Marianne N. Skov, Hans Jørn Kolmos, Sérgio R. Filipe, Birgitte H. Kallipolitis. Thioridazine Induces Major Changes in Global Gene Expression and Cell Wall Composition in Methicillin-Resistant Staphylococcus aureus USA300. PLoS ONE, 2013; 8 (5): e64518 DOI: 10.1371/journal.pone.0064518

Innovation, Thought Through, Works: The Telework Example

Telework is a perfect example of how innovation works if thought through, and of the costs if not. Contrast the commitment to telework at the USPTO with its end at Yahoo. While most discussions of telework program success tend to focus on the commitment of the teleworkers, I have observed over time that the performance of the communications and security technologies is of primary importance. Given good technology and responsive back and home office support, teleworkers are more inclined to work too much than too little. Any innovative program needs tweaking, but rather than examine the roots of teleworker inefficiency and detachment, Mayer simply cashiered the program, wasting the sunk costs and her talent’s goodwill. Will Yahoo lose critical talent? Could Yahoo have overcome the glitches, vulnerabilities, and dysfunctions? What might have been done to save this popular innovation?

Technology: Teleworkers should not have to be electrical engineers unless they are electrical engineers and hired for this reason. The technology has to work. For good telework, the voice and data communications must work consistently, reliably, daily, and hour to hour, and at any given hour. Equipment should be pre-tested, regularly maintained, replaced on schedule, and made available or delivered out promptly, agreeably, and reliably. Bad equipment should not just be shuffled back out to the field to make some other teleworker miserable. Technology should be upgraded as the technology advances and as vulnerabilities are exposed. Teleworkers should not have to make sure the pipes and bandwidth work. Teleworkers should not have to interrupt work to play technician or work through diagnostic steps and time consuming fixes with remote technicians. Give them functional architecture and infrastructure.

Schedule: The network should be up and working when the teleworkers are reasonably expected to be working. There should be sufficient warning of regularly and conveniently scheduled maintenance, updates, upgrades, integrations of systems, and other notorious interrupters so that teleworkers can get done what they have to do during reasonable work hours. Don’t let IT schedule a major system upgrade or integration of two systems when a major work project is coming due or in the peak workflow days or seasons. The point of establishing a telework environment is not to establish department dominance but to get the work of the business done.

Security: Teleworkers should not have to choose between a secure work environment and getting the work of the business done. Security should be tested, maintained, audited, and upgraded, and it, like the technology, should work, and work well with the technology. Equipment should not grind to a halt with every upgrade, scan, or change in settings and software. Teleworkers should not have to interrupt their daily work to troubleshoot yet another software or hardware problem. IT security seems often to become the primary security concern of the telework environment, but the protocols of the work should not be ignored. Insiders as well as outsiders may decide to profit through theft. Beyond IT security, management must be vigilant for teleworker breaches of protocol. Mistakes do result in risk of loss or loss. Breaches of protocol may actually be deliberate acts to steal or otherwise misuse the work of the business.

Teleworker Culture: The back office and ‘home office’ must facilitate the flow of teleworker production, physically and substantively. ‘Home office’ oversight should be sufficient to generally know who is working when, set milestones and goals, provide both pace and quality feedback verifiably, remotely and in person. Management must provide for and integrate teleworkers into a remote and ‘home office’ culture, neither isolating the teleworkers nor letting the teleworkers isolate themselves as individuals keep up with the daily workloads and peak periods. IT should see itself as the telework accelerator, rewarded for the efficiencies it provides and the headaches it eliminates, and not as the gatekeeper disciplining or manipulating teleworkers. Unless teleworkers actually do work for IT, they are the employees of the business, and not IT, after all.

Teleworker-IT Conflict: IT controls multiple chokepoints in the flow of teleworker progress. Not only does IT thus have prominent power over the individual teleworker, including teams, projects, and departments, IT personnel have been known to scorn those whose technology skills do not match their own. Whether in envy or disdain, some IT personnel have indeed made mischief and others have crossed the line into crime. Critically, the ‘home office’ should watch for and take seriously indications of and complaints about IT resistance, interference, obstruction, and breaches of security and protocol.

Commit to overcoming glitches, vulnerabilities, and downright dysfunctions. Where the innovation brings real benefits, attracts talent, and reduces costs, work to resolve the negatives. Improve it; don’t trash it. Expect to tweak.
