GDPR – Data breach reporting

September 14, 2017

For this third post on GDPR, we will cover the who and what of data breach reporting obligations. It is a good candidate for building on the event and incident management activities an organization already has.

The definition of a personal data breach within GDPR is:

"Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. – Art. 4(12)

In the case of a personal data breach, the controller shall without undue delay and, where feasible, no later than 72 hours after becoming aware of it, notify the personal data breach to the competent supervisory authority (Art. 33(1)). Note that the clock starts when the controller becomes aware of the breach, not when the breach happened.

The GDPR lists the mandatory information to be included in the personal data breach notification (the items are reproduced in the Annex at the end of this post).

Regarding timing and completeness of the notification, Recital 85 states: “Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.”

The notification to the supervisory authority is not required when the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Art. 33(1)); in every other case, notify. Since that risk assessment is the one judgment call everything else hinges on, I suggest you double-check how to assess those rights and freedoms with legal. Even better, ask the supervisory authority.

Retaining wall breach – by Hefin Richards (https://commons.wikimedia.org/wiki/File:Retaining_wall_breach._-_geograph.org.uk_-_240821.jpg)

Furthermore, the processor shall notify the controller without undue delay after becoming aware of a personal data breach (Art. 33(2); the Regulation does not set a hard deadline for the processor-to-controller notification, so the contract between controller and processor is the place to set one).

Beware that, for the first time, processors are also directly subject to penalties and to civil claims by data subjects.

Operationally, for all this to work, a prior assessment of the impact of processing operations on personal data provides reliable criteria for which breaches to notify and when. That assessment, known in GDPR as a Data Protection Impact Assessment (Art. 35), also pinpoints what needs to be monitored for breaches in the first place.

What about the affected data subjects?

When the breach is likely to result in a high risk to the rights and freedoms of the individuals concerned, the controller should, as soon as reasonably possible and in close cooperation with the supervisory authority (promptly, for instance, where there is an immediate risk of damage), communicate the breach to the affected data subjects (Art. 34, Recital 86), covering at least:

  • the nature of the personal data breach;
  • recommendations for the natural person concerned to mitigate potential adverse effects.

Data breaches must be documented

The controller must document every personal data breach, including those not notified (what happened, its effects and the remedial action taken). This documentation shall enable the supervisory authority to verify compliance with the data breach notification obligations of Art. 33 (see Art. 33(5)). Clearly, there is a need for people and a management system to support it (both may already exist in the organization, due to other information security requirements).

Piggybacking on existing practices

If the organization already has procedures for handling information security incidents, then they should be reviewed for the specific treatment of personal data breaches, including how to document them properly should the supervisory authority (or law enforcement) demand it, how to notify the supervisory authority, and how to receive and act on data breach notifications from processors.

From CNIL, the French supervisory authority, the document Notifications d'incidents de sécurité aux autorités de régulation : comment s'organiser et à qui s'adresser ? ("Notifying security incidents to regulatory authorities: how to organize and whom to contact") provides guidance on the notification of security incidents.

Where to start?

Complying with the GDPR data breach notification requirements has a significant impact on organizations, including: raising awareness on handling data breaches; procedures for detecting, documenting and notifying data breaches; reviewing and checking on third parties processing personal data for your organization; and communication with both the supervisory authority and the data subjects.

Introducing these changes costs money, so you will need to build a business case for a data breach reporting initiative in order to secure funds. Consider this:

Personal data breaches seem to be more damaging to companies than other security breaches.

Campbell et al. (2003) found that security breaches in which personal data was accessed had a significant negative impact on a company's stock market valuation (see References below). People relate more to personal data breaches ("Hey, that could have happened to me!").

Next post will tackle the reason why GDPR exists: individuals’ rights.

References

Art. 33 GDPR, Notification of a personal data breach to the supervisory authority (Recitals 85, 86 and 87 are relevant for further clarification).

Karyda, M. & Mitrou, L. (2016). Data Breach Notification: Issues and Challenges for Security Management.

Annex – What goes into the data breach notification?

The notification shall at least include (Art. 33(3)):

  • the nature of the personal data breach including where possible: the categories of data subjects and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • the likely consequences of the personal data breach;
  • the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

GDPR – Privacy by design (PbD)

September 7, 2017

Privacy by design (PbD) is meant to address privacy throughout the whole cycle of activities that together allow an organization to handle personal data for its purposes.

The intention is to invest in privacy earlier, thus reducing the need for hurried measures to fix personal data misuse later.

Indian Chameleon (Chamaeleo zeylanicus) – photograph by Shantanu Kuveskar

A quick search on the topic brings up the goal of taking privacy by design so far that you actually won't need to protect personal data at all (because there won't be any left). There is also some criticism of PbD's vagueness. This stems from its origin as a set of principles, as we will see next, which to me is a good sign in favour of its usefulness.

The principles

It started in Canada, with Ann Cavoukian, the former Information & Privacy Commissioner of Ontario, and her PbD principles, known as the Ontario model:

  1. Proactive not Reactive; Preventative not Remedial
    Focus on anticipating privacy risks.
  2. Privacy as the Default
    Individuals should get maximum possible privacy by default.
  3. Privacy Embedded into Design
    Privacy by Design is an explicit part of design and architecture of IT systems and business practices.
  4. Full Functionality – Positive-Sum, not Zero-Sum
    The goal is to have full functionality, not to use privacy or security as an excuse for delivering less.
  5. End-to-End Security – Lifecycle Protection
    Secure lifecycle management of information, from the instant information enters all the way up until it is no longer needed and is securely destroyed.
  6. Visibility and Transparency
    Both users and providers can check on how PbD is achieved.
  7. Respect for User Privacy
    Users first. Meaning strong privacy defaults, appropriate notice, and empowering user-friendly options.

Whenever we go for principles, actually doing it is not immediate, and that is the point: they are generic and meant to be kept in mind. They are not operational themselves; they support operational decisions.

To focus our initiative we can piggyback on data mapping and privacy impact assessments. These are the opportunities to identify where privacy by design needs to be intentionally introduced.

Privacy by Design moments of truth

The ICO gives concrete examples of where privacy by design should be considered and applied: specifically, contexts where things change, both from inside and from outside the organization:

  • Building new IT systems for storing or accessing personal data
    The change management process is the natural hook, though a funding request for a new IT system (or for cloud services handling your customers' data) may be an even better trigger.
  • Developing legislation, policy or strategies that have privacy implications
    • Make PbD part of the checklist of topics to check.
  • Embarking on a data sharing initiative
    • Remember sharing data has never been so easy.
  • Using data for new purposes
    Look out for requests coming from marketing and sales; they know the business, so you had better know the privacy impact (and express it clearly enough that your family would be proud).

Simplify

Like with security in general, by embedding checks in the right moments we can go a long way without too much extra work. Take these ways to simplify as a starting point in your PbD journey:

  • Data minimization – Collect only what you need.
  • Purpose limitation – Only use personal data in the way you have permission to, and only if necessary.
  • Retention limitation – Don’t store it longer than necessary.
  • Early consideration – Incorporate privacy at the thinking stage of a development life cycle, before doing anything.
  • Start where you are – Use what you have right now.

As with other efforts, it's sensible to embed these in existing processes and procedures, including project management, development, and the codified practices of support teams (it's easier to change existing organizational habits than to introduce new ones, wouldn't you agree?).

Next post I will go for breach notification (and yes, GDPR has fines for this too).

 

GDPR – By reading this you are consenting…

August 24, 2017

 

Ensuring valid consent from the individual is one of the key areas to take into account in the GDPR (your organization may face fines of up to €20 000 000 or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher; Art. 83(5)).

From a customer perspective, proper application of consent gives individuals autonomy and control over their data, resulting in more trust in, and a better reputation for, the service provider.

Alas, with GDPR obtaining and maintaining consent is now significantly more difficult to achieve, so we'll look at the challenges it poses, the alternatives, when to use it and how to go about it.

"Cats don't like change without their consent." – Roger Caras (http://maxpixel.freegreatpicture.com/A-Normal-Cat-Tomcat-Pet-Cat-Tabby-Kitten-Charming-1698392)

Consent challenges

On one hand, consent must be "freely given, specific, informed and unambiguous" (Art. 4(11)). In some cases the power position of the organization makes consent unusable as a legal basis (as in the employer/employee relationship, which undermines free will).

On the other hand, the individual can withdraw consent at any time (Art. 7(3)) and trigger the right to be forgotten (which will have to be fulfilled unless another legal basis justifies the continued processing), or may simply request deletion of their data because they are no longer needed.

Note that the very act of asking for consent can itself be an unlawful communication, as in the ICO's Honda case in the United Kingdom (emails sent to ask for marketing consent, without records of any previous... consent to be emailed).

Mechanisms for legal processing

For the above reasons, organizations should first determine the lawfulness, under GDPR, of their use of personal data, and then assess which legal basis best sustains that processing. Of the six possible legal bases (Art. 6), consent may not be the easiest to apply nor the most appropriate.

There are five alternatives to consent, which may be more appropriate for your organization:

  • Processing is necessary:
    i) for the performance of a contract that the individual has entered into; or
    ii) because the individual has asked for steps to be taken so that they can enter into a contract.
  • Processing is required due to applicable legal obligation (except an obligation imposed by a contract).
  • Processing is necessary to protect the “vital interests” of the individual. This condition applies only to life and death cases, such as when an individual’s medical history is made available to an emergency department at a hospital for treatment after a major road accident.
  • Processing is necessary for the administration of justice or for the performance of statutory, governmental or other public functions.
  • Processing is done according to the “legitimate interests” condition.

Of these alternatives, processing due to a legal obligation is a practical approach: identifying the existing legal basis that supports the organization's processing needs is a good starting point. A concrete example, in the area of human resources, derives from the obligation to maintain information about the employee for social security. Just keep in mind that the personal data should be limited to the minimum necessary for the processing for which it is intended.

Another alternative is the use of "legitimate interests" to justify the processing of personal data, such as keeping the employee's bank account details to pay wages (although in that particular case the performance of the employment contract is arguably the more direct basis).

When to use the consent mechanism?

Consent is appropriate when:

  • Use of special categories of data (such as health data), where explicit consent is one of the conditions that lifts the prohibition (Art. 9)
  • Restriction of processing (there is reason not to process and only store personal data, for example when the individual disputes the accuracy of their data; Art. 18)
  • Automated decision-making (the criteria should be transparent; Art. 22)
  • International data transfers (be careful: this only applies where the other safeguards are absent or insufficient; Art. 49)

Consent best practices

The GDPR requirements for consent are: it must be specific, granular, clear, prominent, opt-in, documented and easily withdrawn.

From ICO (Information Commissioner’s Office) we’ve got the following guidance in the application of the consent mechanism:

  • Separation: Consent requests must be separate from other terms and conditions. Consent cannot be a precondition for signing up to a service unless it is necessary for that service.
  • Explicit opt-in: A clear and positive action is required; pre-ticked boxes are not allowed.
  • Granular: Each different type of processing must have its own consent option.
  • Named: Name your organization and any third parties, including processors, who will rely on the consent.
  • Easy to withdraw: Provide clear means of withdrawing consent at any time.
  • Relationship Balance: Obvious imbalances as employers/employees will result in forced consent, which is not acceptable.
  • Documentation: Auditable consent records must be maintained.

For a simple checklist on the use of consent, consult the ICO document Consultation: GDPR consent guidance.

In the next post, we will go through data protection by design, a way of addressing data protection risk at the right time.

Resources

  • An Article on when to use consent
  • The GDPR Recitals give insight on consent (Recitals 32, 42 and 43 in particular)

Taking the ITIL Practitioner exam: Ins and outs

August 30, 2016

A post at AXELOS forums prompted me to write about my experience while taking the ITIL Practitioner exam. I am posting here based on my reply there.

I'll write more generic stuff on taking the exam itself, then on studying/preparing for it and finally some specifics. Disclaimer: it's my personal view from my own experience. I tried hard not to write ambiguous stuff. My goal is to help you get the certification because you're prepared for it 🙂 So, adopt and adapt to YOUR way.

The exam is harder (in part because it is different in style and scope) than the ITIL exams below ITIL Expert level. It combines relatively large topic coverage with template-based questions, and the specific scenarios (that you only get to read when you sit the exam) consume precious time. "It is what it is", like it or not. So reserve the time to study (with more than one pass through all the content, please) and have a good night's rest the day before the exam.

The exam
– You need to know the ITIL Practitioner book really well, and where topics are. I think it's a good idea to use little Post-its to help find the chapters. Use the table of contents and the word index at the end; it's good and faster than your memory. It works. Some topics are touched on in more than one place, like stakeholder analysis or reporting (these are just examples; there's naturally lots of cross-referencing between the main topics, like OCM with communication for instance). So it's more efficient to waste as little time as possible looking for context in the book.
– I found one or two questions really difficult to understand. So don't dwell too much on those. Tough decision because of the way the exam is organized (specific scenarios give context and, at least for me, it was hard coming back to a different block without re-reading the scenario again). I set a halfway goal (like half the questions at half time, or a bit earlier for buffer). I tend to be fast and review as little as possible, but this time I reviewed a lot! So, make the time for it.
– It takes time to read the specific scenario, then the question, then think about the right answer and/or eliminate the wrong ones. So it's not efficient to jump around the questions; it's more effective to do them by specific-scenario blocks of questions.

The study
– I recommend reading the whole ITIL Practitioner book in one go first, so you know what's harder for you. Use different ways to review the content. For me it worked to write summaries, lists and, to a lesser extent than usual, mind maps. Writing it down makes me notice patterns and think about it in a different way (good, because my memory is bad 😉). I've used the weight of the questions per main topic as a rule of thumb for how long I studied each one (I studied the heavy ones first, and did not follow the book sequence exactly for the deeper study).
– Study the Introduction of the book really well; most of the easier questions come from there (it's really good and has new stuff in it. I like the way the service definition is deconstructed into value, outcome, cost and risk as a way of explaining what a service is). You can thank me after passing the exam for this one.
– Try the mock exams officially available; they do reflect the kind of questions in the real exam.
– Go beyond the questions available in the mock exams, especially the ones using the templates at the end of the book (the Toolkit chapter). You will certainly have questions built on practical examples using those templates.

Specific tips (please take them with a grain of salt; it's my perception of my exam)
– For measurement and metrics: the questions on this main topic frequently used templates from the appendix. So it's good to review the specific templates and the mock exam questions using templates.
– For the CSI Approach you'll have to be careful with the outputs from each step (it really shows in the mock exam; I stress this again: study the mock exams).
– As for the Guiding Principles, I suggest you take note whenever you find references to one or more of them in the other chapters; they do not always show up clearly in the book.
– Beware of the deceptive Communication chapter. It's quite easy to understand while reading it, but I found the questions hard. That being said, maybe it's just that this is the part I need to learn and practice the most 😉 [I've been doing that, by the way]

Hope this helps! At the end of the day, you'll have to approach the ITIL Practitioner exam in a systematic way. Reserve the time, plan for it... and just do it.

Resume – Books, doing and breathing

June 7, 2016


Summer Sky near by Alqueva

I want you to benefit from some starting points below. I’ll get better at it, promise.

Books

Two half-meter book piles are now beside my bed. I may need shelves before they dangerously rival the tower of Pisa. Better to have fewer books around, I guess. Three quite different suggestions:

  • (To read) The new Kevin Kelly: The inevitable. His “What Technology Wants” book had so much to think upon I had to stop reading it because I was reading too fast.
  • (Reread) 18 Minutes (short video on this wonderful run-walk "tip") by Peter Bregman.
  • (Reading) I keep coming back to Terry Pratchett. I started with Wyrd Sisters, and reading his books keeps jolting my "new bark". This is delicious (from Moving Pictures; I think it's on page 35 of the paperback edition. It's my current non-technical read and I've been learning a lot):

“Of course, it is very important to be sober when you take an exam. Many worthwhile careers in the street-cleansing, fruit-picking and subway-guitar-playing industries have been founded on a lack of understanding of this simple fact.”

Doing

Things I am doing and… improving:

  • (Drawing) A drawing a day. Started back on 29th February (it is a leap... year). Almost 100 drawings now, ranging from 10-second fast and furious drafts to one-page comics that took me rewarding hours.
  • (Habits) Getting good at acquiring and letting go habits (drawing is one I’ve acquired). They say it’s easier to change existing habits. I found it true at least for eating and reading (Duhigg’s book is an excellent read and may prompt you to tackle habits in a purposeful and conscious way).
  • (Second life) I think it has to do with aging; I am now less tolerant with entropy and actively looking for ways to make significant change happen (yes I am talking about myself – seems a sensible place to start). I understand way better now what Peter Drucker wrote on this (the “second life” and beyond daily work-as-usual, whatever that is for each of us).

Breathing

I've used the word fast too many times in this post. I suggest you try this if you ever feel like you are going too fast and under more stress than you can handle.

I will be doing this in a [non-frequent] newsletter format (so one can either keep them coming or opt out!). I am working on topics and focus so it goes beyond an ego-list of things I love (like what has really worked for me).

Be Well. Até já.

Online learning by yourself – what are you waiting for?

February 23, 2016

Do not let it pass. You have available resources as never seen before.

I've just finished Seth Godin's online course at Udemy. This one is particularly good for those thinking about (but not having decided on) being your own boss.

I took it at my own pace and wherever I wanted to (including on the subway; these online learning platforms now allow you to download the videos).

It’s not a matter of available time on your side. It’s a matter of choosing to improve yourself step by step, consistently.

Some starters that I have used:

  • www.udemy.com (browse the categories and explore classes and feedback)
  • www.skillshare.com (plenty of IT and arts to learn. By the way, when you teach you really have to know your stuff. This and the previous site allow you to publish your own courses)
  • www.coursera.com (the Duke University course on Gamification is… rewarding! Some happen at specific dates)
  • www.youtube.com (yes, although it will be harder to find the good stuff and you'll be on your own regarding the discipline to learn)

Little suggestion: Don’t pick more than you can handle. I did that at Coursera because I was so eager to take it all (many courses are free and damn good). Pick one and commit to finish it.

Know more resources? Please comment them in.


Certificate for Seth Godin’s – Freelancer Course at Udemy

Storytelling – Keep it short

December 18, 2015

Despite today's trend for bigger novels, I cherish short, straight-to-the-point narratives. A nice definition of a short story is one that you can read in one sitting.

Stories told in a few words may have a huge impact and are adequate for communicating ideas.

Some well known really short forms are proverbs (Around the world in 52 proverbs), haiku and phrases by well known people. For the latter a good place to start is goodreads.

Another form is flash fiction, like this one attributed to Hemingway: "For sale: baby shoes, never worn".

But… Be careful not to abuse the original sense of those little gems.

Mush and Room: Gamification

March 12, 2015


Gamification according to Mush & Room

An Interview with Carlos Casanova

June 3, 2014

Carlos Casanova is a well-known expert on CMDB/CMS, born in São Miguel, Açores, Portugal (the Azores islands are a paradise halfway between Europe and North America) and now based in the United States. I've enjoyed his thoughts and insights on the not-so-easy topic of Configuration Management and the CMDB/CMS. His book "The CMDB Imperative" (co-written with Glenn O'Donnell) is a reference for all who want to embark on a CMDB/CMS.

Carlos Casanova interview, 03-06-2014 – Rui Soares, some rights reserved

1. I love your surname, it means “new house” in Portuguese. What is its origin?

My nationality is Portuguese. I was born in the Azores and moved to the United States as an infant with my family. Since then, some of my family members have worked on our family genealogy and have found ancestors outside of Portugal several generations back in Spain and Argentina. The name translates into “New House” in many languages including Italian. I am not sure if the basis comes from the stories of the famous lover or not but given the spread of the name across the world, it just might be the case. 🙂

 

2. Why write "The CMDB Imperative"?

Prior to writing the book, I was the Director of Configuration Management for a global Financial Services firm based in the United States. I had been asked by the CIO to take on the effort, but it was apparent early on, after the magnitude and potential risk of the effort was clear to leadership, that nobody really wanted to take on the task themselves. For the next 4 years, I kept pushing the initiative forward as best as I could with limited resources and even less senior leadership support. What kept me going, however, was my vast background across the IT Operational areas, which developed in me a deep-rooted belief that this was the right thing to do for the company. My years working in Enterprise Architecture, IT Security, Disaster Recovery and Business Continuity helped me to develop a vision for a comprehensive entity that could support and deliver tremendous value to most operational areas across any organization. Internally, I was losing the battle against Senior Management but externally, across the industry, I was getting a considerable amount of recognition for my accomplishments at the firm. At one point, I even had an industry expert come into my organization to assess our achievements and she was amazed at not only how much the team had achieved, but more so at the vision we had in mind for this enterprise-wide entity. Unfortunately, my senior leadership decided to eliminate the remaining budget on the initiative shortly thereafter and I was faced with the decision to keep fighting to help a company who obviously was not ready to accept it or to write a book to help those companies that were ready to grow and build an incredibly valuable resource like the CMDB/CMS.

 

3. Is Configuration Management success at organizations hindered because IT people focus on the tech-centric CMDB? Why does its implementation have such a bad reputation regarding feasibility and benefit?

I perform formal Configuration Management Assessments for companies and one of the questions in the assessment asks the interviewee to rank three items (People, Process, Technology) in terms of which is the biggest challenge to the success of a Configuration Management Solution. In every assessment so far, when the individual questionnaires are collected across the company from all the interviewees, "People" has always been ranked as the biggest challenge with "Process" in second place. "Technology" has never reached the second-ranked position in an assessment at a company. In fact, very few interviewees ever rank "Technology" as the biggest challenge on their individual questionnaire. The issue, however, is that in the same questionnaire I ask questions to determine the level of knowledge about Configuration Management and sadly, the answers reflect why there are so many failures. Glenn O'Donnell, my co-author, and I personally hate the term CMDB. Configuration Management System (CMS) was better but still didn't convey the full view in our opinion. Our preferred term is Service Information System (SIS), which we think better describes the broad objective and capability of the system. In our book, we dedicated a subsection of Chapter 1 to explain "Why the term CMDB must go away". A major issue is that CMDB implies a single monolithic repository where EVERYTHING is collected and stored, and this is not reality. Logically and philosophically, it is a single entity, but the CMDB is not really a database in the true sense of a database. The real solution is where the "CMDB" (aka SIS) is the portal through which you get your logical perspective even when the pieces are spread out across various departments or regions in the company. It should be the vehicle that helps you get a singular view, but it does not need to be the singular keeper of data and information.

Because of the confusion about what a "CMDB" really is and, frankly, the push by tool vendors selling a "CMDB" (aka a relational DB that can store data you put in it), most efforts fail at least once and typically twice before achieving any level of success. The third attempt comes after resetting expectations based on education and knowledge. Taking on the effort with a better understanding of what they are REALLY trying to accomplish and what problems they are trying to solve is far more likely to succeed. One of the first questions I ask every one of my clients is: Why do you want a "CMDB"? Strangely enough, most answer the question with reasons for why you might implement an Inventory or Asset Management System. Few can ever fully articulate a reason that is truly in line with why you put in place a Configuration Management solution. Lastly, the fact that the term "CMDB" is used far more often than Configuration Management is a big reason why everyone at some point in time thinks of it as a pure technology effort. Once again, when they enter into it with this mindset, they will fail because they will not have addressed the biggest issues around data quality and people circumventing process. The CMDB will NOT fix these issues.

 

4. How can we sell Configuration Management to top management in a compelling way?

When I have the opportunity to speak with Senior Management that is knowledgeable about security and risk management, I explain to them that a Configuration Management solution can enable and/or directly support 11 of the SANS Top 20 Critical Security Controls. The case studies around reduced call time, reduced MTTR and increased MTBF are great; however, they address what I refer to as "soft money". This is money that, if saved, does not actually end up on the bottom line and hence the senior executive cannot claim it as a real saving. Senior Management that does not fully understand and appreciate Returned Value on Investment versus just Return On Investment won't see the "soft money" savings as tangible and hence will not provide lots of support.

Now, with more and more pressure on IT Hardening, and bigger budgets in that sector versus the Service Management sector, Senior Managers might be better suited to understand the value that something like a Configuration Management solution brings to IT Hardening. The key is to relate the investment being made to value being delivered to the end users and business customers. You must put it in terms of the positive impact that it will have on the company’s customers and how it will drive better business outcomes.

 

5. Right now what is the role and impact you see for the Service Management Congress?

I am very disappointed that more did not come of the effort at the 2013 itSMF Fusion Conference in the United States. I am still in full support of the basic ideas that our industry is not functioning at the level of quality and efficiency that I feel it needs to and, secondly, that far too many so-called certified professionals are promoting utopian approaches to solutions that never deliver value to the business. Many of our peers and many organizations have lost focus on what the intention is and instead focus far too much on the letters and words in the books and try to emulate it word for word in their companies. This DOES NOT WORK! I was hopeful that our effort with SM Congress would be the catalyst to get more people in the industry coming to this awareness. Unfortunately, some individuals across the world, who, based on their public stances prior to SM Congress, were proponents of similar ideas and concepts, decided to personally attack some individuals in the SM Congress and this drove a major wedge into the effort. We are now more than 6 months removed from the conference and it appears to have been wasted. I still believe in the concepts and have incorporated them into my client work, but as an entity, I don’t know if the SM Congress will be intact by the time the next conference arrives.


Once upon a time in the East (Notes from itSMF Singapore 2014)

March 28, 2014

It was a pleasure being at itSMF Singapore 2014 to speak on Storytelling.

Presenting Storytelling at itSMF Singapore 2014

First of all, I thank the organization for the great and smooth experience there. Rama and Vinay from the board, Joanne and Marco and all the good people from itSMF Singapore made this event a joy for me.

I finally met Suresh GP who curated and pushed it all.

My notes on the event follow without further delay!

Ferocious tweeting

Even with such a timezone difference for other geographies, we sometimes had little ITSM haiku, other times a vivid perception of what was happening during the conference. I think this trend of extending the conference reach is excellent.

The Twitter pack for itSMF Singapore 2014

The People

I couldn’t attend all sessions, but I did take worthy insights from them all. I’ll share notes on three:

Peter Brooks (excellent meeting THE Peter Brooks – wonderfully accessible and stimulating talks outside the sessions)

  • Service Governance is key (Hello top management accountability?)
  • ITIL has tons of excellent material scarcely used
  • We need an ontology, precise meaning for ITSM concepts (Adaptive Service Model initiative)

Peter Hepworth (met for the first time the man leading Axelos)

  • Portrayed Axelos as a startup – coming to Singapore is part of a strategy to talk with local stakeholders, and he got feedback from them the day before the conference (and from us too)
  • Regarding trainer certifications, there are more than 1000 ATOs, training orgs and affiliates combined. Huge task. So Axelos will be grandfathering the trainers.
  • On cybersecurity, he was asked about the next step, but it’s still too soon to reveal what’s under the hood for this hot topic

Matt Fourie (pleasant surprise!)

  • Leadership is about telling the what and letting people be responsible for the who (this is deeper and seldom found)
  • If you don’t find the solution in a few hours, you don’t have the right people solving it
  • Manage stakeholders, pursue collaboration with all and carefully pursue requirements analysis

The Conference

I sensed a pattern of people being part of the service management equation. Yes, still ITIL at the core, with one session on transitioning the service (this always reminds me of the DevOps approach, which has lots of people in it too), and more on empowering the end-users, a trend supported/pushed by vendors.

It was great meeting so many interesting people from Singapore and also from Australia. I had the opportunity to meet Kathryn Heaton from itSMF Australia, who gave insight on how service management has an opportunity in an unexpected market due to Australia’s digital initiative at schools.

My session on Storytelling went really well – people were grokking the stories on changing, I got engaging questions at the end and I had the chance to give away some cartoons specially drawn for the occasion.

I was there! cartoon for itSMF Singapore 2014 – one of the cartoons I wanted to give away (torn paper… did a newer version 🙂 )

Hope I come back with more time. Well worth the trip!