Office Speak: “Copying In…”

The other week I was writing about how we describe things in a way that is no longer relevant to what actually happens – like being Out-of-Office.

This is another one a bit like that. Do you know why you cc someone in email? Or, even bcc?

  • cc: Carbon Copy
  • bcc: Blind Carbon Copy

Both of which being from the days of paper when you quite literally sent someone a copy of an original created on a carbon copier. It was convention to put the names of the individuals at the bottom of the front page with the letters cc so that everyone knew who had a copy. No one has to go to the effort of finding a carbon copier anymore, we have email for that and adding people to a distribution list is as easy as hitting reply (or forward) and adding in a few extra names. There’s still plenty of carbon involved, but the carbon copier has become redundant.

This post isn’t just about mechanics and names though, it’s also about office practices.

Here’s the scenario:

You send an email to a colleague asking them a question.

The recipient replies to your email and puts at the bottom – or somewhere else in the email, or sometimes it’s the only content of the email – copying in… followed by a few names.

Then, if it’s really not your day, one of the people who have been copied in sends a reply and again states copying in…

Then some time later you get another reply that says copying in…list of name…for information.

(I could go on, but you get the point. The worst case of this I can remember went through eight iterations of copying in… Imagine how many people that was.)

You still haven’t got the answer to the question you asked at the beginning, you have a list of names, but you’re not any nearer knowing whether any of the people who have received a copy can furnish you with an answer.

Actually, you don’t have a list of names, you have several lists of names. Lists that, over time, become so complicated that people start copying in people who have already been copied in.

There are many times when I’m on the receiving end of a copying in… I’m often completely unaware of what I’ve been copied in to. Looking down the chain of the email doesn’t help my understanding of the question being asked or the issue needing consideration.

The very words copying in… provoke a negative emotional response in me. I’m not sure that I fully understand why, but there’s an odour of dread to every copying in…, a scent of collaboration gone wrong and email overload.

As the people involved escalates there’s also a feeling of guilt at the time being wasted as people church through noisy email chains that mostly says copying in

There’s a point at which I want to say: Stop. But I never do, it’s futile, copying in… has taken on a life of its own. Perhaps it’s my issue and I’m trying to control the conversation too much. I should know better, by now, than to use email for such communication, but old habits and all that.

I know people are just trying to be helpful, but I’d rather they weren’t. If they don’t know the answer that’s fine, I have other ways of finding the answer.

Header image: Sunset above the fields near to where I live. We are still in a lockdown that requires us to stay local.

Office Speak: Out-of-Office (OOO) – is it time for a new name?

One of the things that fascinates me is the etymology of words and phrases – where they have come from. Often the current meaning has little connection with the original meaning. Why do we talk about being in the wheelhouse as an example? In technology we also have a kind of visual etymology where we co-opt visual representations from the real world into the screen world. Why do we talk about files, folders and saving as an example? Below the visual representation that’s not really what’s happening. Ever heard the term skeuomorphism?

One of the phrases that we use is out of office. There was a time when this meant what it says, being out of the office. People would phone your office, speak to someone who would say, “I’m sorry but Mr Chastney is out of the office today, can I leave him a message or find someone else to help you.”

That’s no longer what is happening for most of us. We no longer have an office to be out of, so that part doesn’t make sense. Even when we are away from the place where we normally do work, our office, work isn’t stopping just because our physical location has changed. We talk about setting an out-of-office in our email so that people know that we aren’t in work, although, for many, that’s not what they mean either.

The term is no longer really serving it’s purpose, which is to tell people that you aren’t there for them in quite the same way you normally are. I think we need a new set of terms that say what we really mean. How does these sound, I’ve tried to keep it really simple?

  • Unavailable – unavailable.
    • “Don’t bother contacting me I won’t receive it and you aren’t going to get a response.”
    • “I’ve gone on holiday with my family, or friends. I’m confident enough that while I am away things will be fine.”
  • Limited Availability – I’m not as available as normal.
    • “I am in workshops and focused on that. I’ll contact you in a break if I think it’s important.”
    • “I’m travelling so won’t be my screens at all times, and definitely won’t be looking while I’m driving. I’ll get back to you once I have access to my screen.”
    • “I’ve gone on holiday with my family, or friends, but I don’t believe that the world can survive without me.”

It’s a lot simpler than out-of-office or even OOO, don’t you think?

Header image: I decided to go out of the office to get some fresh air and found these snowdrops in the local wood.

Not Crossing the Flood – Laws, Guidelines and Principles

It has been raining for two days, prior to that we had snow and ice, it’s quite wet out there.

Not only is it wet it is very muddy and the number of routes that I can use for my morning walk has become restricted. Thankfully there are still routes open along bridle paths and paved areas so the walking continues.

This morning, in the dark, I set out on one of the routes that I was expecting to be not too muddy and not too wet.

Part way into my walk I headed down a short hill where the two days of rain had turned the tarmacked path into a very shallow stream flowing in from springs on either side. A couple of days ago this was an sheet of ice. At the bottom of the hill is a stream over which a wooden bridge sits before the path ascends again. Just before the bridge is a path off to the left which is always muddy, even in the summer, but in the spring that path is the route to the best bluebells in the area. Straight ahead, though, the tarmac continues.

As a peered through the pre-sunrise gloom I could see that there was something different about the path this morning. A little further along the path seemed to be moving. As I progressed it became clear that the stream which normally travels under the bridge was no longer constrained by its banks and was now covering the path.

It wasn’t clear in the dark how deep the water was, nor how fast it was flowing, a cautious approach was required. I am aware of the perils of fast flowing water and recognised that being swept of my feet was a possibility that needed to be considered.

A couple of steps into the expanse the water was already half way up my boots and I decided that at was time to explore a different route. This required some rethinking and some retracing but no great loss.

I write this at a time when the rate of COVID-19 infection in the UK is rapidly accelerating and we are in a national lockdown.

Every day our news is filled with two types of COVID-19 story; there are stories about the numbers and the lives impacted by this terrible virus, then there are stories about the lockdown regulations.

We like to talk about the lockdown regulations. In England the rules change almost as often as the weather and the only way of keeping up is to talk about it. It’s almost replaced talking about the weather as a pastime. Our current regulations are defined as things that we should not do (guidelines) and things that we must not do (laws). The news outlets are constantly running stories about people breaking the laws and being fined, and stories of celebrities and politicians breaking the guidelines. The radio debate shows must run at least one phone-in a week for people wanting to discuss what is, and isn’t, against the regulations. Much of the reporting and the discussion hinges on how close to breaking the law can people get without being prosecuted. As an example – the guidelines tell us that we can exercise outside which we should do locally and that we can be joined on our exercise by one other person from a different household. So we endlessly debate the definition of locally. Then the police fine someone for traveling a few miles and the papers are full of it for days, the fine is the retracted. The Prime Minister cycles in a location that is several miles away from his home and the papers are again ignited.

Meanwhile the scientists are telling us that all contact with other people is dangerous and that we should stay at home.

As I was out on my wet daily exercise this morning I was thinking about these discussions when I was struck by the parallel with my flood situation.

The flood was a dangerous situation.

Specifically how dangerous, for me, I don’t know, I didn’t push it that far. I decided that there was a greater principle at play which was one of risk and reward. The risk, though likely moderate, wasn’t worth the risk. There are many things that I could do at the edges of the law and against the COVID guidelines that I choose not to do because the same applies, the risk is not worth the reward and I follow the principle of staying at home.

The law gave me the right to cross the flood, likewise the law gives me the legal right to travel 70 miles to one of my favourite places for a walk. I chose not to cross the flood because my knowledge guides me that it is the low risk thing to do. I am allowed to travel for exercise, staying local is a guideline, and so I choose to stay at home because that’s the low risk answer for me and for everyone else who I might come in to contact with.

We shouldn’t be pushing to the edge of the law, we should be walking in the middle of the principle, using the guidelines as guides.

Header Image: This is a fuzzy nightmode picture of the flood.

I’m reading… “The Midnight Library” by Matt Haig

Imagine that our universe is just one of many universes, an infinite number of universes even.

Then imagine that if there are multiple universes that you exist in each of those universes, but it’s a different you, a you that has made different decisions and taken different paths.

Now imagine that you could look back through your life and the decisions that you have made and can travel to the universe where that version of you exists – the you that chose to stay at home the day when they were involved in a fatal car accident, the you that chose to invest in that opportunity, the you that took that job offer.

Which of those lives would you choose? What would you do differently if you could?

The Midnight Library is a thoroughly enjoyable book that explores choice, regret, happiness, significance and meaning seen through the life of Nora Seed and her encounters with the librarian Mrs. Elm.

Header Image: This is the shoreline at Silverdale on a frosty day in lockdown.

I’m reading… “English Pastoral: An Inheritance” by James Rebanks

I’ve been following a bit of a theme, focussed on the countryside. This wasn’t initially a deliberate act on my behalf it was something I fell into and then continued. It happened like this; while I was part way through listening to “Wilding” by Isabella Tree, “English Pastoral” by James Rebanks was released, having enjoyed “Wilding” and also having previously enjoyed “The Shepherd’s Life” also by James Rebanks I decided to dive in.

In describing Wilding I talked about learning from the mavericks, the people doing things differently. Rebanks is another maverick, but in a different way. Rebanks farms in the northern fells of the Lake District which is a very different context to that of the Knepp Estate in West Sussex, yet both of them are trying to find a different way to treat the land on which they live.

English Pastoral is a biographical commentary on the countryside and the significant changes that have occurred over a relatively short period of time.

I was a boy living through the last days of an ancient farming world. I didn’t know what was coming, or why, and some of it would take years to reach our fields, but I sensed that day might be worth remembering.

This book tells the story of that old world and what it became. It is the story of a global revolution as it played out in the fields of my family’s two small farms.

English Pastoral – James Rebanks

For anyone in doubt, all is not well in the English countryside, and all is not well with farming. In English Pastoral Rebanks talks through the events that led him to the realisation that the ways in which we are currently farming are not sustainable, and that a different path needed to be followed.

The last forty years on the land were revolutionary and disrupted all that had gone before for thousands of years – a radical and ill thought-through experiment that was c0nducted in our fields.

I lived through those years. I was a witness.

English Pastoral – James Rebanks

We have sustainably farmed the English countryside for many generations, but in recent decades the successful farmers have been those who embraced the modern ways of mechanisation, efficient cattle breeds raised in large sheds, large fields, massive farms and extensive use of chemicals. At the same time the rest of us have become “strangers to the fields that feed us” as the supermarket has dominated our buying. Farming is now in the middle of a huge international system of food production in which productivity and efficiency are the measures of success. We each benefit from that system in relatively low cost food, but at what price?

I have come to understand that even good farmers cannot single-handedly determine the fate of their farms. They have to rely on the shopping and voting choices of the rest of us to support and protect nature-friendly sustainable agriculture.

English Pastoral – James Rebanks

Rebanks is trying to learn from the old practices that he was brought up with and to return his farm to something more sustainable. This involves rebuilding some wildness, returning rivers to less straight routes and re-establishing a farming mix that isn’t just focussed on a single product. this inevitably has an impact on productivity, but perhaps not as significant as you might expect, and even if it does perhaps that’s a price worth paying.

We have a tendency to think in terms of blueprints and models. If we see someone doing one thing and being successful at it we try to copy it. What we miss by doing this is the context in which the originator of the idea built their way of doing things. English Pastoral isn’t describing a blueprint, it’s trying to open our minds to the possible.

Having read both Wilding and English Pastoral I am left at a loss as to what to practical steps to take, personally. I am one of those “strangers to the fields that feed us”, but I’m not sure how best to get reacquainted.

Header Image: This is what the northern fells can look like, imagine farming here.

I’m reading… “Wilding” by Isabella Tree

I’m a town boy at heart. I’m not a city boy even though the place I live is called a city, it’s not a very big city and where I live doesn’t feel like a city. I’m not a country boy even though I’ve spent a lot of time in it. All of my life I have lived a town life which, for me, gives a wonderful balance of places and people. I can go to places where there are people (normally) and places where there are few people.

I have what I think is a reasonable understanding of the countryside, I wouldn’t want to claim any expertise, but I have recently been on a bit of a book adventure trying to improve my understanding of what is still the majority of England.

Wilding book cover
Wilding by Isabella Tree

Most of England’s land is cultivated, there is very little that we haven’t dug over or grazed. Having said that, even I have noticed a huge change in the way that we cultivate our land and watched the relative price of our food drop year on year. It was these two thoughts and the third thought of how this had impacted farming that lead me to Wilding by Isabella Tree.

Farming has become increasingly industrialised since the end of the Second World war in the 1940s and this has produced a society that expects food to always be available and there are now generations, including myself, who have never known food shortages. We purchase our food food from large stores and expect it to be affordable. At the same time we’ve seen a huge drop in wildlife and there’s a growing sense that all is not well with farming.

Wilding tells the story of an estate caught in the middle of the pressures of modern farming. One of the best ways to understand how we get out of a problem is to watch the mavericks and to learn from them, that’s where Wilding comes in. Isabella and her husband Charles decided that the industrialisation of farming wasn’t working and went in the opposite direction letting the wildness back in.

Wilding is the biographical story of how the Knepp Wildland was established and the impact that it has had. It’s also a commentary on the many ways in which we drive farmers to do things that aren’t good for the land on which they live and shines a light into a world that each of us are dependent upon.

Without giving too much of the story away the Knepp Wildland shows that an alternative approach for farming can, and needs, to be found. I’m not saying that Wilding can be used as a blueprint for the future of farming but there are many lessons to be learnt.

This book got me thinking and opened my eyes to see different things around me, it also set me reading other books about the British countryside…

Header Image: This farm gate features in several of my walks, either side of it are fields of grass which have recently been ploughed.

Out of Office & Decline All Meetings – Outlook on the Web

As we approach this holiday season I thought I would share with you a productivity trick that you should absolutely use – assuming you are an Office 365 user.

Here’s the scenario.

You are about to take some days off and you want to block out your calendar, you also want to decline all of the meetings that people have decided are important to you, what’s more, you’d like to decline any meeting invitation for those precious days and to cancel any recurring meeting that you have set up.

In Outlook on the web, the Office 365 client that you use through a browser, Microsoft have made this really, really easy to do, right there in the Automatic Replies interface.

Automatic Replies on Outlook on the web

The Automatic Replies interface isn’t the easiest thing to find, so let’s start there.

  • Click on the gear icon in the top right corner.
  • Click on “View All Outlook Settings” at the bottom of this interface.
  • Select the “email” section where you’ll find “Automatic Replies”.

Once you turn on automatic replies and “Send replies only during a time period” it will show you three extra options.

  • “Block my calendar for this period” – is self explanatory and will create an “away” event in your calendar for the dates defined.
  • “Automatically decline new invitations for events that occur during this period” – again, self explanatory, if a little wordy.
  • “Decline and cancel my meetings during this period” – this is where the gold is. Select this and you’ll get another dialogue asking how you would like the meetings declined including the response text. You also get a full list of the scheduled meetings so you can selectively retain some meetings, but why you would want to do that is beyond me.

Be warned though, I’ve found that people aren’t used to others actually declining meetings, so when they get a flood of emails for the 50 meetings that they have scheduled with you it can lead to some frustration.

For anyone wondering why this feature isn’t in the “full client” then it’s worth understanding that Outlook on the web is the target for all of these innovations. Browser based development is quicker and far easier to deploy, the “full client” is always going to be further behind.

Header image: a misty morning walk on one of my regular routes.

The Messy Art of Communication

We are creatures of communication, we do it so naturally that many of us barely think about it, in most situations, or so it seems.

True communication is a two way activity, it requires transmission and receipt sadly something that we regularly forget. We all know the person who uses 1,000 words to say nothing at all. Likewise I suspect that we all know a person who is a lean communicator who uses very few words, but every word is golden.

We flick between communication modes throughout our days – words and pictures, vocalised and written, fact and fiction, formal and informal, emotional and intellectual, simple and complex. We are communication omnivores.

The reason that we communicate is normally for a purpose – we want to induce a reaction, a response, an action.

In my head, communication is a simple process. I have an expectation of how things work that regularly leads to frustration and I don’t think I’m the only one with this expectation. Let me illustrate from the perspective of written communications in a work context but I think it also applies in other contexts.

How I imagine we communicate

In my simple process something is created, people read and understand it. They provide feedback in a sensible way and then they act upon the contents. In six simple steps we have communicated in a way that results in action.

Anyone reading this who’s ever produced anything in a work context will recognise that this isn’t generally the reality. We don’t communicate like computers, we communicate like humans and that’s a far more fluid thing.

How we really communicate – this is also a fiction

While my simple process had a single entry point, the reality is that there are many entry points, people are joining the conversation from a vast array of perspectives and desired outcomes.

Just because I’ve started by writing something doesn’t mean that I have created what’s needed; it’s likely that people don’t know what they need to be created and that creating it is part of gaining understanding.

Meetings provide mechanisms for responding and reacting, but they also provide opportunities to debate and reconsider. They also provide opportunities for people to divert and disrupt, sometime deliberately but more often not. Meetings also create a fertile ground in which to spin off other meetings, discussions and actions.

Information gets created, rehashed and recut many times to help people gain a comprehension of what can be complicated subjects. The words that I use are likely to be different to the words that they use. The analogies and metaphors that I use speak to some and not to others. A single question can be asked in a thousand different ways and each one can elicit a different answering. We need to help people cross the chasm of understanding and that can take many, many words, diagrams, analogies, metaphors, graphs and numbers. The inevitable duplication that this brings should be both celebrated and cautioned against.

In many organisations there is still the culture of the template straightjacket; outlines of content that needs to be completed before a phase or activity can be regarded as completed. This leads to high levels of content duplication making version control an impossible task. Duplicated content would be far better as referenced content, but that requires people to think outside the template-document-mindset. The template-document-mindset being that way of thinking that transacts at the document level and hence requires all of the content to be in the document for the transaction to take place. I once deliberately putting an error in a glossary of terms to see whether anyone read it, they didn’t, years later I read a document that had a familiar looking glossary of terms in the back – yes, including the deliberate error. I hate to think how many trees had died to create that useless glossary.

Let’s spend a bit of time thinking about content and the questions people ask. How many times have you said the words “It’s in the document” or “It’s in the pages” only to give up once you’ve realised that people aren’t going to the content? I have done this many times and I still do it although now I have a new way of doing it. As most meetings are online I now point people to content by sending them the link in the meeting chat. It’s no more successful than telling people that there’s content available, but it feels less frustrating.

Once content has been created I love to see it evolve as people review and contribute to it but this is such a rare experience. In far too many situations people want to play at editing and contributing. It’s helpful to know that I’ve got the wrong their, they’re or there but it’s far more helpful if you tell me that I’ve overcomplicated something that could be done in a far better way. I’m not arrogant enough to expect my ideas to always be correct, but the number of times that people have fundamentally changed something that I have written are very rare – that’s not a good thing.

If communication is a science then it’s a complex one with many aspects, I prefer to think of it as a messy artistic endeavour that we all get to play our part in.

Header Image: This is Dunham Massey which is a local National Trust house with gardens to visit, and a deer park. I’ve never been in the house, the deer park is always wonderful.

Productivity Anti-Patterns: Video as Meeting Notes

Sometimes you need to see a poor way of doing something to see a better way – that’s the point of an anti-pattern. The purpose is to teach us how not to do something.

We sometime forget that productivity is a shared responsibility and a collective value. There’s no point in one person being hyper-productive if their practices cause significant pain to others. So much of what I see as productivity practices are precisely that – people optimising for the one and causing significant problems for the many.

In recent years recording meetings has become effectively free. All of the major video conferencing/collaboration platforms include the capability and most of them also include free storage for meeting recordings. In many circles, it has become standard practice to record almost every meeting.

Why wouldn’t you? It’s free and gives a full record of the meeting.

There’s more: some of the collaboration tools now include, as standard, an automated transcript of the meeting. Brilliant? You don’t have to trawl the whole video to find what you are looking for, you can search the transcript for the relevant part. Everyone who was invited to the meeting has all of the information available whether they were able to attend or not.

This is where the productivity anti-pattern starts

If we have a video of the meeting and a transcript of it then we don’t need to take notes or minutes for the meeting? We have all of the information automatically, why burden the secretary (remember them?) of the meeting with typing something up and distributing it? Wrong.

Summarising a meeting in notes and minutes is a skill with immense value to the reader, and also to the producer. Here’s a list of just a few:

  • The summary is far easier to reference than the transcript. In a transcript you have to make sure that you understand the full context, this often requires reading the whole transcript. You can’t read, or watch, just a few minutes because you can’t be confident that a subject was revisited later in the meeting.
  • Minutes, including actions, allowing people to understand what is expected of them quickly and easily. The act of writing the action out helps with understanding the action.
  • A summary can be revisited at the start of a meeting to get people up to speed a transcript never can.
  • A summary allows people to take a meeting out of their head, where it is using up useful cycles, and put it to one side until the next time it is needed. A video or transcript doesn’t do this in the same way, for me at least.
  • Notes of a meeting outline the conclusions of the meeting, not all of the working-out. Often the working out is of no value to the people responsible for taking actions from the meeting. Sometimes the working-out has value, but that’s normally as people progress the actions trying to understand context.
  • Producing notes and minutes are an opportunity for the meeting secretary to be review whether the meeting fulfilled its objective. It’s so easy to finish a meeting thinking that everything has been covered only to discover that something vital was missed.

I’m not saying that we shouldn’t video and transcribe meetings, but I am saying that using these as a replacement for good meeting practices including notes and minutes is a productivity anti-pattern.

One aspect that I haven’t covered is the psychological impact of videoing a meeting. There are many occasions where this isn’t an issue, but there are still many where people feel constrained by the thought that there words are going to be available for everyone to listen to. Video is great for the active vocal participants, it’s not good for the quiet contemplative.

Using the video of a meeting as the minutes may optimise the world of the meeting organiser (who is the de-facto secretary), it significantly decreases the productivity of everyone else in the meeting.

As a footnote: I’m not sure that continuing to optimise the organisation of meetings is a good thing. It leads to more poorly organised meetings – it’s experiencing the washing machine effect (more on that another time).

Header image: Sitting out for a pub meal on the Kirkstone pass.

Process and Technology “Hefting” – What will it take for you to change?

In response to my last blog which revisited the theme of Password Expiry Chris Swan tweeted this:

This got me rethinking about the idea of “hefting”. Let me explain by returning to some words I wrote a little while ago (2016):

I love to walk in the hills of the English Lake District. This area of the country is famous for a particular variety of sheep, the Herdwick, which have been indigenous in this area for over 1,000 years. Almost anywhere you go you’ll encounter sheep – they occupy vast areas of moorland. Have you ever wondered how the farmers know where their sheep are so that they can retrieve them from the hills for winter, for lambing and shearing? The answer to the question is hefting – also known as heafing in this part of the country, but known as many other things across the UK.

I’m no expert on hefting but the way I understand it to work, from a friend who does know, is that when shepherds want to establish a new flock, they take the sheep up onto the moorland where they want them to graze and they constrain them on that land. This is sometimes done with fencing, but is also done by physical shepherding. The flock gets to know where it can, and can’t, go because of the constraints. Eventually the shepherd removes the constraint, but the sheep don’t drift off. They stay where they have been hefted. They’ve learnt to live within their current constraints.

Once a flock has been established within its heft, the shepherd can add new sheep to the flock and they will take on the heft of the rest of the sheep, as long as too many fresh ideas aren’t introduced. The hefting is passed from generation to generation without the need for the constraints to be put back in place. That’s how strong the constraints are in the minds of the rest of the flock.

We’re not dissimilar to sheep. We pick a way of doing things, or a technology, based on what our tribe is doing. Having chosen a technology, we stay with it, we invest in it, and we live within its constraints. We become comfortable in our place of pasture. There used to be a saying:

“No one ever got fired for buying IBM.”

Over time that got replaced with:

“No one ever got fired for buying Microsoft.”

We are rapidly moving to the era of:

“No one ever got fired for buying Amazon Web Services.”

These transitions don’t happen overnight. They take a long time and, for some, they are still being played out. IBM still makes good revenue from mainframe, and Microsoft is still a pretty safe bet. Looking at what they are doing in cloud, they are likely to remain so – but it’s not certain. People become hefted to the technology they and their flock know, both the good parts and the constraints. Technology moves on, but people stay with the flock. Alternative technologies become available, but people stay hefted to what they know. When it comes to technology, though, that’s often a dangerous place to be.

There’s another tradition in English moorland communities – shepherd meets. These are the times when the shepherds from the community get together to trade sheep, show off their best ones and get to have a good time. There’s another reason for these meets, though. This is the time when the shepherds return their neighbour’s sheep. That’s because some sheep are mavericks. They aren’t happy with the place they’ve been hefted and wander off exploring, looking for somewhere better. I’ve certainly been through a number of technology changes in my career. I’ve made the move from one flock to another. Sometimes I saw that the flock I was in was not going well. But I have to admit, at other times, I’ve been pushed. I’ve also, at times, chosen to follow the maverick and found myself in a better place. I’ve also watched some businesses stay too long with their current technology, eventually getting caught out by a change in their market. Where’s your technology hefting? Is it still relevant? Do you know your mavericks? Are they going to a better place? Perhaps you should follow them.

These words were written from the perspective of technical hefting, but process hefting, or process debt, is just as prevalent and is more difficult to move out of. Once you’ve changed technology it’s changed, processes don’t change in the same way because of their human operators. Even for the simplest of processes humans really struggle to switch from one way of doing something to another. Organisations amass thousands of processes, some official, others more ad-hoc, these combine together into a spider’s web of function that define the organisation. The impact of many of these processes is unknown, they are followed because that’s the way things have always been done. As a piece of machinery within the overall mesh of business capability few organisation know which pieces are working well and which pieces need replacing. People have become hefted to their process and moving them out of it is a difficult thing to do.

Header Image: The Herdwick sheep in her environment.


Why are we STILL expiring passwords?

Back in 2018 I wrote this:

Picture the scene: You’ve just been on a wonderful vacation it’s been a great time to relax and do something you love, but now you are walking into your place of work. Waiting for you is a mountain of emails and you want to get right to it. You take out your iPad, Android tablet or open up your laptop and turn it on. Then it hits you, those words you dread: “Your password has expired”. Today is the last day you want to be changing your password. You’ve got enough to think about, but you have little choice. You wonder whether you should have reset your password before you went on vacation but you’re not sure that would have made any difference.

After fighting with the complicated set of rules that define what your password can be, you eventually pick a new one. For the rest of the day, and the next few, you try to remember to type the new password rather than the old one. I characterise this as The Four Ages of Remembering a New Password. Recently, the UK governments IT security advisor, the CESG, reiterated and gave further explanation for advice it gave in September 2015:

Regular password expiry is a common requirement in many security policies. However, in CESG’s Password Guidance published in 2015, we explicitly advised against it. (Read more: The problems with forcing regular password expiry)

Scheduled password expiry has been a dogma of enterprise IT security for many decades. It’s so embedded into the fabric of the IT landscape that it sounds scandalous for an organization as esteemed as the CESG to challenge it, but challenge it they have. The argument that they make, in summary, is that the “usability costs” of regular password changes makes people adopt mechanisms to cope with the changes that themselves lead to other security vulnerabilities:

It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn’t, it turns out, stand up to a rigorous, whole-system analysis.

The CESG isn’t recommending that organizations don’t worry about password vulnerabilities; they are recommending that organizations use other measures that do not involve scheduled password expiry and have a lower “usability cost.” They are proposing measures that they believe match better to the modern vulnerabilities that passwords experience.

I concluded with these words:

Whilst the approach of regular password expiry is embedded in corporate IT, it isn’t in places where you might expect it to be if it were such a good approach. My bank doesn’t ask me to change my password regularly; it makes sure that I have a complicated password that I can understand by making me use a password and a pin. For sensitive transactions, it makes me use two-factor authentication. Amazon doesn’t make me change my password regularly. When I log on to twitter from a new device, it sends me a message to let me know and to confirm that it’s really me. All of these approaches have a far lower “usability cost” than the regular password change, and it’s those approaches that the CESG is advising UK government organisations to adopt. It really is time to stop regular password expiry.

In the two years since I wrote my post, and the 5 years since the initial advice was given, little has changed in most corporate security environments. Challenging the dogma of password expiry is a short walk to a frustrating day. Many organisations now sanction password stores to alleviate the problem of multiple passwords and to ease the pain of password expiry, this doesn’t fix the problem it just makes it a little easier. Ironically, few of these password stores require the individual user to change their password.

In these days of increased home working many organisations have seen their password and security management challenged by the need to keep their people working. Perhaps this is another area where a crisis precipitates a change that seemed far too difficult in normal times.

It’s worth noting here that the CESG no longer exists and has since been replaced by the NCSC is the UK, but the advice hasn’t changed, although I did have to update the links in the above.

Other organisations have given the same and similar advice:

and for balance someone who’s standard still says every 90 days:

I am hoping for the days when we look back on passwords as a strange thing from our past, a bit like flared jeans, but I suspect that I’m not going to see it in my lifetime 😉.

Header Image: This is the view from Martindale towards Ulswater.