Monday, June 28, 2010

What Can Revenue Assurance Learn From Military Signals?

Because I am a Revenue Assurance guy, I would like to think that I am someone who believes in rationality. I think decisions made in the telco should be based on facts and logic, rather than internal politics. Decisions should be about what is best for the telco, not who the most powerful person is in the company. In saying that I am not trying to be naive - I understand that politics is part of how corporations work.

But I also know that the more business decision come to be based on politics rather than logic and facts, the less likely it is that those decisions will be the right ones for the telco. While I am not saying I have some secret answer that will solve this problem, I am going to say this problem reminds me of something I used to encounter when I was in the army.

Can You Hear Me Now?

One of the things the army taught me, especially when I was an officer, was how to use what they called "signals." Basically most people nowadays would understand this as high powered walkie talkies - though the technical term for it is half-duplex radio.

This means that only one person on a given frequency can broadcast at any given point in time. When you are not broadcasting, you can listen to what others are saying, but when you are talking, you cannot hear anyone else.

This is old technology and it was very easy to disrupt - if you knew the right frequency, you could jam it. All you had to do as the enemy was broadcast on that frequency, and no one would be able to talk to anyone else. But while this kind of jamming was easy, it also meant we knew when the enemy was doing it.

Playing with Fire, and Live Ammunition

If the enemy was being more more sneaky, however, and especially if they had the intelligence capability to find out more about the culture of your unit and how it worked, they could very easily use what we might nowadays call "social engineering" to disrupt the unit and cause problems.

And these would not be small problems. Army signals are used to order artillery and air strikes. It is used to tell large numbers of troops where to go and what to do. If a unit's signals were to get compromised, it often meant many of your best friends end up in harms way, or being the target of friendly fire, bombs or shelling.

The thing is that people in the army are not stupid, so they develop ways to ensure this does not happen, or at least ways to make sure it can't happen so easily. But because they were using relatively simple technology, most of these controls involved personal discipline and following procedure.

Procedure Has Reason, Discipline is Not Optional

If you work in IT, or IT auditing, you know what triple-A/AAA is - Authentication, Authorization and Accounting, and that is basically what "signals" discipline involves (maybe not so much the accounting, but certainly the first two).

Whenever someone wants to contact you or give you an order, you need to challenge them, and they need to authenticate themselves - they need to prove they are who they say they are. Based on that authentication, you know what they are authorized to tell you to do (send air strikes, move to a new location, etc.)

The problem happens when that discipline breaks down. And you know as well as I do - the people who most often break rules or fail to follow discipline can be the ones with the highest rank (ie: top management!). Sometimes you get unit commanders who don't care about signals discipline and who just start yelling into their radios, "don't waste my time," "just do it," or "you know who this is, don't be stupid"

Bad Habits Make Bad Things Happen

And when that happens, what these commanders are doing is bypassing authentication - we cannot be sure if you are who you say you are. And if this becomes a habit, everyone gets trained to do exactly the wrong thing - accept peoples voices and shouting as authentication.

Enemy intelligence agents start to figure these patterns out really fast. And if this culture exists in a unit, you are suddenly going to get this shouting commander asking you to do strange and stupid things - orders you have to obey. And it is only later everyone realizes those commands are coming from the enemy. Usually by then it is too late.

The Role of Professionals in Controlling Management

What does this have to do with telecoms and corporate culture? A lot. Most companies have standards of professional behavior, and they also have policies and procedures designed to prevent bad things from happening. These things don't just apply to professionals - they have to apply to management and executives.

Why? Because professionals can only cause so much damage - it is the executives and top managers who can end up making catastrophic decisions to bypass controls, decisions that hurt everyone who works in the company. That was what happened in companies like Enron - and it was the professionals, a small group of internal auditors, who eventually found out the truth.

To me, that is part of what being a professional is really about - having respect for rules that helps keep everyone a little safer. Just imagine if someone in your telco managed, because they are an executive, and because of the force of their personality, to bypass logical controls such as those around procurement etc., the damage they could do not just to the telco, but everyone who works there.

Listening to Logic, Decisions Based on Facts

But just on a more day to day basis, what I am talking about is making sure that the Revenue Assurance function, one that exists purely to look for risk and to calculate how big the risk is, is never taken for granted. Their facts should never be pushed aside just because people do not want to or cannot handle the reality of a situation - that a deployment is not cost-effective or a campaign is too risky.

It is usually when the professionals give in and fail to enforce policies and procedures that exist for everyone, even the CEO, that some of the worst things happen to telcos. But I know that Revenue Assurance professionals know better.

And that is why I LOVE Revenue Assurance.

No comments:

Post a Comment