Research Portfolio Patricia Ensworth Harborlight Management Services LLC May 2015

Research Portfolio

Patricia EnsworthHarborlight Management Services LLC

May 2015

2

Introduction

Hello, and welcome to my portfolio. I’m a business anthropologist, a researcher and project manager.

Typically my projects focus upon the development of new products and services, or the modification of existing products and services to improve user acceptance and reduce risk. I enjoy learning about the perspectives of diverse stakeholders and understanding the needs of complex work process communities. Here are three examples.

Patricia Ensworth, Harborlight Management Services LLC

3

Three sample research projects

• Investment bank new IT Security service for urgent break-the-rules requests

• Financial institution new governance process for e-commerce in mobile digital environment

• Sailing club new race management procedures after sinking of club boat in a sudden squall


4

IT Security: the background

In January 2011, for the first time Google reported that Chinese government hackers had broken into Google’s servers and stolen source code for Google’s search engine. Because many U.S. companies in critical industries had installed the source code as part of their own intranets, this act of cyberwarfare imperiled their business operations and data security. On orders from the Department of Homeland Security, senior leaders of a global investment bank immediately initiated a $1.2MM one-year project to fortify their defenses.

Bloomberg News:http://www.bloomberg.com/news/2011-02-28/morgan-stanley-network-hacked-in-same-china-based-attacks-that-hit-google.htmlVanity Fair, “Enter the Cyber-Dragon”http://www.vanityfair.com/culture/features/2011/09/chinese-hacking-201109


http://www.bloomberg.com/news/2011-02-28/morgan-stanley-network-hacked-in-same-china-based-attacks-that-hit-google.html

http://www.bloomberg.com/news/2011-02-28/morgan-stanley-network-hacked-in-same-china-based-attacks-that-hit-google.html

http://www.vanityfair.com/culture/features/2011/09/chinese-hacking-201109

5

IT Security: the research goalUsers of information systems receive privileges from qualified administrators to access data and IT functions based upon the requirements of their jobs. The official approved model of privileged access does not always match the actual human network of interactions within the organization.

This discrepancy often occurs because the business needs change faster than the compliance review process. Informal trust relationships also evolve among colleagues, leading to an alternative undocumented set of workarounds.

To reduce the risk from both external hackers and internal miscreants, research will discover actual user behavior when an urgent need arises to break the rules for privileged access on several critical systems.


6

IT Security: the research methods• Snowball sampling of informal trust networks to identify key participants in

systems’ user communities.• Analysis of data logs to determine ordinary and unusual behavior patterns.• Interviews of internal subject matter experts in security issues to document ideal

roles, responsibilities, and practices for privileged access.• Interviews of user community members to document their experience during

actual “break-the-glass” cases.• Task analysis and card sorting with users to clarify decisions made, information

required, and resources employed.• Process mapping through user-generated flowcharts to map the “break-the-glass”

cases within the technology and data infrastructure.• Co-design sessions with user community members to validate findings and review

proposed new service designs.


7

IT Security: the results• New user interface for several system monitoring tools.• New workflow for administrators granting privileged access to information

systems.• Modifications to supplier contracts limiting conditions under which suppliers’

employees could receive privileged access to client’s information systems. • Mandatory regular training for system administrators about ongoing revisions to

privileged access procedures.• Mandatory annual training for all employees on emerging cybersecurity threats.• New IT security unit dedicated to reviewing and approving urgent “break-the-

glass” privileged access requests.• Additional operational responsibilities for Risk Officers and Internal Audit to

monitor IT staff compliance with privileged access procedures.• Additional financial responsibilities for business unit management to incorporate

improved security architecture into designs for new system functionality.


8

E-commerce: the background

A leading financial institution whose primary businesses were investment banking and wealth management acquired a large retail brokerage firm. Although the three businesses had separate IT organizations, different marketing strategies, and unique security challenges, all were subject to strict rules from multiple government authorities regulating e-commerce activities. Senior management of the financial institution wanted to decide whether they should centralize the governance of e-commerce at both the executive and the technical levels across the three business units.


9

E-commerce: the research goalMore customers are now doing business with all three business units. They expect the systems to be integrated and the user journey to reflect a consistent brand.

Within the organization, the concept of “e-commerce” has a wide range of interpretations, and the meaning affects the identification of stakeholders. Because Managing Directors and technical SMEs are very busy, they want to focus their attention on initiatives that will have a measurable impact on their unit’s business results. For political reasons leaders of the different business units are often reluctant to collaborate.

Research will discover the linguistic operational models for classifying activities as e-commerce, the urgent problems caused by conflicts between implementing a competitive UX for the mobile digital environment and complying with government regulations, the executive and technical representatives most qualified to serve on central steering committees, and the pertinent issues about which a team of rivals is most likely to reach a consensus.


10

E-commerce: the research methods• Analysis of formal organizational charts and informal communication networks to

identify appropriate steering committee members.• Participant observation of key systems, software, and mobile apps to understand

the user experience.• Interviews with UX, marketing, and development managers and staff in each

business unit to prioritize customer issues and establish usage patterns.• Interviews with Managing Directors to clarify business strategies and understand

the political landscape, and with legal and regulatory SMEs to create a network map of current communications.

• Task analysis and process mapping with representatives of IT Security, Risk Management, and Internal Audit to identify opportunities for leveraging existing assets and procedures.

• Co-design sessions with the Executive Steering Committee and the Technical Steering Committee to define the vision for the governance process, create an agenda, establish levels of authority, and develop communication protocols.


11

E-commerce: the results

• Decision not to centralize e-commerce governance at the executive level, but to maintain a separate steering committee for each business unit.

• Decision to centralize e-commerce governance at the technical level, establishing one permanent steering committee with members from each business unit.

• Additional responsibilities for several existing executive committees that monitored technology, data, and regulatory risks.

• New intranet website for technical steering committee to share information, report problems, prioritize remediation, and arrange collaborative work on solutions.


12

Sailboat racing: the background

A popular sailing club in New York Harbor conducts races on club-owned 24-foot sloops. One summer evening when the weather forecast seemed favorable, an unexpected squall arrived. A boat with an experienced crew capsized, quickly sank, and vanished. Because the accident occurred near shore the crew was rescued, but they were lucky. Officers of the sailing club wanted to find out why that one boat out of the entire fleet was lost in the storm, and what modifications should be made to racing protocols and maintenance procedures to reduce risk in the future.


13

Sailboat racing: the research goalA fleet of a dozen sailboats races in the Hudson River between the Statue of Liberty, Governor’s Island, and the Erie-Lackawanna Terminal. The Race Committee manages the logistics from a floating clubhouse anchored off Ellis Island, assisted by two small dinghies with outboard motors. The floating clubhouse has internet access to weather websites and also receives NOAA weather bulletins by VHF radio.Races are conducted according to the rules of the International Sailing Federation.

All racing captains are required to have a VHF radio on board and to monitor communications from both the Race Committee and NOAA weather updates. The sailboats receive regular maintenance to ensure that they comply with Coast Guard safety standards. Racing crew are experienced sailors familiar with local waters.

Research will determine whether the boat sank due to problems with race management, miscommunication of weather updates, equipment malfunction, crew error, or other factors. Crew and staff reports will be anonymized and confidential.


14

Sailboat racing: research methods• Participant observation on racing crews and Race Committees under different

weather conditions at different sailing clubs.• Task analysis of Race Committee procedures for monitoring NOAA weather

updates and canceling a race due to bad weather.• Task analysis of the accident boat crew’s normal procedures for reducing risk in

bad weather.• Documentation review of accounts of similar boats capsizing and sinking.• Inspection of maintenance logs for all race boats in the fleet.• Inspection of photographs taken at accident site before and during the storm.• Diary narratives written by individual crew members of the accident boat.• Unstructured interviews of the accident boat captain and crew, Race Committee

members, captains and crews of the rescue boats, club maintenance staff and club support staff.

• Structured interviews of the accident boat captain and crew.


15

Sailboat racing: the results• Relocation of key Race Committee members from the floating clubhouse to a

powerboat on the race course.

• New rule for race boat captains to carry rigging knives on their persons at all times.

• New required briefing by race boat captains to their crews for every race before they leave the dock.

• Modifications to signal flag protocols for communicating race cancellations.

• Replacement of certain equipment on older boats.

• Enhancements to training provided to apprentice skippers in the Mentor Program.


16

…and may I help you?These three examples illustrate a range of goals and methods. For more than twenty years I have been conducting research and managing projects to deliver products, systems, and services in fields such as financial services, health care, media/telecommunications, and government. I have worked on local initiatives where colleagues communicate face-to-face and global programs where virtual team members overcome the challenges of multiple languages and time zones.

For more details about my practice, please visit: www.harborlightmanagement.com or contact me: [email protected]


http://www.harborlightmanagement.com/

mailto:[email protected]

Documents

Research Portfolio Patricia Ensworth Harborlight Management Services LLC May 2015