
The Criticality of Project Management

Project management has, over the years, gotten somewhat of a bad rap, especially for technology projects. It always seems like a luxury afforded by management, and whenever things go south in a tech project, the first stop for blame is always the project manager. It’s a tough life. On one hand you need to appease the forces that hold the budget (the business) and on the other, you need to deal with a bunch of geeks who are talking binary stuff and whom you know would rather not have you in the room because you don’t talk tech as much as they do.

We used to have a Project Management Office, receiving work from other large projects looking for business analysts, project leaders, program managers etc. It’s not cheap upkeeping these guys, what with their PRINCE and PMP certifications and their training and hours. The problem was also that when the project ended, we basically had to go look for other projects to take them on. It’s an expensive affair, unless you have a constant pipeline of internal or external projects to keep them busy. The thing was, we noticed project managers tend to stay as project managers. You couldn’t get them to go into tech audits, or develop software or do compliance work. At least, for the ones we hired.

In the past, Project Managers were fairly agnostic in terms of technical capability. They have a set of domains they are good at (whether telco projects, compliance projects or migration projects), but overall, the discipline more or less remains constant. Methodologies used by these managers include Lean, SCRUM, Agile etc, or simply PMI/PMBOK guidelines, which some of our managers tend to gravitate to. But aside from this basic competency, there is inherently a personality that project managers need to have. Leadership is obvious; then decision-making capability, the ability to stand strong when being questioned, and the ability to communicate the project properly. The ability to pull people together, from technical staff to consultants to internal business, and yes, the inherent charisma that one must have to become a successful project manager. He or she needn’t be the most technical in the room, but they must be able to sniff bullshit and weed it out. Time, budget and quality are the basic triangle of forces that need to be balanced, and good project managers are aware of this.

Due to cost and lack of demand, we shuttered our PMO a few years back, but our guys still practice basic PM work in our compliance projects, and in some smaller companies, we actually end up taking the informal role of the project leads. We wouldn’t call ourselves project managers, because not everyone who calls themselves a project manager is actually a project manager. However, for larger companies, we do defer to the project manager in charge, and in our time we have had some experience with some of the best in the business, and some of the absolute worst. The problem is that being a good PM or absolute garbage is so difficult to assess.

It MAKES A HUGE difference who you put as a project manager. It spells either success or complete doom to your project the moment you assign a good or a garbage project manager.

For a compliance project like PCI-DSS, there are some specific traits a manager should have, as PCI is a fairly technical project. And most PCI projects tend to drag on past 4 months or so. Some even a year plus. It does require a fair bit of technical knowledge, persistence and goodwill to successfully manage the project. Here is some of what we observed, and having experienced good ones and the bottom-of-the-barrel type of project managers, we can probably give a fair opinion of the points of success (between a good manager (GM) and a hapless manager (HM)):

a) Technical Capability

This is more of a trait than a skill.

The GM knows they don’t need to be an expert, but they also know they need to put their back and time into understanding the whole thing and trying to absorb the technical matters of it. They would attend training sessions and they would ask very good questions. The hapless managers go: OK, everyone knows their spot here. Consultants, I will look to you to answer all PCI related questions. I am here to gather information for all parties, so I want everyone to come for every meeting we are going to have moving forward.

The hapless one basically just comes in, fires off a few questions on project matters, and then sidles down and constantly has a faraway look in their eyes when we start talking about the project tasks and updates. Or they are glued to their phones or laptop, furiously typing out stuff with their brows knotted up. Their strategy is that everyone else will carry their own load so they don’t need to know anything technical because they are too busy with other more important things, like buying food for their cats online. Occasionally, they bark out some orders here and there but you can tell they know jackshit. After 4 – 5 sessions, they are still clueless and that’s when they start losing grasp of reality, and if the consultants are not available, the whole project is stuck, and then they move into the stage of looking to blame people for their ineptitude. Oh yeah. We have had plenty of these experiences for sure.

b) Communication

This seems a given, and a good manager ensures everyone is on the ball and the scoreboard is known to all. They know how to manage downlines (the people that need to get things done), horizonlines (the peers who are managing other downlines) and uplines (the business or sponsors pressuring the project). This innate ability isn’t bestowed on the hapless one. The hapless manager’s basic modus operandi is to take whatever the team gives, and, when questioned by uplines and peers, decide that they don’t know how to explain it and come back to the team again to ask for more information on how to deal with the questions. There is a complete lack of awareness in these managers that they are unable to overcome. They are unable to argue their points succinctly and always give in when there is pressure. Because of their lack of skill and understanding, they have no clue what positions to take and often waste the entire project timeline by going back and forth hopelessly like grass (or lalang) swaying in the wind.

c) Responsibility

One of the true strengths of character is when things are not going right, the good ones take up the responsibility of the situation and face the issues head on. The hapless ones find a way out, and find a way to blame others. To them, it’s always someone else at fault and never them. This stems from their utter lack of confidence in the project, that the only way they can reverse the situation is by saying, “It’s not my fault.” They usually will turn to consultants, as they are external to the company, and seek to pin the blame on them. It’s tough, but it is what it is. Most companies, given the choice of an external party and an internal person, would side with their own regardless of facts.

d) Time Management

The LLB (Look Like Busy) Trait is a big problem with these hapless managers. Because of their lack of a), b) and c) above, they are running around like headless chickens, being pulled from one meeting to another, unable to resolve any issues properly. So their heads are constantly in their phones or laptops instead of properly leading the project. Firefighting, or looking to assign blame. You can also tell when they are not able to manage meeting times. Many times, we have received calls from project managers requesting either an immediate meeting at their office, or that we come onsite within the next day, and they wail because we tell them we are either overseas or assigned to other audits and we can do a phone call. Most don’t understand that (unless we are properly paid and engaged), we are not their outsourced compliance unit, so they blame us for non-commitment. We are their consultants and there is no service level that requires us to stay in the client’s office all the time at their beck and call. Unless, again, they pay us, but most don’t pay for consultants to sit down and wait for inept project managers to scramble around looking for ad-hoc meetings.

Because they are scrambling and blaming instead of working, these PMs now think they are utterly important because they are so busy, but the fact is that because of their ineptitude, they are being forced to seek responsibility, communicate, or give technical explanations of the project – all of which they are unable to do. So it’s one excruciating, meaningless and useless meeting after another. It’s horrible to exist in that manner for a career, but we’ve seen this many times.

Once you solve a), b) and c), Time Management solves itself.

Bonus points: While this may not always be true, the way project managers approach meetings and projects can actually say a lot. If a PMP or PRINCE PM comes in, there is usually a methodology on the table, tools and actual project management software they utilise for reporting. They are able to standardise our reports to a point where they go straight to the point and to what they know their uplines need to know. Some hapless PM comes in, not certified in anything, not having knowledge of any tools, software or methodology, but basically armed with an Excel sheet they took from another project manager who took it from another project manager who used it to make sandwiches. That’s how senseless we see some of these methods and tools sometimes, and we just look at everyone across the table and everyone goes like: “What is going on?”

In conclusion, never underestimate the importance of Project Managers, especially in a long drawn project like PCI-DSS. While we have known some excellent ones in our time, we have also worked with yahoos out there that single-handedly managed to trainwreck projects. From this article, it may seem our experience is more on the latter, but the opposite is true – we have the privilege to have worked with some really excellent ones that have also helped us get better, over these years. They are absolutely precious resources in a project, trust me. It’s just that when we do face one or two hapless PMs, it stands out a little bit more because we are so used to working with good ones!

Yes, we shuttered our PMO as an advisory a few years back, but we also recognise the need for great PMs that might be able to help us out in our projects. If there is any interest, drop us a note at avantedge@pkfmalaysia.com and we will get in touch with you.

PCI-DSS: Internal Audit Signoffs

After going through previously the nightmare of PCI-DSS Certificates, as described with considerable detail in our writeup previously, we are now faced with a new phenomenon called the Internal Audit Signoff, which is further confusing our clients.

OK, first of all, let’s do a brief recap.

What are the 3 ways that PCI-DSS can be validated?

Answer :

  1. Full Report of Compliance (RoC) from QSA – Level 1 Service Providers, Level 1 Merchants
  2. Self Assessment Questionnaire (SAQ) signed off by QSA/ISA – Level 2 Merchants, (Maybe) Level 2 Service Providers
  3. Self Assessment Questionnaire (SAQ) signed off only by Merchant/Service provider – Level 3,4 Merchant, (Maybe) Level 2 Service providers

Those are the 3 endgames for PCI. And of course, the end scenario called Failure, or non-Compliance. But that isn’t cool, unless you are the type who is happy with Thanos snapping his fingers being the definite end to all things.

Now we all know item 1) requires the participation of a third party QSA/ISA to signoff on the Report of Compliance and the Attestation of Compliance. ISA here is internal security auditor. We won’t touch it this round, because this requires a whole new library of articles to discuss.

Item 2) likewise requires a third party QSA/ISA to signoff on the Self Assessment Questionnaire and the Attestation of Compliance.

Item 3) is basically self-signed – not a lot of acquirers take this seriously as basically it’s anyone signing off anything they feel like. There is no validation, and sometimes, it’s akin to the CxO sticking a finger to the tongue and putting it up in the air and going, “Yeah, that feels ’bout right. Let’s sign off and say we have these controls!”

Let’s talk about item 1 and item 2.

In item 1, it’s a gimme that the QSA needs to go onsite to the locations to do an audit. I have never heard of any QSA signing off on a full RoC without actually going onsite. Maybe when our tech reaches a point where the QSA can be holographically present in a location and see what’s there without being physically there, like a Jedi Force Ghost, the PCI-SSC would accept the signoff. But by then, we could probably just tell PCI-SSC that these aren’t the companies they are looking for, and then there’s no need to do PCI.

Until then – the question for item 2 is: for the QSA to sign off the SAQ, must they be onsite, or can they provide a remote signoff?

Now if you ask a QSA what the difference is between 1) and 2), they would say, not much – except they don’t have to waste their time writing the tome called the Report of Compliance (RoC) for level 2. Level 2 is basically a judgement made by the QSA, based on existing evidence, that what is stated in the SAQ is true, or at least as much as they can have reasonable assurance on. The SAQ is not a document written by the QSA, although they can help, but in this case they are validating it. For Level 1, it’s a different story. They have to write the RoC and the work put into that reporting phase is surprisingly a lot. In comparison, it’s probably like reviewing a first term essay paper written by your senior students (SAQ Validation) versus writing the Silmarillion including the index (RoC).

However, for QSAs to conduct their audit and provide a fair opinion on the controls, they will still want to be onsite for option 2), much to the chagrin of many of my customers. Their argument here is: “Hey I am level 2, why must you come onsite??” And again, the crescendo grows that a Level 2 should have less things to worry about than Level 1 – another myth as old as us telling our children not to sleep with wet hair or else they will wake up with a storming headache.

To get to the bottom of this, we got it directly from the horse’s mouth (in this case, the Mastercard SDP program response): “In this scenario (describing item 2) the QSA has to be onsite. The QSA cannot simply review a RoC or SAQ without being at the location to validate that controls are actually in place.”

To be fair, the above discussion was applied to L2 Merchants (Level 2 Merchants) – those making more than 1 million card transactions per annum. Whether the QSA is willing to take the risk and perform an offsite review for a Level 3 or Level 4, I wouldn’t know – that’s up to the QSA and the card brands I suppose. But to be absolutely safe, we would advise that all levels should be treated as such – if you need a QSA to sign off, that QSA needs to be onsite to get it done. Or use the Jedi Force Ghost. Both are acceptable to PCI-SSC I am pretty sure.

So, as an illustration, we had a request from a company, requesting us, for their location, to get the QSA to signoff remotely. Because “The Other QSA did it for us and certified us”. The other QSA meaning someone they engaged earlier.

OK – this certification term again. I am sure that did not happen – but many use the word certification for anything: an actual RoC, doing the SAQ with a QSA, signing off on the SAQ by themselves, getting an ASV scan etc… those are typical scenarios where we see this certification word being thrown around.

Digging further, we received a worksheet which was a typical ‘Scope’ document (you know, where they ask what sort of merchant you are, what business, how many locations, devices, whether you store card etc), and the instruction was to fill this up, send it over to the QSA and the QSA will ‘sign off’ their PCI-DSS compliance, all within 2 weeks.

QSA certified within 2 weeks, remotely, and with just the scope document, without validating any controls? No penetration testing or ASV? No Risk assessment? No review of information security policy? How?

We asked for the copy of the official signoff page (Section 3c of the AoC) but instead we got a signoff on a report from QSA stating what was scoped in and what was scoped out of PCI-DSS. A typical scope document. It’s a useful document, but it’s not a document required by the PCI SSC. In fact it doesn’t serve any purpose other than to simply state what is in scope for PCI-DSS based on the scope questionnaire (not the SAQ) provided by the QSA.

I am 100% sure the QSA meant well by this, but the problem was, there are interpretation issues. We cannot expect clients to understand, right off the bat, PCI-DSS and all its seemingly malarkey documents – the AoC, the RoC, the 9 different SAQs, the ASV scans, the partridge in the pear tree etc. So when we asked for an SAQ signed off by a QSA, of course, clients will fall back to any document being signed off by QSAs. That’s why we are not big fans of the practice where clients are provided with ASV certificates just because they passed their ASV scans. They all think they are PCI certified because they have a QSA signed-off document, which is the ASV ‘certificate’! And the same goes here: this is simply a scope review document – almost like an internal audit report – that does not make a company PCI compliant. In fact, it is just confirming that the company MUST be PCI compliant according to the scope set.

So the moral of this story is: Not all QSA signed-off documents are valid documents for PCI-DSS. ASV scans, while valid, don’t make you PCI compliant. They are only a small percentage of what you must do. Internal audits or scope reviews like the one we saw, even signed off by the QSA, are not valid PCI-DSS documents. They do not make you PCI compliant. As PCI has explicitly stated before, the only valid PCI-SSC documentation is the AoC, SAQ, RoC and ASV scan reports (not certificates, with flowery borders and impressive cursive fonts in gold). Anything else is supplementary material used to support the compliance, not to validate it.

For more clarity on PCI, drop us an email at pcidss@pkfmalaysia.com. We will try to sort any issues you have, and yes, we are the company you are looking for.

The Service Provider Conundrum

This is probably the umpteenth time I am writing this, but again we need to clarify once more on how Service Providers that do not store, process or transmit credit cards come in scope for PCI-DSS.

I just finished a very testy call with a multi-factor authentication cloud provider (actually he is a reseller/distributor), who called us back on our enquiry whether his cloud service is PCI compliant or not. He said he doesn’t need to be but their solution will help our clients in becoming compliant. If I got a dollar every time this argument is punched out, I would be retired in the Bahamas by now.

Now, to be fair, almost everyone thinks like this. “If we do not store, process or have any credit card processes, we don’t need to be PCI compliant.” It may have been like this in the past, but unfortunately, QSAs are tightening up their definitions of service providers to cover what we now deem as having ‘security influence’ over the CDE.

So yes, you technically have nothing to do with your clients’ credit cards, but let’s say your client authenticates to your CLOUD solution to get multi-factor authentication to access their CDE. Let’s say you are having a bad day and you get compromised, and the attacker hijacks your cloud and mounts a counterfeit token attack similar to what was suspected to have occurred in the RSA SecurID breach in 2011. Would a scenario like this equate to a CDE compromise? Would this mean your service actually has security influence over the CDE?

I could have explained this to the earnest reseller on the other end of the call. But I was fighting a fever, cough and flu all thrown in one large ball of crappiness that made my mood not so great. And the fact that he sounded a little patronizing when he said, “Oh, you are very confused. We don’t need PCI-DSS, so maybe you need to understand the standard a bit more.”

Hey, Captain, I’ve been living in this PCI crap for the past 8 years. I wish I didn’t understand it as much as I do right now to be honest because then I can always plead ignorance when questions like these pop up. As it is with all who are cursed with knowledge, I now have to trudge this lonely path of patronizing, condescending and almost pitiful responses to my queries as I had to on this very sick morning.

So, QSAs are lumping MFA cloud solutions in as critical security functions. To be fair to these QSAs, PCI did identify the following to be in scope:

“At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of its PCI DSS scope by identifying all locations and flows of cardholder data, and identify all systems that are connected to or, if compromised, could impact the CDE (for example, authentication servers) to ensure they are included in PCI DSS scope.”

We always assumed we were talking about authentication as in AD or LDAP, and never thought of lumping multi-factor ‘authentication’ into authentication servers. But think about it. If you have an on-premise MFA solution in your data center, would that be in scope for PCI-DSS if it’s used for access to get into the CDE? How different would it be from AD or LDAP, which manages one factor of authentication (something you know)? Wouldn’t the other factor also need to be looked into (something you have or something you are)?

By the same argument, QSAs thus conclude that if there is authentication in the cloud, regardless of which factor, that authentication service is in scope of PCI-DSS. The same goes for logging and monitoring service providers.

So what’s left for customers using MFA cloud providers to do?

Well, there are two options.

  • For providers that have undergone their own PCI DSS assessment: request and review the Attestation of compliance, scope, date
  • For providers that have not undergone their own PCI DSS assessment: include the provider’s environment as part of the entity PCI DSS assessment (increase your own assessment scope). You may need to request your own QSA to perform the provider’s review (tough… preferred solution is to work with providers able to demonstrate their PCI DSS compliance with their own assessment)

I am afraid it is what it is.

After getting sermonized by the (I believe, well intentioned, though somewhat with such poor communication skills) cloud MFA reseller, I thought writing all this down will save me the agony of going through over the phone to explain this particular situation. In that conversation, I just asked him, “Is your solution PCI Compliant or not?” and never really got him to answer properly because he kept arguing the fact that I am completely missing what PCI-DSS is all about.

Knowing it was impossible to argue on this point, I finally said, “Thank you so much for your time, I will let you know when I need more clarifications.” And away his solution went, lumped in with the 20 others in my bin called “Non Compliant MFAs”. The search goes on, and I am looking forward to more patronizing put-downs from well-intentioned resellers. Hopefully this article goes some way in clarifying without anyone getting jumpy on us.

If you need more information on PCI-DSS or any other compliance standards for that matter, let us know and drop us an email at avantedge@pkfmalaysia.com

PCI-DSS Service Provider SAQ

Recently, we have had quite a number of requests from service providers asking us for clarifications on PCI-DSS. Some come by way of reference from other clients; some just cold call me and start firing questions away. I don’t mind actually. I’ve done many an ad-hoc advisory in my car, as I am always driving from one place to another.

Recently I had a discussion with a potential client and I went on to do my normal explanation of the SAQ options available to him. He was more animated than normal and from our conversation, I could tell that he had done some reading.

The first thing he insisted was that he was doing less than 6 million transactions, and therefore he doesn’t qualify for Level 1 PCI-DSS, to avoid the controls for Level 1.

Firstly, just to be clear, the controls for Level 1, 2, 3 and 4 (for merchants) are EXACTLY the same. It doesn’t mean that because you are going through Level 1 you end up doing more than the other levels. The levels are guidelines on HOW you get PCI (either you do a self-sign or get a QSA/ISA to sign off for you).

Secondly, these Levels are generally defined by the card brands. You won’t see level definitions in PCI-DSS officially. The reason we ended up with these 1, 2, 3 and 4 is that they are the common levels from Visa and Mastercard in their merchant programs. Those numbers you often associate with PCI (6 million for Level 1 etc) belong to the Visa and Mastercard programs. Go ahead to https://www.americanexpress.com/content/dam/amex/hk/en/staticassets/merchant/pdf/support-and-services/data-rsecurity/DataSecurityOperationPolicyMerchants.pdf 

Amex has different definitions! Surprise! Their merchant definition of Level 1 is much lower than the 6 million we see. It’s 2.5 million transactions per year. But since I guess the number of people actually using Amex is probably the same as the number of people who understand the rules of winter curling, we end up just falling back to Visa and Mastercard’s definition.

Thirdly though – because this person was considered a service provider, these merchant numbers are moot. They need to look at service provider numbers, which are much lower – Level 1 Service Providers are those with 300,000 or more transactions yearly for Visa and Mastercard (Amex incidentally just keeps it at 2.5 million consistently for merchants and service providers).

So, if you are a service provider, don’t look at the merchant numbers for Level definitions!

It was hard enough to explain that on the phone. He kept insisting he was a PCI Level 3. I kept resisting the urge to correct him to say Level 3 definitions are mainly for e-Commerce merchants.

After a while and after he had somewhat calmed down, he then went on the trajectory that he wasn’t storing any card data and he was outsourcing the storage and processing over to another payment provider. This is possible. Many providers or aggregators utilise other payment gateways or third party facilitators to assist in the connectivity to the banks. But they use this argument to say PCI doesn’t apply.

Again – PCI applies regardless of whether you store or not. If you process, transmit, or even have security influence over those that handle card data – boom, PCI technically hits you. How it hits you is the question. If there is no storage, for instance, you may be able to escape the dreaded Requirement 3 and the Mystery of the Key Management Nonsense. But yes, some controls will still hit you regardless.

After a lull in the conversation, he started his engine again by claiming that OK, he might be a Level 2 as discussed, but he is definitely an SAQ A because he has outsourced everything to another gateway and he only redirects to the payment gateway for card processing.

Again, while appreciating his enthusiasm, I had to say again, SAQ A is applicable to merchants. If you are a service provider, you generally only have one – SAQ D. At which I found myself on the receiving end of some colourful expletives (not aimed at me in particular). However, depending on his scope, some of the SAQ D controls may be marked off as NOT APPLICABLE, so at least I had some good news for him – if what he told me was actually in place.

Then he went on a different tangent – so how often will Bank Negara (Malaysia’s Central Bank) ask us for this? I paused for a while unsure if I heard it correctly. When reconfirmed, I mentioned that our Central Bank has no mandate on PCI-DSS (as far as I know). PCI is a contractual obligation. To which I was then queried: So who do I pass this PCI document to? (in more colourful language). And I simply say: Pass it upwards! If your bank requires it, send to them. If your customer requires it, send it to them. If God Almighty requires it, send it to Him.

And then he asked the common question: Wait, if it’s a self signed, who will believe me?

Well, here’s the thing. Probably no-one. But apparently, that’s how PCI works. If you are doing an SAQ and it’s allowed by your bank or customer, it is perfectly fine for you to do a sign off in Section 3b of the SAQ and AoC. It is after all a Self-Signed Self Assessment Questionnaire. Based on his stunned silence, I imagined he thought I was kidding. So he repeated: “So if I hung up now, and just signed off everything, does that mean I am compliant to PCI?”

“Well, yes, it would mean you have attested that you are compliant.”

“What if I didn’t do what the PCI needed me to do?”

“Then you are non-compliant.”

“Wait but I already signed off on it!”

“Well, that’s you attesting and saying you are compliant.”

The self assessment concept is very difficult for some to understand. It’s like trying to explain the time dilation formula or something. And this is also the reason why I think, in 2012, the council decided that in the SAQ there would be an option to have an ISA/QSA validate the SAQ (Section 3c). This means your SAQ is no longer “Self Assessment” but rather “Self Assessed with an Auditor verifying it”. It’s not mandatory for Level 2 Service Providers, but usually clients or banks will want to see some other guy, other than the executive, signing off on the SAQ.

I had to end the call then as I had reached my destination, so I offered to go over to his office to see if he needed any help on his Self Assessment. I haven’t heard back from him since, so I guess he is still evaluating his options or something.

But the above conversation is more common than you think: Mixing up the levels, the SAQs between merchant and service providers and grasping the concept of the SAQ. If you need any clarifications, drop us a note at pcidss@pkfmalaysia.com and we will call you back. We are always looking forward to colourful conversations!

The Sickness of Busyness

I’ll admit it.

Like any other company, or culture within a company, we have our own little sayings to describe certain situations, certain issues or certain people. There is the often used phrase FOMO – Fear of Missing Out, a situation where a person is so afraid of losing out on things that they need to be involved with everything. There is the usual phrase NRS – New Recruit Syndrome, where a newcomer becomes so enamored with making things ‘happen’ in the company that suddenly everything seems to be moving — until it stops again. There is also the term LLB, not to be confused with the Bachelor of Law – “Look Like Busy”. It basically describes someone who always seems to be rushing, to be going someplace, to be doing something, to be typing things into their handphone, to be always sitting down as if their ass is on fire, to be talking on the phone with their bluetooth headset while walking around, making them look like they are doing a soliloquy in Shakespeare’s Hamlet.

With the advent of the mobile phone, the ultimate personal and intimate device, this LLB has taken on another dimension. Admittedly, as consultants, we do fall into the trap of being busy many times over. There are often remarks made to me: “You seem to be busy all the time.” The truth is, yes, sometimes I am rushing from one meeting to the next. Sometimes, I need to just get into my car, and in between meetings, I am on the phone to finish off another meeting. Yes, sometimes we overbook ourselves because Client A doesn’t come back to me and I book in Client B and then Client A says OK, let’s do a meeting and I go, Ah Crap, can we move yours an hour later. Client A goes, “Wah So busy one ah?” and Client B, when I am rushing to finish off the meeting so I can go to Client A, goes “Wah So busy one ah?”. I think 80% of this LLB occurs because my daily schedule sometimes ends up so dynamic, as in, random clients may need to meet for whatever reason – and to top it off, we don’t have dedicated sales, so many times we are doing marketing, meetings, administration, auditing, operational support etc.

But LLB isn’t about actually being busy – it’s about looking or being busy even when we are not. And that’s the truth. We are sometimes so accustomed to being caught up with things that we just think it’s unnatural to actually have… time.

Think about it. How often do we actually sit down over lunch/dinner and not whip our phone out, even when we are not working on anything? Or at the traffic lights or caught in a jam? Or when we are having coffee alone? Or when we are waiting for the one guy who is always late for meetings and we all sit around tapping away at our phones? Truth: I’ve actually seen a client who, while waiting for the meeting to start, took up his phone and just started tracing his finger over his phone in circles while staring at it. He wasn’t reading anything. He didn’t have any app started. He wasn’t listening to Spotify. He was, in a trancelike way, just tracing his finger in tiny circles over his LOCKED screen.

What?

How dependent have we become on this tiny little device we always have in our pocket? How often do we go absolutely ape*hit when we cannot find our phone? How often do we actually place this guy on the table in our meetings, in our lunches, in our time even with our family? Have we become so consumed with the idea that WE ARE NEEDED that we think we are needed even when WE ARE NOT?

Once, during an interview, a guy I was talking to kept checking his phone. Maybe he was nervous, OK, I’ll hand him that. But he kept looking at his phone until I finally asked: “Is your boss looking for you?” and he looked at me in a confused manner and I just shook his hand, said, “Thank you for your time to sit down with me” and I left. Oh, yeah, I was the one interviewing and he was the interviewee.

What is wrong with us? Are we so disillusioned with our own importance that we can’t even for a single minute stop this nonsense of tapping on the phone, writing an email, drafting a report, reviewing a document or composing a stupid blog post and just look up and find that we are still human?

One of the things we need to change, starting with ourselves, in this LLB business:

a) Meetings – if you are meeting a client, or meeting a service provider, or meeting a colleague, make it a point to limit the phone usage. It’s highly insulting that during a one on one meeting, while it’s going on, you whip out your phone and tap an email or a reply to a chat. If you have to do so, such as to answer a call, excuse yourself and say, “I am so sorry. I need to take this just for a while” and then tell the other side that you would call them back. Don’t take any longer than necessary. Of course, there are exceptions. Once I was with an important client and my mother called. She never calls during work hours unless it is an emergency, so these were exceptional circumstances. I took it, but I apologised first to the client. The concept is simple: if someone actually takes time to spend with you, give them the due courtesy of your own time with them. Except for these exceptional circumstances, let’s have conversations and connections, as opposed to emailing or texting.

Another irritating habit (of which sometimes I am also culpable) is the constant tapping on the laptop during a meeting. This is usually done by non-leads (the guy in the meeting who is not participating much in terms of discussion). Unless they are doing minutes or capturing the discussion, this is strictly banned in our company. I had a client once who told off his executive and sent him out when he was tapping furiously on the keyboard while the meeting was going on, and it wasn’t related at all to the discussion. He was trying to solve an operational issue or sending out an email to another client. No, his boss was saying. You aren’t that important. Get that in your head and sit down and shut the hell up and listen and learn. Good lesson, that one.

b) Mealtimes – Even at lunch or dinner with colleagues, it’s very irritating to have the phone out the whole time. Don’t. Every time you do that, it states that the people around you are unimportant. In our family, we try never to have that. Yes. Even when I am bored stiff staring while my 3 year old is taking his own sweet time eating his food (he likes to eat on his own but by the time he finishes, fishes have actually evolved into birds) – and my wife and my other kid are nowhere to be found in the shopping mall, I have to refrain from whipping out my phone, unless it’s a call. Mealtimes are a no-no for phones in our family. Why not during our corporate lunches/mealtimes as well? Why not interact without the laptop?

c) Travelling – Yes, I admit, caught in horrendous traffic, it is very enticing to catch up on things. I’ve avoided this (because of traffic summonses) primarily by either having a meeting in the car (yes, I am theoretically still using the phone) or just listening to Spotify, which is a godsend to road warriors who spend half their day stuck in traffic. If I am with another colleague in the car, then getting on the phone is a no-no (also because some meetings are obviously confidential). Let’s interact instead! In the lift, don’t whip out your phone and tap around or continue talking. In the toilet, for God’s gracious sake, don’t talk on the phone while you take a dump! I’ve heard this many times before. There are practical reasons not to do these things – primarily because of confidential information being accidentally leaked out – but also – come on, it’s crazy having to chit chat while doing something in the toilet.

Tell ourselves: I am not that important. Yes. This goes against all the motivation, self improvement philosophies that keep telling us how important we are etc. No. We are not that important. Life for other people will still continue on if I don’t respond in an hour or so. While it is common courtesy to respond to a text or email within a reasonable time, nobody is saying you need to respond immediately. I mean, back in our fathers’ time, they didn’t have email. How on earth were they supposed to reply “yes” to lunch immediately? So unless it’s life and death and remarkably exceptional circumstances, sometimes it’s ok to put the phone down.

But take note. Many times, busy-ness happens to us because we are poor time managers. When we promise a deadline and we miss it, and we complain because now our boss is calling us, and we go: well, family time is more important, let me tell him to screw off. That’s also stupid, and will probably cost you your job. If you didn’t do something or did not hand in something, then take ownership of it and do it. And doing something doesn’t mean just finishing it. It means finishing it with the proper quality required. I’ve seen many so-called reports on my table that could have been better written by llamas. As in the animal in Tibet. If you can’t get your work done, then be prepared to work overtime, over the weekend, to fix or finish it and don’t complain about it. Deadlines are deadlines. It has nothing to do with looking like busy – it’s our own fault for not being good time and quality managers.

LLB isn’t about that. It’s about Looking Like Busy even when we are not. It’s about: Oh, let me stay up late tonight just to show everyone I am working late and send out an email at 4 am to impress my boss. It doesn’t matter what time you work until – some people like me work best between midnight and 4 am, so that’s when we get stuff done. It doesn’t mean that if I send an email out at 5 am, I immediately get my morning off!

We should take our time to look around us. Observe. Even in our workplace – it’s almost like a family since that’s where we spend most of our daily hours. We can observe nuances of a person, how someone reacts, the way he or she speaks – human connection is being lost in the new generation of logical and virtual connectivity. Crack a joke. Laugh. Remind ourselves of the humanity of life.

I am often reminded of how precious little time we have on earth when I am with my children. I am reminded of a time not very long ago when I was their age, looking up at my dad as he waited for me to finish my damn meal, but (because there were no mobile phones back then I guess), still grinning at me as I attempted the foolish task of manipulating noodles into my mouth with a spoon. And suddenly I am here. Same situation, looking at a mini version of me doing the same thing and taking so much of my precious LLB time.

Are we really, truly that busy, or are we just needing to vindicate our importance on this planet before our clock is up? Our importance isn’t in the glowing screen of emails or Whatsapp messages or Facebook Likes. Our importance is in the reflection of ourselves in the eyes of our children. Our parents. Our spouses. Our friends. Or in many cases, even our pets. It doesn’t matter “who”, as long as it’s not a “what” that’s reflecting back at us.

So, enough of writing this blog post for now. I am not busy now and I don’t want to appear to be busy. There will be times when I am, for sure, so I’ll enjoy the times I am not. It’s time to get some coffee and converse with someone – or just look at my kid and wait for fishes to evolve to birds. Say no to LLB this year! Happy new year!

© 2024 PKF AvantEdge