Nathan Levis Joins Trility as Senior Sales Engineer

Nathan Levis will help identify and craft solution engagements for clients to simplify, automate, and secure their paths forward.

Trility Consulting® is proud to announce Nathan Levis has joined the Trility team as a Senior Sales Engineer. In this role, Levis will help identify and craft solution engagements for clients to simplify, automate, and secure their paths forward.

Leveraging his breadth of technical expertise and an open-minded approach, Levis will focus on building partnerships to ensure organizations defend or extend their market share in an era of rapid disruption.

A Holistic View of Business

“Nathan brings invaluable Cloud, DevOps, Software Engineering, and agile experience, coupled with a keen interest in holistic business impact to help companies deliver on their most important technology-enabled priorities. He will be a great asset for our clients and for the Trility team.”

Brody Deren, Chief Strategy Officer for Trility

Trility’s outcome-based delivery method means clients receive observations, recommendations, and options to iterate for the best, highest-priority outcome. Levis will help build upon this proven approach and ensure we continue to deliver over and over again on our promises – meeting time, budget, and defined scopes that align with business and technical requirements. 

Comprised of technologists and business consultants, Trility helps organizations of all sizes achieve business and technology outcomes while equipping them for the next iteration in these areas of focus:

  • Cloud and Infrastructure
  • Product Design and Development
  • Information Security
  • Data Strategy and Management
  • Internet of Things (IoT)
  • Operational Modernization

About Trility

For those wanting to defend or extend their market share in an era of rapid disruption, Trility simplifies, automates, and secures the journey and has a proven history of reliable delivery results.

Headquartered in Des Moines, Iowa, with teams in Omaha, Neb., and Chicago, Ill., our people live everywhere and work where needed to help clients navigate their business evolution with certainty.

A Basis for Automation: Predictable, Repeatable, Auditable Work Flow

To consider automation, we have to first understand the work. Otherwise, we are just taking bad things and making them go faster.

This article was previously published on LinkedIn.

I remember a math teacher from long ago telling the class, “Until you know how to do the math with a pencil and eraser, you cannot use a calculator.” And I have subscribed to this logic my entire life journey. Learn everything at the most basic level. Understand why not just what. Optimize the information after I understand so I can then learn even more. This is one of the great experiences that made me want to be a lifelong learner.

Another was a physics teacher sitting beside me, walking me through a book from the Smithsonian Institute on space. His questions to me, as we thumbed through the pages looking at high-resolution pictures of the planet, were simple: “Can you imagine what it would take to travel to that planet?” “What do you think it would take to live on that planet?” And I, thereafter, sought to understand what it would take to solve these problems. This experience taught me, “Think very big and do not be intimidated by large, opaque, complex, high-risk problems.”

I also remember, with great sadness, when I realized there was more to learn than I would live long enough to understand and value.

All Big Things Become Small Things

So, I looked for methods of discovering, organizing, and leveraging greater volumes of information in my everyday life. I needed a way to discover and appreciate the depth and breadth of a seemingly infinite set of bodies of knowledge while accepting I only have one lifetime to do it. I needed a way to take big things and break them into small things so I could choose what, when, where, why, and under what circumstances they may directly apply, or cross-apply, to other endeavors in my life.

Common words for organizing big things into little things and so on include paradigms, frameworks, patterns, templates, reference architectures, taxonomy, decomposition, configuration management, deconstruction, classifications and even Table of Contents.

Figure 1. Big things decompose into small things.

To the dismay of all logophiles out there, I’m going to condense this discussion to one word – patterns.

I look for reusable patterns in everything. Patterns to understand things around me. Patterns to organize. Patterns to do work. Patterns to assess risk. Patterns to deliver. Life is full of reusable patterns.

So, when you’re trying to understand something big, break it down into parts and pieces. It will be easier to understand, organize, prioritize, and build back up again at scale because you will discover one or more patterns. Whether something is broken down to the atomic level or to user classes, epics and user story threads depends upon your project.

Work Has A Predictable Pattern

Most people understand the idea of work. I am cold. I put on a coat. I am warm. I have dirty dishes. I wash them. I have clean dishes.

State A. Do something. State B.

And many people want to see the results they want to see – right now.

I want pecan pie right now. I want it to look and taste just like what my Grandmother used to make for me on holidays and birthdays. My Grandmother has passed away, I don’t have her recipe and I failed to ask her to teach me how to make the pie. I want it nonetheless. Now. Exactly the way she used to make it. With whipped cream. Do not fail me, maker of pecan pie.

What I want and what I can get is dependent upon an ability to:

  • See the big thing (pecan pie);
  • See the parts and pieces (ingredients); and
  • Understand the method (order and method of operations).

Whether I’m making Grandmother’s pecan pie, building a barn or implementing a continuous delivery pipeline in the cloud, they all require the same steps, in the same order, to begin and complete the work.

The basic pattern of work looks like this:

  • a request for work,
  • entry criteria (criteria by which we agree to start work),
  • a method of doing and a method of checking work,
  • exit criteria (criteria defining “done and acceptable”),
  • and a deliverable.

Figure 2. “Do Work” – A simple view of how work happens for one person.

People Do Not Perform Consistently

The unpredictable, non-conforming variability of people is one of the things that makes life an adventure. People and their culture are rich and unique, and our memories and the stories we tell about them form a vibrant tapestry.

When it comes to work, if we know the pattern of work, then why do so many hard-working teams fail to deliver, let alone deliver well?

Humans are not automatons. Humans are, by nature, variably behaved, expressed and experienced. For 100 people to complete 50 individual tasks 100 times in a predictable, repeatable and auditable manner is a pretty tall order. Which may explain why a grande caramel macchiato retrieved from the same chain store in different cities tastes different so often. There is a recipe, an order of steps and method. Nonetheless, sometimes the coffee tastes like the highly caffeinated liquid weight gain I expected and other times a painful waste of money.

If there is a pattern and the work is human and manual, there will be variable results. Human results are variable. Why does only one team win the annual football bowl game while others do not? More interestingly for our conversation, explain why that same team doesn’t win every single year of their existence. Variability.

We know what a predictable, repeatable pattern of work looks like and we know how human variability can impact that pattern in everyday life.

Now let’s look at what happens when we have many people.

Work Patterns Get Complicated As They Scale

Assembling around an objective to achieve a result is seen in all of nature. It isn’t unique to humans.

Bees. Ants. Animal packs. Sports teams. Military units. Projects.

For humans, work becomes more complicated as the number of people involved increases. With more people come more units of work, more steps and more latency between steps.

Consider the following behavioral pattern many of us see in organizations, “This team does work, then this team does work, then this team does work.” Have you seen this before?

Queue work, start work, do work, hand-off. Repeat.

When we watch ants decompose food, there appears to be a constant flow of activity. When we watch bees collect honey, we see the same characteristics. Flow.

When we watch people on projects, it simply isn’t the same.

Imagine being in the passenger seat of an old 1968 F-150 pickup while a teenager is learning to drive a stick-shift. Now imagine every time said teen pops the clutch, taps the accelerator, hits the brakes, or all of them at the same time, your head rocks back and forth between the glass behind you and dash in front of you. There was no padding in the dashboard. Learning to control the clutch is a practiced, learned behavior. Learning to push the accelerator while letting off the clutch is also a learned behavior.

Flow is a learned behavior. Flow must be sought on-purpose.

Now, imagine smacking your face on the dashboard, glass or both every time work moves from person to person on a project in your company. Start. Go fast. Stop. Start. Stop suddenly. Kiss the dashboard.

What if your face was the barometer of your organization’s flow? Imagine increasing the number of people, concurrent projects and tasks to span the company and you are the only person who hits glass and dashboard for all projects, all people, all steps, all starts and stops. Need a helmet?

If you think I’m exaggerating to make a point, I am. A little. The stick shift story is real. I feel bad for my dad and all the watermelons we ran over in the field that day. He ended up sitting in the seat sideways with arms against the seat and dash in a self-defense position. If there had been predictable start and stop patterns that day, perhaps he could have navigated the situation more enjoyably. I still remember the look on his face.

Figure 3. “Do Work and Wait” – A simple view of work for multiple people.

When it comes to performing work and delivering results, the ideal experience achieves a smooth flow of work being performed, with little to no wait times in between steps, and smooth transitions.

Wait time and unpredictable transitions likely cost my dad time on this earth realized as dynamic, premature aging. Wait time and unpredictable transitions cost companies time and money.

The “start and stop” method is also known by some as the “throw it over the wall” principle.

“My part is done. Worked for me. Good luck!”

We want flow like ants and bees. We more likely experience starting, stopping and pain like my dad while teaching me to drive a stick-shift.

Manufacturing Controls Flow Through Batch Sizes

If you and I are on the same page regarding the value of flow versus kissing a dashboard with your face, let’s talk about how to get there.

Decades ago, the manufacturing industry began the use of assembly lines (automation) to increase flow, throughput, predictability, quality and manage their scaling economics. They received another boost in productivity and value when they moved from large to small batches along the same assembly line. Wait times decreased and flow increased.

And due to batch sizes, their ability to adapt to change increased.

In the manufacturing world, wait times (inventory in a wait state) are considered unrealized revenue and therefore waste. Manufacturing supply chains, therefore, seek to eliminate waste. They build things to make money. They do not build things to store them in the supply chain. The key? Flow.

Figure 4. Too much in-flight, undelivered work is unrealized revenue.

If warehouses full of product are considered unrealized revenue and therefore waste in the manufacturing industry, how do we then categorize in-flight, incomplete, undelivered or otherwise unfinished software solutions in companies? What do you think that implies with regards to the numbers of in-flight user stories or numbers of in-flight software projects?

What do you think happens when we introduce the idea of rework?

Work Always Has Rework

Ideally, when we run projects, things always go as planned. And when they don’t? We end up dealing with two subjects that weren’t in the original plan – technical debt and refactoring.

Technical debt is defined by work you know you need to do now, but decide to kick down the road until later. This creates additional work in the backlog. Just like interest rates on debt, the longer it sits there, the more time, complexity and/or cost it will take to address. Technical debt is work.

Refactoring is defined by changing, modifying or otherwise evolving something from a previously acceptable state of existence to a new and improved state of existence for the purposes of delivering desired value. Refactoring is also work.

Figure 5. Rework – “I found a problem. What do I do with it?”

When John finishes his task, the deliverables move down-line for Jane to complete her task. Jane finds a problem with the inherited deliverable and either fixes it, ignores it or sends it back up-line for John’s eventual attention.

If Jane fixes it on behalf of John, was it correct and complete? If she ignores it, will it be found and addressed later? By whom? If she sends it back up-line, how will John know? And when will John get to the refactoring work given his existing backlog of prioritized work?

The problem discovered by Jane impacts her ability to complete planned work. And depending upon her decision, it will become work for one or more others.

Now multiply John’s and Jane’s experience by the numbers of people, teams, projects, stories, and associative decisions to acknowledge, fix, send it back up-line to someone else’s queue or ignore it altogether.

This churn contributes to wait times between steps. And if a person doesn’t plan for rework, it also contributes to cranky people.

Rework happens. Plan for it. Manage impact to flow by decomposing all work into small, edible pieces. Manage your batch sizes. Seek flow.

How Do We Achieve Flow?

To consider automation, we have to first understand work, batch sizes, and flow. Otherwise, with automation, all we’re really doing is taking bad things, making them go faster and calling it digital transformation.

Steps to achieve flow:

  1. Manage batch sizes. Break big things down into small things.
  2. Minimize and eliminate wait times between steps and people.
  3. Plan for, invite, and accept rework. Manage it through batch sizes.
  4. Automate.
  5. Repeat.

Automation is not the goal. Predictable, repeatable, auditable flow is the goal.

Automation is only the medium.

My math teacher has made sense for a very long time.

Pencil first. TI-88 programmable calculator second.

I drink a lot of caffeinated coffee and tea. And I’m on airplanes a lot. Drinking coffee and tea. I’ve made a commitment to write more articles in 2020 – and increase the number of speaking engagements at which I drink coffee and tea. It is material we discuss every day at Trility and with our clients. It is material that you may find helpful as well. If you’d like to keep informed, and even interact, please connect or follow me on LinkedIn. Or we can send you an email.

We are also always looking for system thinkers to join us – those who can see the larger landscape and do the work as well. If this resembles you, email us.

Defining Key Attributes of Exceptional Delivery Managers

How to find Delivery Managers who predictably and repeatably deliver value

This article was originally published on LinkedIn.

Monster team sizes, long delivery timelines, embarrassing expenditures, more headaches than deliverables, hypothetical and yet intangible value, unknown compliance and team attrition. You thought you had the right leadership team in place to deliver your desired outcomes. Now you’re wondering.

Reliable delivery is something we all seek in our organizations. We all face the same questions when approving priorities and efforts, allocating money, forming projects, teams and, in particular, appointing leaders.

We all ask: “What problem do I actually need to solve?” And, “Who can I depend upon to make sure this happens?”

It always comes down to leadership. While it seems like it should be easy, finding the right person is actually hard. We don’t know we’re staffed incorrectly until we’re already heading off the road (or in the ditch).

Title history, degrees, professional certifications, training programs and certificates of completion should, in theory, weed out people who can deliver from people who might not or cannot. In my experience, all of those things point to someone who desires learning, advancement and success, yet doesn’t always equate to great attitudes, aptitudes, abilities or results. In other words, often those things are false positives.

Then how do we increase the probability of finding someone who will predictably and repeatably deliver value for our organizations?

If you’re looking for a shortcut, I don’t have one. I do, however, have some experienced recommendations. And if you take the time to follow these steps, the return on investment window is long.

Your company is on a journey of growth, opportunity, change, aggressive pursuits, adaptation, highs, lows, easy days, hard days and sometimes ludicrous days. You need someone leading your projects who is on a journey just like your company. In the fight, not just studying it over a weekend for a two-day certificate of completion and calling it good enough.

For me and my teams, there are three classes of information I explore when considering teammates as members of our delivery teams. It isn’t foolproof. However, it has been very reliable. I have found great people who delight our teams and clients. I ask and research the following areas:

  • What behavioral attributes do we want exhibited in our company and people?
  • What knowledge attributes do we expect leaders to gain or bring with them?
  • What experience attributes do we expect leaders to gain or bring with them?

A challenge for anyone trying to find the right people: with so many titles, words, certifications, methods, philosophies, influencers, founders, books, conferences, etc., how do we know which ones are meaningful at all, let alone for our unique context?

For example, what is the meaningful difference between a Program, Project or Product Manager? When do we use a Scrum Master or Product Owner versus a Delivery Manager? If I have a Scrum Master on my delivery team, am I good? Do today’s Agile titles mean we’re doing things new and better? Are pre-Agile ideas less valuable? Are PMI certifications outdated while Scaled Agile certifications are actually the best solutions for our tomorrow?

I believe these are all interesting philosophical conversations we can have over a pot of tea, but not the most important problem to solve. We want to hire a great person, not a great bowl of word soup.

We want great people who predictably, repeatably deliver value in our teams, across our projects, in our companies, and with our clients. If we’re debating certifications and titles, let alone hiring based upon them, we’re discussing the wrong subject. We want people who illustrate themselves by their past and desired journey versus define themselves by their past alone.

The below attribute lists are our ideal target lists. Given everyone is on a journey, we’re looking for people who bring these attributes with them, are on a journey to attain them, or have the right attitude and aptitude to be taught.

1. Look for People with Healthy Behaviors

At the end of the day, our teams, projects, and clients will be a reflection of the people we hire. We want people who want to win. People who never quit. People who regularly bring out the best in themselves and everyone around them. People who will never stop yearning to become more today than they were yesterday and expect the same of everyone around them.

2. Look for Diverse Bodies of Knowledge Awareness

It is fine to be an expert in a body of knowledge. Even expected. However, to believe that body of knowledge will transcend industry, context, and time is small, limited thinking. We look for people capable of more than one thing; else our results will be limited by the one thing that person knows. Find people who pursue knowledge, have broad interests and are life-learners. If you don’t know what all of these things are, why you care, or when you would use them, get busy.

3. Look for Diverse Experience

There is value in experience. For a life-long learner, experience is the ultimate teacher. We look for people who have breadth and depth of experience because we like people with larger and larger experiential data sets upon which to reflect, learn, and apply their realizations.

4. Log Aggregation, Machine Learning, and Artificial Intelligence

Using one too many redundant and/or popular terms of the day, companies increasingly pursue the ideas of log aggregation, data lakes, data warehouses, and data cubes on a regular basis.

  • How do I get the data out?
  • How do I put it all in the same place?
  • How do I correlate, corroborate or otherwise discover patterns and relationships which reveal new ways of seeing, thinking, deciding and acting thereafter?
  • If I put all of my data in one place and start using machine learning to process, organize, and extrapolate meaning as my data set grows, how do I use it?
  • And, if I want an artificial intelligence (AI) to begin making decisions for me where it makes sense, how do I leverage that as well?

I submit to you that an exceptional delivery manager encompasses all of these things including data aggregation, constant learning, and an intelligent decision layer.

At the same time companies pursue these ideas in modern technology, they are overlooking these qualities in experienced Delivery Managers.

Look at the below picture. Consider that the knowledge, behavioral and experiential attributes are the ever-growing data pool of a great Delivery Manager. Consider that your Delivery Manager is your machine learning solution which continues to derive patterns and possibilities by constantly increasing the data pool with new knowledge while continually churning the data, relationships, realizations, and decision possibilities thereafter. Consider that your Delivery Manager becomes an increasingly valuable AI seeing, hearing, learning, thinking, deciding AND thereafter acting on your behalf.

A two-day “how-to-deliver” certification course will not get you, your Delivery Manager, or your company and clients where you want to go. It is only a blip in the data pool. A valid experience that led to specific acquired knowledge. A very small, singular, moment of data on a long journey. Do it anyway. And then do 10 more.

5. Do Your Job to Enable Exceptional Delivery Managers

No matter who you hire, all Delivery Managers will need to know your desired outcomes and any particular constraints that matter to you and your organization. Look at it as defining done (desired outcomes) and the parameters of the game (methods and tools).

Your company and teams need to know where they are meant to go and under what conditions they can travel and arrive there.

An experienced Delivery Manager will notice if you have them in place, if they are clear and achievable, and help create, modify, manage, and complete them accordingly. Their job is to see the entire company, not just the problem of the moment.

What does that look like? Let’s look at a snippet of a conversation between a senior leader at your company and an exceptional Delivery Manager being considered for hire.

Senior Leader at your company speaking: “Hello Janice. I’m happy you’ve considered ABZ Company for your next adventure. We’re currently a USD 50MM pharmaceutical company on track to be an 80MM company in the next five years. We have adopted Scaled Agile for our preferred technology delivery framework, love the Agile space, but need help becoming more educated, experienced, and successful along the way. Most of our tool-sets are modern, our folks have been training on many things in the last three years and we have clear goals we’d like achieved over the next 18 months. We’ve been having quality and compliance problems with our deliverables, and I’m not sure how we need to fix this using our current tools and methods. What are your thoughts?”

Exceptional Delivery Manager Janice: “It sounds like you are experiencing quite a bit of success regarding the company as well as cultural transformation. Those are both hard alone; but doing them both at the same time, and well, says a lot about the leadership and people in this company. Impressive.

It is outstanding that you know where you are and where you want to go. And it is outstanding that you know how you’d like to get there using the Agile body of knowledge, new tools, and retraining your people for the future. Well done.

You mentioned you’ve been having challenges with quality and compliance. Of course, I have very many questions and cannot pretend to fully understand your company in such a short period of time. However, I wonder, since your company has adopted Scaled Agile to help with delivery behaviors, have you also introduced evolutionary ideas for the engineering and information security teams? In other words, while Scaled Agile is designed as a delivery framework, it is not itself, and it is not designed to be so, an engineering and information security body of knowledge. You have to look elsewhere for those things. Teach me about the engineering changes that have been introduced to date.”

You, as a senior leader, are continually faced with more questions than you have answers, and always looking for options and recommendations which lead to choices. If you don’t know something, you tend to look in places where the data pool is deeper and wider than you currently possess.

Look to and hire exceptional Delivery Managers. They are the embodiment of ever-increasing pools of aggregated data with the machine learning and AI you seek. Just like no software is ever done, so too is it with exceptional Delivery Managers. Yesterday was good. Today will be better. Tomorrow, better again.

I drink a lot of caffeinated coffee and tea. And I’m on airplanes a lot. Drinking coffee and tea. I’m making a commitment to write more articles in 2020 – and increase the number of speaking engagements at which I drink coffee and tea. It is material we discuss every day at Trility and with our clients. It is material that you may find helpful as well. If you’d like to keep informed, and even interact, please connect or follow me on LinkedIn. Or we can send you an email.

We are also always looking for system thinkers to join us – those who can see the larger landscape and do the work as well. If this resembles you, email us.

Gerard Forbes Joins Team

Gerard Forbes has joined the Trility team as Director of Business Development in Omaha, Neb.

Trility Consulting® is proud to announce Gerard Forbes has joined the Trility team as Director of Business Development in Omaha. In this role, Gerard is responsible for business development, strategic and client partnerships in Nebraska. His focus is to build trusted relationships by understanding when and how our team can help organizations create predictable, repeatable, and auditable digital solutions – one iteration at a time.

Gerard Forbes, Director of Business Development in Omaha

A Proven Approach

Forbes relies on his diverse professional and technology background to help clients understand and define challenges and align services to outcomes that help those clients take leaps forward. 

“Gerard is going to be a great asset for Trility and our clients,” said Brody Deren, Chief Strategy Officer for Trility. “He has a great ability to meet clients where they are, understand both their business and technical challenges and opportunities, and help them find the best approach to solving their most critical problems.”

Gerard will leverage his experience working for a technology consulting and recruiting services firm, where he additionally played roles in leadership and corporate training in the consumer packaged goods and retail industries. He also serves as an adjunct professor at the University of Nebraska-Omaha where he instructs business students on Leadership theory and application.

About Trility

Trility is a collection of value-driven advisors, technologists, and business people who have critical skills and experience to help clients win in the modern digital economy. We solve complex problems, help guide clients down roads they’ve never ventured, and offer solutions in Cloud & Infrastructure, Product Design and Development, Data Strategy, IoT, Information Security, and Operational Modernization.

Trility’s proven approach is to provide observations and recommendations along the way, presenting options for clients to iterate for the best, high-priority outcome. We never compromise on security and leverage our team’s full-stack expertise and ability to train your team to question security requirements from Day 1 and build with continuous delivery everywhere.

Interested in learning more?

Connect with Gerard Forbes on LinkedIn, email or call him at (402) 212-7835.

Information Security Can’t Rely on Pinky Swears

No one in your organization gets to be clueless about information security.

This article was originally published on LinkedIn.

“We hire great people” is something we all hear companies regularly communicate.

How do you feel about a hypothetical company that believes the risk of an information security breach is low largely because they hire good people? In other words, their information security strategy is to hire good people and trust them individually to do the right thing. Maybe they even sign a paper pinky swearing they’ll always do what’s right.

Let’s say this hypothetical company houses some of the most sensitive data about you and your family or company that exists. Your information is passed around via email or attachments inside and outside the company. Information is even passed between teammates via chat tools sometimes. Said information is also accessible, editable and exchangeable between partner/vendor companies in the background. This data is unencrypted when stored (at rest) and when passed around (in transit).

Do you know about companies like this? Is this your company? Is a company like this minding your personal data?

While information security is everyone’s responsibility, it is first the responsibility of the company itself. Hiring great people does not alleviate, or defer, the responsibility an organization has to be compliant with information security policies, legislation and industry best practices. If we can’t trust a company to do the right thing, why would we value their brand?

Interesting Things We’ve Heard Through the Years:

  • “Our people, vendors, and partners do the right thing. That’s why we work with them. I don’t think we have anyone in the company who would abuse our customer data.”
  • “First, we must get product to market and prove the idea is viable. We’ll validate viability of our product by customer adoption velocity and demand for new features. If the numbers suggest customers want to buy and use our product, then we’ll figure out what security we need thereafter.”
  • “We’re going to wait and see if this policy/legislation has any teeth. If we start getting fined for non-compliance, then we’ll begin considering if, how and to what extent we need to invest in information security.”
  • “Our industry is not very interesting to most folks. We don’t believe our company, products or services are really a threat to anyone. And we believe the likelihood of being attacked or otherwise exploited is pretty low to non-existent. We’ll wait until it makes sense before investing in some of the information security measures we hear about. It all sounds so expensive anyway.”
  • “It is actually cheaper for us to pay the fines.”
  • “Our customers don’t know any better.”

“Security first” or “security by design” is a choice. And it must first be the choice of the governing board and company leadership before it will become a reality for employees, partners and vendors. If it is not a top-down, constantly communicated, verifiable expectation, it does not exist.

7 Steps to Become a Security-First Organization

1. Internally declare that your company will become “security-first”

When initiatives start at the bottom of the company, they risk dying out due to lack of energy, resources, and attention. Sometimes they risk actually burning up the people trying to get the changes implemented as hope turns into apathy. It is the proverbial “fight against the man.”

As a Board or Senior Leadership of a company, what is important to you is important to the company. If it isn’t, that is a different problem altogether.

For a company to become a security-first focused organization, the declaration of importance, direction, and expected actions must come from Senior Leadership first.

An example “From the CEO” communication:

“Folks, effective immediately, we will put security, privacy, and compliance first in our daily operations. This means with every product, service, interaction, and communication, internally and externally, we will consider what must be secured, how it must be secured and under what conditions we must secure it – data, systems, teams, company and client interests inclusive. It is not a task to accomplish and be done. This must be our DNA. It must be our daily lifestyle. And it will take time to get to a proper baseline of competency and time to maintain, evolve and increase it.

From this day forward there will exist training expectations that must be pursued and accomplished monthly, quarterly and annually. Look for them in your Learning Management System (LMS) assignments. All roles, titles, and capacities. No exceptions. Me included.

And from this day forward you will see our CISO take a more prominent role in defining our pursuits, our strategies and validation of our compliance readiness. We as a leadership team choose to proactively educate our teams, protect our assets and behave in a manner expected by our Founders and those who have come before us to build this great company.

Thank you for your commitment to being the best.”

Top-down declarations become realities.

2. Determine what industry regulations apply to your company

Information Security / Regulatory Compliance is a career. And there is a shortage of people who do this type of work. Find them. Hire them. Leverage them. Knowing what you must align to will save you money. Knowing what you need not align to will also save you money.

There are quick determinants to flush out directions, follow-up actions, and investment. The road will not be small, nor easy; though this list will help point you in a direction of what matters, when it matters and to what extent.

  • In what industry do you operate?
  • Is your business localized to your state only? Your country only?
  • Do you do business internationally? What countries?
  • Do you exchange money with customers?
  • Do you ask for and store personally identifiable information?
  • Are you working with non-governmental organizations? Charities? Governments? Militaries? Public companies? Private companies?
  • Have you failed any previous compliance audits?
  • Have you been fined by a third-party organization for non-compliance?

3. Determine what industry best practices will help your company

You may discover your information security folks want impenetrable castle walls, which eventually mean your employees are unable to use the bathroom in the name of security. An extreme.

You may also discover your engineers want the freedom to use anything at any time for any reason in the name of innovation, digital transformation or being competitive. Probable.

And your business unit leaders? You’re expecting them to grow the business, delight the industry and client base. They want to do whatever is necessary and appropriate to meet the goals expected of them as well.

Security, innovation and growth are not mutually exclusive. They must be collaborative and it will require constant, purposeful and involved leadership. Otherwise, it is just theater.

Regulated industries communicate best practices and compliance expectations, which makes it easier to know what matters and what doesn’t. Where your time will be spent is determining how tightly to dial up the security requirements on your operation and how they will impact friction, flow, deliverable velocity and value from the organization.

Unregulated industries still have communicated best practices and compliance recommendations. In the absence of all knowledge, ask the following questions of your Chief {Information Officer, Information Security Officer, Product Officer, Technology Officer}:

  • Against what information security / regulatory compliance standards must we be measuring ourselves?
  • How are we training our people to be predictably and repeatably compliant with these expectations in our everyday lives?
  • How can we regularly prove that what we expect is actually being employed?
  • How do we culturally make security and compliance a behavioral assumption versus a Learning Management System (LMS) assigned task?

4. Implement role-based security awareness training

No one is exempt from information security. No person, role or title. Like leadership and teams, security is a “we” endeavor.

Not all roles in the company have the same requirements. Some roles are specialized while others are more general. Below is a simplification of this idea.

Specialized: Information Security folks may say higher-level things like confidentiality, integrity, and availability. They may roll out policies, procedures and learning courses while facilitating internal and third-party audits. They’ll even be discussing Plan of Action and Milestones (POA&M or POAM) items resultant from audits. They’ll need to know frameworks, behaviors, implementations, monitoring methods, reaction/response ladders, and industry standards like NIST-CSF, PCI-DSS, HIPAA and so many more.

Specialized: Engineers who focus on infrastructure, networks, data, and software technology stacks need to know about the what, but more importantly, they need to understand the why and how as they do their work. Examples include data encryption at rest and in transit, authorization and authentication, securing failover infrastructures, hybrid cloud solutions, bring-your-own-device security, separation of duties, least privilege and need-to-know principles. There is more than one way to implement any one of these concepts and Engineers need to know them.

Generalized Awareness: Everyone else.

Figure 1. The diagram above demonstrates at a high level how role-based security awareness training could be rolled out and that everyone is a part of it. No one ever gets to be “clueless.”

5. Include the information security role in solution delivery teams

Whether your company calls them Scrum, Strike, Agile, Product or Project Teams, the team construct used to deliver an idea from inception to conclusion often contains multiple roles and therefore multiple people.

In order to become a security-by-design or security-first company, your teams must be shaped to enable the desired outcome. Which then suggests that an information security/regulatory compliance expert must be included from project inception through the course of the project.

This conversation is less about the recipe for roles and teams and more about the desired outcome. Context-driven teams influenced by desired outcomes.

Strike Team Delivery Model
Figure 2. Trility’s preferred team pattern is the use of a Strike Team that always includes an Information Security/Regulatory Compliance expert involved throughout the lifecycle of the project or product. While we tend to construct teams based upon the desired project outcomes, we include an Information Security expert on the team by default.

If the information security people are technical, they may be helpful with design, development, and implementation every step of the way, all day every day. If the information security people are non-technical, they may be more aptly leveraged in a principle-based guidance role during iteration planning, stand-ups, demos and reviews to ensure the project continues to move forward between the fences.

Either way, there must be a full-time champion for the company and clients in terms of privacy, compliance and best practices to achieve the desired outcome.

6. Determine how you will proactively test your ongoing compliance

There are any number of methods to test ongoing compliance. Blind trust. Word of mouth. Internal (infrequent) manual inspection. Third-party annual inspections. Or continuously through automation.

Our typical practice is to identify what attributes of compliance must continually exist, then automate those attributes into a series of tests that are called, executed, logged and tagged every time new infrastructure and applications are built. When non-compliance happens, alert someone (as shown below). Otherwise, keep moving. We have some examples out there in the ether for you to thoughtfully consider.

Automated Security Tests
Figure 3. The diagram above shows how you can build in automated security/compliance tests such that every build now has the capability of logging activity, events, alerts and compliance status.
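A minimal sketch of the practice in step 6, added here as an illustration and not Trility's own code: compliance attributes written as tests that run against every build, log one tagged record per test, and alert on non-compliance. The manifest schema, the control names and the `alert` callback are assumptions made for this example, and the sample build is constructed.

```python
import json
import logging
from dataclasses import dataclass, asdict

log = logging.getLogger("compliance")

# Constructed sample: the resources one build is about to create.
# Field names are assumptions for this example, not a real tool's schema.
SAMPLE_BUILD = {
    "build_id": "build-0001",
    "resources": [
        {"name": "customer-db", "type": "database", "encrypted_at_rest": True,
         "tls_required": True,
         "grants": [{"principal": "app-svc", "actions": ["read", "write"]}]},
        {"name": "export-bucket", "type": "object_store", "encrypted_at_rest": False,
         "tls_required": True,
         "grants": [{"principal": "vendor-x", "actions": ["*"]}]},
        {"name": "legacy-api", "type": "service", "tls_required": False, "grants": []},
    ],
}

STORAGE_TYPES = {"database", "object_store"}


@dataclass(frozen=True)
class Finding:
    build_id: str   # tag that ties the result to one build
    resource: str
    control: str
    compliant: bool
    detail: str


def check_encrypted_at_rest(res):
    # Fail closed: an attribute that is missing counts as non-compliant.
    ok = res.get("encrypted_at_rest") is True
    return ok, ("encrypted at rest" if ok else "encryption at rest off or undeclared")


def check_tls_required(res):
    ok = res.get("tls_required") is True
    return ok, ("TLS required in transit" if ok else "plaintext transport allowed or undeclared")


def check_no_wildcard_grants(res):
    # Least privilege: no principal may hold the catch-all "*" action.
    broad = [g["principal"] for g in res.get("grants", []) if "*" in g.get("actions", [])]
    ok = not broad
    return ok, ("no wildcard grants" if ok else "wildcard grant to: " + ", ".join(broad))


# (control id, resource types it applies to or None for all, test function)
CONTROLS = [
    ("encrypt-at-rest", STORAGE_TYPES, check_encrypted_at_rest),
    ("encrypt-in-transit", None, check_tls_required),
    ("least-privilege", None, check_no_wildcard_grants),
]


def run_compliance(build, alert):
    """Run every applicable control on every resource; log each result, alert on failures."""
    findings = []
    for res in build["resources"]:
        for control, applies_to, check in CONTROLS:
            if applies_to is not None and res.get("type") not in applies_to:
                continue
            ok, detail = check(res)
            finding = Finding(build["build_id"], res["name"], control, ok, detail)
            log.info(json.dumps(asdict(finding)))  # one machine-readable record per test
            if not ok:
                alert(finding)
            findings.append(finding)
    return findings


def build_passes(findings):
    return all(f.compliant for f in findings)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    results = run_compliance(
        SAMPLE_BUILD, lambda f: print(f"ALERT {f.resource}: {f.control}: {f.detail}"))
    # Non-zero exit lets the pipeline stop a non-compliant build.
    raise SystemExit(0 if build_passes(results) else 1)
```

In a pipeline, the `alert` callback would post to whatever paging or chat channel the team already uses, and the logged records become the audit trail for each build.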

7. Attach quality and compliance tools to the delivery pipeline

Continuous delivery pipeline behaviors are not new. Widespread awareness and adoption of new concepts takes time to expand across industries, companies, leaders, and teams. As more companies implement continuous delivery principles, more of the work that companies used to skip because it took too much time, or performed only manually, in arrears and infrequently, will be automated, providing real-time information radiators.

Look for vendors and tools that are API-driven and have a great online community, openly available developer and administrative documentation, and active tool support. These tools enable you to perform automated analysis-refactor loops now versus waiting until later and hoping for the best. It is worth your money to know your risk exposure now.

Continuous delivery pipeline with security built-in
Figure 4. This diagram illustrates where in the continuous delivery pipeline predictable, repeatable and auditable security behaviors may be baked into the solution delivery process now versus waiting until later.

Hire great people. Cast a vision, communicate desired outcomes, define clear objectives, give them the resources to be successful, give them rules of engagement and stay involved.

Great people make mistakes. And even great people sometimes do not know what to do. Security frameworks help mitigate oversights and mistakes, and provide guidance when people are in new, different and complex situations.

I drink a lot of caffeinated coffee and tea. And I’m on airplanes a lot. Drinking coffee and tea. I’m making a commitment to write more articles in 2020 – and increase the number of speaking engagements at which I drink coffee and tea. It is material we discuss every day at Trility and with our clients. It is material that you may find helpful as well. If you’d like to keep informed, and even interact, please connect or follow me on LinkedIn. Or we can send you an email.

We are also always looking for system thinkers to join us – those who can see the larger landscape and do the work as well. If this resembles you, email us.

Leadership In Absentia

Ensure people are empowered to grow, learn, and care about successful outcomes when pursuing innovative digital transformation

This article was originally published on LinkedIn.

Hire new people. Separate them from the rest of the company. Give them a landfall budget. Tell them to innovate using the newest cool words. Maybe all of the words at the same time. Tell them they do not need to care about the existing people, teams or operations that currently and historically generate revenue for the company. Do not give them a time limit to show results. Don’t create it, but allow a “they are special” mentality in the culture. Tell the folks on the existing (legacy) side of the house to “keep the lights on” while the new folks bring fresh ideas, play with all the new technologies and receive the accolades.

If you want people to leave, let them know they aren’t working on the most important things, aren’t valued as much as the others and there is no budget to explore ideas for improving their situation. Just tell them to keep working. For good measure, yell at them.

This recipe sounds horribly negative and absolutely does not value people.

There will be no culture that builds a company using this recipe because there will be no people. Taking a company and splitting it down the middle using “old stuff” and “new stuff” mentalities breaks the culture, loyalty, commitment and positive outlook of the people. And it guarantees time and money will be spent. Not guaranteed is whether the company will be better in the end.

A healthy company is “we.” An unhealthy company is “us/them.” Which one you experience is attributable either to active, purposeful leadership or leadership in absentia.

No one does that. Do they? Sadly it happens in the conversations which also use the words “innovation” and “digital transformation”. The goal is quite logically to move a culture and company into the next chapter of life.

We see quotes from Peter Drucker, Lee Iacocca, Bill Gates, Steve Jobs, Richard Branson or Jim Collins floating through social media and other published material regularly. They are leaders with a history of influence and success. And what we often hear they said is, “Hire great people and get out of the way.”

What we do not hear in the same conversations is that “getting out of the way” is predicated on giving people the direction, parameters, latitude and resources to do great things, and only then getting out of the way. “Hire great people and get out of the way” makes it sound like people require blank checks, blue skies and absolutely no friction, pressure, expectations, knotholes, constraints, guiding attributes, parameters or leadership.

Getting out of the way still requires active leadership.

Getting out of the way as a leadership tenet still requires two crucial attributes: (1) there must exist a clear objective, and (2) there must exist rules of engagement.

Before you cast off this material as drivel, ask yourself this: If you needed to liquidate personal assets to grow a company, would you want clear objectives and rules of engagement to exist before your personal money left the bank? As you spend your employer’s money, are you similarly disciplined?

The recipe for growing and transforming people and companies isn’t hard. It is time-consuming. It will require active planning, re-planning, leadership and management. It will require communication and over-communication. As many companies attest, there is no shortcut. Organizational change must be all-in, top-down, on-purpose.

It will absolutely require work.

1. Cast the Vision (What)

A vision tells people at a high level where you want to go compared to where you are.

Examples of vision:

  • Build a shareable smart city platform.
  • Move us completely into the cloud and out of brick and mortar.
  • Practice test-driven development for all product development and evolution.
  • Be EBITDA positive.
  • Implement a document management solution for our enterprise.
  • Implement an automated build, bundle and delivery process.

2. Describe the Outcomes (Why)

Outcomes tell people what it will look like when the desired vision is reached.

Examples of outcomes:

“By building a shareable smart city platform, we will enable approved third-party partners and vendors to work with us to serve our clients through real-time bi-directional sharing of information, more systemic feature and function opportunities, greater influence over the direction of the smart city industry, as well as increasing the value of our data and brand along the way.”

“We are an insurance company. We irrevocably owe it to our clients to manage data privacy, provide real-time interactions and always be available to their needs at all times. We also owe it to them to be wholly focused, wholly available for their needs. We do not want to be in business of owning and managing physical data center assets in the future. By moving into the cloud we enable a larger percentage of our company team members and assets to focus on serving the real-time, interactive insurance needs of our clients than ever before.”

3. Identify Desired Objectives (Attributes of Done)

Objectives are explicit statements that are tangible, have a clear definition of done and are usable/useful solutions in the end.

Example objectives:

  • Enable a complete digital exhaust picture for all documents that enter, exist within, and exit our corporation including, but not limited to: when created, edited, deleted, by whom, from where, sent/shared to whom or to what.
  • Enable a complete digital exhaust picture for all software that enters, exists within and exits our corporation including, but not limited to: create, edit, delete, by whom, from where, to whom or what, how and when tested, how and when statically and dynamically inspected, how and when assessed for vulnerabilities, how and when penetration tested, when deployed, what was in the bundle, sent where.

4. Provide Resources

To enable success for any team, they need access to the resources necessary to achieve desired objectives and outcomes. Sending them off with duct tape, hope and zeal will have results. Whether they are the results you desire remains to be seen.

Great People + Clear Objectives + Required Resources = High Probability Outcomes

This is the step people sometimes mistake as the entire recipe for “Hire great people and get out of the way.” If we give them time, people, money and latitude, magical things will happen.

If you want dependable outcomes, the “hire great people and get out of the way” mantra also requires clear rules of engagement.

5. Set Rules of Engagement

Rules Of Engagement (ROE), also known as constraints, parameters or attributes, help define the context and conditions of done. They are not designed to limit innovation opportunity or success. Rather, ROE help direct all of the great people, time, energy and resources into a direction that is most beneficial for the context.

Examples of bad/no constraints:

  • Hire a building contractor. Whether they build homes or commercial buildings you don’t know. Write them a check. Tell the contractor, “You have one year. Surprise me.”
  • Schedule an appreciation party for your project team. Hire a chef. Tell the chef to prepare enough food for twenty people. Tell the chef your folks like exotic meat and hot, spicy things and to make it memorable.

Examples of good constraints:

  • Our time to market must be six months
  • Our time to revenue must be nine months
  • Use only open-source software
  • Ensure we are NIST-CSF compliant for Day 01 launch

6. Create Teams that Consider the Whole Company

Oversimplified, there are two types of people in companies:

1) Those who only see what is in front of their face (component thinkers); and

2) Those that know what is in front of their face is only a fraction of what can be seen in the larger landscape (systems thinkers).

Hire people who naturally think about the whole business and client experiences, not just the parts they want to think about. Set clear expectations with teams and projects that they must consider end to end implications of decisions and solutions, not just the parts they know about. Create cross-company teams that consider yesterday, today and tomorrow to ensure you bring along your people, your company, your clients and your future.

If you truly value your people, include them in defining tomorrow so that they take ownership of the journey and the result.

7. Stay Actively Involved

When leaders hire people they trust, it is easy to step back, get out of the way and just believe all will be well. If leadership defines the vision, outcomes, and objectives for the company, leadership must stay involved in the journey until realization as well – that is leadership.

  • Regularly meet with the teams to let them know the project is important, their contribution and effort is important and that you want to hear what they have to say regarding activities, challenges, roadblocks, and progress.
  • Request and expect to see tangible, demonstrable output on a regular basis. Do not take someone’s “word” that progress is happening; nor should you accept status reports, presentations or glossy materials discussing output. See the output or there is no output.
  • Regularly ask people how they are making the business better, how they are making better experiences and solutions for clients and what the time to value, time to market, time to revenue will be as a result of this investment.
  • Eliminate toy boxes. All money must lead to a return on investment in some way that benefits the people, business and/or clients. If there is no evidential relationship between investment and return, the effort is likely a toy project for someone, but not a high-value proposition for the business. Eliminate toy boxes or they will eliminate your money.

8. Know When to Say When

Knowing when to stop investing in an idea is something you must determine before the investment begins. After you’ve been on the journey for a while, it has the propensity to become personal. After all, you’ve labored over this idea, spent time, money, blood, sweat and tears.

Decide before the effort begins and regularly and iteratively ask the same questions:

  • What do we want to see from the team that shows us this is a worthy investment?
  • How much time and money is enough to validate, refactor or trash the idea?
  • How much risk exposure exists now and will exist as a result of the current solution direction? Will this solution increase or decrease our business and technical risk exposure? What is our risk appetite?
  • What are the triggers that make this investment good, at-risk and a candidate for termination?

Active leadership is a great deal more than getting out of the way. It means you hire great people. You don’t leave others behind. And you go on the journey with them once you’ve cast the vision, expressed the desired outcomes, provided the ROE and resources to be successful. 

If you truly value your people, include them in defining tomorrow so they take ownership of the journey and the result.


Veterans Day: Honoring those who understand “true requirements” of service

Honoring Veterans on our team and everywhere

The majority of Americans will never experience the true requirements of service. But we are surrounded by those who do in our day-to-day lives. Today, we say thank you.

Our office is closed today for Veterans Day. We’d like to share something one of our team members, Jennifer Davis, shared last week reminding our team about today.

“On November 11th, our company will observe Veterans Day. First and foremost, if you are a Veteran, we here at Trility want to thank you for your service. For those of us who haven’t served, we can never fully understand the sacrifices you’ve made for our country, our safety, and our freedoms.

Thank you.

Almost all of my life, I’ve lived a few minutes from the world’s biggest naval base, Naval Station Norfolk, and close to U.S. Navy master jet base, Naval Air Station Oceana.  I get to see and hear jets fly over regularly. I can watch the Blue Angels and still get excited every year for their powerful display at the Oceana Air Show. From the beach, I’ve watched massive aircraft carriers leaving for or coming home from deployment. With my toes in the sand along the Chesapeake Bay, I’ve seen hovercraft vessels practicing for missions.  

The Blue Angels running laps over my house practicing for this weekend’s air show. – Jennifer Davis

Growing up and into my adult life, these sights and sounds have had a great impact on me. But I’ve only watched from the sidelines. My exposure has been limited to the displays of the awesome power of our Nation’s military. What I haven’t seen are the true requirements of the service itself. As we look forward to Monday, I want to celebrate and honor those who have served. I want to be reminded of what it takes to serve others. I want to be thankful for the freedoms I get to enjoy because of those who have served. And I want to encourage you to do the same.” 

– Jennifer Davis, Director of Operations

Ways To Die While Scuba Diving

Explore how diving and leading companies require continuous data, preparation, situational awareness, emotional maturity and a willingness to adapt.

Originally published on LinkedIn.

Years ago when I began diving, I had originally viewed diving as blue water with whales, dolphins and gorgeous coral reef. I quickly learned how diverse diving could really be.

I was trained in cold, brown water. Like all forms of diving, cold, brown water diving requires special attention to detail. Gear for staying warm, tools for extricating myself from unplanned situations such as fishing line, vines, branches and roots, multiple lights for seeing in the dark, murky waters and very good compass navigation skills.

As I expanded my learning and experience portfolio, I came to realize the preparation and skills necessary for warm, cold, caving, cavern, blue-water, brown-water, ocean, quarry, lake and river diving may seem the same, but each and every one of them has unique requirements within itself. What I knew yesterday helped with today, but there was always more to learn. I realized a pattern of behaviors always required: plan, execute to plan, situational awareness and prepare for adversity, always. In all cases, be disciplined before, during, after and between dives.


I enjoyed compass-diving in brown water with 0-12 inches of visibility where many times I couldn’t see my hand when fully outstretched. I loved every minute of it because I never knew for sure what was coming and I needed to be ready for anything, at any time. Blue-water diving in the ocean offered infinite views in all directions. Nothing below, beside or above me other than sunlight coming down through the water – just blue infinity. Night diving meant that sometimes, were it not for my equipment, I could easily be upside down at 100 feet thinking I was right-side-up at 35. Like all forms of diving, all three of these experiences require many of the same skills.


And like all forms of diving, in all three of these experiences, one could become disoriented and make the decision to continue doing what you’re doing, make incremental and adaptive changes, or make poor, reactive and over-corrective decisions, which make things worse immediately. Over and over again diving – and living – came down to education, experience, discipline, planning, situational awareness and the need to make informed, responsive, level-headed decisions.

As I gained more experience, I made more diverse decisions increasing risk, complexity and potential return on decisions. Which then required more experience and more on-going education. To amplify learning diversity, I began to study how divers die and sought to understand how these deaths could have been prevented.

Reasons Divers Die (listed, not rank ordered):

- Failure to plan
- Failure to maintain and improve equipment
- Failure to maintain personal health and fitness
- Failure to keep themselves in check (emotions, ego, risk-taking)
- Failure to practice/improve/increase skills and knowledge

Diving is fun, adventurous, character-building and educational. It does not have to be deadly. The National Center for Biotechnology Information and the Diver’s Alert Network reported 59 diving-related deaths in the United States in 2016. That is a small number. Yet it is 59 too many. I encourage you to explore snorkeling and scuba diving for yourself. Get educated. Be disciplined. Have fun.

Why do you believe leaders and companies fail? It would seem that companies and diving have nothing in common until we compare the lists.

Reasons Leaders and Companies Fail (listed, not rank ordered):

- Failure to plan and adapt
- Failure to maintain and improve themselves, teams and systems
- Failure to maintain and improve personal health and fitness
- Failure to keep themselves and others in check (emotions, ego, risk)
- Failure to improve skills, knowledge and experience

How would you rank this list as it relates to you? Your boss? Your company?

Like diving, leading companies and teams require continuous data and decision-making. And in order to have continuous data that enables decision-making, there needs to exist a plan, situational awareness, a data feed, a pre-meditated, cool-headed ability to make decisions and the willingness to adapt.

Plan Your Dive or Plan For Failure

- Have a plan. Continually evaluate the plan. Be prepared to change.
- Know where you are in relation to the plan. Be prepared to change.
- Continue to purposefully improve yourself, your teams and your company. 
- Practice being thoughtfully responsive versus thoughtlessly reactive.

When you’re the only diver in the water, you are welcome to make any and all bad decisions available to you. You may (or may not) be the only one that will suffer from your mistakes.

However, when you’re in the water with others who rely upon your plan, your ability to see, hear, realize and adapt to incoming data, and they trust that you are capable of making the hard decisions in hard circumstances – your preparation, emotional maturity, adaptability and decisions matter.

Early on in my journey, an old, crusty diver made a dark comment to me that stuck with me permanently and heavily influenced my preparation, maintenance and overall discipline:

“When you’re down there doing what you do and you’ve failed to plan, failed to maintain your equipment, didn’t pay attention to the information in front of you or just plain didn’t keep a cool head, just remember, at 200 feet below the surface, no one can hear you scream.”

His point? Be disciplined. Plan. Be aware. Be adaptive. Keep your head screwed on correctly. Make context-driven decisions. Live to dive again. Make sure others with you have a good experience, learn and live to dive again.

The teams at Trility regularly help people create, modify and implement plans for successful dives, gain access to data in real-time so they can adapt, as well as equip people with the solutions they need to keep cool heads at 200 feet.

Author’s Note: We’re not really going to help you plan your dives. In fact, we may never dive together. You might be crazy. I just wanted to keep the analogy going. If you want to dive, join the military, attend a commercial diving school or reach out to diver training organizations like PADI.

If you want to learn how to digitally transform your company, influence your leaders, train your teams, plan and deliver some of the dirtiest, nastiest, most complex projects from the bottom of the deepest, darkest ocean that no one else wants to do – then do call or email us.

7 “Not Easy” Steps for Securely Using Data for Real-Time Decisions

ARTICLE | A step-by-step roadmap for taking control of your data, securing it and making it meaningful to everyone at the same time, in the same way.

Originally published on LinkedIn on Oct. 22, 2019.

Companies have data in many places. And many companies do not know what data they have, where it is stored, who and what has access to it, the trustworthiness of the data or how to organize it in a timely manner into decision criteria for leadership teams.

The easiest way to know if what I’m saying is truth is to ask someone on your technical staff to provide you an asset and access inventory. Ask them the following:

Tell me:

- All software applications used in the company
- All places data is stored in the company
- All hardware used in the company to host, edit and manage both
- Who/what has access to these things and with what levels of power
- How the data is secured in transit and at rest

Give them one business day. Their reaction will reveal your truth.

Running a company minimally requires two things: knowing where you want to go and having access to timely, trustworthy data that will guide your journey. This article discusses the data aspect only.

And as you may already hope, suspect or know, addressing unsecured, unmanaged, disparate applications, data and permissions is a solvable problem. Accessing one view into your company is also solvable. Let’s look at the plan.

1. Find Your Data

Inventory all software applications and data repositories inside and outside your company, as well as anything interacting with or exchanging data with your applications and repositories.

2. Determine The State of Your Data

What technology is collecting, managing and editing your data? Where is it hosted? By whom? Is it good, questionable or corrupt data? Who and what has access to it? What are they doing to the data? Who is managing the security and sanctity of the data? How do you know you can trust the data? Is the data current, and how frequently is it refreshed?

3. Secure Your Data

Is the data managed via role-based permissions or is it wide-open for too many people and systems to manipulate, extract and exploit? Is it direct-connect? Copy-paste? Batch-uploads? API-accessible? Is it secured while at rest? Is it secured while in transit?

Think your company is not likely to be attacked, corrupted, ransomed or otherwise exploited? Consider your brand value, consumers, privacy laws and bad company press. Do people trust your brand today? Will they after a breach?

4. Establish a Common Data Format

When data originates from multiple data sources, the structure of the data is usually non-uniform. The first step is to understand the current structure and state of all data at the origination point.

The second step is to determine to what Common Data Format (CDF) all data will be funneled and/or otherwise re-organized. In other words, if your company’s growth strategy has been through Mergers and Acquisitions, you likely have many data stores with similar types of data, but with different states of sanity. If you want one view across all of these data stores, words must have the same meaning for all instances of all data. Establishing the same meaning for all similar instances is “normalization” or “establishing a Common Data Format.”

Many to one.

Only after there exists a common data format are you able to see, understand and make decisions that confidently and consistently take into consideration all parts of the company.


5. Extract, Normalize and Put

When you understand all places from which data originates and have a CDF, your teams are then able to write predictable, repeatable and auditable methods of extracting, normalizing and putting data into your new, single source of truth.

To be clear, the methods of extracting data, normalizing data and putting data must be predictable, repeatable and auditable. And the structure into which all data is put is itself the CDF. Anything less and you will simply be creating a new mess that must be managed on top of your existing ecosystem — whatever the state.
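One way to make steps 4 and 5 concrete, as an added example that is not Trility's code: two constructed customer records from hypothetical acquired companies are normalized into one assumed CDF through versioned mappings, and every put appends a hash-chained audit entry. All field names, mappings and the CDF layout are assumptions for illustration.

```python
import hashlib, json
from datetime import datetime

# Constructed sample extracts from two hypothetical acquired companies.
SOURCE_A = {"CustID": " 0042 ", "Name": "Acme  Corp", "Signup": "03/15/2019"}
SOURCE_B = {"cust_no": "42", "company": "ACME CORP", "created": "2019-03-15"}

MAPPINGS = {  # hypothetical, versioned: (version, date format, source field -> CDF field)
    "source_a": ("1", "%m/%d/%Y", {"CustID": "customer_id", "Name": "name", "Signup": "created_on"}),
    "source_b": ("1", "%Y-%m-%d", {"cust_no": "customer_id", "company": "name", "created": "created_on"}),
}

def digest(obj):  # SHA-256 over canonical JSON, so equal content always hashes the same
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def normalize(source, record):
    version, date_fmt, fields = MAPPINGS[source]
    if set(record) != set(fields):  # reject anything the mapping does not cover
        raise ValueError(f"{source}: fields do not match mapping v{version}")
    cdf = {fields[k]: v for k, v in record.items()}
    cdf["customer_id"] = str(int(cdf["customer_id"].strip()))
    cdf["name"] = " ".join(cdf["name"].split()).upper()
    cdf["created_on"] = datetime.strptime(cdf["created_on"], date_fmt).date().isoformat()
    return cdf

def put(store, audit, source, record):
    cdf = normalize(source, record)
    store[cdf["customer_id"]] = cdf
    # Audit entry: what went in, what came out, under which mapping, chained to the last entry.
    entry = {"source": source, "mapping_version": MAPPINGS[source][0], "input": digest(record),
             "output": digest(cdf), "prev": audit[-1]["hash"] if audit else None}
    entry["hash"] = digest(entry)
    audit.append(entry)
    return cdf

def run():
    store, audit = {}, []
    for source, row in (("source_a", SOURCE_A), ("source_b", SOURCE_B)):
        put(store, audit, source, row)
    return store, audit

def audit_is_intact(audit):
    prev = None
    for e in audit:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or digest(body) != e["hash"]:
            return False
        prev = e["hash"]
    return True
```

A production audit log would also record the actor and a timestamp; they are left out here so that two runs over the same input produce identical entries.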

6. Pull Data Predictably

Now that you’ve made the effort to ensure all data, from all locations, is secured and normalized, protect it. This means there must exist a predictable, repeatable and auditable manner by which applications, systems and companies access your data. Notice I didn’t say people.

To access data from the single source of truth, there must exist a predictable, repeatable and auditable set of actors, permissions and activities. If there is variability in actors, permissions and activities, it will no longer be a single source of truth.

Require anyone or anything that wants access to your data to follow your rules. Non-negotiable. This includes people in Mensa, people with twenty years of tenure who have been there since the company started, the CEO’s nephew and your mom.

Your single source of truth is special. No one who wants access to the data is special. Despite what their mom told them when they were young.

7. Use Your Data to Inform Your Decisions Dynamically

Attach reporting solutions. Attach streaming solutions. Attach elastic search. Attach dashboards. Follow the rules. Enjoy peace.

Now you can trust that your data has integrity. You can trust it is secure. You can trust your data is predictable, repeatable and auditable. You can trust your company has one message.

And you can trust that you know all applications, repositories, data management and security behaviors, actors, hosting solutions and reports are something upon which you can bank your company’s reputation.

If you would like to take control of your data, secure it and make it dynamically meaningful to everyone in your company, the teams at Trility help companies solve these challenges with a focus on predictable, repeatable and auditable behaviors. Email us at

Simplify Compliance Management with New Features in Cybersecurity Solution

Companies can leverage a centralized, easy-to-understand tool to align with compliance standards.

July 12, 2019, DES MOINES, IA – Trility Consulting® has launched two new features to the IronBench Compliance Navigator™ product built to enable centralized management and reporting of your organization’s alignment to standards. The Trility team originally set out to simplify how their own teams understand, implement, manage and audit today’s information security/regulatory compliance requirements while building solutions for their clients. The result of this effort rendered a number of new software products including IronBench Compliance Navigator. 


“Our IronBench Compliance Navigator product targets organizations that want a simple, light-weight and centralized method of managing their organization’s compliance efforts without the complexity and cost many folks experience today. People want the flexibility to handle multiple standards, audits, projects and teams at the same time, understand at a glance where risk exposures exist and to know that as people come and go, data and history will not be lost because a spreadsheet left with the last exiting team member,” says Matthew Edwards, CEO of Trility.


“We’ve seen the plight of the information security folks who get left behind learning about projects, risks and issues in arrears. We’ve seen amazing people doing amazing things to keep up and ensure their organization is prepared for the next audit or attack. We think it should be easier. That’s why we built IronBench Compliance Navigator.” 

What does IronBench Compliance Navigator offer?

  • The California Consumer Privacy Act (CCPA) module shows companies what is required of them to meet California’s new consumer protection law and provides an intuitive, centralized method of managing and reporting your company’s status against this law today and into the future. Take a 1-minute, free assessment to determine if this law impacts your company. If it does, the CCPA module within IronBench Compliance Navigator helps you manage your ongoing compliance requirements in a simple, easy-to-understand manner today and into the future.
  • The Payment Card Industry Data Security Standard (PCI DSS) module shows companies what is required of them to meet today’s payment card industry requirements in an intuitive, centralized method of management and reporting. If your company accepts credit cards as a form of payment, you are expected to evidence compliance regularly. This module helps companies understand what is required, as well as helps manage your organization’s on-going compliance status in a low-friction, easy-to-use experience year after year.
  • The NIST Cybersecurity Framework (NIST CSF) module shows private sector companies, in everyday language and concepts, what is recommended in order to prevent, detect and respond to cyber incidents in today’s critical technology infrastructure. If you are looking for a centralized, easy-to-understand and easy-to-use method of aligning your organization to the NIST CSF, this module will guide you through the material and enable you to manage your organization’s alignment as your company, your industry and the standard itself change through the years.

    To get started, you can also take a free Maturity Assessment to understand where your organization is along the path to alignment with the NIST CSF. 

IronBench Compliance Navigator guides you through the process of identifying which standards apply to you, where your organization is strong and where it needs work, as well as helps you identify possible solutions to increase your preparedness along the way. Customer benefits include:

  • Track all compliance requirements, risks and responses in one secure location that’s accessible to all of your teams anytime, anywhere
  • Track your organization against multiple standards at the same time, in the same tool, year after year – change history included
  • Stay on top of new regulatory compliance standards in the marketplace, as well as changes to existing standards against which you currently manage your organization
  • Delegate responsibility to others to acquire answers instead of having to personally perform each and every step manually

Create a free account to view the available tools in the IronBench Cybersecurity Suite and purchase only the ones relevant to your organization. If you’re interested in a white-label solution or an enterprise version of this tool that meets your specific needs, contact us.

The IronBench Cybersecurity Suite of tools, as well as all associated patents and trademarks, are wholly-owned by IronBench LLC. IronBench and Trility Consulting, as well as all associated patents and trademarks, are wholly-owned subsidiaries of Trility Group Holdings, Inc. Trility provides strategic management consulting, digital transformation expertise and advanced technical solutions for forward-thinking global businesses.