Author: Steve Blais

In Security

Let’s face it. It’s all about information. Everything we do is about information. We need information to do our job, and our job is usually about information, information that is collected from a wide range of sources over a long period of time, information that is created through the combination of other information, information that is printed, displayed, organized, manipulated, and stored for decades if not eons.

And that information is important. We depend on information.  We use information to know what is going on, to make decisions, to entertain us, to communicate, or simply to take us to places we’ve never been. It’s all about information.

It’s all about information security

And then, it’s all about security of that information; who can see it, when they can see it, how much of it they can see, and in what form will the information be kept and for how long? Should the information we need be secure and to what level? Should it be private, and private to whom? When should it be released? How long should it be kept before releasing or destroying? Can it be destroyed?

Security. Even in IT, we tend to view security as a specialist’s area. Security people are strange birds, and security “stuff” is generally the bailiwick of specialists who think differently than the rest of us. They have their own vocabulary – black hat, white hat, encryption, public and private keys, breach, vulnerability, hacker, cracker, malware, and so forth. As Business Analysts, and even as Developers, information security is viewed many times as a layer of nonfunctional requirements and / or software added to the basic business requirements at some later date in the software development lifecycle.  And in many cases that is the way it has to be.

But consider this; a breach in security is bad for business. Loss of information is not simply an IT issue; it is a business issue.  The loss of information might well lead to the loss of the entire business. Security requirements are business requirements. Consider even further – the level of security is based on the value of the business assets being secured. Therefore, it is necessary to analyze the business assets to determine the value of those assets and what levels of security are necessary. Note the words “analyze the business”; in other words, business analysis.

We are all insecure

The reality in information security is that there is no foolproof way of securing the business’ information except by physically disconnecting all the information from any external access. In other words, “unplugging”. And while that was a perfectly valid business strategy 50 years ago when I started, today the concept of being completely disconnected from the Internet and still being successful in business would be considered far-fetched. (Actually for most businesses back then “unplugging” was not an option since there was nothing to “plug” into. Locked file cabinets containing the business “secrets” sufficed.) In those days, we who defined requirements, designed systems, wrote the code, and tested the results were not worried about information security. Security, not just information security but all security (there was no category called information security at the time), was indeed handled by a completely different organization with whom we in data processing (as it was called back then) rarely had interactions. Security back then was focused on physical security, preventing unauthorized access to the premises, and to those locked file cabinets.

A Security Guideline for Business Analysts

Since we cannot, as Business Analysts, developers, or even security specialists, completely prevent an intrusion or a breach from occurring in today’s interconnected spider web of information, we need to have a guideline, a balance between security and convenience, between preventing access by the bad guys and inappropriately filtering out the good guys. If we do business on the Internet, we need to make it as easy as possible for those seeking to do business with us to access the information they need to do business while at the same time preventing those with malicious intent from accessing, manipulating, or modifying our information.

So we have this guideline that was written on a card which I kept pinned on the wall of my office in a previous life in security:

Make the cost of the breach exceed the value of what is compromised.

If we are able to implement this guideline effectively we should be able to prevent the majority of damaging breaches, and pretty much all intrusions based on economic gain. What this does not protect against is those who are attempting to break security for reasons of revenge, “fun”, or simple malevolence. And those areas are indeed the purview of the security specialists, and probably also the psychologists.

However, the general approach will be effective. Consider that the “cost” includes not only the time, effort, and/or monetary expenditures to get to the information, but also the length of time of exposure. For example, the “Club” which many car owners have affixed to their steering wheel to “prevent” theft of their vehicles does not actually prevent theft. Cars can be stolen with a Club on the steering wheel. What the Club does is increase the amount of time the car thief has to spend to steal the car; thus, the “cost” of the theft is in the extended exposure and increased potentiality of being caught. If the vehicle is a Ferrari or some other car that costs six figures to purchase, it might be worth the risk. If the vehicle is my 17-year-old sedan, it clearly would not be. So the “cost” can also be measured in “exposure time” for the bad guy.

To make that guideline work effectively, the business must first have a definition or assessment of the value of its information. Not all information has the same value. And the cost of securing that information should be directly proportional to the value the information has. In other words the organization should spend more time and money securing their customer master files which have national identification numbers and credit card information than in securing the departmental picnic list file that contains the names of employees attending the annual picnic and what dish they are bringing (to prevent too many bags of potato chips and not enough vegetables).

The Business Analyst’s Role in Security

It takes business analysis to determine and assess the value of the information in the organization for any given business process or information system. Since security should not be an afterthought to be added after the systems or changes have been developed, it is up to the Business Analyst to determine the value of the information, all the information, being used by a particular business process or information system. The Business Analyst may not be required to identify threats and/or countermeasures, which is indeed the domain of the security professional (although I have seen many Business Analysts involved with threat assessment in organizations because of their breadth of knowledge of the business activities, processes, and information).

The Business Analyst also provides a valuable check and balance to security by identifying when security measures may be too much – they prevent business from happening or make it exceedingly difficult – thus impairing the organization’s mission or keeping it from achieving its strategic goals.

Helping the organization become secure

We typically think of security in terms of protecting against malicious intrusion or identity theft. But when we consider the entire business there are many other areas in which security is important to the business. For example, corporate espionage is a threat to many businesses. Privacy of both the employees using the systems and customers entering their data into the corporate databases has been increasing in importance this century and generally falls under security. While security is a policy of the organization to protect the organization, privacy falls under regulations of countries and other jurisdictions and may cause an organization to run afoul of the law.

Many times the solution to a security problem is not additional software or technological engineering, but a simple change in the business process. The Business Analyst is the primary role familiar with the entire business process and is able to identify security weaknesses in the human activities which in many cases is where a security breach starts.

While the technologists will focus on the networks, the portals, the access points, the web servers and other technology-based vulnerabilities in the organization, the Business Analyst can look at a wider picture that includes the movement of information outside the computers throughout the company and the people who handle that information.

It takes a Business Analyst to put a security problem into a business context. It takes a Business Analyst to evaluate whether the assets being protected are worth the cost of the protection. It takes a Business Analyst to understand the human factors involved with security issues and security breaches.

The Business Analyst can provide valuable information to the security professionals to help make their job easier and more accurate thus adding value to the organization (in terms of increased and better security, and a better cost-benefit ratio for the security activities) which is what the Business Analyst is all about.

The Silver Bullet Syndrome

Over the past several years I have heard an increasing number of complaints from a large number of Agile adherents accusing organizational management of expecting Agile to be a silver bullet (usually stated as “the next silver bullet” although I am not sure what other “silver bullet” Agile is replacing).

These accusations usually occur when there are problems with Agile or the approach does not work as advertised and organizational management pulls the plug or reverts to more traditional software development or management approaches. These complaints are not unique to the Agile community, although they do seem to be somewhat IT related in general. Hearing them got me to thinking about the whole concept of the silver bullet, the results of which follow.

We in IT are fond of condemning management of organizations for continually looking for “The Silver Bullet”. There is certainly some evidence to support IT’s contention that management expects a “magical” solution to business problems. We can cite many instances of technologies or approaches in IT that rose to preeminence and then were cast aside as not having The One Answer:  Business Process Re-engineering comes to mind as an example.

Perhaps we feel we in IT have a greater insight into how things work since Fred Brooks’ paper, titled “No Silver Bullet – Essence and Accidents of Software Engineering,” was published back in 1986. And to a large degree, technology, headed by computer technology, has been the victim of “the next great thing” for decades. Since we in IT are the ones producing “the next great thing” perhaps, like Pogo, “we are the Silver Bullet that we complain about”. [1]

The Evolution of the Silver Bullet

For those not aware of the legend of the silver bullet, in folklore a silver bullet fired from a gun is the only way to kill a werewolf. (Note that the silver bullet was also used by the fictional Western character, The Lone Ranger, as a calling card and a symbol of law and order. We are not referring to that particular use of silver bullet in IT.) Initially, in common parlance, a “silver bullet” referred to the only successful solution to a given problem or situation (to kill a werewolf for example). It was a positive concept. I can remember management meetings in which someone would say, “well, that looks like our silver bullet to resolve the issue.” And it was.

Since Brooks’ article, “silver bullet” has become a pejorative term usually applied to management with the emphasis on the fictional aspect of the concept: there are no werewolves, and, therefore, no “magic” silver bullets to kill them. In other words, there is no single approach or technology that will solve a complicated business problem.

Deus ex Machina

Perhaps we in IT might be better served by using the term Deus ex Machina rather than silver bullet. The Deus ex Machina, Greek for “god from the machine”, was a device used by playwrights, and others, to get the hero or protagonist out of an impossible situation by means of some unexpected, and marginally believable, power or event that occurs to save the day. Usually, in Greek plays it was portrayed as some god arriving in a chariot when things were darkest for the heroes (the monster was about to devour them, or the enemy wipe them out) to set things right and to save the day.

Deus ex Machina might be a better analogy for the single magical solution that management would like to see to solve its business problem: A new product, or technology, or approach that would get them out of whatever difficulty they are in, and most likely got into by their own actions, or lack thereof.

However, Deus ex Machina is hard to say and is not quite that familiar. After all, Greek drama is not a common course for MBAs, not to mention IT curricula. So it looks like we will have to live with the term “silver bullet”.

There is a Silver Bullet

The logical binary oriented computer and IT people declaim management’s persistent belief in and search for the silver bullet. IT people, especially in software development, and more especially in the Agile approaches, state categorically that there is no silver bullet. This may be a valid, logical conclusion, at least in IT, but it flies in the face of human nature.

We might recall as children getting ourselves into an untenable situation or simply being the victim of circumstances out of which we could not get. The situation seemed hopeless, at least to us. Then our parents or teachers or some other adult produced a solution to the problem, sometimes with money, sometimes with an action they took, and sometimes with some simple adult advice and counsel. Whatever was done, a single solution evaporated the unsolvable problem. And this is the way it is supposed to be. Children trip and fall and the adult gets rid of the pain and comforts the injured so the child can get up and run again. Children try something new that does not work and the adult steps in to make it right. In other words we are used to “silver bullets” even though as we look back as adults on those events, we realize they are simply adult solutions to problems that we as children could not determine. Still, as children filled with a sense of relief that the problem is solved, we would call them “Silver Bullets” if such a phrase were in our vocabulary.

Being so used to “adult intervention” is it any wonder that we humans believe in silver bullets?

Romance and Comedy

Hollywood contributes to our continuing belief in the silver bullet. In romantic movie after comedic movie, the lead character gets something (love of their life, money, etc.), the lead character loses it, and then by some magical happenstance, the lead character gets it back (usually along with some insights) in the third act, and everyone lives happily ever after. Centuries of books, plays, operas, and nearly a century of movies (not to mention television and now Internet shows) have conditioned us to expect some kind of silver bullet to make everything right by the final credits. Regardless of how implausible, Andy Hardy puts on a show to save the orphanage. Cars line up for miles waiting to pay money to visit the Field of Dreams and save the farm from foreclosure. King Richard returns just in time to save Robin Hood from the forces of King John. The real criminal confesses to save the innocent man’s execution just before midnight. And so forth.

Our popular culture continues to reinforce the belief that somehow, someone or something will come along and save the day. More silver bullets.

The 24 Effect

In the very popular television series 24, the lead character, Jack Bauer, played by Kiefer Sutherland, had two often repeated phrases. The first, “dammit”, spawned a college drinking game. The second phrase, repeated in nearly every episode, shows how ingrained the concept of the silver bullet is in our culture. The phrase is “this is the only way”, usually stated after another character recites a laundry list of risks, such as death to Mr. Bauer.  Not only is Jack Bauer stating a single solution that will magically solve the problem (the problem of that 15-minute segment anyway) but the solution generally, in fact, works. And we believe it, or at least we suspend our disbelief.

As humans, we want to believe that there is a solution, even a “magical” solution that will get us out of our most dire situations.

This is called hope. And hope is not a bad thing.

And who knows? Maybe there are silver bullets. After all, someone has to win the lottery.

Silver Bullet Expectations

There are two primary reasons that Business Analysts have to be aware of the natural occurrence of the belief in silver bullets. We might call this the “Silver Bullet Bias.”

The first is one of expectations. This is the primary reason behind the negative connotation to the phrase “silver bullet”. If management assumes that a solution, for example an Agile approach, is a silver bullet, management will assume that the problem will be completely solved with no other action necessary.

Part of the reason for the Silver Bullet Bias is those who are proponents of the approach, the zealots or true believers.  There has been a lot of hype about Agile, for example, especially from the Agile advocates themselves. Agile, a software development philosophy or mindset, has been pushed to the corporate level far removed from the developers who signed the Agile Manifesto with promises that if the organization is Agile, great things will happen in software development and elsewhere (sales, marketing, customer service, etc.)  There is no mention of the work necessary and one of the underlying principles of Agile, which is that failure is necessary for success. Based on the concept that management is made up of human beings (although there are those in IT who doubt that concept), management will naturally jump at the possibility of a silver bullet.  We have only ourselves to blame for their expectations.

Expectations can be managed. Identifying the risks involved with the proposed solution, the shortcomings of the solution, and the aspects of the problem that may not be solved by this “silver bullet” solution will put the “silver bullet” in its proper context. Sometimes placing a potential solution in a realistic scenario including risks, impacts and limitations might force management to look for other solutions, which is never a bad thing, time permitting, and in many cases, the constraints of time tend to be artificial.

No Other Way

The second issue is more insidious. If management or anyone assumes a silver bullet approach, they will not consider any other options, and have a tendency to overlook the risks, similar to the 24 effect. If the solution is the “only way”, then there is no need to do risk analysis for the purpose of determining the alternative with the least risk, much less come up with another alternative. And this can be disastrous. 

The last thing a Business Analyst wants to hear about a failed solution is “we didn’t consider…” I’m not talking hindsight bias where the phrase is “If only we had known this would happen”.  I’m suggesting that additional information or analysis was stopped, prevented, because a silver bullet appeared and became “the only way.”  As Courtney Turk says in The Secret Diary of Ashley Juergens, or as Dr. Mouhamed Tarazi titles his book:  “There is always another way.” Or as Sherlock Holmes would say, “It’s a capital crime to theorize before you have all the evidence. It biases the judgment.”

The silver bullet is sometimes another way of jumping to solutions, or worse, ignoring or discounting any other possible solution (confirmation bias).

“No Silver Bullet” is a Silver Bullet

And, finally, the Silver Bullet Bias can be used as an excuse. It’s easy to say management is wrong because they want a silver bullet, and expect every solution to be a silver bullet, and that’s why it didn’t work.

“Management expected Agile to be a silver bullet, so they pulled the plug on it when it didn’t solve all their problems.”  This is a convenient excuse, and it may hide the real reasons for the failure. Perhaps expectations were not set at the right level. Perhaps the approach was not correctly implemented. Perhaps the implementers tried to shoehorn the organization into a standard approach when customization, while more difficult, was called for. It’s easy to blame things that don’t go your way in business as a negative attitude on the part of management. The harder thing to do is to evaluate and assess and come back with a plan to do it right the next time (or at least to do it “righter”).

What can the Business Analyst do about it?

We recognize that all of us want, and to a degree believe in a silver bullet, to rescue us from whatever difficulties we are in.  While we cannot eliminate silver bullet thinking, we can address the issues of Silver Bullet Bias in business.

Considering the aspect of the “one and only” solution, the Business Analyst will offer multiple solutions to any business problem – or for that matter, any problem at all. The solutions do not have to be mutually exclusive nor realistic. In other words, one solution might be too expensive, and another realistic but improbable.  Solutions might be variations on the same theme. But they will be separately identifiable solutions to the problem.  Faced with options to solve the problem, management will likely recognize that the Silver Bullet solution is not the only way to go, and be forced into evaluating alternatives to come up with the best viable approach.

The Business Analyst can throw a little tarnish on the silver bullet showing that the solution may not provide all the answers or relief. The Business Analyst provides measurements and metrics pinpointing where the solution may fall short, and how management can determine that the solution is viable (or not). In this way, the “magic” of the silver bullet solution starts being replaced by situational reality. Management can begin to see behind the curtain.  Remember that even when the magic of the Wizard of Oz was shown to be fraud, the Wizard still satisfied everyone’s goals for going to Oz: a heart for the Tin Woodman, brain for the Scarecrow, courage for the Lion, and Kansas for Dorothy. The reality is that goals and solutions can be achieved without the silver bullet.

And, who knows, maybe the Business Analyst will show that the solution was, in fact, a silver bullet.

[1] The comic strip, “Pogo”, scripted by the late Walt Kelly (1913 – 1973) produced many quotes, among which, the most famous is “We have met the enemy, and he is us.”

Business Analysis According to Sherlock Holmes

I have been reading and rereading Arthur Conan Doyle’s stories and novels about the brilliant detective Sherlock Holmes for years. With the possible exception of Edgar Allan Poe’s lesser known Auguste Dupin (see The Murders on the Rue Morgue), Holmes stands as the pre-eminent and archetypical critical thinker and detective of all time. Sherlock Holmes provides the model for all the genius eccentric crime solvers who occupy the books, airwaves, and movie theaters of today. Holmes has a lot to say about how to analyze information and evidence and deduce the best solution or the perpetrator of the crime.

Sherlock Holmes is one of the charter members of the Business Analysis Hall of Fame. He has left a vast legacy of advice and counsel to business analysts of all ages. Herewith, direct from 221B Baker Street, are the words of wisdom from Sherlock Holmes.

“Approach the case with an absolutely blank mind, which is always an advantage. That way you formed no theories. You are simply there to observe and to draw inferences from your observations.” (Adventure of the Cardboard Box)

The business analyst needs to be objective. The business analyst cannot have preconceived notions, including those foisted on them by the customer, sponsor, or subject matter expert. When eliciting information the business analyst listens naively and asks questions without prejudice (see the series “How to Ask the Right Questions”, especially part 4: “Asking the Naked Question” for more information about listening naively). When the business analyst comes to an interview with a solution in mind, for example, one proposed to them by the sponsor or another stakeholder with political clout, the business analyst will tend to ask questions and hear the answers that support the solution and ignore or discount any information that may cast doubt on the solution. This is called confirmation bias. Sherlock Holmes cautions us against such behavior if we want to be top notch business analysts.

“It is a capital mistake to theorize before one has data. One begins to twist facts to suit theories, instead of theories to suit facts.” (A Scandal in Bohemia)

This is Holmes’ way of saying “Don’t jump to solutions.” A business analyst should look for more than one solution to a business problem. Once a solution has been established, ask “is there any other way to solve this problem?” In that way we keep ourselves from accepting the first, and not perhaps the best, solution that comes to mind. Looking for that second or third solution also forces us to seek out more information, some of which might invalidate the original solution (that is also a reason for not seeking additional information: it might prove our initial solution wrong, and who wants to be proven wrong?)

“Nothing clears up a case so much as stating it to another person.” (The Silver Blaze)

The Silver Blaze was a race horse and presented a challenging puzzle for Holmes. At one point he asks Watson to listen to him while he “enumerates over the facts of the case.” He knows that verbalizing what is in our heads forces us to focus on what we are saying and how we are saying it. We are trying to get the pictures and concepts in our brains into the brain of someone else and will tend to make those concepts simpler and clearer. And so he does. And so should we. Before conducting an information gathering session, perhaps it is a good idea to ask another business analyst the questions you plan to ask the subject matter expert or another stakeholder. Hearing the questions aloud might cause you to restate a question or two, or not ask them at all. You might also verbally walk through your solution, or your requirements, with another business analyst before committing the solution to a formal document for submission. And if you are creating user stories in an agile environment, reading them aloud is not just a good idea according to Sherlock Holmes, but also from others including the “inventor” of user stories, Ron Jeffries.

“There is nothing more deceptive than an obvious fact.” (The Bascombe Valley Mystery)

There are “facts” that everybody thinks they know. One of the more common is “It’s done this way because it’s always been done this way. It’s the only way to do it.” The business analyst is aware of the “fact” that cannot be proven, but must be taken as truth. In The Bascombe Valley Mystery, Holmes is responding to Watson’s claim that the evidence as reported is somewhat condemning to their client. Holmes points out that evidence, especially circumstantial, points in one direction, but with a little shift in your point of view, you may be looking at something completely different. It is similar in business analysis in the pursuit of a solution. The solution that everyone seems to agree to may not be the best solution when all the facts are in, including those facts not in play at the moment. In theory, those thinking the solution is best assume that all the facts are known.

“When you have eliminated the impossible whatever remains, HOWEVER IMPROBABLE, must be the truth.” (A Study in Scarlet)

“It is an old maxim of mine that when you have excluded the impossible, whatever remains, however improbable, must be the truth.” (The Beryl Coronet)

“We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth.” (The Adventure of the Bruce-Partington Plans)

These similar quotes refer to the method that Sherlock Holmes uses to solve a mystery. He begins to construct theories based on the data that he has in front of him. He is creating alternate solutions to the problem (the problem, of course, is to figure out who committed the crime and how was it committed). He then looks for more data or evidence that will either further confirm or eliminate each theory. Eventually, through a logical process of elimination, Holmes has solved the mystery. As business analysts we can perform a similar process of elimination by starting with the facts, confirming those facts, and then forming potential solutions. Then our investigative job becomes one of gathering information to disprove or eliminate each solution. As solutions are eliminated based on evidence gathered, we can determine the one, best solution. (Note that if all potential solutions are eliminated, we need to go back and re-theorize.) As Holmes says:

“If the fresh facts which come to our knowledge all fit themselves into the scheme, then our hypothesis may gradually become a solution.” (The Adventure of the Wisteria Lodge)

“A further knowledge of facts is necessary before I would venture to give a final and definite opinion.” (The Adventure of the Wisteria Lodge)

In this piece of advice, Holmes is suggesting that we hold off on rendering opinions or conclusions until we have enough information to do so. In many of his adventures he had the solution to the mystery in mind (his predominant theory, for example) and refused to disclose it until he got that last piece of evidence that confirmed the theory beyond doubt. We should be as careful about advancing our solutions until we are sure of them based on the information. (Or to quote someone from a different world altogether: Davy Crockett said, “Be sure you’re right, then go ahead”)

“Education never ends, Watson. It is a series of lessons with the greatest for the last.” (The Adventure of the Red Circle)

As brilliant as Holmes was, he never stopped learning. He admitted when he made a mistake, immediately recognizing what that mistake was. You get the feeling that once admitted he would never make that same mistake again, or perhaps not make even a similar mistake. For example, in “The Adventure of the Stock Broker’s Clerk”, Holmes and Watson enter a room to confront their suspect who is sitting at a table reading a newspaper. Upon seeing them, the suspect races into the next room and attempts to hang himself. Holmes is at first mystified that the fellow would attempt suicide at their appearance. Later when the man is revived, the motive for the suicide becomes apparent. It was something he read in the paper. Holmes then exclaims, “The paper! Of course! Idiot that I was! I thought so much of our visit that the paper never entered my head for an instant.”

Sherlock Holmes had a lot more to say that still resonates across the decades to us, advice that can be applied to our day-to-day work as business analysts and critical thinkers.

If we could all be like Sherlock Holmes, Conan Doyle’s protagonist would never have achieved the publishing success and lasting fame that Holmes has enjoyed for over a century now. We don’t have his remarkable ability to eradicate the emotional, eliminate the irrelevant, and focus with laser-like intensity on the given problem. We don’t have Holmes’ amazing powers of observation. (He could distinguish 75 different perfumes (The Hound of the Baskervilles) showing that he even brought his sense of smell into his observations). However, we can learn to better examine the information we receive with more critical thinking and withhold our judgment longer when evaluating that information. We can learn to restrict our observations more to the evidence that exists rather than what we think exists, or what we have been told.

While we are pursuing the best solution to the business problem and endeavoring to add value to the business through improving processes and solving problems, we might find we are doing a better job of it if we remember and apply the acronym WWSHD: “What would Sherlock Holmes do?”

Ask the Naked Question: How To Ask the Right Question part 4

blais Mar3

In the previous episodes, we established a framework more conducive to asking the Right Question, increasing the probability that you will ask the Right Question, if even inadvertently. We talked about what to ask, and to a degree when to ask it. Now let’s wrap up with talking about how to ask the Right Question.

“How” is as important as “what”

The quality of the response is affected not only by the content of the question, but also by its manner of delivery, especially its pace and timing.
Michael Marquardt [3]

The trick to asking the Right Question may not just be in knowing what to ask; it may be in knowing how to ask it. This requires good questioning skills, according to Andrew Griffiths, who states that in addition to getting good answers, “good questioning skills will empower you and can transform your confidence, ability and results”. This is the evidence of leadership, which “… is all about asking questions: the right questions at the right time in the right way”. [1]

Ask naïvely

Even though we know what information we want, we don’t want to assume we know what the answers are actually going to be. We may have asked the same question of eighteen other responders and gotten the same answer 18 times in a row, but the 19th time we ask, we want to ask it as though we never asked it before.

But, Steve, you might say, if I’ve been rummaging around the call center asking questions of everyone to define a new call center system, won’t the people I’m asking questions of know that I’m asking questions that have been answered by someone else?

Sure, and if you preface your question with “I’m not sure I understand this, which is why I’m asking you” or something similar, the person will tend to answer your questions as though he or she is the very first person you are questioning.

The same holds true for confirmation questions. When you preface the question with “so I understand this is how [fill in the blank] is done, is that correct?”, you will get the closed-ended response of “Yes”. And this is good for confirmation. However, if you start the confirmation question from the opposite point of view (“I’m having trouble understanding this, perhaps you could clear it up for me…”), you will likely get an answer that confirms your previous information and also adds new information or at least includes the personal perspective of the responder.

Getting Naked

To the degree possible, getting the Right Answer and not just a superficial response requires us to convince the responder that we genuinely want to know the answers to the questions we are asking and we invite all the information they have on the subject. This means approaching the information gathering session with a degree of humility as described by Patrick Lencioni in his book, Getting Naked. Lencioni suggests that we should be “so concerned about helping [our customers] that [we should be] willing to ask questions and make suggestions even if those questions and suggestions could turn out to be laughably wrong…readily admit that we don’t know and be quick to point out – even to celebrate – [our] errors because protecting [our] intellectual ego is not important to them.” [2]

There is one somewhat universal truth when it comes to getting answers to questions: people will not tell you something that they think you already know. When you ask a question and appear to already have knowledge about the subject, the responders will give you very generic and high-level answers. No one likes to give a detailed answer only to hear the other person say, “yes, right, I know all that, but what I really want to know is…” Appearing less knowledgeable gets more information, for example by using the approach Denzel Washington does in the movie Philadelphia: “tell it to me like I am six years old.”*

The trick here is to curtail your natural inclination to “discuss” the situation or responses by offering your opinion or knowledge gained on the topic. When your goal is to gather information, focus on the flow of information – coming to you and not going from you to the responders. Remind yourself that you will have plenty of time in review sessions and other engagements to exhibit your grasp of the situation and solution.

And Listen Naively

Listening naïvely is the technique in which you appear to be a sponge willing to learn everything that the responder can tell you about the topic.

To get the most information and the Right Answers, the questioner has to listen naively. That is, listen with no preconceived notions, exerting zero judgment, absorbing all information that is proffered without analysis. In other words, the questioner must hear the information as though for the first time. This is difficult because it requires the questioner to be totally in the moment and focused.

When you establish the information gathering session “frame” (as discussed in the previous article), you set the stage in the responder’s mind that you are in need of this information. It also reminds you to sit back and listen as though for the first time.

In other words, just ask the questions, the naked questions, unadorned by preface, explanation, suggestion, direction, assumption, or supposition. Here’s an example: when the responder does not understand the question and asks for an explanation, rather than give an explanation or background, rephrase the question so that you continue to ask questions rather than provide answers. As stated, there will be plenty of time to provide the answers when all the information has been collected.

You will find that people love to tell you what they know and if you are listening naïvely, they will tell you a lot more than your questions ask, perhaps even filling in the gaps between your questions.

Avoid Asking the Wrong Questions

“If they can get you asking the wrong questions, they don’t have to worry about answers.”
Thomas Pynchon

The opposite of “right” questions would likely be “wrong” questions. So if there are a few “right” questions, the rest must be wrong, unless there is some middle ground between right and wrong like mediocre.

Therefore, one solution might be to adopt the stance that all questions are “right”, with a few exceptions which might be considered “wrong”:

  • Questions which caused the information gathering session to be terminated by the responder: “so, before this new system replaces your job and we lay you off, can you describe some of the things we can do to make the system better?”
  • Questions which stemmed the flow of information: “yes, we get that. You clearly do not understand what we are looking for here. What happens when…?”
  • Questions which resulted in the same information you’ve already received (except when you are specifically looking to confirm information obtained from another source).
  • Questions that result in an abrupt change to the responders’ focus: “so to continue with the Accounts Payable voucher process, what did you think about the best picture award at the Oscars?”

Since cognitive studies have shown that we humans tend to remember the negative things more than the positive things that happen to us, we most likely remember those “inappropriate” questions a lot more and a lot longer than we remember the hundreds of “right” questions asked. And this remembrance of the less than optimum questions might explain why so many of us agonize over the “right question” issue.

So perhaps the best advice on how to ask the “right” question is to simply avoid asking the “wrong” questions. If you don’t ask any “wrong” questions, then clearly all the questions that you ask must be “right”.

Some Good Advice

Marquardt offers some good advice for asking the Right Question to elicit the Right Answer:

  • “Respond without judging the thoughts, feelings or situations of other people
  • Consider yourself a beginner, regardless of experience
  • Avoid focusing on your own role (which can lead to a self-protective approach) and take the role of an outside observer, researcher or reporter
  • Look at the situation from multiple perspectives, especially your respondents’
  • Be tolerant of yourself and others
  • Ask clarifying questions” [3]

Tips for Asking the Right Question(s)

Here are some final thoughts that might help you ask the Right Question.

  • Review your questions to see if you have the ‘right’ answer in mind, before asking the question. If you do, then either delete the answer, and all other judgment from the question, or don’t ask it.
  • Continually refer to the responder’s previous answers or comments for subsequent questions. This not only reaffirms what the responder has said previously, but it also reminds the responder that you are listening carefully to what the responder says, thus encouraging even more information to be shared.
  • Avoid focusing on your role or your deliverable. Focus on their problem or their part in the problem / solution. Be prepared to discover that they may not consider the problem you are striving so vigorously to solve to be important to them or not even a problem at all.
  • Ask the questions delicately and naïvely, and listen naïvely to the information provided. To paraphrase the X-Files: the Right Answer is in there.
  • Ask just the questions, naked unadorned questions, and keep asking.

In the end, the Right Answer is the result of piecing together a lot of answers generated by a lot of Right Questions. You will be obtaining the Right Answers from people who probably don’t even know that they know the Right Answers. And this is the magic of information gathering and problem-solving. Go forth and ask more questions.

[1] Griffiths, Andrew, Ask a Stupid Question, Lightning Press, UK, 2012
[2] Lencioni, Patrick, Getting Naked, Jossey-Bass, San Francisco, 2010
[3] Marquardt, Michael, Leading with Questions, Jossey-Bass, San Francisco, 2014

* In the movie “Philadelphia”, which involved an insurance trial in which Tom Hanks was the plaintiff, Denzel Washington was the lawyer called in specifically because of his knowledge of the complex insurance laws and regulations. Throughout the movie, in depositions and during the trial, Denzel Washington, as the lawyer, said to witnesses and others who were describing aspects of the case, “Tell it to me like I am six years old”. As an expert, he didn’t need it to be made simpler, but those who were judging the case did, and by requesting that the witness respond in the simplest way possible he reduced the ambiguity, vagueness and potential misunderstanding of the response.

How to Ask the Right Questions Part 3: A Framework for Asking

Your goal is to get information. You want to get as much information as you can. You can always eliminate nonessential and irrelevant information when you analyze the information after you have obtained it. Consider that the only way that we can be sure we will ask the Right Question is by getting the Right Answer, and the only way we know we got the Right Answer is by getting as many answers as we can. During the process of getting the information, we need to do everything we can to increase the flow of information, and that includes preparation for asking as well as the actual act of asking the questions.

Whoever gets the most information wins

We need to gather as much information as possible. The more information we get, the better able we are to determine what the Right Answers are. However, given the time constraints of a normal business initiative and the limited amount of time we will get with the business stakeholders, we need to adopt a process which will give us the most information in the least amount of time.

In other words, we want to adopt the attitude of being a sponge (listening, observing, sensing, and absorbing all the information we can get) while at the same time keeping the information as focused on the business problem and solution as possible. This is not an easy task. This requires you to do everything you can to increase the flow of information from the responder to you while at the same time guiding and directing the responder to give you information that helps you both achieve the goal of solving the business problem.

Preparing To Ask the Right Question

First let’s make sure we create the best possible environment to ask the right question.

Just as we prepare for the entire information gathering process, we also prepare for the individual Information Gathering Session. We don’t simply think of a few questions to ask as we are walking to the interview or meeting. If we want to ask the Right Question, to get the Right Answer, we take some time before we engage in the session to determine what we want to know. The preparation stage of the information gathering session may take place well in advance of the session itself, or immediately beforehand. Generally we want to allocate approximately half the time scheduled for the session itself to spend on the preparation.

Why are we Doing This

Start with the objective of the session. What is the purpose for taking this person’s time (and yours, of course)? What is the Big Question you want answered when you leave the session? This is your objective. All information gathering sessions have an objective. The top reporters, journalists, detectives, and others who make their livelihood asking the Right Questions have an objective to be achieved when they conduct an interview or other information gathering session.

Where does the objective come from? The Information Gathering Plan (see Part 2 of this series which describes creating an Information Gathering Plan). You have established in the Information Gathering Plan what information you need to understand the problem domain or define a solution. Now you are getting that information, so each item in the Information Gathering Plan becomes an objective in an Information Gathering Session.

The Questions to Ask

It’s easier to come up with the questions that we are going to ask during an information gathering session if we have an objective to achieve. Once we have defined the objective, we can more easily think of questions to ask that will achieve that objective. The key aspect is to write the questions down. In that way, we imprint the questions on our brain so that the questions come to us more naturally during the actual session. Even if we leave our written questions behind, we will likely end up asking those same questions because we wrote them into our thinking. Once we have the list of questions, we reorder the questions so that they are listed from easy questions (those that don’t require any thought or concern to answer, such as “how long have you worked here?”) to more difficult questions (those that require more thought, or explanation, or which may cause an emotional reaction in the responder, such as “do you think you’ll be laid off when we implement the new system?”), and then back to easy questions to wrap up (such as “Are you going to the holiday party next week?”).

The Information Gathering Plan (from the previous article) has “what is the process of doing vendor voucher entry” as an item. Your objective in an interview or meeting with the voucher entry clerks becomes: “Determine the process of doing vendor voucher entry”. You then list questions that will achieve your objective, such as: 

  1. What triggers the voucher entry process?
  2. Where does the information that you key in come from?
  3. What does the form of information look like?
  4. Can you show me the screen that you use to enter the information into?
  5. What do you do first to get started?
  6. Then what do you do?
  7. Why did you do that?
  8. Do you always do that?
  9. What if you could do this instead?
  10. Do you like doing that?
  11. Can you expand on that?
  12. What if that doesn’t happen?

And so forth.

This is an unordered list and contains no introduction or closing questions. Notice that we don’t ask: “Will you tell me the way you do the process of voucher entry?” Instead we ask questions that will give us this answer. In this way, we gain significantly more information and don’t turn the session over to the responder. While we do want the responder(s) talking most of the time, we still want to regulate the information received.

Setting the Table

An information gathering session consists of three basic stages: the introduction, the body, and the close. Each of the stages is important to the goal of increasing the flow of information to get the Right Answers. Let’s start with the Introduction in which we set the “frame” for the session.

Introduction: The Frame

Social Science and Psychology have given us the concept of the “frame”. When you frame your information gathering session, you establish a boundary within which you want the responder’s responses to remain. So framing saves time by keeping the responders (and you) focused.

Instead of starting out the Information Gathering Session by stating the objective you wish to achieve with the session (as in, “Hello, Charley, I’m Steve. I am here to understand how you enter the vouchers”), start the session by expressing the following:

  • This is the problem we are here to solve.
  • This is the vision that we see occurring as the result of solving the problem.
  • This is why it is important to the responder(s) personally (provided you know why it is important to them).

The opening statement would then be something like this: “Hello, Charley, I’m Steve. I want to talk with you about the time it takes to do voucher entry. I understand that it is taking too long with all these vendor payment terms that have to be entered. We want to create a process where all of the terms are automatically entered from a database, and all the vouchers are completed quickly and you get to go to happy hour on time.”

Framing your conversation has these effects [1]:

  • The frame (in the example, the accounts payable problem) focuses the responders’ thoughts so that each answer is made in light of the frame.
  • The responders tend to be more motivated to provide information that solves the problem because they are subconsciously thinking about how to solve it.
  • There is less chance that the responders will get sidetracked or derailed since they are thinking ‘inside the frame’ (in meetings this tendency to stay focused takes the pressure off the meeting facilitator and moderator).
  • By observing the responder’s reaction, you can get a good feeling whether the responder has the information you are seeking. When the responder nods in agreement with the problem, acknowledging it, you know he has the information.
  • Stating the frame gives the responder a chance to orient his or her thoughts and prepare mentally for the interview. It also gives you a chance to organize your thoughts around the objectives of the Information Gathering Session.

The Rhythm of Question and Answer

Once we establish the frame for information gathering we can proceed with our questions and answers. We may get the same volume of information without the frame, but the frame helps to keep the information focused on the problem at hand and achieving the objective and therefore increases the number of Right Answers.

To get the continuous flow of information from the responders we need to establish a rhythm of asking and answering. A key element to establishing that rhythm and getting the most information flowing toward you is to focus on only asking questions and not including commentary in and among the questions you ask. Most importantly, try to avoid asking questions that produce responsive questions in the responder. And if that happens, keep your response short and succinct, and get back to asking questions. Information cannot flow to you if you are talking. Once in the rhythm of ask-answer, the responder will tend to maintain that rhythm and you will get the information that you are requesting, which contains the Right Answers.

How do you get that rhythm going? By inserting a purposeful pause between the responder’s answer and your next question. Mentally count to four if necessary. (It’s not a good idea to nod your head with each count, or to tap your finger to keep count.) This pause has several magical effects:

  • The pause establishes a rhythm for the questions and answers that the responder will get into subconsciously increasing the flow of information. (Note that you will also fall into this rhythm and find that the asking of questions becomes easier.)
  • When you pause before asking the next question, you have time to formulate that question and increase the chance that the next question will be a great question and generate a Right Answer.
  • When you pause before asking the next question, the responder will assume that you are thinking about their answer, especially when the next question is based on their answer, and feel as though the information they are providing is being valued. When the responder feels the information is valuable to you, the responder will give you more information.
  • Most people interpret a pause, or silence after an answer, as an indicator that the questioner expects more information or that the answer given did not satisfy the questioner, and therefore will immediately add more information. Many times they provide information that you would not have thought of asking for: a Right Answer.

When you start counting the pause between answers and questions, it doesn’t take long before you find that you get in the habit of pausing between answers and questions and don’t need to count.

The Body of the Session: getting the Right Answers

Perhaps to know how to ask the Right Question, we might better focus on the Right Answers and that requires us to consider the psychology of the responder and what the responder is thinking about while trying to form an answer. Whenever we humans are in a situation of having to formally answer questions, no matter how benign the questions are, we experience a level of stress. Sometimes the stress is discernible such as when you are being interviewed for a job or new position or when, as a teenager, your parents are questioning you about the dented fender on the family car the morning after you borrowed it. Other times, the stress is subliminal. Regardless, it is always there. (Next time you conduct an interview, or an Information Gathering Session, as you end the session, announce clearly that you are finished asking questions and observe the change in body posture and actions. The responders will show visible release of stress that they may not even be conscious of: leaning forward, rolling their shoulders a bit, touching their face, change in behavior like starting or stopping tapping a pencil on the table, and so on).

Part of that stress comes from the fear that we will be asked a question we can’t answer (we don’t know the answer when we are expected to, the answer is something we would prefer not to talk about, etc.). While we can’t eliminate the stress completely, and perhaps we don’t want to, we can observe indications of increased stress when particular questions or lines of questioning are asked. In addition to changes in body language, changes in the rhythm of the responses are also indicators of change in the level of stress.

Another part of the stress comes from the desire of the responder to help the questioner by providing the information that the responder thinks the questioner is looking for. A change in rhythm such as when a responder takes longer to answer a question might indicate that he or she is searching for the answer they believe will provide you the information you are looking for (or it might indicate a hidden agenda and the responder is trying to phrase the answer carefully). This need to provide the “correct” information may stem from school training in which we were required to produce the correct answers to the teachers’ questions, or face the consequences. In other words, we have been trained to anticipate what the right answer should be and give that answer regardless of what the Right Answer might be.

The Right Answers May Not Come until after the Session

Getting the Right Answers is more than just asking questions. There is also some analysis involved. This is where the business analyst excels: applying critical thinking to the information received.

Asking the right question may not be a matter of what is asked, but how it is asked. “Often we don’t ask the right questions. Or we don’t ask questions in a way that will lead to honest and informative answers.” [3]

Probe and Clarify

Clarifying questions are those you ask for yourself: questions that add more clarity or information to previous answers or that help you understand a topic or a facet. The responder will generally have a ready answer or response to a clarifying question, and the answer could be more facts.

Probing questions are those you ask as much for the responder or group as for yourself. Probing questions help the responder to think more deeply about the topic or the problem or solution or the question just asked. The responder may not have a ready answer, or not have an answer at all, and the answer, when given, may be more opinion and conjecture than facts.

Listen to Your Questions and Their Answers

“My greatest strength as a consultant is to be ignorant and ask a few questions.”
– Peter Drucker

The right question is the one in which you can remove yourself from the answer and allow the responder to truly answer the question. The right answer may be embedded in a flow of information, sometimes seeming to be stream of consciousness, or it may be in the way that the answer is given, the choice of words or phraseology. In other words, listen to the answer, as though you are just hearing the question yourself for the first time.

As Gene Bellinger, director of Systems Thinking World, says, “Most people ask questions with the answer already in mind.” When you have the answer already in mind you don’t really listen to the responder answering the question, or you only hear that part which confirms what you already believe. This is called “Confirmation Bias”. While you certainly should have an idea of the format of the answer (when you ask a closed-ended question, you don’t expect a long-winded answer, for example), you listen naïvely for the answer. You listen as though someone else asked the question and you are interested in hearing the answer. (More on listening to discern the Right Answer in the next installment.)

So, What Question Should I Ask?

Asking the right question is a combination of both the question and the answer. Obviously, there must be a question first before an answer will come. We should choose the questions that we ask with the session objective in mind.

The Harvard Project Zero developed the Evidence Process, which is the protocol for “choosing the question.” [2]

The protocol requires you to ask yourself the following questions about the questions you are going to ask (I have adapted the questions for our information gathering purposes):

  1. Why is this question important to you and to the definition of the problem or solution? (Except in the introduction stage or the closing stage, all questions should either provide information to define or solve the problem, or move the information gathering forward.)
  2. How is it relevant to the overall discussion and/or the problem or solution domain in general? (Even with the frame established for the information gathering session, the irrelevant question may drive the conversation out of the frame and into areas that generate irrelevant responses. And once there, it may be difficult to get back on track.)
  3. What connections can the responder make between the question and the problem or solution? (Be careful of ambiguous questions that might take the conversation away from the topic. Also be careful of questions that the responder may not understand. If the responder has to struggle with understanding the question to come up with an answer, the rhythm may be broken or the answer not pertinent.)

Close the Session: Ensure Another Session if Needed

It would be great if we could time questioning and the answers we receive in a way that we have asked all the questions and received all the information we need at precisely the time that the session is scheduled to close. Unfortunately that is as likely as winning the lottery twice. The most important rule of information gathering is to end the session on time. Therefore, regardless of the questions we have left or the interest we have in the answers, we must terminate the session before the scheduled end and continue to the Close Stage. The purpose of the Close Stage is to make sure that the session comes to a graceful end and that the responder(s) are perfectly comfortable returning for another session, if necessary. There are three questions that you should ask after you have closed the body of the session:

  1. Do you have any questions for me?
  2. Is there anything else we should have talked about?
  3. Is there anyone else you know who might have additional information to help solve the problem?

In the unlikely event that any of these questions prompts a new round of conversation that may take you past the scheduled end of the session, table the discussion to a new session. Thank the responders for their time and especially for the information they provided, and end the session on time.

After the session, analyze the information you received, eliminate the irrelevant and the non-germane, summarize the pertinent information, and send the responders the summary with an invitation to add to or change, and include any questions that might occur to you during the analysis. In this way, you might get more information which might include the Right Answers, information that came to the responders after the session as a result of ruminating on the session or discussions with others who were not in the session. In any case, it’s “free” information.

The framework of the Information Gathering Session – the introduction, body, and close – provides a structure that increases the flow of information and the chances that you will get the Right Answers.

We’ll spend some more time discussing the Right Questions themselves, how to ask them and how to discern the Right Answer in the next article.

[1] Blais, Steven. Business Analysis: Best Practices for Success, John Wiley, 2011
[2] Senge, P., Roberts. C., Roth, G., Ross, R., and Smith, B. The Dance of Change: The Challenges to Sustaining Momentum in Learning Organizations, Doubleday, 1999
[3] Marquardt, Michael. Leading with Questions, Jossey-Bass, San Francisco, 2014