Productivity in the Workplace (and at home): The Weekly Review

I was recently interviewed by the Juice on ways that I stay productive at work. I thought that I would write a short series on my particular methods of productivity. This is more of a description of how my system works, there will be very little technology mentioned. If there is interest, I could write a followup for the specific techniques that I use, however, I suspect that such information would be less useful to others than the general overview that follows in this series.

[flickr]photo:279594916(small)[/flickr]And someone said, Let the tasks within the system be gathered together unto one place, and let the structure appear: and it was so.
And people called the linked tasks Projects; and the gathering together of hopes and dreams called they Goals: and saw that it was good.This step is key. This is also the hardest one to do. The idea here is that most of GTD covers TACTICAL productivity. This is great. It allows you to prioritize on the fly, and make sure that work flows through you as you sit in a zen-like state doing-doing-doing. It’s also a great way to make sure that all you ever do is, well, do. There is nothing in there that allows you to consider whether you are doing what you really should be doing.The weekly review is the STRATEGIC part of the system. Once a week, I go through my entire system and check my progress. I check my collection points (more on these later) for work that needs to be done. I look at tasks (individual work items) and re-schedule them as needed. I look at my projects (collections of tasks), and decide which ones I care enough about to work on in the following week. I then look at my goals and decide how well I am doing.

I track my projects and goals in a wiki, so that it is accessible wherever I am. In theory, I should be able to-do this on my Treo, but it just didn’t work for me that way. I’d love to be able to keep my project lists with me wherever I go, but they just get too complex with task decencies and external resource dependencies. Since I’m online most of the time, I find this to a reasonable compromise. I may not be ideally productive, but I wasn’t using the ideal system anyway because it was too hard to use.

Also, I split my review into different parts. This, I suspect, is different from the standard GTD implementation. My work week starts on Sunday, which I think of as my “focus / reboot day”. This is the time when I work on servers if they need preventative maintenance. Then, I focus on my tasks, my projects, and my life.

I start by looking at my email out box, my time tracking, and my checked-off to-do items. I use this data to write my boss a weekly status report. I cover what I did in the last week, and highlight anything that I think he needs to know. This gives me three big benefits:

My boss knows what I’m up to, as there are often weeks where we do not communicate directly at all.
I get the information on a weekly basis of what I did that was important. This helps me update my resume when needed.
I get a sense of closure on the week, and I enter into the planning phase with a sense of accomplishment (usually).

The next phase is to look at the next week. I go through my to-do items and re-schedule the following week with things that I intend to do. I look at everything sitting in my collection points and deal with any filing that I may have put off and generally clean things up. I then go to my wiki and scroll through every project that I have listed as active, and adjust status in the wiki AND create to-do items on my Treo as needed. I then add a section to my report covering what I hope to accomplish in the next week. Then I send it to my boss (and myself).

Lastly, I go through my goals section and evaluate how I am doing at achieving my overall goals. This forces me to realize my personal flaws and try to come up with a way to deal with them. I also get a chance to pat myself on the back if I’m doing well.

For example, I am quite good at modifying my diet and am eating much healthier than I was. However, I am LOUSY at maintaining an exercise program. Too bad you can’t outsource things like that.

Then, I’m ready for my weekly work influx to start.

How often to you get status reports? How often should you?
What’s it worth to you to know what your employees think are important?
Would you like the chance to correct priorities before an employee runs down a rabbit trail.

Productivity in the Workplace (and at home): But which work?

[flickr]photo:224775465(small)[/flickr]And someone said, Let there be a system in the midst of the chaos, and let it divide the tasks from the tasks.
And someone made the system, and divided the tasks which were similar from the tasks which were not: and it was so.
And the system was called a scheduler. And time management was born.Another idea in GTD is that of a tickler file. Basically, if there is something that you do not need to-do now, but you will need to-do eventually, you put it into a time-based system so that you are reminded when it’s time. This is where terms like “43 folders” come in. However, since I had a Treo, I implemented it electronically.

I use DateBook 6 to track my items. It synchronizes with my work calendar, and pulls to-do items into the calendar view. Thus, if I need to defer a task to the future, I create the task, go into its properties, and move it to a specific date in the future. The fact that I can set to-do items to repeat means that the OPERATIONS side of getting things done is pretty easy. Once I vacuum the house, I check off the task and it automatically re-schedules itself one week into the future. Once I change the furnace filter, the task reschedules itself for 3 months later.

Similarly, if I need to follow up with someone, I go out to the day that I want to-do that and add a to-do instructing me to follow up with someone. Luckily, in DateBook 6, I can link to the person’s phone/email contact in my Treo, so it’s very easy to-do this.

Also, if I miss a task, it appears on the next day’s task list.

This can be bad.

I recently had a long-term medical issue that weakened me for months (I’m better now). BOY did the work pile up during that time. I kept rescheduling the same tasks into the future again and again.

I needed something to make sure that I could look at the big picture often enough that the work I was doing didn’t build up to unmanageable levels.

While the specific technology used is fairly unimportant, it can matter if it’s consistent across an organization.
Are you synchronizing work between your groupware system and employee’s PDAs?

Productivity in the Workplace (and at home): Doing the work

[flickr]photo:173246876(small)[/flickr]And people called the emergency work “do it” and the non-emergency work “defer it”. And priorities were the first system.One of the huge things that came out of GTD for me, was the idea that, if something needed to be done and took less than two minutes, just do it right away. This is the so called “two minute rule”. The power behind the idea is that it keeps the little piddly stuff from building up and distracting you with a huge pile of stress from un-done work.This works well, and is hugely important in reducing turnaround time. However, I have found that the negative here is that it can get you so focused on “cranking widgets” that you never get to the long-term work. See, the idea is balance. In the GTD system, you are to collect incoming work and then prioritize as you go, balancing what needs to be done against it’s urgency, your available resources, and your energy levels. David Allen uses a system of “contexts“, where you store your task items on different lists depending on the resources needed to-do the task. This makes perfect sense as you might have to-do certain things in different places.

Most of what I do is online.

Thus, contexts don’t work for me. I wound up with a handful of tasks that I needed to-do at home (vacuum, wash the cats, cook, etc), and everything else was in a “do anywhere” context. I wound up prioritizing by energy level. If I had the energy to-do a task, I’d do that one. The flaw here is that I tended to-do the easy tasks first, which left with less energy with which to tackle the more important and more complex tasks. I needed to get priorities back into the system.

Do you know where your employees work?
Do they work differently in different places?
Do they work differently at different times?

Productivity in the Workplace (and at home): Task Management

[flickr]photo:1867095482(small)[/flickr]And people saw the tasks, that they were good: and someone divided the emergency work from that which was not.

Until this point, I had prioritized my tasks by what needed to be done when. The concept of urgency and energy levels had never even occurred to me. GTD looks at tasks according to their “actionability”. If it doesn’t need to be done, don’t do it. If it is to be done, either do it or don’t, depending on several factors.Generally, the process you are supposed to-do is as follows:

Do I need to-do it?
1. If No, do I need it at all?
  1. If No, get rid of it (trash, delete, burn, etc)
  2. If Yes, store it.
2. If Yes, what is the next action?
  - If you need to-do it now, and you can, do it now.
  - If you need to delegate it, delegate it to someone else.
  - If you need to-do it, but not now, put it in your futures system
Track it in your tracking system

The ultimate goal is to achieve a state of flow. By processing the work as it comes, not doing it, you don’t have a disordered pile of work that sits there and taunts you. Instead, you have an organized and (more or less) self-prioritizing list of tasks. You pick one and work on it until you’re done, then you pick the next one. There are numerous little things to consider such as your general energy level and the fact that some tasks require you to complete other tasks first. However, it is important to remember that every little bit helps.

If you currently have no task management system, even implementing an imperfect one will generate results. All you have to do is get started and you’ll start working more effectively. Even better, if you can get others to use a similar system, the organization as a whole will operate more tightly.

Work will get done more quickly, and work will not get lost, and best of all, everyone will enjoy it more.

That’s what flow is all about.

Are your employees changing tasks often?
Does this impact their work flow?
How often is work lost?

Productivity in the Workplace (and at home): Stressful Productivity

[flickr]photo:303331939(small)[/flickr]In the beginning someone (they fail to claim responsibility) created home and work.
And the work was without structure, and void of purpose; and chaos was upon the life of the home.
And someone said (again, no record as to whom) “Let there be tasks”: and there were tasks.

Thus, did I experience life after college. In my first professional job, I thought I knew how to work. Until that point, “work” consisted of going to a place and waiting for someone to need help. Then, I would either help them or explain why I could not. Really, it was the same model whatever I did:

Food Service (wait for customer to give me an order and then give me money)
Book Sales / Retail (wait for customer to require assistance choosing a book or checking out, otherwise straighten and restock)
Helpdesk (wait for student or employee to need help with a problem, otherwise play with technology and surf the net)

In other words, the model was “Do A until B occurs. Once B occurs, deal with B. When B resolved, go back to doing A.”

Real life turned out to be a tad more complex. I had a boss for whom I had to make more money than he was paying me. I had numerous things that needed to be done, and I had crises that I had to resolve. In my first year, I had the following responsibilities:

Update web site, whether or not any of my fellow employees or boss gave me any content to post.
Create a LAN and network all our workstations together.
Research, learn, and implement two ISDN lines.
Build a Linux-based appliance to process data and securely deliver documents to our clients’ customers’ customers.
Learn Perl and write CGI code to handle the above.
Write processing scripts to manage different data formats.
Be the low person on the totem pole and deal with anything they didn’t want to do.
Receive phone calls from irate clients and attempt to resolve their issues.

Of course, I handled conflicting priorities in the time-honored tradition of the entry-level professional — I worked late.

Sometimes, I worked REALLY late.

Once I remember working 96 hours straight. (By the way, Cisco tech support is very helpful, even if you have to bounce between international call centers as the night wears on.)

But I digress.

In an effort to bring things under control, I restructured my day. It was difficult, as the boss required everyone to be there from 8 to 5, but being young and full of nearly infinite energy, I decided to work from 8 to 8 every day. I would leave the office at 5:00 PM and then put three hours learning a language (Perl, HTML, XHTML, Javascript, SQL, etc).

That made me a very good programmer. I could now be unproductive the right way.

As things went on, the requirements piled up, and I had to be responsible for system architecture, security analysis and correction, system administration, etc. I wound out building my own Linux distribution, guiding development policy (jointly with another), and generally being a rocking tech geek.

Then I changed jobs.

When people change jobs, there is generally a period where you get up to speed. You generally don’t have pre-existing assignments, and you actually have the time to think. After the massively stressful point where I was doing everything that my former job entailed AND getting certifications on my own AND getting a new job, I needed the downtime, so I sat and thought.

I realized that I needed something to keep my bright and shiny new job from rusting out and falling apart like my old job had. I needed a system. (queue dramatic music here)

As I’ve always been a bit of a bookish person, I headed to my local Borders and looked for the book. You know the one, it’s about two feet tall, about six inches thick, has a black leather cover and very yellowed parchment pages. It rests on a pedestal in the middle of your library and is always opened to the page that has the exact information that you need, inscribed in spidery handwriting with reference notes in the margin.

Borders doesn’t carry that one.

What I did find, however, was Getting Things Done by David Allen. While it was obviously a far cry from an ancient tome containing all the knowledge in the universe, it was, however, $15.00. I decided to risk it.

Thus started my journey on the path of stress free productivity.

Do you have a productivity system?
Do your employees?
Should they?

Real Life Lessons: Legal System

[flickr]photo:497353227(small)[/flickr]The fifth lesson was of the legal system. As you recall, I chose to not involve the police. If I had, I likely could have filed charges against the boy. (Not sure if it would have been breaking and entering, since he didn’t seem to break anything.) I chose to not do this. There were several reasons:

No harm, no foul.
It would have taken a lot of time to deal with the paperwork… and I had a full schedule.
I do not know how the law would have handled it, but to my own mind, I was just as negligent as he was.

In effect, I made a business decision that to involve the law would likely cost more (in time) than it was worth. Many people are faced with decisions like this, and most people have a different invisible line that must be crossed. I have known businesses that would call the police at the drop of a hat. I have also known business that would ignore successful network intrusions, considering them a “cost of business“.

In the event of a breach, most businesses consider it as follows:

dollar amount stolen + dollar amount of lost time in repair
dollar amount of successful prosecution times likelihood of successful prosecution – cost of successful prosecution – loss of trust in the market

It is often easier for a business to simply accept the loss than to risk greater losses by involving the legal system… but sometimes there is no choice. An increasing number of states have disclosure laws. If the breach involved any personal information (names, addresses, credit card numbers, social security numbers, etc), you may well be required to disclose the incident and accept any negative consequences that arise.

So, what is a business to do? First of all, you should have a lawyer that can help guide you through such a decision. Secondly, you should have a lawyer before a problem occurs – so that they are already familiar with your business. Third, you should know your data and know what possible ramifications might exist from storing it. Fourth, and optionally, you should have a security office or consultant who can look at your system and offer ways to limit risk and/or detect potential breaches. See, you’ll want to be the one telling your clients about the guy that broke in… not the newspapers.

Once you have these, your primary question should always be “Do I need to keep this data?“. If you are keeping information on users “just because“, and if that information would cost you if it got out… DELETE IT! It’s OK, if your users want you to have it, they’ll give it to you again.

My questions to you:

What data do you store on your employees, customers, clients, and partners?
If that information were stolen, how much could it damage you? (fines, lost clients, stolen clients, blackmail)
How many years would it take you to recover?

Real Life Lessons: Social Engineering

[flickr]photo:36572011(small)[/flickr]The fourth lesson to learn from my incident is that of social engineering. Simply put, social engineering is using predictable social response to create a situation that benefits you. From a security perspective, this technique is often described as a tool used by the bad guys, but it can also be used by the good ones. In my case, once I became aware of the situation, I did the following things:

I finished getting dressed. This puts me at a higher level than a person who is waking up disheveled. Though it was likely not consciously noticed, the distinction might have played in my favor. This helped to create the predictable response of a subordinate to a superior.
I positioned myself between the light and his head. This way, when he awoke, he would be at a visual disadvantage. I would be able to see him clearly and, to him, I would appear in silhouette. The response I was trying to get here was to maximize his confusion while also maximizing the amount of information I could get when he awoke.
I held a weapon on him, and I chose one which I could easily control and would likely create a feeling of fear but not create a feeling of terror. This way, I could anticipate a logical response (no terror), but a manipulated response (because he was scared).
I awoke him with very specific instructions and questions. The socially acceptable response to these questions when one is in an inferior position is to simply answer the questions.

By arranging the environment and taking control of the situation, I was able to very quickly get the information that I needed to determine whether or not he was a threat (he was not) and make a decision (to let him go and not involve the police). Since I was in control, I was also able to get him out of the house as rapidly as possible, while minimizing the harm to either of us or anything that I had in the house.

From a business perspective, you face social engineering all the time. Most business relationships (whether between boss/employee or company/vendor) are hierarchical. Where hierarchies exist, there are ample opportunities for social engineering. This can be something as simple as a coworker asking you for something and stating that your boss had asked them. It could also be as complex as an attacker calling in and pretending to be an irate customer — leading you to believe that if you do not do as they ask, your company will lose the account and you will be at fault.

There are only a few ways to combat social engineering. The first is through constant and thorough training. This is time consuming and costly. It is, however, the best way to secure your business. That said, if you go this route, you must take care that the training plan is based on reasons and reasoning. All too often training programmes focus on the threats instead of on analysis and consideration. This makes your business utterly secure against yesterday’s attacks . . . and completely open to tomorrow’s.

The second way to protect against social engineering attacks is to eliminate the time pressure. You can do this by empowering your employees to solve problems in non-standard ways. If the “irate client/boss” refuses to accept rational non-standard solutions, there might be an attack going on. In such a situation, escalating the issue to someone with more experience just makes sense. You can also eliminate the time pressure by investing in highly redundant and flexible systems. This works well if you are devising a new solution… less well if you are supporting legacy technology. If you are handling legacy systems, the risks of inflexibility should be considered the next time you build a business case for overhaul and replacement.

The third way to protect against social engineering is to implement an identification system. If your front-line people can know, with certainty, that the person with whom they are talking is really who they claim to be, most concerns can be eliminated. There is, however, an element of client training to such a system. Any challenge-response system is accepted more easily when all parties are expecting it.

So, my questions to you are:

What would you give an angry client or boss in order to make them happy?
What if it wasn’t really them?

Real Life Lessons: Access Control

[flickr]photo:321434733(small)[/flickr]The third lesson to learn from my incident is the importance of access control. This model is often described in policy and procedure terms. We’ll use as an example, the different levels of people who I allow into my house.

From a policy perspective, I lay out the rules and roles of different people who are permitted to access my house:

I always allow myself access to my house. In I.T. terms, I am my house’s administrator (or “root”) and have permission to go everywhere.
I also allow my cats access to much of my house. However, as I have a higher level of clearance, there are certain rooms into which I may go (laundry room, exercise room), from which my cats are banned.
At a lower level of clearance are my friends and family. While they can come over, I generally prefer that this occur only when I am present. While they are some rooms in which they are permitted without supervision (bathroom), others I need to be present (bedroom and office).
Lastly, some people fall under the “service personnel” category (plumbers, electricians, etc). Their access is limited to a “need to know” basis, and I tend to be present at all times.
All other people are not permitted in my house.

Once a policy is defined, the next step is to implement it. There are many many ways to do this. In my case, I use an access control list (ACL) which defines who has access to do what, and rely on a combination of mandatory and discretionary access controls. Allow me to explain:

To implement (1) in the policy, I give myself a set of keys to everything in the house. This gives me complete access to everything that exists. The ACL entry would read: “Me: ALL“. The control would be mandatory, as I require a key to access what I need.
To implement (2) in the policy, I give my cats free range to all the rooms in which they are permitted. For the rooms from which they are banned, I simply close the door. The ACL entry would read: “Cats: ALL except ‘laundry room, exercise room, office’“. The control would be mandatory, as I am relying on the fact that my cats lack opposible thumbs and cannot operate the doorknobs. (They are also not allowed on the kitchen table or counters, but this is a descrectionary control, as can evidenced by the fact that I often hear a thump when I walk into the kitchen, followed by a small furry face looking up at me with a perfect picture of innocence.)
To implement (3) in the policy, I had to be somewhat more complicated. Generally, my friends are allowed in my house, but only when I am present. However, in certain circumstances (when I am traveling), certain friends are allowed to come over and feed my cats. The ACL here is somewhat more complex:
- “Friends: ALL when ‘Me in room’“
- “Friends: ‘bathroom, kitchen, living room’ when ‘Me in house’“
- “Friends.trusted: ‘bathroom, kitchen, living room’“

The control here is a combination of mandatory and discretionary. In order to access my house, my friends must either request access (ring the doorbell) and have it granted (I open the door and let them in) or be in the Friends.trusted group (I give them a key). This allows them access to the house. Once they are in, I rely on the discretionary access control of social mores (the customs, not the eels) to keep them from digging around my private areas.

To implement (4) in the policy, I use a similar method as with friends but with a tighter ACL rule: “ServicePersonnel: ALL when ‘Me in room’ AND ‘have reason’“. As with my friends, the service personnel must request access and have it granted. Then, I stay with them at all times keep them where they only have a reason to be.
To implement (5) in the policy, I simply keep the doors locked and the security system armed.

Though I failed operationally to implement (5) at the time of my incident, I have corrected this problem. My questions for you:

What different roles/groups of people do you have in your business?
How do you make sure that you limit access to these roles?

Real Life Lessons: Monitoring

[flickr]photo:2194849199(small)[/flickr]The second lesson to learn from my incident is the importance of monitoring. The concept behind monitoring is where you have a service that periodically checks the status of your resource and if there is a problem, it lets you know. These are commonly seen in physical security (where you have a device that knows when doors/windows open or if there is movement where there should not be) and in I.T. (where you periodically look at a web or email server and make sure that things are running properly).

In my case, I had three monitoring systems. My security system is aware of when doors or windows open, and if that occurs, it sounds an alarm and notifies the security company. This is highly (99%) reliable, when it is active. The fatal flaw in the system is that it does this whether a criminal comes in the house or if I leave the house. Thus, it is easy to leave it off when I am home. The second monitoring system is that of my watch cats. In theory, if someone enters the house, the watch cats will start hissing and clawing and otherwise alert me to the individual’s presence. In practice, the proper operation of watch cats is directly proportional to how tired they are… and how likely the intruder is to give them yummy food.

They’re not 100% reliable.

The third monitoring system was me. On some level I was aware that something wasn’t right, and the smell of cigarette smoke did wake me. However, while the monitoring was effective (I woke up), the monitor was not (I ignored the problem and went back to sleep).

Thus, all three of my monitoring systems failed, largely due to operational problems. I have corrected this by making sure that my security system is on, even when I am home. Like many operational challenges, the problem is taking the same action often enough to make it become a habit. Once you reach that point the operational costs are effectively zero.

My questions to you:

What are your primary resources that need protection?
How do you ensure that you know when they are affected?

Real Life Lessons: Defense in Depth

[flickr]photo:121282608(small)[/flickr] The first lesson to draw from my experience is that is almost perfectly illustrates the idea of Defense in Depth (DiD). Simply put, the concept is that it is best to layer your defenses. That way, if one layer fails, there is a good chance that a second layer will block the attack.

In my case, I had locks (two different ones). I had a security system. I also had two watch cats and a defensive weapon. When the incident occurred, my first two controls had failed. The locks weren’t engaged and the security system was off. However, my watch cats reacted to the changed circumstances (which I ignored). Once I became aware of the situation, I was able to arm myself and defuse it.

To generalize this, if you’ll oblige me while I lapse into a bit of math (a small amount, I promise).

Suppose that you are comparing two technologies. One is 99% effective, the other is 90% effective. If money were not a factor, most people would go to the 99% effective option. . . but let’s look a tad deeper. Let’s say that the 99% effective solution costs $100,000 but the 90% effective solution only costs $10,000. Now you’re caught in a classic security vs economy choice. However, suppose that there is a second product that is also 90% effective and costs $10,000. If you layer them, you get the following comparison:

99% – Cost = $100,000 – 1 out of every 100 attacks gets through.
90% + 90% – Cost = $20,000 – 10 out of every 100 attacks gets through the first layer… 1 out of every 10 attacks get through the second.

So, you are looking at the same average effectiveness – 1 out of every 100 attacks are successful, which leaves you free to compare the $100,000 and $20,000 price tags. The choice gets a lot easier, doesn’t it?

However, that’s only half of the story. Let’s extend this a bit with two more layers.

99% – Cost = $100,000 – 1 out of every 100 attacks gets through.
90% * 90% * 90% * 90% – Cost = $40,000 – 1 out of every 10000 attacks gets through!

So, for $100,000 you can get a single solution that is 99% effective. And for $40,000 you can get four solutions that combine to be 99.99% effective!

In my case:

Locks ($200) – This is a binary defense. It is either ON or OFF. While you can still break the defense when they are ON, they are effectively absent when they are OFF.
Security System ($200 + $20/mo) – This is also a binary defense. Given that it is inside the house, it is more difficult to break this defense, but still quite possible. Like the locks, it is 100% ineffective when it is OFF.
Watch Cats (~$100/mo) – This is a complex defense. They have a high false positive rate. However, the false negatives are fairly low. The problem is that the high false postive rate creates the “cry wolf” problem that can render this defense ineffective. This is what occured in my instance.
Me + Sword ($200) – This is also a complex defense. It is highly expensive, as it depends on the primary resource that needs to be protected (me) to be effective. If it fails, the resource (me, again) could be compromised (i.e. injured or killed). On the plus side, I have a fairly low false positive rate (I almost never stab legitamate visitors) as well as a low false negative rate (I almost never let strangers wander around my house without confronting them).

Thus, in an instance where I had four fairly inexpensive security controls, three of which failed. However, because I had a layered defense, the primary resource (me) and the secondary resources (my stuff) were kept safe from harm. My questions to you:

What is your business’s primary defense?
What happens when it fails?