California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) was passed on June 28, 2018.  The CCPA grants consumers the right to request businesses disclose the personal information, sources, and purposes businesses collect about consumers.  It also enables consumers to learn what information is shared with and sold to third parties.  The California legislature passed the bill in a relatively short period of time, largely because of an impending resolution that would have placed the issue on the ballot in the upcoming election on November 6, 2018.  The CCPA is often compared to the European Union’s General Data Protection Regulation (GDPR), which took effect earlier this year.  One major difference in the two laws is the GDPR has an opt in clause, while the CCPA has an opt out clause, which means companies doing business in the EU must give citizens the option of allowing personal information to be collected, whereas citizens in California must request businesses delete personal information.  Regardless of the differences, these privacy laws are going to profoundly impact the way businesses handle information about consumers.

The clock is now ticking for the CCPA as the law takes effect on January 1, 2020.  One of the lessons learned from the GDPR is once the ball drops on New Year’s Eve 2020, there will be advocates waiting to pounce on businesses that do no comply with the CCPA.  The European Center For Digital Rights filed lawsuits against Google and Facebook (as well as Facebook subsidiaries:  WhatsApp & Instagram) on the first day the GDPR became law.  The potential fines could total 7€ Billion.  NOYB  Although the California law does not place a fine on businesses based on a percentage of total annual global revenue (like the GDPR) , it can fine a company up to $750 per incident, so a company with millions of customers could potentially face fines in the hundreds of millions of dollars.

The CCPA requires businesses to establish at least two communications methods (most likely website and telephone) for consumers to contact the company to request what personal information the company has about them and how to opt out.  Interestingly, the law does not require a consumer to establish an account with the company before opting out.  Therefore, even if a business does not have an account with a consumer, they are still responsible for protecting the privacy of citizens who are not customers.  So, if a customer signs onto a company website to shop, but never buys anything and company collects personal information, they must comply with the CCPA.

The CCPA does give businesses some leeway in collecting personal information.  After all, companies must collect personal information to conduct business transactions and maintain security.  Businesses still have a need to collect consumer information for marketing and research.  The CCPA allows businesses to collect and retain consumer data by pseudonymizing or de-identify personal information.  In other words, privacy is maintained because the consumers’ data is not identifiable to a specific person.  However, pseudonymization and de-identification must be a one-way process.  This is a very important point, companies cannot have the ability to collect information, put it into an anonymizing database and then be able to reconstruct the personal information.

The CCPA presents new challenges for businesses to protect personal information.  This law of course does not stop at the California border; it impacts commerce across the United States.  Ascension Technical Group has experience in maintaining privacy and security for businesses and consumers and we would like to help your company prepare for the new privacy law standards that are long overdue.



"The appearance of U.S. Department of Defense (DoD) visual information does not imply or constitute DoD endorsement."

Change Management in Rapidly Changing Business Cycles

One of the toughest jobs I had in the military was the Chief of Current Intelligence Operations at U.S. Central Command (CENTCOM).  I was responsible for managing all intelligence forces in the CENTCOM area of responsibility (AOR), but specifically I orchestrated deployments tens of thousands of intelligence personnel to Afghanistan, Iraq, and the Horn of Africa between 2006-2010.  This was a period of heavy insurgency and piracy activity in the AOR.  President Bush and Congress authorized surge operations in the region to defeat the Taliban, al Qaeda, and Somali Pirate threats, which meant a rapid increase in requirements for intelligence forces throughout the region.  I distinctly remember the initial reaction from leaders on the ground; give us more troops.  However, they did not define the capabilities they needed.  There are of course a finite number of intelligence airmen, marines, sailors, and soldiers in the military and CENTCOM already had the bulk of intelligence resources since 9/11.  Moreover, counter insurgency operations were fluctuating in Iraq and Afghanistan, which meant commanders on the ground in Operations Iraqi Freedom (Iraq) and Enduring Freedom (Afghanistan), as well as Navy commanders in Operation Ocean Shield (Somalia) were arguing for the same resources.  The challenge was to find practical means to source requirements during a period of immense and rapid expansion, with competing internal requirements.

Perhaps the most practical solutions we devised was to use unit sourcing to fill requirements.  Instead of trying to provide a scores of individual teams, we could provide a battalion or brigade size unit to satisfy the commanders’ needs.  Even though an intelligence battalion is much larger, it was a win-win-win solution because ground commanders had a unit they could command and control, the battalion/brigade commanders could much easier prepare their units for deployment, and the force providers could write orders for whole units, instead of trying to fill hundreds of four of five soldier teams.

In times of rapid expansion, business leaders are faced with similar dilemmas.  They face tough decisions about where to expand their business operations while trying to balance internal competing opportunities.  One solution may be to outsource a requirement to another company that already has the full capability to get the job done. This is very similar to our methodology at CENTCOM of trying to find a unit sourcing solution.  There are several advantages to this approach, such as rapidly standing up a new capability, reducing the internal disruption, and having the ability to set limits on the time commitment to a new project.  However, the cost may of course be higher.

Another big dilemma in change management during rapidly changing business cycles is balancing competing requirements.  We all want to hire strong leaders who have a desire to succeed.  When business owners have competing, passionate leaders, who believe their own project is the key to success for the company, it is very difficult to choose one course of action over another, especially when emotions run high, which invariably they will.  This may seem counterintuitive, but while we were trying to satisfy competing requirements a CENTCOM we resisted the strong push to set priorities between the competing commands in Iraq and Afghanistan.  We did not do this for two reasons.  First, we knew if we set priorities the force providers would not source all our requirements and may only provide troops for 70-80% of our needs.  Second and more importantly, if we set priorities for one command over another, we would lose the neutral, decision-making authority to evaluate requirements.  Leadership in business is usually all about setting priorities, but sometimes you must enable the competing parties fight it out and let the team that makes the best argument win the case.  In these situations, the role of business leaders must be to ensure a level playing field.

At Ascension, we can be your trusted, independent advisors to help you make tough change management decisions.  We can help set up the ground rules to have a fair and impartial decision-making process.

‘Caveat Emptor – Buyer Beware’ 50Million accounts exposed…

As I began to read numerous news feeds and reports, regarding FaceBook’s apparent hack of over 50 Million user account.   I remembered an insightful debate in my graduate Business Law class, years ago.  Vaguely recalling, my law Professor contemptuously pontificating that Caveat Emptor should be applied to all business–not just between buyer and seller–rather “everyone should be skeptical” in all manner of business.

With that memory prominent in my thoughts, I became very concerned regarding the clear use of FaceBook content for social engineers to profile subjects; you and me.  Over 50 million pseudo-psychological blueprints of our behaviors–likes, “un” likes, visual photography and many more artifacts, directly tied to us.  A mother, child, father, friend–pick your own labels, most all apply to this situation.

Then a second question began to surface, which led me down the road to how FaceBook’s Authentication systems works?  Could it be fully breached?  Does anyone really know how many third-party applications use the FaceBook Authentication system for access?  I know of many…..but how many?  Let’s just say, a lot!

Where does this road end?  I’m not a big facebook user, however, I use it to keep up with a few friends.  We all know that a majority of users, over the years, have shared and accumulated a considerable amount of personal information and actual behaviors on FaceBook?

This specific situation may have significant impact on busineses.  Because these users, these persons, are employees–employees having access to the crown jewels of our businesses.

I think my professor was correct, “Omnis Cave — Everyone beware”*

Please feel free to comment and/or contact me to discuss.

Paul Scott


*Google latin translator.

Scaling Cybersecurity for Smaller Organizations

When hackers successfully breach large organizations, such as the U.S. Office of Personnel Management or Sony Pictures, and steal massive amounts data, it quickly becomes front page news.  Therefore, multinational companies spend millions of dollars and hire thousands of security professionals to protect their networks and information.  However, it is a common misperception to believe the threat is greater to larger businesses because cybercriminals can get more information from these sources.  In fact, almost 60 percent of all cyber-attacks are directed against small business, according to Verizon’s 2018 Data Breach Investigations Report.  Hostile cyber actors, whether they are criminal organizations, insider threats, or industrial espionage agents, look for what they perceive to be softer targets.  Small businesses have limited resources to devote to network security.  So, how can a medium to small company or organization protect their intellectual property?

Well the simple answer to that question is risk management, but of course that is easier said than done.  There are several risk management formulas to calculate risk, such as:

Threat x Vulnerability = Risk

Probability x Loss = Risk

(Threat + Vulnerability) – Mitigation = Calculated Risk

Throughout my 37-year Army career, I have used many variations of these models and each methodology can be effective.  However, almost universally, the risk management strategy gets bogged down because the right people or stakeholders are not involved in the assessment process.  Typically, a single staff officer would write the risk management strategy for the entire organization or enterprise.  Vice versa, in some situations everyone would try to play a part in the process to protect their own interests, without adhering to the bigger picture.  Therefore, decision makers would not have trust in the risk management process or strategy.

At Ascension Technical Group we can help your organization develop a tailored and cost-effective risk mitigation strategy to help protect your intellectual property.  More importantly, we can also help establish and implement lasting risk mitigation processes, which will enable your company to adapt to both changes in your business and counter emerging cyber threats.

Verizon Research Report, 2018 Data Breach Investigations Report, accessed September 12, 2018. 

"The appearance of U.S. Department of Defense (DoD) visual information does not imply or constitute DoD endorsement."

All I Really Needed to Know (about Project Management) I Learned in Ranger School

Agile, Scrum, PMP, Lean Six Sigma, Gantt Charts, PERT Diagrams, TQM, and MDMP are a few of the project management techniques I have learned and used in the Army.  Each of them has helped me solve a myriad of complex and challenging problems.  Nevertheless, I learned more about preparing and completing a mission (project) during Ranger School than any other time in the Army.

Leadership.  The first line in the Ranger Handbook states, “Leadership is the most important element of combat power.”  If you ask any soldier who has completed Ranger School, they will tell you fundamentally, it’s about leadership.  Similarly, the first and most important interpersonal skill required for a successful project manager is leadership, according to the Project Management Institute.

Troop Leading Procedures.  Time is unequivocally the most important commodity in Ranger School.  There was so much training and activity jammed into the 60-day Ranger School that I do not recall getting more than four hours of sleep in a single day, usually we were lucky to get two hours and sometimes went 48-hours straight without sleep.  Therefore, effective time-management is essential, and Ranger School teaches troop leading procedures to help leaders prepare their unit to accomplish a mission.  Time management is a principal component of project management.  Defining activities and developing the schedule are key project management tasks.  Above all, the project manager must tightly control the schedule, much like the patrol leader must control the troop leading procedures.

Battle Drills.  In Ranger School we learned battle drills to react to commonly established situations.  The lesson here is that project managers can use common Knowledge Areas that are used on most projects most of the time.  Project management uses well-established processes to help project managers to complete their projects.  While there are several types of process groups, it is important to select the appropriate processes required to meet the project objectives.

Ascension has the experience to help improve your organization’s project management procedures.

Near shore vs. Off Shore development…

Culture, Culture, Culture!  Many of have heard this espoused, time after time, regarding companies valuing culture.   Whether a small start-up or a mature, large corporation; culture has become a significant factor for success.

I have found the same success factor, when using development teams outside the US. Some good and some not so good.   We have adopted the use of “Near” shore development teams.  We have excellent relationships with teams within Mexico and the Southern Americas.  The cost of using said teams, has helped our clients manage tight budgets while receiving excellent results.   I have been experiencing success with these teams and appreciate this new way of looking at technology sourcing.   I would relay to you, culture is perhaps the single most, success factor, that I have observed, while using near shore teams.

Working with these near shore teams, I have seen difficult discussions, technical design disparities and conflict resolution, handled very similarly to our US ways.   A respectful culture that encourages; seeking answers, rather than, wanting customers to feel good.  We have discussions that involved working through difficult issues and all parties are  working towards the solution and not an outside agenda.  In the distant past, unfortunately,  I and possibility you, have witnessed the opposite.  It has tarnished my view of sourcing, until now.  I don’t worry about losing meaning due to translation.  Or fighting over who has the better mousetrap.   Also, A HUGE factor, I can pick up the phone and call any of the team, within the relatively same time period of time– no more calling at 9pm or 2am.

I would encourage businesses to consider the use of near shore teams.  Where outside consulting and/or services can help you attain your goals, while paying less for the same result, the near shore option is available to you.  Feel free to call me @ 425-750-0670.

We have seen near shore work in the development of –

  • Systems and applications
  • Process refinement to reduce IT costs
  • High end Analytics
  • SharePoint and systems management
  • Development coaching for migrations to Agile and Dev/Ops
  • Systems refresh and re-architecture
  • Program and Project Management
  • Other Technology and IT deployment services programs

Yes, T-Mobile/Sprint is a good deal for all!

Someone recently asked me, whether I thought the T-Mobile/Sprint deal should be approved.  I responded quickly YES, the deal SHOULD be approved.  This is good for the companies, shareholders and consumers.  When I worked within the DOJ Transition Trustee Group for the Verizon/Alltel deal, I was fortunate to see, from the inside, how the deal works.   There are benefits that many do not see from the outside.

Most people do not realize that deals like the T-Mobile/Sprint deal involve all the carriers.  The deal will parse out geographical and spectrum area between the carriers.  This is to continue, to ensure consumers are not monopolized by a single carrier. The deal will help re-formulate customer focus on more offerings and products of both carriers.  Deadwood will fall out and new, better offerings will surface to the top.  This will take time, however, in the long run will be better for all.

For the shareholders, the value of both companies will, over time, prove to be valuable as one.  The combined firms will be able to compete head to head with Verizon which has had, since the Verizon/Alltel Merger, a significant advantage over all the other carriers, especially rural & roaming coverages.

2018 subscribers


As we enter the new era of 5G+, this is a must for consumers.  ATT and Verizon currently have a strong advantage, therefore T-Mobile and Sprint customers may be left out in the cold comparatively.  If fact, based on subscriber basis, it would not be fair to consumers, to reject the deal.  5G implementations are expensive and need to have the companies combined to provide expansion appropriately.

There are considerably more advantages over time, that will bear out.  I’m encouraged by the T-Mobile leadership and fervor to make this deal happen.  Again, this will be good for all!

Cybersecurity: It’s still about fundamentals.

At Ascension, we spend a good percentage our time, improving business functions for our clients. We work with the organization through effective process change and implementations of modern technical solutions.  Without question, we are seeing security becoming top of mind for leadership.   Many organizations are becoming fearful of the almost certain prospect, that they will become victims of a data breach and/or ransom-ware in the near future.

I have no illusions about technology and the critical need for cybersecurity to advance. Fortunately, the central issue of combatting cybersecurity still is about focusing on the fundamental principles of  security management.  Making sure security is an integral part of day-to-day operations.   Ascension will always remain neutral regarding brands and vendors, however, we are seeing the need for companies to use newer technology platforms to perform the needed and necessary operational functions. Today, good security means good business.

Strictly speaking the market is showing strong indications that Cybersecurity is a major issue and the market is pushing extremely hard to innovate and invest in real solutions.  Over the last year the S&P 500 performed with a 4.7 percentage improvement, however, companies such as CyberArk and Imperva have between 22% and 55% improvement over the same year.  Impressive!  Market forces are showing us the way.

Cybersecurity Stock by goldman 2018

I pray that the industry will focus efforts to utilize technologies such as blockchain and Machine Learning to help combat the security issue of today as well as tomorrow.

Please feel free to comment and/or contact me to discuss.

Paul Scott

Connected Cities

Smart or Connected cities is an exciting new strategy.  Ascension and one of our premier clients have been involved in new initiatives.  The other day, when attending a technology leadership summit, a colleague and I were pontificating on the disparate nomenclatures involved with smart cities.  It reminded both of us of the confusion during the beginning of the World Wide Web days.  As I was querying  my phone for definitions, I, as a matter of course, looked a Wikipedia for a primer to the question.  I found that 2 of the 4 frameworks, listed, we very helpful in providing a baseline understanding “Smart Cities” and the relationship to humans.

Directly from July 17th, 2018

Technology frameworks

Several concepts of the Smart city rely heavily on the use of technology; a technological Smart City is not just one concept but there are different combinations of technological infrastructure that build a concept of smart city.

  • Digital city: it combines service oriented infrastructure, innovation services and communication infrastructure; Yovanof, G. S. & Hazapis, G. N.[45] define a digital city “a connected community that combines broadband communications infrastructure; a flexible, service-oriented computing infrastructure based on open industry standards; and, innovative services to meet the needs of governments and their employees, citizens and businesses”.

The main purpose is to create an environment in which citizens are interconnected and easily share information anywhere in the city.

  • Virtual city: In these kinds of cities functions are implemented in a cyberspace; it includes the notion of hybrid city, which consists of a reality with real citizens and entities and a parallel virtual city of real entities and people. Having a smart city that is virtual means that in some cities it is possible the coexistence between these two reality, however the issue of physical distance and location is still not easy to manage. The vision of the world without distance still remains unmet in many ways. In practice this idea is hold up through physical IT infrastructure of cables, data centers, and exchanges.
  • Information city: It collects local information and delivered them to the public portal; In that city, many inhabitants are able to live and even work on the Internet because they could obtain every information through IT infrastructures, thanks to the sharing information method among citizens themselves. Using this approach, an information city could be an urban centre both economically and socially speaking; the most important thing is the linkage among civic services, people interactions and government institutions.
  • Intelligent city: it involves function as research or technological innovation to support learning and innovation procedure. The notion emerges in a social context in which knowledge, learning process and creativity have great importance and the human capital is considered the most precious resource within this type of technological city. In particular one of the most significant feature of an intelligent city is that every infrastructure is up to date, that means have the latest technology in telecommunications, electronic and mechanical technology. According to Komninos and Sefertzi,[46] the attempt to build an “intelligent” Smart City is more a radical innovation rather than an incremental innovation owing to a big quantity of efforts to use IT trying to transform the daily life.
  • Ubiquitous city (U-city): It creates an environment that connect citizens to any services through any device. According to Anthopoulos, L., & Fitsilis, P.,[47] U-city is a further extension of digital city concept because of the facility in terms of accessibility to every infrastructure. This makes easier to the citizen the use of any available devices to interconnect them. Its goal is to create a city where any citizen can get any services anywhere and anytime through any kind of devices. It is important to highlights that the ubiquitous city is different from the above virtual city: while the virtual city creates another space by visualizing the real urban elements within the virtual space, U-city is given by the computer chips inserted to those urban elements.
  • Cognitive Smart City: Cognitive smart city expands the concept of the smart city by referring to the convergence of the emerging Internet of Things (IoT) and smart city technologies, their generated big data, and artificial intelligence techniques. Continuous learning through human interactions and consequently performing a dynamic and flexible behavior and actions based on the dynamic environment of the city are the core components of such framework.

Human framework  

Human infrastructure (i.e., creative occupations and workforce, knowledge networks, voluntary organisations) is a crucial axis for city development.

  • Creative city: creativity is recognized as a key driver to smart city and it represents also a version of it. Social infrastructures, like for instance intellectual and social capital are indispensable factors to build a city that is smart according to the human framework. These infrastructures concern people and their relationship. Smart City benefits from social capital and it could be possible and easier to create a Smart city concept if there are mix of education and training, culture and arts, business and commerce as Bartlett, L.[48] said.
  • Learning city: according to Moser, M. A.,[49] learning city is involved in building skilled workforce. This type of city in the human context improves the competitiveness in the global knowledge economy and Campbell [16] established a typology of cities that are learning to be smart: individually proactive city, city cluster, one-to-one link between cities, and city network. That lead a city to learn how it should be possible and realistic to be smart through learning process followed by city workforce.
  • Humane city: It exploits human potential, in particular the knowledge workforce. Following this approach, it is possible focus on education and builds a center of higher education, which is the city, obtaining better-educated individuals. According to Glaeser, E. L., & Berry, C. R,[50] this view moves a smart city concept in a city full of skilled workforces; the same reasoning could be make for those high tech knowledge-sensitive industries which want to migrate in a so dynamic and proactive community. As a consequence of the above movement, the difference between Smart City and not are getting wider; Smart places are getting smarter while other places getting less smarter because such places act as a magnet for creative people and workers (Malanga, S. 2004 [51]).
  • Knowledge city: It is related to knowledge economy and innovation process; this type of Smart City is very similar to a learning city, the only difference refers to “a knowledge city is heavily related to knowledge economy, and its distinction is stress on innovation” (Dirks, S., Gurdgiev, C., & Keeling, M.[52]).

The concept of knowledge city is linked with similar evolving concepts of Smart City such as intelligent city and educating city. The most important feature of this city is the fundamental concept of knowledge-based urban development, which has become an important and widespread mechanism for the development of knowledge cities.

We live in exciting times 😉