Now, we’re turning our watchful gaze to cloud computing, that buzzword of buzzwords that has promised to revolutionize the way we work, play and even lose our critical corporate data. Is it all it’s cracked up to be? Stay tuned on the IT Watch Blog for exclusive interviews with the likes of former Salesforce CEO and CFO Steve Cakebread, coming later this week.
What would you like me to cover? Do you think the promise of the cloud is over hyped? What resources have been valuable? Let me know at Michael@ITKnowledgeExchange.com and I’ll do my best to get your pressing questions answered.
Ongoing annual savings from SAM programs requires ongoing involvement of IT staff and senior management
Scott Rosenberg, founder and CEO of Miro Consulting, warns that without continued vigilance, software asset management programs aren’t that much better than a crash diet. Read on for his thoughts on why, and what you can do to keep costs low for your IT department. For related information, read our IT and Business Alignment Guide.
Software asset management (SAM) gets a lot of attention these days, and many organizations have implemented or plan to implement SAM programs soon. There’s no mystery why – significant initial savings of up to 25% from recycling shelfware (those sexy programs that nobody actually uses), renegotiating software licensing contracts and/or right-sizing software investments, policies and usage.
But then something funny happens. Like the crash dieter who loses 30-40 pounds in a hurry only to gain it all back within a year or so, many middle and senior executives assume that their SAM programs somehow run on autopilot, which allows unnecessary software costs to creep right back into their enterprise. But it’s not a perfect analogy. Unlike the dieters’ added weight, those unnecessary software costs typically cannot be readily seen, and they aren’t even necessarily the same costs that were reduced or eliminated in the first place. And those creeping costs represent what should be ongoing annual savings of 15 to 20 percent.
What’s going on here? Usually, it’s a combination of misalignment, misunderstanding and misinterpretation of SAM between senior executives and IT staff. Nine times out of ten, once the initial SAM savings are achieved, senior executives rarely look at the program again, and the new SAM policies and procedures are not enforced correctly. Typically assigned to an IT administrator, many middle or upper executives regard SAM as purely an administrative function that requires little, or none, of their ongoing attention. While most of the day-to-day execution should, indeed, be assigned to an IT administrator, neglect by middle and senior management overlooks the importance SAM plays in multimillion or billion dollar software budgets.
This is especially true when it comes to software licensing. While Adobe and the Microsoft Office suite are easily definable, major Enterprise Resource Planning (ERP) and database vendors such as Oracle and Microsoft have complex licensing models that are about as easy to understand as Egyptian hieroglyphics. And these ERP and database licenses often have annual support and maintenance fees in the millions! Much of the time, these licensing contracts are housed, managed and maintained by either the controller, the CIO or the procurement office – separate from the person in charge of the SAM program. This disconnect often works against the enterprise – especially in the case of an audit (whether internal or external). While the SAM administrator is taking care of the daily technology needs of employees near and far, chances are good that she is creating licensing compliance conflicts based on lack of access to, or understanding of, the hieroglyphic (and rapidly changing) Terms and Conditions within specific licensing agreements.
The fact is, companies need a SAM administrator for day-to-day functions, but they also need upper executives to create and participate in a committee dedicated to understanding all the functions in deploying software, including:
• Re-upping licenses: are there better methods for reducing costs or adding value during this process?
• Purchasing new licenses: a SAM administrator might see a need, but may not necessarily be the “go-to” expert for negotiating the best deal, or especially Terms & Conditions.
• Recycling licensing: would the SAM administrator know that Oracle licensing, by and large, cannot be re-used except under very specific terms?
• Reviewing maintenance and support: most SAM administrators don’t understand that maintenance and support fees are a percentage of the total software purchase. Furthermore, they are not usually focusing on connecting software based on ‘best fit,’ but seeking to fulfill current needs expressed by their internal clients.
Bottom line: successful SAM programs require senior executive involvement. If they don’t seem interested, emphasize that the initial savings are just the first course (approximately 30 percent) … that ongoing SAM savings typically dish up annual savings of somewhere between 15 – 20 percent a year. Most C-suite executives will respond to that, especially in this economic climate!
Scott Rosenberg, founder and CEO of Miro Consulting, has more than 20 years of engineering and operations experience. Miro Consulting has over 400+ clients across North America and has overseen more than $1 billion in Oracle and Microsoft transactions. Prior to Miro Consulting, Mr. Rosenberg was a founding principal and driving force behind Cintra, a highly successful Oracle consulting company with over $20 million in revenues. Mr. Rosenberg is an active member of the International Association of Information Technology Asset Managers (IAITAM) and is a Certified Software Asset Manager (CSAM).
Mr. Rosenberg earned an Industrial Engineering degree from the University of Pittsburgh. He currently resides in Leonia, N.J.
David Scott, author of IT Wars and a business consultant, knows first hand the risks social networking can pose to the enterprise through his work with clients who’ve faced these very threats. But how does IT fit into it? The following guest post offers some strategies on where your IT department fits in fighting the wide variety of risks while still reaping the rewards the technology can offer. Like what you’ve read? Check out our Bookworm Blog for a free chapter download of David’s book, or buy it on Amazon.
Organizations have long faced liability in an environment of e-mail, instant messaging, blogs, and downloads. Critical dependencies and vulnerabilities abound. But a fairly recent, yet established, challenge has materialized in the workplace: that of social networking. In addition to high profile sites such as Facebook, Twitter, LinkedIn, et al., there are countless other sites – some friendly, some professional, and some neither friendly nor professional. For an exposure to the latter, just try Googling “vent your job,” “rant about your job,” etc.
In the recent past, it was enough to have a prudent e-mail policy as part of an Acceptable Use policy for information systems at large. Most of it was obvious, though necessary: no harassment, no abuse in terms of too much personal e-mailing of family and friends, no e-mailing of negative views, such as political or corporate, and no posting of any kind to questionable forums – under the aegis of the corporate domain. That is, don’t use your corporate e-mail or user account for anything that could adversely reflect on the organization or you as a representative of that organization.
But today, often in the lag of policy, social networking has employees toggling between “friending” on Facebook, Twitter, etc. one moment, and “businessing” on corporate systems the next. In the case of small businesses, many find themselves taking advantage of social networks in the interests of client-building, marketing, communication, and general exposure. This is inexpensive and efficient – but here, the blend is a blur.
Of course, social networking has that universal business peril: wasted time. But this switch between friending and businessing can pose an extreme peril to any organization’s #1 asset – its reputation – in an age that grants enormous power to individuals. For example, Genesis HealthCare System, of Ohio, recently had to counsel healthcare professionals not to make negative postings online; personnel were discussing patients and referring to them by room number. Going the other way, employees too often have the temptation to bring an inappropriately lighter sensibility to business communications, having just exited the “party” of social networking.
Another peril in the blend of friending and businessing is the security concern. There is a proliferation of sites that offer to import contacts from other systems – be it your corporate account or other social networking sites. This blending of corporate and personal contacts can group people together for communications that may be inappropriate for either half of the group. These sites can also deliver malware, which in turn can monitor keystrokes, steal sensitive data (one need only refer to the Privacy Rights Clearinghouse, and its Chronology of Data Breaches report, for a little perspective), and can direct users to other websites of further harm. Beyond, these activities can consume bandwidth and crimp resources better devoted to legitimate business, robbing Internet speed for other employees and online customers. Organizations must understand that when employees access outside systems, they risk exposure of confidential information, and open a possibility for hacking, spyware, viruses and, ultimately, potential lawsuits.
In the same vein, organizations must also look at how employees are accessing what they access. Today’s blended environment includes personal and business assets: In the era of remote and home offices, employees access corporate networks with their own PCs and laptops. Are these computers secure? Do they have virus protection? Is it updated? How often? Just as importantly, when employees take corporate laptops offsite, do they utilize them on secure WiFi networks? If a corporate laptop prompts for a download and update, does the employee know enough to vet and accept, or decline, the update? Would some employees decline a legitimate security update?
In a furtherance of blending, consider data’s portability: CDs, DVDs, thumb drives, mobile phones with huge storage capacity… who is transporting your organization’s data, and how? If an employee takes data off-site, is there a standard operating procedure for how that data is transported? Must the employee utilize a company asset for a critical transfer? Or is it enough that the employee shows up “with the goods”?
So – what to do? Companies are varied and no “one-size-fits-all” solution exists. Small Business, with limited budget, is exploiting social networking for all it’s worth; it is free, far reaching and effective. Some big companies are totally down on it as their client base, boards, and senior management can have a more conservative business sense. But in either case, smart organizations have always leveraged and protected content (information, business data), as well as the blended environment of personal and business assets. They now must do so with an immediacy for modern awareness, issues and resolutions. In this blending of the corporate and public domains, and of corporate and employee assets, a robust Acceptable Use policy and its maintenance have never been more important.
Fortunately, for diverse organizations, there are more options than extreme positions of green-lighting all social networking access, or red-lighting any access at all as a total denial. There is also the option to manage limits in between. Subsets of users can have partial or all-access; different sites can be available to certain users according to their role in the organization; some users may indeed have no access; and there may be conditional access based on projects and temporary need. The leading cause of data breaches is negligence, according to CIOZone, making control and education paramount. So, by adding necessary precautions and education, you should be well-poised for what some call “The Wild West” of social networking.
In getting there, IT Governance (Business) must engage. It is Business, after all, that owns “business” – the doing – even in a tech company. Business must understand the payoff and the perils, the benefit to risk, and must insist on a fully qualified user body and a regime of standards in service to present and evolving realities. Everyone needs to be a mini-security officer: Every activity must be viewed through security’s prism. IT must help to shape policy, in fully informing and serving Business, by making known the risks and exposures, and IT can enforce compliance to standards through regularized training and monitoring of activity. But the important thing is to mount a new awareness and to hammer policy and plans into shape based on your organization’s needs, vulnerabilities, size, budget, culture, etc. A good planning and policy panel is a Business Implementation Team (BIT), comprised of qualified Business, IT, and User counterparts.
In the realm of risk, unmanaged possibilities become probabilities. Security is only as good as its weakest link: an untrained or uncaring employee, a laptop with disabled virus protection, a data breach, a damaging Facebook post, or a ranting Comment to a news article by Firstname_Lastname@YourBusinessDomain.com – these can do extraordinary damage. Failed events and circumstances have a common point: It’s the failure to identify a true need – resulting in the denial of an appropriate solution.
Today and tomorrow, prudent business needs to managing an accelerating, even forced, evolution of critical technical empowerments and their best use. Organizations need to manage their progression through a world of accelerative change. A good part of this will be directing their employee’s use of, or avoidance to, social networking and other outside sites. Further, there should be a regularized schedule for review and updates to Acceptable Use policies and reinforcing training. Organizations should also survey their blended assets for protection, update, and best use.
In today’s blended environment, don’t wait – your domain hangs in the balance.
David Scott is the author of the MBA-text, I.T. WARS: MANAGING THE BUSINESS-TECHNOLOGY WEAVE IN THE NEW MILLENNIUM, and is a business consultant. For more information about him, visit his homepage or professional profile on The Business Forum.
Brett Beaubouef (ITKE Profile), author of Maximize Your Investment: 10 Key Strategies for Effective Packaged Software Implementations, agreed to write a guest post about a topic near and dear to many IT professional’s hearts: How to make sure your off-the-shelf software delivers when you actually get it into the hands of your users. His piece is part of our month-long focus on IT and business alignment. Update: Fixed the link to Brett’s book.
You’ve decided on the software you need, the business side has bought into it, and you’ve even picked your integrator. Now the hard work begins: Making sure that your software deployment strategy sets your company up for success, and that means making sure business, IT and implementation partners are all speaking the same language when needed.
The implementation of packaged software is the implementation of a business solution. In order to be effective there must be alignment between Business and their IT partners (internal IT organization, Implementation Partners). Collaboration is a key enabler for alignment. However, being in the same meetings or having the latest collaborative technology does not ensure collaboration. It first begins with all the partners having common understanding and language. Consider the following illustration: Continued »
Everywhere, I see them: Busy workers, both in the office and around at the various Wi-Fi connected places that dot Cambridge, tapping away in front of their laptops, shooting out e-mails or scheduling meetings or just checking out a fun thing to go that night.
Chances are good, however, that although they’re typing in front of their laptops, they’re not tapping on their laptops. Instead, it’s become common to see people flipping through e-mails or tapping notes on their cell phones (even fully digital ones!) when there’s a perfectly good computer right by.
Pecking away and cramping your fingers voluntarily makes little sense until you go back to that laptop and how dangerous it’s become: Blinking IMs, Tsk’ing alarms, flashing warnings are all there, lurking to sidetrack you. Even modern browsers contribute to stimulus overload: You somehow go from full throttle to idle in 15 tabs, all filled with so much data that demands to be read you just want to shut them all down and be done with it.
The cell phone, particularly the iPhone but any modern phone will do, is a haven: One thing at a time, with maybe a gentle nudge here to tell you a new song is coming or a friend is calling. It’s comprehensible. It’s simple.
I fear that haven may have a countdown, however.
Tomorrow, in all likelihood, Apple will release its new tablet PC, running a modified version of the iPhone’s OS, as well as the 4th major release of this OS, which will probably include the ability to run background applications, a first for the line of devices and a major sticking point for competitors like the Droid. “True” multi-tasking is inevitable, and knowing Apple it will probably be wonderfully executed but, perhaps imperceptibly, some joyful simplicity will be lost.
Already, the New York Times is reportedly in production of a e-newspaper for the tablet that will not only beautifully format the Grey Lady’s text, but embed videos as well. More, more, more. It’s gotten to the point that there are services that take out all the extra cruft, the metadata and design and multimedia, to return readers to a simpler relationship with text.
It is, of course, progress. Even necessary, noble progress. The gleeful comic that compared typical corporate applications to Apple and Google designs was rightfully chided as simplistic: There’s a reason for complexity, because we live in a complex world, one that requires more than one input field, one that requires a gradient of choices, and one that demands multiple applications running at the same time, a juggling array of responsibilities and duties.
But that doesn’t mean we can’t yearn for simpler times.
She raised a trembling hand during the social media panel: “How are we supposed to manage Twitter, a Facebook account, LinkedIn, and everything else when we have a job to do?” It was a suicide mission.
“A second monitor dedicated solely to following all your accounts in live stream!”
And finally, belatedly, some sanity: “And you need to know when to turn it off.”
“A Little Less Conversation” was actually the title of famed geek blogger/ former Microsoftie Joel Spolsky’s most recent Inc. column, in which he outlines the problems of over-communication:
Now, we all know that communication is very important, and that many organizational problems are caused by a failure to communicate. Most people try to solve this problem by increasing the amount of communication: cc’ing everybody on an e-mail, having long meetings and inviting the whole staff, and asking for everyone’s two cents before implementing a decision.
But communications costs add up faster than you think, especially on larger teams. What used to work with three people in a garage all talking to one another about everything just doesn’t work when your head count reaches 10 or 20 people. Everybody who doesn’t need to be in that meeting is killing productivity. Everybody who doesn’t need to read that e-mail is distracted by it. At some point, overcommunicating just isn’t efficient.
Expect the problem to get worse: Even if you don’t have any real life friends, soon our own machines will turn against us in an over-sharing glut. Take ManageEngine’s OpManager 8.5 update:
The latest update to OpManager also integrates the software’s alarm management module with the social networking and micro-blogging service, Twitter. Alarms generated in OpManager can now be sent as Direct Messages to users’ Twitter accounts and users can then acknowledge, clear or delete the alarms by replying via Direct Message. Another important addition is to the fault management module in OpManager 8.5, which can now receive network alerts via RSS feed.
Next your router will be poking you, your data center will be friend’ing you and your Firewall will be tweeting albums of the crazy kegger it went to this past weekend.
At least now you’ll know where those new vulnerabilities came from.
I’ll file this under “Conspiracy Theories” for now, but security vendor Imperva’s CTO Amichai Shulman said the prevailing explanation for the Chinese hacking incident just doesn’t add up – and it might be a ploy to boost downloads of Google’s Chrome web browser.
Currently, most media reports cite a Microsoft Internet Explorer security flaw as the attack vector for the high-profile security breach, as widely touted by anti-virus maven McAfee. In an e-mailed statement, Schulman had a different theory.
“First, why are Google employees using IE and not Google’s own browser, Chrome? This doesn’t make sense,” explained Shulman.
“Second, to execute an attack this sophisticated, it likely occurred as a result of spear phishing Google employees to gain access to Google users credentials. A hacker would have to jump through many hoops inside an internal network. This requires network—not browser—vulnerabilities so that the attacker can communicate with malware inside Google’s internal network,” explained Shulman.
“Unfortunately, blaming Microsoft is all too easy and it’s leading to a panic. France and Germany are now recommending that its citizens not use Internet Explorer given its role in the recent Google hacking incident,” he said citing today’s decision by the leading European governments. “Could this be a clever way to boost Google Chrome downloads?”
Microsoft thanks the following companies for working with us and for providing details of the attack:
- Google Inc. and MANDIANT
Er, erm. Eh.
At least Imperva’s take makes a good story. I e-mailed Rob Rachwald with Imperva, who e-mailed me Schulman’s statement originally, for clarification.
Can CloudCamp make it rain? That’s what organizers are hoping for as they put on CloudCamp Haiti on January 20th: The $25 registration fee, as well as sponsorship fees, go towards the Red Cross’s relief efforts in Haiti. Dozens have already registered, including legendary cloud presenters like Christofer Hoff and James Urquhart (check out the full guest list yourself).
What is a CloudCamp? It’s a more informal “unconference” where the agenda is set day-of by participants’ questions and attendees expertise. Curious about what the return on investment of a clouded data center? Worried about the risks of customer data on EC2? There’s a great chance you can get those questions and more answered just by showing up and asking, all from the comfort of your own home or office and directly from actual users and implementers with a minimal amount of vendor pitch-iness.
If you’re interested, it’s this Thursday starting at 11:00 a.m. ET, and you can get all the details on CloudCamp Haiti’s homepage.
More and more employees are going mobile and remote, and for good reason: It often makes it easier to keep or recruit qualified talent at a good price, and you don’t even have to pay for office space to house them. But it also means a lot more data floating around. A recent Check Point survey underlines the threat (do note that Check Point, a security management vendor, is fairly vested in the outcome here):
According to the survey of 224 IT and security administrators, over 40 percent of businesses in the last year have more remote users connecting to the corporate network from home or when travelling compared to 2008. Check Point discovered the clear majority (77 percent) of businesses have up to a quarter of their total workforce consisting of regular remote users.
Yet, regardless of the growth in remote users, Check Point found just 27 percent of respondents say their companies currently use hard disk encryption to protect sensitive data on corporate endpoints. In addition, only 9 percent of businesses surveyed use encryption for removable storage devices, such as USB flash drives. A more mobile workforce carrying large amounts of data on portable devices leaves confidential corporate data vulnerable to loss, theft and interception.
Unfortunately, all these security measures come at a cost: Added management complexity, reduced speed and reduced convenience. The reason USB drives are so popular, after all, is because they’re simple enough for almost anyone to understand: Plug in, drag, drop, pop out. But that convenience has cost thousands of people their Social Security Numbers and other sensitive information over the years. Maybe it’s time to take a harder look at what we pay for that trade off.
I recently had a chance to catch up with Bola Rotibi, a principal analyst at MWD Advisors, to get her advice on IT business alignment. Her main strategy might be somewhat comforting as IT professionals look to make the most out of their budgets: Stop buying more stuff to fix every problem!
“You can go into any IT organization and throw a stick and find a tool they’ve purchased that they aren’t utilizing,” she said. “Let’s actually take a good review of what we’ve already got.”
And isn’t January a great time to do that, even as we embark on those other new year resolutions to drop some weight, ask for a raise or spend more time with family?
If you’re looking for a little inspiration, we have a guest post from a Rahul Pitre on the Bookworm Blog, who advises how IT can safely expand their role without taking on much extra work using Microsoft Office Live Small Business. Or Mr. Denny has outlined his professional goals for 2010: Some might be worth mirroring in your own career.