Enterprise IT Watch Blog

November 19, 2009  8:59 AM

How to write effective IT e-mails: 5 simple steps

Michael Morisy

In IT, how often is it that the wires that get crossed aren’t electric? By one estimate, almost 80% of people spend two hours or more a day on e-mail.

That’s a lot of time for miscommunication to happen. Even if a poorly worded message sends someone off to do slightly the wrong task, valuable time has been wasted and the sender might be jeopardizing their shot at a promotion down the road. I spoke with Dianna Booher, author of E-Writing: 21st Century Tools for Effective Communication, and she said poorly-worded e-mails can even be career killers.

And it’s not those accidental “Reply All”s that kill careers: It’s the e-mails that are only circulated internally, maybe even only to a handful of people, that can come back to haunt employees without them even knowing it.

“Writing outside of the organization, nobody who controls your paycheck will likely read it,” Dianna said. “Most e-mails internally get stuck in the files, circulated to 8 other people on the team, and they make impressions that last for a long, long time – and they are a picture of your thinking process. If they are disorganized, if they omit details that are relevant or if they are confusing, that’s a reflection of how you think.”

Booher offered to share some advice on what, in her opinion, makes a good e-mail:

1) Avoid knee-jerk responses: Email’s greatest benefit can also be its greatest drawback: speed. We open. We read. We reply. Then we think–or don’t, as the case may be.
2) If you don’t have something to say, don’t say it: On the street, when someone you know speaks to you, etiquette requires that you return the greeting. Not so with email. Don’t clutter up others’ in-box with inane responses.
3) Tune in to the tone of directives: Brief is good. Blunt is not.


November 17, 2009  6:52 AM

Is no security better than bad security?

Michael Morisy

A stunning 96% of security products up for certification fail to achieve it on their first go, claims a report put out by ICSA Labs, a certification division of Verizon Business. The most common reasons for failure?

The report found the number one reason why a product fails during initial testing is that it doesn’t adequately perform as intended. Across seven product categories core product functionality accounted for 78 percent of initial test failures. For example, an anti-virus product failing to prevent infection and for firewalls or an IPS product not filtering malicious traffic.

The failure of a product to completely and accurately log data was the second most common reason. Incomplete or inaccurate logging of who did what and when accounted for 58 percent of initial failures.

Is it time to head for the hills? Well, maybe not: A security certification authority telling you un-certified products simply don’t work is a little bit like a rabbi telling you bacon isn’t worth the health risks: I’ll take my bacon, thank you very much, and you should probably keep using security products.

I thought Alan Shimel had an interesting take which might strike to the heart of the problem: It’s not that the products don’t work, it’s that they aren’t working the way they’re installed.

Now, you have to take all of this with a grain of salt because of where the report is coming from. Obviously ICSA admittedly has a vested interest in seeing more products get tested and users demanding that products are tested prior to buying. But from my experience with far too many security tools, without some expert implementation getting this stuff to work as intended is worse than putting together one of those do it yourself pieces of furniture that you get from Staples or Office Depot. As an industry we have to do better at making our solutions easier to install, easier to use and easier to see the value.

ashimmy.com, The Ashimmy Blog, Nov 2009

So often, implementation and execution are half (or more) of the battle. Larry Walsh over on ChannelInsider worries about a larger threat from the report, however: That proper protection will simply take a backseat as users conclude that security doesn’t work anyways, so why bother.

The problem with this report is that it’s coming at a time when end users are questioning the value of the products they’ve spent millions of dollars on. While even bad security products will provide some level of threat protection, the ICSA findings could give end users some reason for pause when considering new purchases. Many security solution providers are complaining that end users—particularly SMBs—are reticent to invest in new security technologies because they don’t believe they’re at risk or don’t have the budget. The ICSA findings could give them a new reason to doubt the need for security investment.

I imagine those users will be in the minority: There are still too many high-profile data leakage cases, with ever increasing fines, for business owners. What do you think? Have you seen security products fail to operate as promised, or operate at all? Let me know in the comments or at Michael@ITKnowledgeExchange.com.

November 16, 2009  10:41 AM

The WSJ takes aim at your IT policies

Michael Morisy

The Wall Street Journal gives an inside cover today to an old question: Why can’t I pick the technology I use in the office? (Skip the paywall with Google) The Wall Street Journal’s certainly not the first to address the topic: Slate tackled it this past summer, with countless office workers grumbling the same questions well before, during and after these and other pieces.

The article tackles the costs, infrastructure and support challenges in handing over IT decisions to users, but generally is pretty keen on a rosy future where companies cut costs using consumer tools, support for non-standard choices is handled via internal user self-help forums, and data leakage is taken care of via virtual machines launching here, there and everywhere.

Read it and let me know what you think, in the comments, on Twitter at @Morisy, or via Michael@ITKnowledgeExchange.com. I’m more than happy to keep your information private if requested.


November 13, 2009  3:14 PM

Madoff’s programmers might soon join him

Michael Morisy

Working for the man might land two programmers in jail. Of course, it wasn’t just any man: Their boss, Bernie Madoff; their office, the now infamous House 17; their project, technical support for his $18 billion scam.

As Reuters reports:

The FBI arrested Jerome O’Hara, 46, and George Perez, 43, at their homes on Friday morning on criminal charges of conspiracy for falsifying books and records at both the broker-dealer and investment arms of Bernard L. Madoff Investment Securities LLC in New York.

“The computer codes and random algorithms they allegedly designed served to deceive investors and regulators and concealed Madoff’s crimes,” said federal prosecutor Preet Bharara. “They have been charged for their roles in Madoff’s epic fraud, and the investigation remains ongoing.”

The max sentence for the duo for their part in the fraud: 30 years in jail plus millions in fines.

November 11, 2009  2:08 PM

Sesame Street’s 10 lessons for IT departments

Michael Morisy

10. Focus on the fundamentals. Sesame Street tackles a whole host of issues, from basic counting and the alphabet to overcoming cultural differences and even death. For the most part, however, the issues are key elements of early development: Not always easy, but necessary. Are the projects and problems you’re tackling necessary to the bottom line? Will they give a return to the business?

9. Speak different languages. Early on, Sesame Street emphasized the importance of learning foreign languages, even if it was just the basics, such as the Count learning to say uno to diez in Spanish. More now than ever, it’s critical that IT learns to speak in business terms to explain value, as recent guest blogger Claude Roeltgen noted. So-called soft skills can save a career, and really, it’s just a matter of saying what you need and what you can do in the right language.

8. Learn to count. Or better yet, teach others to count. Just as our dear friend The Count spent painstaking hours teaching others to count from one to ten (in English and beyond!), IT must teach the rest of the business how IT enables profits and performance. And if you let others do the counting? Expect IT to become a cost center, with aggressive accounting for every dollar and annual budget fights.

7. Be wary of strangers. Sesame Street wins over adult fans with copious guest stars, running the gamut of celebrities, athletes and musicians. But these guests are introduced by trusted adults on the show, and viewers learn that while you shouldn’t fear people different than you, you also shouldn’t give them your complete trust until they’ve earned it. What are your security policies, and what do you do to ensure that temporary workers or outside consultants have what they need — but nothing else?

6. It’s not (always) easy being green. Kermit the Frog was right: No matter how often people tout the benefits of “going green,” cutting costs while saving energy can be full of trade-offs. There’s always new equipment to buy, new processes to manage, and while there may be a green revolution, there’s a premium to be paid for leading that charge. On the other hand, Kermit did get the girl and in many cases the energy savings from a comprehensive, business-savvy “green” policy can bring home the bacon at the end of the day.


November 10, 2009  10:17 AM

Bernie Madoff’s unwitting accomplice: The AS/400

Michael Morisy

When an Investment Dealer’s Digest article (“The Technology Behind the Scam”) lumped some of the blame for Bernie Madoff’s scam onto Madoff’s “antiquated systems” and the AS/400, IBM’s venerable business system, the iSeries developer community was quick to defend its fabled friend. After all, technologies don’t scam people, people scam people.

John Dodge does dig up some juicy details on the Ponzi scheme’s execution based on forensic reports:

“[House 17] was a closed system, separate and distinct from any computer system utilized by the other BLMIS business units; consistent with one designed to mass produce fictitious customer statements,” according to Looby’s declaration. House 17’s expressed purpose was to maintain phony records and crank out millions of phony IRS 1099s on capital gains and dividends, trade confirmations, management reports and customer statements.

The AS/400 was like a giant Selectric — indeed, the Application System/400 is a multipurpose server that’s very good at printing. IBM publishes several technical overviews for IT professionals known as “RedBooks” on the AS/400’s extensive printing capabilities and also offers printing and forms design software for it.

But does the AS/400 actually make it any easier to perpetrate an $18 billion scam? Or is it simply a reliable Wall Street standard, a poor technology caught up in the wrong place at the wrong time with the wrong crowd? Vernon Hamberg, a software architect and regular on the Midrange technical discussion list, wrote a spirited defense of the platform, which he kindly offered to let me publish here:

Mr Granahan:

I read with interest the article by John Dodge about technology behind the Madoff scam. It appears, from a quick read, to put much of the blame squarely on the AS/400 – the technology in question. I strongly object to this – it is, in my opinion, completely wrong-headed. I learned long ago that computers are stupid – they do exactly what you tell them, not what you want. If things were done on these systems that allowed Madoff to carry out his Ponzi scheme, it is not the system’s fault. It is some programmer, some auditor, some whatever human being behind it all.

I am a computer professional who works on these so-called legacy systems – a false categorization, unless you lump Unix systems in along with it. (Unix came out over 40 years ago – shall we talk legacy?) The IBM midrange systems have a tremendous feature, backward-compatibility – anything you wrote 20 years ago can be compiled on current systems without any change in source code. Talk to us about VB.net – about API calls in Windows that don’t work in the next release.

This strength of the system was exploited by a human – the extreme segregation of computing resources that let Madoff get away with his scheme. Mr Dodge’s report of the printing characteristics – well, it is a very narrow presentation of the system’s capabilities. That seems completely beside the point. And this is not unique to these systems. At all!! A distinction without a difference.

I appreciate you taking the time to read this. I ask you to publish a retraction or clarification – e.g., that the technology behind it was NOT to blame. Perhaps something about the true strengths of the platform and how human beings were able to take those strengths and fleece other people in such a way. THAT would be an interesting study in human nature – not the veiled suggestion of culpability of any technology as against that of those who use it.


Vernon M. Hamberg
Software Architect
RJS Software Systems

What are your thoughts? Does complex, custom legacy software make it easier to quietly caper, or are villains just villains, no matter how shiny the software and technology? I’d love to hear your thoughts in the comments or at Michael@ITKnowledgeExchange.com.


November 9, 2009  4:11 PM

Can your IT security take a page from Wikipedia?

Michael Morisy

Security guru Bruce Schneier recently noted some Columbia University research on “Laissez-Faire File Sharing,” which advocates allowing users to set their own sharing permissions, with a focus on access auditing rather than access control (administrator policies don’t stop users from receiving or sharing a file, but all the viewers and editors of that file are then logged for later review and flagging).

Schneier simplifies it as a Wikipedian ideal (“Everybody has access to everything, but there are audit mechanisms in place to prevent abuse”), but that shortchanges the idea. Not all users can access files, for example: They must be granted access by a current user. The paper’s authors argue that this is already happening in an underground IT economy through e-mail attachments, USB thumbdrives and other workarounds, and that by working with the system, rather than against it, the new paradigm has the “potential to increase both productivity and security.”

The paper outlines 5 cornerstones of Laissez-Faire File Sharing:

November 5, 2009  9:12 AM

New SSL security hole allows man-in-the-middle attacks

Michael Morisy


A newly disclosed SSL security hole allows savvy attackers to inject data into supposedly secure streams of the encryption standard, but while standards bodies and major vendors are quickly working to plug the vulnerability, it seems the attack avenues are currently relatively minimal.

As The Register reported on the SSL bug:

Indeed, Moxie Marlinspike a security researcher who has repeatedly exposed serious shortcomings in SSL, said the attacks were hard to pull off in the real world, in large part because they appeared to target a rarely used technology known as client certificate authentication.

“It’s clever, but to my knowledge the common cases in which the majority of people use SSL (webmail, online banking, etc.) are currently unaffected,” he wrote in an email. “I haven’t found these attacks to be very useful in practice.”

The security hole has been known since August in some circles, with ICASI (Industry Consortium for Advancement of Security on the Internet) heading up “Project Mogul,” an attempt to roll out an industry-wide set of security patches in a coordinated manner.

November 3, 2009  10:10 PM

Should IT police “dual use”?

Michael Morisy

Harvard Business has an interesting post by Michael Schrage on how to deal with BlackBerry junkies and other techno abusers, pointing the finger at two pilots who allegedly lost track of their current flight while scheduling future flights via their laptops.

IT is supposed to be about enabling the business, but what happens when it has users hell bent on using good technology to their own or corporate detriment? It’s not a new question: Enabling Internet browsing alone has caused innumerable productivity drains, from hours lost to cat videos and Facebook to more serious corporate threats like making data leakage as simple as sending an e-mail to a personal account.

How much of policing this double-edged sword is IT’s job, and how much is it up to management, HR and other departments? Have you ever had a case where you pushed back? I’d love to hear your thoughts at Michael@ITknowledgeExchange.com.

November 2, 2009  12:14 PM

The hidden world of IT in companies

Guest Author

This is a guest post by Claude Roeltgen, author of the book IT’s Hidden Face. His book tackles the communications gulf between IT … and the rest of the world. Interested in being a guest blogger on the IT Watch Blog? E-mail Michael@ITKnowledgeExchange.com. -MM

“Why?” is the most frequently asked question by people when something goes wrong in real life. Not so in IT – Users never ask this question when something happens. They say “Fix it” and “I don’t want to know what happened.”

Business users like to reproach us IT guys with sitting in an ivory tower using strange gobbledygook. But, let’s face it, they are happy enclosing us there and do nothing to understand the hidden world of IT in a company. “IT” and “problem” are synonyms, and for the vast majority of users, that’s as far as it goes. The public knows more about the biology of deep sea fish than about the internal mechanics of an IT department.

Even the best CIOs get into a defensive position all the time. “Be faster”, “be cheaper”, “reduce complexity”, “you need to understand the business better”, “why doesn’t this work for us?”, “why are we over budget and time?” are heard all the time, but are generally poorly answered. Users tell us “I install software in 10 minutes on my PC at home, why do you need so long?” Defensive fights all the time.

What should we do then to make things better? Well, there are a lot of things we can do. We have to tell the realities of our world in words that every business user will understand, and, no doubt, there’s a lot we can talk about. Like the fact that there are no two identical IT-biotopes and therefore they all have their own specific set of problems. Or that we have to deal with an incredibly immature software industry that delivers new software containing thousands of errors. Let’s tell them that software providers have outsourced quality assurance to their customers. Or that systems presented by providers can sometimes be called more accurately “cheatware” than “software”. We can write newsletters to our users giving them background information in their words about what is happening – we need to have a constant dialogue with our users and we need to be patient with them. We need to explain why we say “no” sometimes. We must become good in marketing ourselves. Today, we leave marketing IT to consultants. And this is not good for us!
