[Please see Part I and Part II of this series if you haven’t yet]
Let’s discuss some specifics in determining whether your IT structure is optimal, and if not, how to get it on the right footing. Essentially, you should be able to perform a review according to the simple model below. You can extend and apply this view to your own organization’s IT structure. Look for any misplaced work, gaps, uneven distribution of load, and general inefficiencies.
- Assess current positions by relevancy and number.
- Match your positions to standard “field definitions.”
- Eliminate, add, combine, or separate positions as necessary.
- Adjust individual positions as necessary.
- Redistribute work as necessary.
- Ensure a balanced load.
Let’s take a more detailed look at each of these:
Assessing current positions by relevancy and number: Positions should be surveyed against organizational needs, and against the positions’ standings against standard field definitions.
You, or someone prior, may have apportioned specific duties and loads based on something other than an optimal structure for your particular organization. Oftentimes the original reasons for distributions of effort no longer apply – if they ever really did. It’s important to fix any imbalances and inequities. Compounding problems can sneak up on an organization over time. Not only do the internal requirements change: the outside field of IT itself evolves around you. Coming will be new scales of computer hardware and architecture, supporting ever more powerful software applications; new leveraging of the Cloud; entirely new focuses and disciplines. Evolving supports and disciplines are not only enabling, they establish dependency and vulnerability, and therefore burdens of support. Too, other equipment or products may reduce or otherwise shift burdens.
As the climate of business changes, your organization’s burden in meeting outside expectations can change radically. Your environment will need new scales of skill, talent, and imagination in maintaining your environment. There will be an immediacy that makes new demands of Business – and thus Business’ demands of Technology. We’ve mentioned the Five-Year Plan in these regards – it should have a template item regarding your evolving burden and type of work, and its influence on your positions and support posture. You’ll then have a proactive collection of salient facts, coming into sharper relief as the years click forward, and you’ll be less reactive and far better situated to make necessary job and position changes.
Match your positions to standard IT definitions: Try to keep your position descriptions within the bounds of accepted IT standard job definitions. This creates efficiencies in managing and supporting your IT environment and business environment. It also lends to efficiencies in managing the structures of jobs themselves, and the people in them. You have ready reference on the Internet to a variety of job descriptions for known job categories, and these can serve as your templates as you fine-tune your own internal job descriptions. You’ll also have ready access to the standards to which these jobs should be performed – and, you’ll have matching professional training resources for when you need to send people to training. Too, it becomes easier to replace people as they exit the organization, or move up. Interviewing candidates for positions is far easier when your positions adhere to known, “industry”, standards. Staffing is a smooth, efficient, process. In the modern organization, this must be a tenet: That which can be routine, must be made routine. Anything less is inefficient, and therefore, expensive.
The positions should fit together like puzzle pieces to create a seamless structure of support to the Business environment. Over time, you may start to experience gaps between the pieces (the positions); that’s when you determine the correct course of action to close the gaps (to cover the new area[s] of support): either through assignment of the work to an existing position, creation of a new position, or the determination that the work belongs in the Business sphere.
Add, eliminate, combine, or separate positions/duties as necessary. Take a careful look at each position in IT. Compare the described duties within each position with standard job definitions. Many of us have seen network managers who were performing programming on behalf of programmers, seen HelpDesk technicians tuning databases, seen programmers performing HelpDesk calls – not as an overlapping backup between positions, but as a matter of routine.
A lot of times this happens because individuals within the user body start to develop “favorites” – people whom they prefer for support. This favoring is independent of what a support person is supposed to be doing in the larger sense, and may mean that the support person has to dig for details or knowledge that are already known by the appropriate support person. It’s tempting to go to your favorite IT person with every request, whether that person is the primary responder for the type of assistance you’re seeking or not. This can exert a slow gravitational pull, whereby everyone in IT begins to assume a “jack of all trades, master of none” kind of posture. SMBs are particularly vulnerable here.
Business leaders should help to ensure that calls for help by staff are made through the appropriate avenue. They should call a HelpDesk number, as opposed to specific individuals, and the HelpDesk can dispatch appropriate help, or escalate the issue as necessary. The IT leader has to fully explain the process to Business, and the IT leader has to enforce the discipline necessary to ensure an efficient use of support resources.
At the same time, work may be flowing against the grain of your position definitions for very valid reasons. Work may actually be settling into a correct alignment, but across the lines of positions (even departments on occasion). You may very well determine that the manner and flow of work needs to be codified as it is, with new position descriptions that reflect the correct order of things as they already informally stand. As necessary, get the primary responsibilities where they belong, and defined correctly, so as to manage, document, acknowledge and reward people properly. This will become increasingly important as each job position takes on new responsibilities within its specific scope. It aids in planning the future of the position, in seeking better cost efficiency, in contributing to security, and so on.
There does need to be an effective overlap of some knowledge between jobs, obviously – but not to the point of diminished returns and inefficient redundancies.
We’ll wrap up in the next article.
NP: I Remember You, Coleman Hawkins, jazz24.org.
In Part I we spoke of how “Frankenstein” positions get cobbled together, comprising various disciplines and duties for an awkward straddle. Here, we’ll discuss a few ideas for correcting, and even avoiding, these inefficient situations.
Ignoring increasing burdens or emerging priorities is not wise – whatever else may be hindering action. If you lack budget, approval, and your own authority to build a new position, you can still plan the position and have it ready to go. If you believe in a new position, and believe in a necessary redistribution of work based on changing conditions, you can still create and assemble your supporting documentation.
If you’re right, the issue will force itself sooner or later. Without preparation, you may make mistakes when the time and authority to act does come. Waiting until you absolutely have to break off work to a new position is like standing at the base of a cliff. You won’t have the gentler progression of planning as you track the practices and requirements of new areas.
IT should look at the long-range business plan, the projections of growth (hopefully), and general changing methods regarding the exercise of business in order to assess their own staffing requirements. This should be marked and tracked within a Five-Year Plan, with more specifics in a One-Year Plan. As any new positions begin to manifest and focus, IT should build position descriptions, budgets, and justifications for them. This prevents being caught flat-footed.
A new position may become necessary through an increasing volume of existing work, or the requirement to perform a new kind of work. In either case strong consideration should be given toward emplacing the new position before a critical need develops. Where possible, activate a position for new work “ahead of the curve.” This way, you can have the concurrent grooming of an incumbent along with the “settling” of that position as it breaks-in to business.
Waiting means that you risk sizing a position, and hiring into it, to cover requirements not fully understood. You’ll be scrambling to define the position, the salary, and the kind of person you want for it, while needs are yet evidencing themselves. You may not have direct familiarity with the market for such a person. Business won’t know how it needs to be supported, HR won’t quite know how to hire for the position, and IT will be struggling to define it based on an amalgam of surveys of peers and associates. This, plus you’ll be reaping the results of running “lean” for too long: impacts of bad morale and negative consequences to staff and business are quite possible – frequently there is turnover and the loss of good people.
Next – we’ll get a bit further into setting IT staffing structure.
NP: Blue Train, John Coltrane, Jazz24.org.
Many of us have seen situations where a person of considerable general competence accumulates duties – like a magnet. They attract responsibilities that in some cases go far afield from that which they’re supposed to be doing. Why does this occur?
It is often expedient – and perhaps even necessary – in an environment where other people are not held to appropriate standards of performance. Many times conscientious people volunteer to get the job done – whether it’s in their sphere or not – and deliver on whatever the task, whatever the assignment.
Neither Business nor IT should skew work that way. Don’t build up a position as a reaction to ‘negatives’ – and inadvertently create a hybrid position that is difficult to maintain in the longer term: a “Frankenstein” job position. Small-to-medium business (SMB) environments in particular should take heed. Particularly as you grow, be absolutely certain that leadership and HR begin to put formal, tried-and-true (longstanding, effective, efficient) Position Descriptions and definitions in place.
Too frequently in the SMB environment, a position is cobbled together from many “parts” (disciplines, requirements and exigencies) without regard to best practice, known IT definitions, or long-term consequences. Many times Business goes right along – the ultimate stakeholders. For their part, HR often does not dictate adherence to appropriate definitions and distribution of duties. Nor does IT’s ultimate executive management do this. Frankly, oftentimes no one knows any better – or the organization deliberately ignores deviations in trying to soothe the pain of the moment.
Today’s Expediency – Tomorrow’s Emergency
Why would any organization or leader create positions of this nature? Organizations create hybrid, Frankenstein, positions in order to keep their staff small. The problem that arises is that, as the particular disciplines’ sophistications increase within the umbrella of the Frankenstein position, more and more time to manage those disparate disciplines is required. It becomes difficult to train up for the changes – akin to having a foot in two different boats, each beginning to diverge. It’s one thing to track the requirements and attend a schedule of training in remaining current in a particular field of endeavor, or fields closely related and supporting; it’s quite another challenge to remain current in a variety of disciplines – too often training is ignored or missed due to the sheer challenge in covering disparate environments. A point of diminishing return is quickly reached.
Consider too that when a Frankenstein is removed from the environment for one area of training, you are removing your support to the broader range of disciplines supported within that position. This is inefficient. You may put the entire gamut of disciplines at some measure of risk (whether this person is absent through training, or other loss).
Not everyone has to be a specialist, and there are always degrees of exception to everything. However, if you have extremely disparate disciplines under one job position, they will become increasingly difficult to straddle, the job will become increasingly difficult to do, increasingly difficult to populate, and there will be increasing difficulty in maintaining currency.
Where possible, and as work increases in your IT department, or as certain disciplines start to require more time, you’re better off creating a new, entry level position and hiring a relatively junior member to populate it. Step that person up over time as the position demands an increase in capability and responsibility. Alternatively, you can “hire up” slightly when there is turnover, and boost the position description to reflect new realities.
You not only risk stretching people too thin, and putting coverage at risk: Good people can become frustrated. When good people tire of covering too many disparate bases – or worse, other people’s bases – they’ll seek greener pastures where they can concentrate on an appropriate contribution on a better functioning team.
On this day: July 30, 1928 – George Eastman demonstrates the first color movie.
Today’s social networking environment is interesting from a variety of perspectives.
There’s the security aspect, of course. Folks have to be careful not to divulge too much information, such as:
“Hey! We’re on vacation in beautiful [insert location here]!”
This is the equivalent of a news bulletin to every nearby thief:
“Hi. We’re not in our home at the moment, and won’t be for the next couple weeks. Come on by, break in, and peruse our stuff – take what you like…”
In fact, it is often auto-responders that let criminals know that people are on vacation – and these can be very dangerous. Criminals survey the ‘net to find out which houses are empty, and auto-responders make for very efficient pairing of house-to-criminal. Think.
I remember the good old days when, as IT Director and later CIO, I’d walk out the door one afternoon and not touch a computer or send a message for two whole weeks. I might write a regular paper letter or two and post it while on vacation, but that was it. Today’s eCulture really has people tethered to their accounts and devices:
According to TechCrunch:
- 50% of all Americans are on Facebook – but only 37% have a passport.
- There are 750 million active users worldwide.
- There are 700 billion minutes per month spent.
- 58% of people are online while on vacation.
People feel pressure to stay “plugged in.” There’s pressure to e-mail, tweet, IM, update websites with vacation photos and blurbs…
This is a lot of people, and a lot of time spent. I would urge all users, family members, children, professional associates – all interconnected and linked people – to be very circumspect about what information you make public.
Also: Be very wary of what kinds of information new “friends” solicit. If you know someone exclusively through the domain of online social networking, e-mail, etc., be quite careful. Not to encourage spying, but take note of what children are doing too.
Also, consider private moments “breachable” – anything can happen, and it’s important to view every activity through a security prism. I counsel everyone with whom I work and deal: View all activity through security’s prism. Yes, that bears repeating – and often.
Rather than a burden, it becomes second nature – like fastening a seat belt or locking your door when exiting the house.
To “business” I say: Take stock of what you’re doing, saying, and exposing on social networking sites. Many businesses have official social networking sites and more are jumping in all the time. Employees often exit the “party” of their personal account, and bring the wrong voice to the work account. Know what employees are saying there; how they’re interacting with customers/clients and potential ones. Guard against mixing “friending” with “businessing” – have a social networking policy that comports with, and augments, the organization’s Communications Policy, Acceptable Use Policy, Security Policy, Content Management Policy, and any others.
If you don’t have each of those, or if you’re a small org, that’s ok – just be certain to cover the bases in whatever general policies you have concerning employee activity and behavior. If you’re not sure what you have or need, find someone to help you and get liabilities and protections documented and dispersed throughout staff – via communication, training, and hopefully both.
For private individuals, for organizations, now is the time for these reviews, actions, and behaviors.
NP: John Coltrane, Live at the Village Vanguard, original Impulse! 33rpm LP.
It seems that one major online breach after another occurs: One breach hardly has time to clear the news cycle before another occurs.
Here at The BTW alone we’ve discussed the following major data breaches over the course of just the last month or so: CitiGroup, Sony, and the Pentagon (the Pentagon!).
In talking with small and medium businesses (SMB) in particular, many aren’t sure where the main liability lies: Whether companies aren’t taking the proper precautions to protect data (which would be more of a human failing, whether error in use, poor planning of protections) – or – whether the problem is inherent in poor software, firewalls, authentications/encryptions, and so forth.
Internet security is paramount. It’s not “insurance,” however. Insurance is what you purchase in order to recover from a bad outcome, if one happens. Internet security, however, is the protections that prevent a bad outcome from happening in the first place.
Speaking of the internet: Many SMBs aren’t fully aware of what Cloud computing is – if they’re aware at all – even when utilizing it! Therefore, when migrating storage, process, access, etc., in either discrete ways or as holistic solutions, security is often a back-of-the-envelope consideration. This is a huge mistake.
Let’s face it: Even large enterprises – the most “sophisticated” (we hope) environments – are struggling with security and poor outcomes. For SMB, it’s a real challenge: Many SMBs don’t know how to define what the Cloud is. And yet, according to Trend Micro, many are using cloud-based applications for such things as human resource management, or customer relationship management (CRM) – “…but don’t associate those apps with cloud computing”, according to Ian Gordon, Trend Micro Canada’s marketing and channel chief.
One has to wonder what their vendors are telling them when selling and instituting these “solutions” if the customer doesn’t even understand what they’re buying. And security? How do you secure something you can’t articulate in the simplest of terms? How do you assess what your vendor is doing?
Food for thought: If you’re “IT,” be certain you tell your business stakeholders exactly what is being implemented and what the advantages, and any liabilities, may be. Get full understanding and approval.
If you’re “Business,” understand the technology that you own, pay for, and use. It’s not that difficult to have a pragmatic understanding for where things reside, what business value they deliver, and what special accommodations must be made in securing and progressing the environment.
Get on it.
NP: Jive Samba, Cannonball Adderley, jazz24.org
It’s interesting to me that the European Union’s European Commission is considering some standard rules for breach notification. These rules would govern how companies make notification to stakeholders, and also govern their behavior throughout breach fallouts.
These “practical rules,” are being crafted from solicited input from the public, and also from national data protection authorities, as well as from consumer protection organizations. In the wake of several high-profile breaches, it’s an understandable consideration (see several of my prior posts regarding breaches).
As stated by Neelie Kroes, the EU’s digital agenda commissioner, “The duty to notify of data breaches is an important part of the new EU telecoms rules. But we need consistency across the EU so businesses don’t have to deal with a complicated range of different national schemes. I want to provide a level playing field, with certainty for consumers and practical solutions for businesses.”
If transparency is key, as one of the stated goals, then I wonder why no mention of government? What of government breaches? Is there the same timely notification requirement for various agencies? In terms of stakeholders’ wellbeing, the government harbors extraordinarily critical content regarding citizens and their interests.
It’s of further interest to me that many “experts” feel that breaches will be an ongoing problem, by virtue of the number of private companies, banks, agencies, etc., that gather and store ever-more personal and empirical data about customers, clients, patients, and so on.
I rather agree that breaches will be an ongoing problem – but not due to an expansion of data stores – that is, more targets. Breaches will occur largely through careless harbor; poor security practices, lagging security initiatives, and that most venerable and vexing problem: human error.
Joe McNamee, the head of European Digital Rights, says: “It is precisely because there will inevitably be breaches that rules are needed to ensure that citizens are informed and that companies have compelling reasons to minimize the data they collect and maximize their internal security,” he noted.
I rather think that breaches can be thwarted – with proper security protocols, proactive updating of environments to best security features and practices, sound training of personnel, and ever better encryption techniques.
Meantime: I’m back to government: What is their duty in notification of breached agencies and harbored data? Nothing I’ve read has indicated government’s oversight of… government.
I’ll also be curious to see what’s mounted, or attempted, in terms of government control here in the United States.
I’d like to hear from you. What are your thoughts on “breach notification laws”?
Stay safe out there.
NP: Elsa, Cannonball Adderley, jazz24.org
The Pentagon is supposedly mounting a new cyber security initiative following the loss of 24,000 files. They were actually stolen from a defense contractor but, as in any organization, the organization is ultimately responsible for the actions and activities of all subordinate elements: contractors; vendors; solutions partners; individuals.
I also use the word “loss” for a very important reason: Whether the Pentagon still has copies of the breached, stolen, files or not – they are lost in the sense that their exclusivity, their protection, and their discretion has been stolen.
The files truly are not what they once were – and that is theft and loss.
Here in the BTW, we often speak of The Responsible Forward Edge (RFE). It’s a proactive, aggressive, forward posture regarding survey of risk, mounted protections, and the comport with best business/IT practices. Best practices means constantly updated practices in accordance with evolving threats and the evolving security measures to counter them.
The responsible organization does this pragmatically, for sure: There’s budget to consider. Other resources factor too: time, available personnel for implementations and support, etc. But today, there simply has to be a schedule of survey of liabilities – even if none seem to exist today, tomorrow they will: Our environment is not static, and the number and nature of threats are not static either.
What makes the Pentagon’s hack so dismaying is that “foreign intruders” made the theft. According to Deputy Defense Secretary William Lynn, terabytes of data have been stolen over the past decade, involving “our most sensitive systems, including aircraft avionics, surveillance technologies, satellite communications systems and network security protocols.”
In this case, Lynn didn’t specify a country for the attack, or even whether it was a country versus the work of simple criminal hackers. However, a large part of the Pentagon’s new cyber security initiative is to share classified threat intelligence between defense companies. Hmmm… someone couldn’t have thought to do that a decade ago?
This should have been routine. A lesson for all organizations is to get your people thinking, imagining, and working together. Organizations should have, at a minimum, quarterly meetings with a significant block of time dedicated to security. Employees, security oriented and otherwise, should volunteer what they’ve heard regarding threats, solutions, other outcomes. Qualified personnel can vet ideas and threats – but it’s a nice exposure, and gets the organization thinking. Remember too to solicit and share ideas between regional offices, and between all partnering-organizations.
At the same time, IT can warn of social networking liabilities, breach conditions to avoid, and so forth; they can reinforce Acceptable Use, Content, Security, and other policies.
On this day, July 16th: In 1926, National Geographic takes the first natural-color undersea photos.
An interesting thing happened to me on the way back from my mailbox the other day.
But first: I had a debit card that was getting increasingly difficult to use. The magnetic stripe on the back had a scratch on it, and I often had to swipe it three or four times to get it to read. So, I called the bank and requested a new one. I haven’t had to replace a card in a long, long time. I figured the new one would come with instructions to call a number for “activation.”
Interestingly (well, at least to me), when the card showed up, the accompanying letter made no mention of any need for activation. It did take care to tell me the card could be used at “millions of Visa ® merchant locations.” It talked about “free access to cash” at qualifying ATMs. Further, the letter was so helpful in telling any recipient that $300 cash was available each day, as was $1,500 in purchases.
Representing the most help, perhaps (particularly for thieves), was this informative sticker on the card itself! [Capitalization is exactly as on the sticker] –
This debit card works at all Visa merchant locations.
Press the CREDIT button and DO NOT INPUT YOUR PIN.
Funds will be deducted from your checking account
and there will be no transaction fee.
It really is nice not to have to fuss with a PIN. But here, we’re at a point of diminishing return: By making the card easier to use for the consumer, we’re also opening a very insecure avenue, yielding a breach potential: Unauthorized use of the card for THEFT. [Those caps are all mine].
The letter had a 1-800 customer service number and I called it. I wanted to confirm that the card was ready to use, absent any proactive activation on my part. The representative confirmed two things: 1) The card was ready to use, and 2) that, upon my direct query, the card indeed had been ready all along, as delivered to my mailbox.
Couple worrisome things here. There have been times, not too often but more than a few, where my neighbor’s mail has been delivered to my mailbox. In fact, this has happened at several addresses I’ve had over the years. I’m sure there has been mail of mine delivered elsewhere – in fact, I remember people walking stuff over here and there.
In the event this card had been placed in the wrong mailbox, there is the possibility that someone would be tempted to take the card and use it. The envelopes for these cards do not disguise the fact that they contain a card – you can readily feel a card just by picking up the envelope. Consider too that someone could tear an envelope open without noticing it’s meant for someone else (in fact, I’ve done it). Once open, there’s a nice sticker advertising the fact that you hold free money in your hand.
Of course, with all of the surveillance systems today, it would be distinctly unwise to use someone else’s card without authorization. But that doesn’t preclude kids, or stupid people, or even someone adopting a disguise and walking up to a machine, from gaining some ready cash… from… you.
I don’t like it. What do you think? Aren’t we supposed to be getting tighter as regards security?
Also, keep this in mind: Removing the need to call and authorize/activate a card takes a bit of a burden off the financial institution. But… presumably any burden regarding security is something a bank is precisely supposed to be offering.
Call it a service. :^ )
On this day: In 1836, U.S. Patent #1 is granted for locomotive wheels (after 9,957 unnumbered patents).
Does your right to remain silent, as protected by the U.S. Constitution’s Fifth Amendment, extend to encryption on a personal laptop?
It’s an interesting subject, and one that might be settled soon – by the Supreme Court. A woman accused of, and being prosecuted for, a mortgage scam in Colorado is under pressure to disclose her passphrase for decrypting her laptop, which police found in her bedroom upon the raid of her home – she has refused.
The Obama administration is asking a federal judge to order the defendant, Ms. Ramona Fricosu, to decrypt the laptop. As a slight aside, prosecutors don’t want the passphrase itself. They want Ms. Fricosu to simply type it in, and make the files available in their decrypted form. This may seem a minor point, but it does remove any wrinkles that may be encountered upon court rulings that make divulgence of the passphrase itself a protected item within the Fifth Amendment’s protections.
At the heart of the matter is whether a defendant can be compelled to serve up something from the privacy of their mind: Other courts have ruled that protections extend there. Prosecutors, however, liken passphrases to physical keys, and defendants can be made to produce keys to safes, for example. It’s an interesting situation.
One could make the argument that forcing a defendant to divulge a passphrase (or password, encryption keys, etc.) enters the realm of breaking protections against self-incrimination. While the Supreme Court has not yet ruled in matters such as these, lower courts have – and their rulings have, essentially, gone both ways: In one case stating that an individual did not have a Fifth Amendment right to keep files encrypted; in the other, that the defendant did – thus “protecting his invocation of his Fifth Amendment privilege against compelled self-incrimination.”
Ms. Fricosu is charged with money laundering, wire fraud, and bank fraud in an alleged attempt to gain titles to homes via falsified court documents. She’s facing up to 30 years or more in prison.
For the rest of us, with – hopefully – more mundane privacy concerns, we can understand a desire to keep business secrets, diaries, and privileged communications from friends and associates private.
For us, and most definitely for business, the case does bear watching.
On this day: July 12, 1962, the Rolling Stones make their first public appearance (Marquee Club, London).
According to a top Homeland Security official, testifying before a hearing of the House Oversight and Government Reform Committee, computer software and hardware is being imported to the United States pre-loaded with security-defeats and spyware.
Greg Schaffer is Acting Deputy Undersecretary for National Protection and Programs at the Department of Homeland Security (at least he’s not the temporary acting deputy under… there are those too).
Schaffer made a disturbing statement in response to a query by Rep. Jason Chaffetz, R-Utah, who first took care to state “the issue of software infrastructure (and) hardware built overseas with items embedded in them already by the time they get to the United States … poses, obviously, security and intellectual property risks.”
Rep. Chaffetz then asked, “A) Is this happening, Mr. Schaffer? And, B) What are we going to do to fight back against this?”
After a moment’s obfuscation on the part of Schaffer, the representative sharpened his query, “Are you aware of any component software (or) hardware coming to the United States of America that already have security risks embedded into those components?”
Schaffer: “I am aware that there have been instances where that has happened.”
The panel is considering a government proposal to tighten controls on imported computer equipment for use by critical government and communications infrastructure.*
It would seem to me that that area would already have the highest possible standards. How many times have we stated here that protections must lead threats, not lag, and that a proactive, provocative security awareness is necessary?
The hearing didn’t tease out whether imported equipment included consumer-grade technical components and software like retail media, laptops, desktops, consoles, etc. However, if it’s determined that there’s a necessity to survey those imports, watch for consumer-grade items to jump in price, as cost of inspection and survey gets added to the bill.
* Meantime, the government isn’t doing everything possible to inspect and screen their own components? In the age of botnets, key-logging software, password discovery mechanisms, encryption-busting and other software that defeats and disables existing security programs, there’s no excuse. The missing existence of a progressive, matching, security posture and aggressive monitoring and survey/scrub for malfeasance is unaffordable.
Further, when an aggressive program is in place, that program is affordable because there is no cold-start mount in the face of extreme security perils: It’s kinda like riding a bike uphill; you get a good start on the stretch, and are then able to pedal into the hill… eventually, you get back on level ground and your effort eases – but you don’t relax – you’re readying for the next hill. However, if you start on the hill, it’s tough to get going.
What has the government been doing if it is just now acknowledging import of infected components? And… further, it is just now considering more stringent controls? It’s past time to pedal faster.
For your environment: True security demands an aggressive posture. Be certain to have the right mind-set in your organization. Review the security-themed posts here as necessary.
On this day: July 11th, 1798 Congress creates the Marine Corps.