The Business-Technology Weave

October 14, 2012  1:29 PM

If the White House Can Be Hacked, What Hope Is There For Us?

David Scott

Business leaders with whom I speak are nervous about security.  The recent report that the White House was breached by Chinese hackers doesn’t help their nerves.  After all, the breach was characterized as a break into one of our most sensitive networks.  The network is used by the White House Military Office for nuclear commands – this according to defense officials.

Many business folks think:  “If they can hack the White House, for Gosh sake, they can break us too.”

Not necessarily (and I’ll resist the temptation to evaluate government “efficiency”).  You see, this break was characterized as a “spear phishing attack.”  Spear phishing relies less on sophisticated technical hacking than on simply fooling e-mail recipients into divulging confidential information, including login credentials.

Officials characterize these types of attacks as “not infrequent” – thus you would think that staffers and officials would exercise extreme caution before divulging sensitive information.  And yet, we know that human error and misjudgments are the larger part of breaches and loss.  But what of you – and allied business?

Reinforce caution with all employees for use of electronic enablements:  In-house systems; communications systems such as e-mail; social networks; info disseminated on blogs; live chat windows, and so forth.  Ensure that all outside parties – vendors, visitors, solutions partners, associates, etc. – understand your security posture and policy.

Keep training efforts regularized and up-to-date.

If the White House is listening:  Please fix this fast.  A former intelligence official who is familiar with the breached office says, “This is the most sensitive office in the U.S. government.  A compromise there would cause grave strategic damage to the United States.”


Now Playing:  Grateful Dead, Terrapin Station – vinyl, Nautilus SuperDisc.  Carver C1; Carver M-500t; Thorens TD-125, Shure v15v xMR.

October 8, 2012  1:34 PM

Applications and Inefficiency: Smash ambiguity!

David Scott


A business system recently came to my attention that had a number of ambiguous paths and choices – it was difficult to know what to click in order to proceed.  The system is a core, mission-critical, business system at a “big box” retailer.

As to the ambiguities, consider this:  When ordering a major product for a customer (in terms of size and cost), a model number is entered – after calling up an existing customer record or creating a new one.  Once the product is added as a line to the order, the user is confronted with two buttons:  “Order Product” at center-bottom of screen, and “Continue” at bottom-right.  Hmmm…

Now, after undergoing a modicum of training, and with some acclimation to the system, a user knows to click “Continue” in order to complete the order; and knows to click “Order Product” to add another line item (another specific product) to the order.  However, for new employees, the system can be cumbersome and arcane.  Here, it would be an easy enough job for any business analyst to view the system through the user’s eyes:  The “Order Product” button can just as easily be marked as “Add Another Item” or “Add Another Product.”  Once all products are added, it is quite intuitive to click the “Continue” button to move the order along to completion.  Much easier on the users, and a better match of easy-to-understand screens in match to training.

Another area of the system has a template for fill-in of very complex products.  One example:  Carpeting.  Here, specifications (and fields) include Type (loop, pattern, texture, twist), Color, Brand, Fiber, and other qualifiers.  However, a system anomaly exists here.  The more comprehensively you fill the template, the more likely you are to receive a system error!  In fact, it’s best to fill one field, and to proceed through a more cumbersome (and under usual circumstances, more inefficient) path to ultimate resolution of ordering carpet.

I see breakages and ambiguities like this all the time in the course of my consultations.  I hear complaints from business people quite frequently.  Here, IT needs to build applications and associated designs while imagining the business-class user’s negotiation of the system – to a business end.  It’s really not that difficult.

To business folks:  When participating as a stakeholder, and partnering with an IT counterpart, listen to what you’re saying through their ears, and be aware of what may be ambiguous to them.  Smash ambiguity – be specific in how systems are to work, how systems are to look.

To IT folks:  Design and exercise beta versions from business’ perspective, and watch for ambiguous and broken paths and procedures.

It’s easy to do with a little practice – and well worth it.


Now Playing:  John Lee Hooker, Endless Boogie, original (commercial) open-reel tape, 3 ¾ IPS.

October 6, 2012  11:36 AM

Internet Law, Pt. IV – Other interesting things of note

David Scott

[Note:  Please see Part I, Part II and Part III of the Internet Law series if you haven’t already]

Terms of Use, Violations, and Criminal Liability

We spoke briefly of the Computer Fraud and Abuse Act (CFAA) in Part III.  The CFAA makes it illegal to access a “protected computer without authorization, or exceeding authorized access.”  It seems pretty obvious that if someone broke into a specific computer, or network, and stole confidential, or proprietary info, that that would be criminal – it’s theft.  But sometimes, the idea of a “protected computer” has been taken to mean a website.  As a website (its owner) can define its own terms of use, it can include things that are prohibited; specifically, things that are not authorized.  It would seem that violations of these sorts of things would represent criminal, prosecutable, conduct.  However, this is not necessarily so.

A social network user suffered a federal criminal prosecution in 2008 for violating the site’s terms of service.  However, this prosecution was grounded in the assumption that a private company’s terms and conditions enjoyed a standing within, and were incorporated to, the federal criminal code (the assumption was made absent any formal ascertaining of that standing for terms/conditions of service/use, by any proper oversight authority – a relevant court).

The court, in this case where the prosecution was attempted, held that this interpretation could not withstand Constitutional challenge, and entered a judgment of acquittal.  Further, the highest federal legal authority (short of the Supreme Court), the U.S. Justice Department, now holds that these sorts of prosecutions will not be attempted.

Consumer Protection

Commercial sites collect and analyze data about their customers for purpose of marketing, service, and sales.  Mere visitors also may have data collected regarding them.  Recognize that the sites must disclose types of data, and the purpose for its collection and associated use.  On the federal level, the Federal Trade Commission (FTC) will pursue violators of consumer privacy rights, or ones that mislead consumers by stating uses of data and associated protections that are not true reflections of use and security.  At the state level, attorneys general make these enforcements of consumer protection laws.

What of children?  They are consumers of web services too – just by virtue of “surfing” the web.  The Children’s Online Privacy Protection Act (COPPA) provides an extra measure of protection for them.  When a website is “directed to children,” or whose operator knows that the site is collecting information from children, it must not do so without parental consent.  There is no formal definition of “directed to children” by rule or statute; the enforcer of COPPA, the FTC, has been seen to interpret this as meaning “directed primarily to children.”


Now Playing:  Brubeck, Time Out.

October 3, 2012  3:03 PM

Internet Law – Part III: Anonymity

David Scott

[Note:  Please see Part I and Part II of the Internet Law series if you haven’t already]

Online Anonymity

It may surprise some readers that the Federalist Papers were written anonymously; published and signed as “PUBLIUS.”  James Madison, John Jay, and Alexander Hamilton (maybe others) utilized this pseudonym in the production of 85 essays supporting ratification of the U.S. Constitution.

More recently, the State of Ohio and its legislature attempted to ban anonymous political literature.  The law was struck down by the U.S. Supreme Court, which stated:  “The right to remain anonymous may be abused when it shields fraudulent conduct.  But… in general, our society accords greater weight to the value of free speech than to the dangers of its misuse.”

That’s an important recognition and right.  But recognize this too:  There is no right to express one’s views anonymously online.

Why is that?  Because, while the government cannot infringe your right to free speech (anonymous or otherwise) by virtue of the First Amendment, the government is not in the business of providing internet service (yet – shudder).  Therefore, recognize that online privacy is not a right, but a matter of contract.  So, remember well our counsel from Part II:  Online companies can collect and disseminate any information they can acquire – whether for commercial purposes or not – as long as their terms of use state that they can do so.

At the same time, a certain de facto anonymity can exist and is quite common.  Many forums, blogs, news articles, etc., allow login and submission for anonymous posting.  One can also submit pseudonymously through simple account/free-mail creation.  Yet, a practical means of identification does still exist.  For example, an entity can contact a forum’s host, checking the IP address of a user; the ISP can then be contacted, and various logs can at least narrow the search considerably.  This can be employed upon discovery of violation of intellectual property rights, defamatory comments, criminal activity, and so on.

While we’ve spoken thus far about online privacy in a contractual sense, by virtue of terms of use, there are many, many violations of online privacy that are outside of that sort of relationship.  Intrusions such as hacking, spamming, unauthorized access to e-mail, unauthorized logins (such as after leaving an employer’s employ), stealing mobile devices such as phones, laptops, drives, etc., all represent breaches of privacy.  Phishing is also a nagging concern:  A fake merchant site can collect the personal information of gullible people, and sometimes savvy ones, as they register for the site’s use.

Fortunately, there are State and Federal laws that help to discourage invasions of privacy online.  The Electronic Communications Privacy Act (ECPA) prohibits access to any computer absent proper authorization.  The Computer Fraud and Abuse Act (CFAA) makes it illegal to access any “protected computer without authorization, or exceeding authorized access.”  Then there is the CAN-SPAM Act.  This law requires all unsolicited commercial e-mail to provide an ability to opt-out.

Fortunately, most states now have data breach notification laws.  Companies that harbor the private information of individuals must notify them in the event of any breach of privacy.

We’ll continue in the coming days…


Now Playing:  Josh White sings Ballads – Blues; original 1957 pressing of this LP on Elektra.  Carver C-1; Carver M-500t; Thorens TD-125 w/ Shure v15v xMR.  Peerless in Jensen cabs.

September 30, 2012  4:30 PM

Data Breach and Legislation: What’s Coming Your Way?

David Scott


It’s rather interesting to monitor what’s happening in the UK right now. Data protection legislation is moving forward. And… business there supports data protection legislation.

A survey of 1200 businesses indicates that those businesses are concerned about the strength of laws: Nearly 50% feel that laws are weak and require revision, and 87% believe that organizations should be required to divulge breaches of sensitive content where information about the public is involved. [Source: Sophos].

Here in the U.S., I rather doubt business is keen on more legislative oversight. Generally speaking, I’m wary of new legislation – new laws must be thoroughly reviewed so as to guard against unintended – and negative – consequences, particularly where business is concerned. In today’s economy, we don’t want to impinge businesses’ opportunities for hearty conduct and growth.

However, I do like the breach notification idea. It serves a couple purposes that come readily to mind:

– Stakeholders (the public, customers, allied agencies…) are entitled to know about breaches that affect them, or ones that just have the potential to affect the general well-being of the business.

– Also, healthy exposure, and just that potential, help to motivate business in the currency of their ongoing security measures.

Particularly for small/medium business, and smaller government agencies such as those at county/municipality level: Do you have in-house security professionals who cast the horizon for new threats, with attendant posture of proactivity? And (or), do you have strong security partners in the form of vendors and allied security products?

How do readers here feel about it?  Would you welcome new legislation? Are you confident regarding security in your organization?

September 30, 2012  4:21 PM

Cyber-terror, Hacktivism, etc.: New thoughts on security for the modern organization

David Scott

The Washington Post recently reported that foreign hackers disabled a pump at an Illinois water plant last week, according to the preliminary state report.

If the source of the attack is confirmed as foreign, it will be the first known attack on a critical public (that is, societal) support:  That of water, power, communications, and other essentials such as policing and communications.

There have been many hacks and harming incidents of various scope and harm in years past, of course.  However, those were squarely within the realm of information’s availability or wellness:  Incidents involving theft of content, destruction/corruption of it, or the interruption of availability to it by harming websites and their availability.

But now, there are entirely new vulnerabilities faced by our government, and subsequently you and your organization.  Any org relies on the steady reliability of public infrastructures and enablements – and we’ve discussed those here in the past.  But what of more mundane, and perhaps likely, concerns for the average organization?

Threats are becoming more sophisticated, and in many cases eclipsing the status of security in even the most “sophisticated” environments (relatively speaking).  What your organization must do is to survey your entire “security bouquet” prior to something that is certain to happen:  Hacktivists, and just general miscreants, are going to shop for companies, agencies, and groups that they can “take down.”  It will be sport.  It will be an attempt to gain mention on the daily news cycle.

Why?  Because if people can do it, they generally will.

Begin with a review of your Acceptable Use Policy (AUP):  Make certain people in your organization are not opening security vulnerabilities.  Then review your Mobile Policy.  Folks shouldn’t be using work resources to spend time on nefarious sites, nor should they correspond with strangers – new “friends” – outside of any business context – using domain credentials, to include their simple work e-mail address.  If your org has a Bring Your Own Device (BYOD) Policy, ensure that it is updated to support the AUP, the MP, and all other security policies and documentation sets.

They also shouldn’t be posting comments to boards or articles with domain credentials – What is being done in the name of your domain? – that could bring the wrong kind of attention to your organization.  Further, when they are on legitimate sites, such as professional support forums, they should take care not to run afoul of Terms of Service elements, nor should they be argumentative or abusive:  There can be definite risk of recrimination from a forum member who decides to seek retribution by a “take-down” of some element of your domain.

Review all security policies, and establish a monthly or quarterly security refresher training.  All actions and activities should be viewed through security’s prism. 

Make everyone in the organization a virtual security officer.

September 30, 2012  4:15 PM

Internet Law: Contracts and Privacy – Pt. II

David Scott

[Read the first part of this series on Internet Law.]

Online Privacy

Whether we wish it or not, our lives are becoming ever more open, and the most intimate details of our personal lives are being made available in a very public way.  Apps capture and compile information about our likes and dislikes, our shopping habits, where we go and how, etc.

If you use social networking, such as the seemingly ubiquitous Facebook, it’s not just what you choose to share – it’s also what your friends post and discuss about you.  Even if you eschew social networking, we’re on store cams – smartcams – which include facial recognition on an increasing basis.  Even our property is not immune from a privacy intrusion of sorts:  Entities such as Google are photographing that, from cars and satellites no less.

Imagine this:  You’re walking through town, a smartphone at your waist – facing front.  It scans, captures and processes the faces streaming past you.  You not only capture who they are, their names, but where they live, and work.  You can know their interests, their professional associates and friends, as well as their educational and any criminal background.

Consider this:  It is thought that most under-30 police officers have Facebook pages.  Does this inhibit undercover police work?  What of the future?

Today, any person must recognize that online privacy is not a right, but a matter of contract.  So, recognize that online companies can collect and disseminate any information they can acquire – whether for commercial purposes or not – as long as their terms of use state that they can do so.

In the coming days, we’ll explore areas where a certain anonymity may be granted (and therefore an expectation of online privacy), and conditions whereby anonymity may be broken.  That is undergoing a bit of research on my part, and we’ll pick this “thread” back up in the coming days…

In the meantime, remember online privacy’s bottom line:  It is wholly dependent on any site’s terms of use.  If you have a concern, read and understand the terms of use.

September 27, 2012  11:20 AM

Internet Law: Contracts and Privacy – A Generation’s Development

David Scott

[Note:  These are my present understandings regarding specific areas of internet law; you will want to vet this material to your own satisfaction, and will also need to monitor this ever-changing environment.  – DS]

Many readers here will be aware of the internet’s beginnings:  From research and development of the early ‘60s by the Advanced Research Projects Agency, yielding the ARPAnet, on through the Department of Defense’s work, giving rise to the DARPAnet (check here if interested), we eventually arrived at today’s Internet.

By 1991, a limited internet was operating beyond governmental development, and serving a degree of academic user body, and that infrastructure evolved into the large widespread commercial use we see today.

In examining the period comprising the early 1990s onward and the Internet’s associated use, we can realize that Internet law has had a generation to develop.  Of particular interest to both individual users and business are National and International laws regulating the Internet’s use – here we’ll concentrate on two things:  1)  Online contracts and 2)  Privacy.

Online Contracts

Let’s examine perhaps the most fundamental, and universal, of online contracts first:  That of Terms of Use.  First, realize that merely visiting a website does not bind you in a contractual sense to that site’s terms of use.  Initially, a passive visit can activate certain terms of access.  For example, the site may state and employ the right to monitor your interaction with it.  The website may emplace cookies.  The site may display particular content that you, the site visitor, may or may not wish to see:  Graphic, or violent, images as example.  Another popular term of access is to disclaim any accuracy of information.  Be aware of what various terms of access can be, and what a “passive” visit to a site can entail (in other words, just because you haven’t clicked a box indicating some sort of awareness or agreement for the site’s use, it doesn’t mean that certain assumptions are not in place).

Anything beyond a passive look at a website can possibly bind the user contractually to the site’s terms of use.  For example:  Downloading content, or performing searches.  It is not necessary to click a box agreeing to terms.  No money need be exchanged, and indeed, no identification of you, the user, need be made by the site at the time.  Here, an interaction with the website constitutes the user’s “signature” to something called “intent-to-be-bound.”  The courts usually find such intent is fulfilled on the website’s and user’s part by a simple existence of a link to the site’s terms of use – so long as it is conspicuous.  Be aware that the user can even be a minor:  Contracts entered into by minors are not void; they are only voidable.  Be aware too that interaction will bind you to terms of use even if you do not read the terms, and whether you “click,” agree to, or otherwise acknowledge the terms – there only need be the aforementioned conspicuous link.

Changing Terms:  An important principle to understand:

Recognize that when you proceed after merely having had the opportunity to review terms of use, you are contractually bound by them; you may not have read them, you may not agree with them, and you may even be ignorant of the opportunity for review (perhaps you overlooked the link, or blatant text on a landing page – remember, it’s “the courts” that will determine “conspicuousness”).  But further, a new contractual paradigm is in play.  Online contracts can be changed, or wholly rewritten, and you can be bound to them.  This can happen at any time, and no notice is required to be given to the user.

How can this be so?  Contracts cannot be unilaterally rewritten – that is, one side of an agreeing set of parties cannot arbitrarily change agreed-to principles, standards, measurables, deliveries, definitions, etc., in the absence of negotiation and consent of the other side.  However, recognize this principle:  Courts have found that changed terms of use contracts are valid because such contracts are valid for a single visit.  Technically speaking, from a legal standpoint and in understanding your standing within the terms of use, you the user must check those terms each time you visit; either accepting the terms and proceeding, or rejecting them and discontinuing the visit and the site’s use.

A best practice endeavor here is for sites to display the date of the most recent Terms of Use, and to make prior versions available.  If you are engaged in deploying, maintaining, and updating websites – either your own, or on behalf of commercial and other organizations – consider a dated “Current Terms of Use” – with a prominent link to prior versions.

Hardcopy Contracts, Purchase Orders, Requests for Proposals (RFPs), etc.

Be aware of an emerging trend and practice:  Increasingly, organizations are issuing hard-copy form contracts and other similar documentation that do not have all terms and conditions printed on them.  Instead, they incorporate these by reference to the organization’s website.  The date of the hardcopy item, with associated signatures, determines which version of the posted terms and conditions applies.  Watch for this situation to supplant “fine print,” comprehensive, contracts and documents.  Hardcopy forms don’t have to be changed as often when “offloading” the details to a web reference.

This sort of “Hybrid” documentation has been challenged on the grounds that specific terms and conditions are not sufficiently conspicuous.  However, courts have already upheld the validity of these incorporations by reference; there only need be a clearly identified website in the document, and that website indicated as harboring the proper provisions.

Next Up:  Online Privacy.

September 25, 2012  1:59 PM

94 MILLION Personal Files Exposed: Sobering Statistics Regarding Data Breach

David Scott

According to security firm Rapid 7, approximately 94 million personal files of Americans have been exposed by government agencies since 2009 – those that we know about, that is.

There are likely even more, given the fact that many states do not require agencies to report breaches.

As to the Feds:  According to a recent Government Accounting Office (GAO) report, 18 of 24 surveyed Federal agencies had poor security controls, deemed not of sufficient standards for securing our personal information.

Private business has nothing to brag about either.  Breaches were up 58% in 2011 over 2010, and 2012 will beat last year.

None of this surprises me:  From a recent visit, I know for certain that a certain high-profile Fortune 100 firm simply does not enforce their policy requiring all users to log out of computer systems at end-of-day, or during extended absences from their desks/work areas.  It’s rather extraordinary:  People who are gone for the day remain logged in throughout the office, with a variety of proprietary, confidential, client, and personal information displayed.  So much for systems that employ individual and group securities, and associated access/enablements.  (Lest anyone wonder why automatic logouts are not employed, I wonder too). 

IdentityForce ™ estimates that 86% of data breaches are not IT-related (that is, due to faults within IT systems, processes, or protections), but rather are due to remises of policy and training. 

It has always been my view that matters of human error, and simple lack of care, are the better part of so-called “breaches” – and in those instances are better described as data exposures.  Regardless, organizations seem to be at increasing risk, rather than decreasing, for allowing sensitive data to reach the wrong parties. 

Is your organization at risk?  It’s time for a survey – even if you feel you’re fairly tight.  Survey your environment, and you can pretty much figure that your Acceptable Use, Security, and Disaster Recovery plans, policies and postures are due for modernization and updating. 

Then train your personnel for appropriate behaviors and contingencies…  essentially, today, everyone should be a virtual security officer…

Keep this important BTW tenet in mind:  In the realm of risk, unmanaged possibilities become probabilities.   

September 24, 2012  10:56 AM

Part II: When IT and Business Collaborate, Selling (and buying) is Key

David Scott

[If you haven’t read Part I, please see that post immediately below this one]

From Part I, our goal for the course of best business-IT outcomes is to gain the ready-agreement by both sides for fully sanctioned progressions, for delivery of best solutions, within best business and IT practices.  And, all of this must be done in service to best ROI, TCO and TtV considerations.  In getting to a best business-IT environment, an ability to sell will be key.  In achieving this, we can use the Engage; Qualify; Overcome; and Close model.  But first –

Most folks here are well-familiar with the concepts, and related goals, of best Returns-on-Investments (we want to maximize our returns [profits, efficiencies, reinvestments, etc.]), and Total Cost of Overhead (we want to drive those costs down as much as possible).  But what of TtV – Time to Value?

In the matter of TtV, we want to serve the present as efficiently as possible through the delivery of timely projects, with on-target solutions, that serve business, as well as IT goals.  Too, we want to plan our future effectively, with upcoming deliveries happening on-time – in fact, if we can get solving and serving things into place even faster than anticipated, so much the better. 

However, a qualifier here is that we do things efficiently, and as rapidly as possible, within all legal, ethical, and safety-consideration elements, at all times.  We also don’t want to stress people and projects in service to timelines and pressures that are unrealistic, or just too aggressive.  Given those cautions, TtV is very important, and should always be “collapsed” to the shortest time possible, with associated prudency.

So – business needs deliveries from IT; short and long-term:  Technical systems and enablements that grant effective conduct of business.

IT needs exposures from business stakeholders in order to deliver enabling things:  What does business want/need?  When?  How will we (IT) deliver that?  (What budget are we allowed?   Who from business is available to engage?) 

For both business and IT:  How do we negotiate changes?  How do we lobby for more resources?  How do we adjust budgets (either up or down)?  How do we lobby for time?  We “sell” – and get the other party to “buy.” 

Everything ultimately involves a sale. 

So – how to sell?  There are four basic steps:

1)      Engage:  Engagement in a business environment is formally achieved through meetings, both ad hoc and on schedules (such as regularized ones in service to any project’s general management, and others, such as Weekly Meetings, for example).  There are also many one-on-one meetings, whereby a business stakeholder or IT person simply schedules a meeting, or “drops by” to discuss an issue or initiative.  Engaging in a direct sense is not particularly challenging for readers here, but quality of engagement can be.  Remember to engage with positivity, from an informed and ready posture, and bring solid contributions for the advancement of the organization’s initiatives and business.

2)      Qualify:  When either business or IT engages, for purpose of advancing an idea or specific initiative, one side must qualify the other (in order to “sell” the other side on cooperation, in service to the goal).  Is the other side (party, group, individual, department, etc.) informed, or do we need to set fundamental understandings first?  Are they qualified to hear and digest what I want to present (and sell)?  If I’m asking them to make changes, to spec something up, to hold something back in prioritizing something else… are they able to do that?  Do they have decision authority, or will they have to seek approval up the line?  Qualify that.  Will they need additional budget?  Qualify that.  Can they ramp up – do they have the people, knowledge, and time to do it?  Qualify that.  Will they need to lobby their management chain for additional budget, or do they have power and sanctioning authority within their group to direct dollars to the considerations under discussion?  Qualify that.  Qualify, and thus know.

3)      Overcome:  Whether it’s business or IT speaking within their respective discipline (one IT group to another, for example), or across to the other (business stakeholders delivering requirements to IT, as another example) – the “buying” party (hopefully) may have objections.  “We can’t fund Initiative X this Quarter, because we have Initiative Y underway, and we’re experiencing cost overruns.”  Here, assuming a meritorious case for progressing, overcoming the objection may involve something like this – IT:  “Well, we have an extreme security vulnerability here; we need your department’s engagement in sewing this situation shut.  Can we lobby for more budget this Quarter?  We’ll help you to make the case with senior management.”  A business department might respond:  “Sure; let’s get all of the reasoning and documentation together; we’ll juggle priorities and get the necessary resources – obviously this is important.”

4)      Close:  Cement the agreements – the “buying” of the “sell” – by documenting all agreements and necessary actions.  Make assignments, and agree to deliveries, standards, and dates.  

Go into any business or IT discussion with a solid understanding of the process above.  Have ready answers in service to the model. 

Remember:  to engage with positivity, for positive pursuits and positive results.  Qualify the other side as being best positioned to receive your “pitch” upon that engagement.  Be prepared to face objections, so that you can cite your case in overcoming those objections, for purpose of getting on the necessary path for progression to the goal(s). 

Close the sale by securing and documenting all agreements, responsibilities, standards and deliveries.
