IT says: Why can’t I get business folks to focus? Why don’t stakeholders engage? We don’t know what business wants. Business doesn’t know what it wants. (!)
Business folks say: Why doesn’t our IT department listen to us? Why is this project lagging so badly? Why didn’t my requirements make it into this “solution”? Why is this project costing so much?
In fact, as to that last: At the outset of projects it’s often difficult to set realistic budgets. Consider the simple business concerns: Controlling cost is important to any organization, so it’s not difficult to understand that appropriate budgets must be lobbied, argued for… sold. In other words, IT must sell business on the idea that a budget is spec’d appropriately, realistically. In turn, business is constantly selling to IT: We need this module; we need these modules to do this; no, we can’t modify this particular business routine in service to a budget ceiling… etc.
For either side of teams – Business vice IT – an important communication and collaboration mechanism is the ability to sell… and to do that, you have to know how to sell, and you have to know what selling is.
Selling is exposing someone, or groups of someones, to something they may need, or may want. The side doing the selling may know that the other side wants or needs something – and that other side may know it too, or may not. For example: Business often doesn’t know it needs a more robust security posture, and corresponding set of solutions (in service to a rapidly changing environment). Prying budget dollars in this circumstance can be difficult. It requires “selling” business on the notion that a change must be made, and that an investment is necessary.
Correspondingly, business must often “sell” IT on the idea that a revisit to proposed solutions is in order: a more robust budget is simply not available, and IT must apply imagination in reducing cost; Business may suggest – or demand – that IT shop around for more effective solutions partners, vendors, products, etc.
So – how to sell? There are four basic steps:
In Part II, we’ll take a look at this four-step process for selling. Our goal: Gaining the ready-agreement by both sides for fully sanctioned progressions, for delivery of best solutions, within best business and IT practices. And, all of this must be done in service to best ROI, TCO and TtV considerations. Stay tuned.
There’s seemingly no limit on time-wasting elements in today’s modern organization: Social networking; Twitter; idle web surfing; checking in on mobile devices; fooling with freeware, discussion groups, and on and on and… on…
What of that earliest electronic potential of a timewaster? E-mail.
A recent study and news release by the University of California, Irvine, has provided some interesting info. Employees who took a break from e-mail found that after 5 days, their stress went down, their productivity went up, and they had increased focus.
The study also found that in an environment lacking e-mail, workers switched windows less frequently – 18 times per hour, vs. 37 when e-mail was present.
The study made no mention if other “temptations” remained in the environment, such as those things mentioned in the first paragraph. (For those, you can consider limiting social networking, etc. to breaks and lunch, for example – unless those types of accounts are indigenous to your marketing efforts, and so forth. But get a handle on personal use of these things).
No matter how distracting e-mail might be, it ain’t goin’ nowhere. There are a few helpful suggestions, though. Productivity experts recommend against checking e-mail first thing in the morning. Rather, concentrate on priorities as listed in a To Do list. Some organizations are also having “e-mail vacations” – some specified time and measure during the day where workers are directed to stay out of e-mail, and to focus on work.
Of course, not everyone has the luxury of ignoring e-mail first think in their morning, nor can they do it during the day, either. Co-workers, clients, customers, etc., expect timely responses to e-mails. “We were having a vacation” isn’t going to sound too professional during the workday, now is it?
Organizations need to spell out guidance and expectations in strong Acceptable Use, Security, and Business Practices policies. For e-mail, just determine the general requirement for responses – if something isn’t marked “Urgent” or “High Importance,” then perhaps you can open it later – a quick perusal of Senders and Subjects in the morning will let you know if you can delay e-mail administration ‘till 10 or 11 a.m., and you can settle in with a cup of something, and tackle those reports, or even visit with someone in person to settle some nagging project questions. Get up and stretch those legs – a little physical relief goes a long way to reducing stress, and a simple walk across the office, or to another floor, can be refreshing.
Try to create a little balance, in other words. Remember that checking any account too frequently rather defeats the purpose of these enabling sorts of things – instead of being efficient, you’re wasting time and achieving a diminishing return. Check perhaps once an hour, instead of the constant “flip” to e-mail, social networking, discussion groups, etc. It’s tempting (I know), but not really necessary, unless you’re awaiting something urgent.
What are your thoughts?
IT security in any realm involves logical security and physical security. Logical security is the integrity of data (content), precision of associated processing, and the delivery of coherent, accurate, content. In other words, data that reflects reality; data that does not mislead or distort various actuals by virtue of distortion/errors of input, process, and output.
Physical security is such things as locked doors on computer rooms. It’s the safety and surety of infrastructure; protection against overheating, for example. Physical security is often mundane; don’t set your coffee on a server, for example.
Mobile is especially vulnerable within the realm of physical security. Devices are constantly transported, their owners on the go, and they can be lost or stolen. Ensure that users make immediate reportage of loss or theft. Consider strong encryption, as any content risks exposure.
As to logical security, determine whether users access organizational resources via a virtual-private-network (VPN), or the internet. Also, ensure strong malware protections are emplaced on devices.
In BYOD environments, that last is especially important: It’s hard to know where users will be surfing, and what manner of personal downloads will be transpiring. Regularized scanning for viruses, malware, and unauthorized intrusions is imperative.
In continuing our series, as companies consider mobile enablements, or an increase to a measure of already existing mobile dependency, there are a wide range of issues that must be addressed.
Recognize that a measure of user-initiated troubleshooting is imperative. Certainly as concerns formal mobile tools – that is, those owned and issued by the org – users should be capable of performing some measure of maintenance and troubleshooting on their own. As a backstop, the HelpDesk is available when problems exceed users’ capabilities, and/or when a mobile asset fails completely, and needs replacement by the dispatch of a new device to the field.
However, in the case of BYOD environments with personally-owned devices, users had better be well-versed in the use and troubleshooting of their own tools. If the modern org is investing significant business processing on users’ own devices, keep in mind that any HelpDesk or other help function can be significantly stretched: It’s one thing in days past where a HelpDesk and associated tech folks supported a defined, finite, set of technical assets, and was charged and trained by the org in the support of these devices.
It’s quite another thing to expect a HelpDesk to support an explosion of device types – to say nothing of users who acquire a new device without informing anyone; a device which may exceed the org’s capacity to support it via appropriate knowledge. Therefore, BYOD policy should plainly state that the authorization to utilize personally-owned devices includes the agreement that the user can support their own device, AND knows how to avail themselves of outside tech support from the vendor of their device. Either that, or a requirement to bring new devices to IT for assessment and approval, with corresponding charge to the HelpDesk to familiarize with the device. (Be certain, though, that IT-supported help does not violate Terms and Conditions of users’ devices from the manufacturer).
Get these understandings in order now. Consider the alternative: It’s one thing for a mobile-user to tell a friend, “Sorry I couldn’t reach you – my new SmartPhone was acting up.” It’s quite another to say, “Sorry about that late report, boss… my phone was messed up”… or a similar communication to a client.
Most organizations already have a schedule of regularized training – both for core, mission-critial, applications as they undergo revision and update – and in accommodating new apps and business methods.
It’s the nature of the beast: These devices lend themselves to a certain “rounding” – abbreviations and the compacting of words that would never be tolerated through other means: the support of texting; IM’ing; “friending;” Twittering, etc.
Too, there is the ready “firing off” of communications without the appropriate distance (time) for review. Ensure that business communications remain… business-like. You should train for caution, and for adherence to that standard.
Also remember to train staff in troubleshooting measures. When important business is being conducted through mobile, device-unavailability can put a real crimp in operations. Oftentimes routine problems can be overcome with simple guidance. Users should be able to examine connectivity issues to include setups, the verification of account info such as user ID and password, and they should have ready-access to a support desk.
Business is on the move today: Users are long past the days when accessing the enterprise – that is, information resources such as apps, processing, and content – entailed sitting at a desk, inside the four walls of a business entity, with a desktop computer. (As a matter of fact, the aforementioned apps, processing and content may not even reside in the enterprise! The Cloud, Software as a Service (SaaS), Processing as a Service (PaaS), Infrastructure as a Service (IaaS) and so forth can make the virtual office a front-end/back-end constitution).
Just in terms of “moving about,” the venerable laptop computer, whether organization-owned or personal, began changing that. But today, “mobile” devices are generally considered to be those that can be held comfortably in one’s hand, or hands, while performing meaningful computing activities.
An explosion of mobile devices has made mobility not only possible – it’s downright necessary in many business realms. For example, many survey and certification endeavors, such as laboratory accreditation, are now conducted by inspectors utilizing mobile devices.
Whether a device is issued and maintained by the organization, or personally-owned, all manner of mobile assets are punching their way in: iPads, tablets, smartphones, personal data assistants (PDAs), and so on. If your organization is at the threshold of consideration and leverage of mobile, or if there is an informal migration to increasing use, there are some important factors that you must take into account – and we’ll explore those in the coming days.
One of the first gates the modern organization must navigate through is that of BYOD: Bring Your Own Device. We’ve discussed this in the past, and it’s whether the organization deems to grant access to enterprise apps, processing and data by personally-owned mobile devices. Ensure a robust BYOD policy if folks are to utilize their own assets (when possessing them). We’ll expose a robust template for a BYOD policy a bit later in the series; for now, recognize that TCO can be lowered considerably when capturing best use of personally-owned assets, as there is little to no capital expenditure in capturing the use of these existing devices. Just be sure to apply the same security considerations, and maintenance protocols, to this class of device (and associated users).
In Part II, we’ll dig into the advantages, challenges, and intelligent use of mobile devices – beginning with training.
A recent article I was reading stated that “the majority of the heavy lifting for IT management falls to the CIO and the IT team – the former to plan, the latter to execute.” (InfoWorld, Special Report, May 2012).
The rest of the content, and context, made clear that many decisions that are clearly business’, we’re mistakenly identified as IT’s.
In my experience, this is a fundamental mistake of view; it leads to mistakes in execution, and poor results. Let’s first take the CIO, and the “heavy lifting” of planning.
The heavy lifting of planning is a shared component: Between “Business” and “IT” (business stakeholders, and that aforementioned CIO, and various planning and project teams). In fact, business stakeholders had better engage, and have a major part of planning, along with IT’s business analysts, software engineers and programmers, and all the other collateral IT people who weigh in and contribute to projects (Network folks, HelpDesk, etc.). Business must mount a business-driven IT strategy – in service to itself. IT does not exist in a vacuum (even in a tech company – that is a business too, with an engaged and driving business component).
In fact, my book’s main argument is that IT serves at the pleasure of business. Something, i.e. business, must exist before IT can service, solve and support.
“Business” is defined simply as “the doing of the doing” (“busy-ness”) – whatever it is your organization does, be it Fortune 500® company, non-profit organization, government agency, or sole-proprietorship. In other words, for this post’s context, we’re not defining business as private enterprise, but whatever it is you do; this way, we can cover every organization, and everybody within.
This business-driven view, with subsequent strategy and effort, should be obvious – but in many realms it is not. (Refer to I.T. Wars: Managing the Business-Technology Weave in the New Millennium). I feel strongly enough about this that I branded a team – the Business Implementation Team (BIT), and stress that this team be comprised of top-talent business and IT folks for purpose of piloting the organization forward on best technical supports. It is essential.
This is a general roundtable (not a specific project-tethered team, for example) that surveys the horizon, the breaking developments, the new solutions – for evaluating and plotting the organization’s best directions, best destinations, and ultimate IT strategies, in service to the most efficient conduct of business.
Be wary of business leaders who disengage from IT planning. They may feel unqualified, and hide this by claiming that progressions are “IT’s business.” These business “leaders” don’t want to be seen as responsible if things go wrong. But how is IT to effectively plan and progress the org in the absence of business engagement? IT has the ticklish responsibility – for it’s own betterment – to force an engagement: But a willing partnership is best.
Establish a BIT team with talented business participants: business folks who are excited by technology’s prospects, and who are qualified to participate. First, explain the concept to business leaders who can sanction the team’s existence, and who have the power to place appropriate business folks at that planning table. Meet quarterly, semi-annually, or annually – whatever suits your org – and occassionally on an ad hoc basis.
Remember: The majority of the “heavy lifting” for IT management falls to business. Business must size and scope it’s IT team, being that IT doesn’t even exist until business exists. Business then must help to define IT’s direction, even as IT suggests and makes prudent exposures for new ideas, solutions and supports.
But to IT: Get strong documentation that business has sanctioned any particular path and end destination.
Hit the target – Craft the best business-IT relationship with a strong partnership between Business and IT, with agreed upon and fully sanctioned services, solutions, and supports. And in servicing the future – share the “heavy lifting” of planning. Institute a BIT team; if you have an equivalent, tune it and take care of it.
[If you haven’t seen the first part of this article, please click here for Part I.]
According to a recent survey by InfoWorld, approximately one in five “IT-enabled” workers access non-authorized websites, and the same number avail themselves of social networking. Employees also utilize “rogue” software, and engage in blogging; about 15% and 10% respectively.
Frankly, I believe all of these figures to be low.
The “Consumerization of IT” (CoIT) has led to the personal use of devices, apps, processing power, and large data stores formerly available (and affordable) to large organizational environments. But today, users not only enjoy the familiarity and power of their own devices in the workplace (by virtue of BYOD sanction and policy), but are able to capture the power of consumer-oriented sites and services. Think: Self-provisioning; providing to one’s self whatever it is you think you need, from whatever source, in getting your job done and making your job more efficient.
Consider storage: Sites such as Box and DropBox make large data stores possible; wholly external to the enterprise environment. It’s important to build strong Acceptable Use and Security policies in determining whether these sites can be used, and if so, how, and for what sorts of data. IT and business leaders – and associated departments – need to evaluate free services for suitability. For example, Box has enterprise security features, as well as an API that allows integration to internal business solutions. Orgs today need to be careful that they not “reinvent the wheel” when free wheels exist for examination and potential use.
Social networks provide very powerful enablements: Marketing opportunities; job recruiting considerations; lead generation; the creation of intranet communities, and so forth.
Of course, software technologies are available: The organization has to create the discipline for what is allowed as either an adjunct to existing, internal, software – or what can be used in place of internally sanctioned solutions. Ensure that employees are schooled to ask before proceeding down any self-provisioning path. What of an employee who chooses to maintain contact information in the Cloud? Or critical documentation of customer agreements, communications, and support-triggers? Again, define everything allowed, disallowed, and partially sanctioned, by virtue of strong AU and Security policies.
Keep in mind the advantages: Self-provisioning technology has an enormous cost benefit to the organization, both in terms of BYOD and CoIT (the latter term actually encompasses the former, and is becoming a “catch-all”). The organization captures use of a pool of capital resources for which employees have paid; plus, employees have use of devices that they’re familiar with, largely like, and have already self-trained on. An area that any CoIT-enacting (/self-provisioning) org needs to explore is support to employees who use personal devices for sanctioned areas of work. Options for the org include paying some measure of monthly service charges for device use (reimbursement to phone plans for business calls, for example. A custom app could track minutes made against sanctioned phone numbers, as one idea). Orgs can also make partial payment for upgrades or maintenance to personal devices. Orgs also need to survey for unsanctioned apps and services and either 1) Bar them, or 2) Define adn control their use.
Keep this in mind: The ubiquity of personal devices, Cloud apps/services, social networking, large data repositories, and all manner of temptations – means that the organization has to document, document, and document what is allowed, and disallowed. And then?
Train, train, train – for this new environment, and the associated “allowables.” Train all incoming hires; train existing staff on a schedule (whether quarterly, semi-annually, or annually); and train by department when specific exigencies, challenges or changes apply. Install appropriate security and use considerations. Pair up with an appropriate vendor/solutions partner, or survey your existing ones for ability, to service the CoIT issue, and get this issue on your agenda. If you need a provider, I can recommend a few.
CoIT is the implementing of consumer technology to business – whether business has sanctioned any particular thing, whether it happens on an informal basis, or even in breach of policy in the form of work-arounds.
In gaining a full understanding of CoIT, it may be best to (1) review the phenomena of “Bring Your Own Device” (BYOD) practices, policies and issues, and then (2) discuss CoIT.
In recent years, organizations have begun capturing the ready population of consumer-oriented, personally-owned, mobile devices for business advantage. Organizations can affordably modify existing mobile apps for various personally/employee-owned devices and, of course, procure new apps – either off-the-shelf, or via their mobile apps provider.
The advantage is that there are no capital acquisition costs in procuring devices – they already exist in pockets, on belts, in purses, etc. There are, however, risks for any organization that builds significant operations and support on personal devices: The org does not own nor fully control them. There are issues of security, acceptable use, updates, loss prevention, and so forth. These are addressed in strong operational and BYOD policies – but some risk remains, of course.
But utilizing assets that are not under the direct control of the organization has been drifting into other areas: These areas comprise services such as storage, data management, and the easy acquisition/utilization of freeware, as well as commercial apps. Other areas include the use of social networking for all manner of enablements: aforementioned services as well as marketing opportunities, communications channels, and content provision/availability.
Overall, think: The Cloud.
This drift into, and pluck from, The Cloud has resulted in a “rain” of sorts – delivering all manner of enablements to the ground zero of the organization; where it conducts its business – in both a real and virtual sense. (As but one example: DropBox). Thus –
In Part II: We’ll identify CoIT challenges, examine ways to secure the environment in the face of these, and how to best manage things going forward.
Did you know that an inactive credit card can be breached, and have a charge applied to it? Neither did I, but it’s just recently happened. This is alarming for a couple reasons, but before speaking directly about Capital One, and their standards of maintaining credit card account security, I’d like to review a bit:
In the IT realm, whether we call it content, data, records, storage, personal info, or anything else, we’re speaking about information – anything that has the power to inform. And content, data, etc., has the power to inform the right people… and the wrong people.
Generally, we want to inform the right people by virtue of authorization paired with the need to know. We DON’T want to inform the wrong people – those who have no legitimate need, and who may have nefarious motives. We want a strong bar in place to prevent those sorts of folks from knowing any particular thing to which they are not authorized.
Whether IT or not, information security has always been of paramount importance: Access is everything. Even in centuries past, and on through today, information was and is protected and disseminated within standards, whether on stone tablet, parchment, tape, 8″ floppy discs, etc., and on through today’s e-mail, mobile media, social networking, the Cloud, and so forth.
So what happened at Capital One? Well, their standards are remiss, for one thing:
A customer received a statement with a bill for $6.99. The charge was processed from a company called Big Fish Games. There were a couple problems, though: This particular credit consumer did not make a purchase from Big Fish Games. Further, this person didn’t have a Capital One card, although he vaguely remembered that he might have had one once upon a time.
He called Capital One and found that:
1) He had had a credit card account, and card, in the past.
2) The account was paid in full.
3) The last payment, clearing the card’s balance, was made in April of 2009.
4) The card had been shredded; Capital One inactivated the card at that time. The consumer considered the card and account “gone,” “dead,” “buried,” etc.
However, as opposed to “dead,” this account was more like a zombie, rising to somehow process that fraudulent charge in July of this year. If you think about this from an IT perspective, it’s pretty incredible.
Consider what this means: Someone got hold of this person’s account information for an inactive credit card. They got a retail outlet to process a charge, and Capital One accepted that charge – even as the card remained in an Inactive status!
The customer care agents had no explanation, other than to assure the consumer that the charge was fraudulent, would be removed, and that the account would be (again) inactivated. (I’m not sure how you inactivate an inactive account. Maybe it can be placed on double-secret probation inactivation – with apologies to Animal House). They offered the issue of a new card. However, this consumer did not want a new card, and thus declined that. Can we blame him?
What is particularly bothersome is the failure of a simple flag… a bit in the right place… a “1” or a “0” would do the trick: Don’t process any incoming charges against this Inactive account.
I think Capital One has some work to do.
Why such a small charge? Well, fraudsters frequently try a small test charge against a breached account – if it goes through, a larger one follows. Or in some cases, particularly accounts that are paid with automatic online bill pay, a fraudster can run small monthly transactions for a good amount of time before they’re noticed by the cardholder.
Fortunately for this person, he does not engage in automatic online bill pay (a few liabilities there, but most folks appreciate the convenience, efficiency, and administrative benefits).
What lessons are here for us?
Remember: In the realm of risk, unmanaged possibilities become probabilities: View all business/IT activity through a security prism – and that includes personal business and, in this case, Capital One’s IT standing. For those of you who automate your bill payments online, be certain to check all accounts frequently.
NP: The Byrds – Untitled. Original vinyl LP.