IT security in any realm involves logical security and physical security. Logical security is the integrity of data (content), the precision of associated processing, and the delivery of coherent, accurate content. In other words, data that reflects reality; data that does not mislead or distort various actuals by virtue of distortion or errors of input, process, and output.
Physical security is such things as locked doors on computer rooms. It’s the safety and surety of infrastructure; protection against overheating, for example. Physical security is often mundane; don’t set your coffee on a server, for example.
Mobile is especially vulnerable within the realm of physical security. Devices are constantly transported, their owners on the go, and they can be lost or stolen. Ensure that users report loss or theft immediately. Consider strong encryption, as any content on a lost or stolen device risks exposure.
As to logical security, determine whether users access organizational resources via a virtual-private-network (VPN), or the internet. Also, ensure strong malware protections are emplaced on devices.
In BYOD environments, that last is especially important: It’s hard to know where users will be surfing, and what manner of personal downloads will be transpiring. Regularized scanning for viruses, malware, and unauthorized intrusions is imperative.
In continuing our series, as companies consider mobile enablements, or an increase to a measure of already existing mobile dependency, there are a wide range of issues that must be addressed.
Recognize that a measure of user-initiated troubleshooting is imperative. Certainly as concerns formal mobile tools – that is, those owned and issued by the org – users should be capable of performing some measure of maintenance and troubleshooting on their own. As a backstop, the HelpDesk is available when problems exceed users’ capabilities, and/or when a mobile asset fails completely, and needs replacement by the dispatch of a new device to the field.
However, in the case of BYOD environments with personally-owned devices, users had better be well-versed in the use and troubleshooting of their own tools. If the modern org is investing significant business processing on users’ own devices, keep in mind that any HelpDesk or other help function can be significantly stretched: It’s one thing in days past where a HelpDesk and associated tech folks supported a defined, finite, set of technical assets, and was charged and trained by the org in the support of these devices.
It’s quite another thing to expect a HelpDesk to support an explosion of device types – to say nothing of users who acquire a new device without informing anyone; a device which may exceed the org’s capacity to support it via appropriate knowledge. Therefore, BYOD policy should plainly state that the authorization to utilize personally-owned devices includes the agreement that the user can support their own device, AND knows how to avail themselves of outside tech support from the vendor of their device. Either that, or a requirement to bring new devices to IT for assessment and approval, with corresponding charge to the HelpDesk to familiarize with the device. (Be certain, though, that IT-supported help does not violate Terms and Conditions of users’ devices from the manufacturer).
Get these understandings in order now. Consider the alternative: It’s one thing for a mobile-user to tell a friend, “Sorry I couldn’t reach you – my new SmartPhone was acting up.” It’s quite another to say, “Sorry about that late report, boss… my phone was messed up”… or a similar communication to a client.
Most organizations already have a schedule of regularized training – both for core, mission-critical applications as they undergo revision and update – and in accommodating new apps and business methods.
It’s the nature of the beast: These devices lend themselves to a certain “rounding” – abbreviations and the compacting of words that would never be tolerated through other means: the support of texting; IM’ing; “friending;” Twittering, etc.
Too, there is the ready “firing off” of communications without the appropriate distance (time) for review. Ensure that business communications remain… business-like. You should train for caution, and for adherence to that standard.
Also remember to train staff in troubleshooting measures. When important business is being conducted through mobile, device-unavailability can put a real crimp in operations. Oftentimes routine problems can be overcome with simple guidance. Users should be able to examine connectivity issues to include setups, the verification of account info such as user ID and password, and they should have ready-access to a support desk.
Business is on the move today: Users are long past the days when accessing the enterprise – that is, information resources such as apps, processing, and content – entailed sitting at a desk, inside the four walls of a business entity, with a desktop computer. (As a matter of fact, the aforementioned apps, processing and content may not even reside in the enterprise! The Cloud, Software as a Service (SaaS), Processing as a Service (PaaS), Infrastructure as a Service (IaaS) and so forth can make the virtual office a front-end/back-end constitution).
Just in terms of “moving about,” the venerable laptop computer, whether organization-owned or personal, began changing that. But today, “mobile” devices are generally considered to be those that can be held comfortably in one’s hand, or hands, while performing meaningful computing activities.
An explosion of mobile devices has made mobility not only possible – it’s downright necessary in many business realms. For example, many survey and certification endeavors, such as laboratory accreditation, are now conducted by inspectors utilizing mobile devices.
Whether a device is issued and maintained by the organization, or personally-owned, all manner of mobile assets are punching their way in: iPads, tablets, smartphones, personal data assistants (PDAs), and so on. If your organization is at the threshold of consideration and leverage of mobile, or if there is an informal migration to increasing use, there are some important factors that you must take into account – and we’ll explore those in the coming days.
One of the first gates the modern organization must navigate through is that of BYOD: Bring Your Own Device. We’ve discussed this in the past, and it’s whether the organization deems to grant access to enterprise apps, processing and data by personally-owned mobile devices. Ensure a robust BYOD policy if folks are to utilize their own assets (when possessing them). We’ll expose a robust template for a BYOD policy a bit later in the series; for now, recognize that TCO can be lowered considerably when capturing best use of personally-owned assets, as there is little to no capital expenditure in capturing the use of these existing devices. Just be sure to apply the same security considerations, and maintenance protocols, to this class of device (and associated users).
In Part II, we’ll dig into the advantages, challenges, and intelligent use of mobile devices – beginning with training.
A recent article I was reading stated that “the majority of the heavy lifting for IT management falls to the CIO and the IT team – the former to plan, the latter to execute.” (InfoWorld, Special Report, May 2012).
The rest of the content, and context, made clear that many decisions that are clearly business’s were mistakenly identified as IT’s.
In my experience, this is a fundamental mistake of view; it leads to mistakes in execution, and poor results. Let’s first take the CIO, and the “heavy lifting” of planning.
The heavy lifting of planning is a shared component: Between “Business” and “IT” (business stakeholders, and that aforementioned CIO, and various planning and project teams). In fact, business stakeholders had better engage, and have a major part of planning, along with IT’s business analysts, software engineers and programmers, and all the other collateral IT people who weigh in and contribute to projects (Network folks, HelpDesk, etc.). Business must mount a business-driven IT strategy – in service to itself. IT does not exist in a vacuum (even in a tech company – that is a business too, with an engaged and driving business component).
In fact, my book’s main argument is that IT serves at the pleasure of business. Something, i.e. business, must exist before IT can service, solve and support.
“Business” is defined simply as “the doing of the doing” (“busy-ness”) – whatever it is your organization does, be it Fortune 500® company, non-profit organization, government agency, or sole-proprietorship. In other words, for this post’s context, we’re not defining business as private enterprise, but whatever it is you do; this way, we can cover every organization, and everybody within.
This business-driven view, with subsequent strategy and effort, should be obvious – but in many realms it is not. (Refer to I.T. Wars: Managing the Business-Technology Weave in the New Millennium). I feel strongly enough about this that I branded a team – the Business Implementation Team (BIT), and stress that this team be comprised of top-talent business and IT folks for purpose of piloting the organization forward on best technical supports. It is essential.
This is a general roundtable (not a specific project-tethered team, for example) that surveys the horizon, the breaking developments, the new solutions – for evaluating and plotting the organization’s best directions, best destinations, and ultimate IT strategies, in service to the most efficient conduct of business.
Be wary of business leaders who disengage from IT planning. They may feel unqualified, and hide this by claiming that progressions are “IT’s business.” These business “leaders” don’t want to be seen as responsible if things go wrong. But how is IT to effectively plan and progress the org in the absence of business engagement? IT has the ticklish responsibility – for its own betterment – to force an engagement: But a willing partnership is best.
Establish a BIT team with talented business participants: business folks who are excited by technology’s prospects, and who are qualified to participate. First, explain the concept to business leaders who can sanction the team’s existence, and who have the power to place appropriate business folks at that planning table. Meet quarterly, semi-annually, or annually – whatever suits your org – and occasionally on an ad hoc basis.
Remember: The majority of the “heavy lifting” for IT management falls to business. Business must size and scope its IT team, being that IT doesn’t even exist until business exists. Business then must help to define IT’s direction, even as IT suggests and makes prudent exposures for new ideas, solutions and supports.
But to IT: Get strong documentation that business has sanctioned any particular path and end destination.
Hit the target – Craft the best business-IT relationship with a strong partnership between Business and IT, with agreed upon and fully sanctioned services, solutions, and supports. And in servicing the future – share the “heavy lifting” of planning. Institute a BIT team; if you have an equivalent, tune it and take care of it.
According to a recent survey by InfoWorld, approximately one in five “IT-enabled” workers access non-authorized websites, and the same number avail themselves of social networking. Employees also utilize “rogue” software, and engage in blogging; about 15% and 10% respectively.
Frankly, I believe all of these figures to be low.
The “Consumerization of IT” (CoIT) has led to the personal use of devices, apps, processing power, and large data stores formerly available (and affordable) only to large organizational environments. But today, users not only enjoy the familiarity and power of their own devices in the workplace (by virtue of BYOD sanction and policy), but are able to capture the power of consumer-oriented sites and services. Think: Self-provisioning; providing to one’s self whatever it is you think you need, from whatever source, in getting your job done and making your job more efficient.
Consider storage: Sites such as Box and DropBox make large data stores possible; wholly external to the enterprise environment. It’s important to build strong Acceptable Use and Security policies in determining whether these sites can be used, and if so, how, and for what sorts of data. IT and business leaders – and associated departments – need to evaluate free services for suitability. For example, Box has enterprise security features, as well as an API that allows integration to internal business solutions. Orgs today need to be careful that they not “reinvent the wheel” when free wheels exist for examination and potential use.
Social networks provide very powerful enablements: Marketing opportunities; job recruiting considerations; lead generation; the creation of intranet communities, and so forth.
Of course, software technologies are available: The organization has to create the discipline for what is allowed as either an adjunct to existing, internal, software – or what can be used in place of internally sanctioned solutions. Ensure that employees are schooled to ask before proceeding down any self-provisioning path. What of an employee who chooses to maintain contact information in the Cloud? Or critical documentation of customer agreements, communications, and support-triggers? Again, define everything allowed, disallowed, and partially sanctioned, by virtue of strong AU and Security policies.
Keep in mind the advantages: Self-provisioning technology has an enormous cost benefit to the organization, both in terms of BYOD and CoIT (the latter term actually encompasses the former, and is becoming a “catch-all”). The organization captures use of a pool of capital resources for which employees have paid; plus, employees have use of devices that they’re familiar with, largely like, and have already self-trained on. An area that any CoIT-enacting (/self-provisioning) org needs to explore is support to employees who use personal devices for sanctioned areas of work. Options for the org include paying some measure of monthly service charges for device use (reimbursement to phone plans for business calls, for example; a custom app could track minutes made against sanctioned phone numbers, as one idea). Orgs can also make partial payment for upgrades or maintenance to personal devices. Orgs also need to survey for unsanctioned apps and services and either 1) bar them, or 2) define and control their use.
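The “custom app that tracks minutes against sanctioned phone numbers” is sketched only as an idea above. Here is an added example of what such a tracker looks like in code; it is not the post’s own code. The call-log line format (`date number seconds`), the sanctioned-number list, the per-minute rate, and the assumption that carriers bill each started minute are all constructed for this illustration.

```python
"""Business-call reimbursement tracker for a personally owned phone.

Added example, not code from the original post. The log format, the
sanctioned numbers, the rate and the billing rule are constructed assumptions.
"""
import math
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple

# Constructed: numbers the org has sanctioned for business calls, digits only
# (country code included) so that dashes/spaces in the log do not matter.
SANCTIONED_NUMBERS = {"15550100", "15550199"}
RATE_PER_MINUTE = 0.05          # constructed reimbursement rate, dollars per minute
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")

def normalize(number: str) -> str:
    """Reduce '+1 555-0100' style input to digits only: '15550100'."""
    return re.sub(r"\D", "", number)

def parse_line(line: str) -> Optional[Tuple[str, str, int]]:
    """Parse one log line 'YYYY-MM-DD <number, may contain spaces> <seconds>'.
    Returns (date, normalized_number, seconds) or None for a malformed line,
    so a corrupted export does not abort the whole run."""
    parts = line.split()
    if len(parts) < 3:
        return None
    date, *number_parts, seconds = parts
    if not DATE_RE.fullmatch(date) or not seconds.isdigit():
        return None
    return date, normalize("".join(number_parts)), int(seconds)

def business_minutes(lines: Iterable[str]) -> Dict[str, int]:
    """Billed minutes per month (YYYY-MM) for calls to sanctioned numbers.
    Assumption: every started minute is billed, so seconds are rounded up."""
    totals: Dict[str, int] = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip malformed entries
        date, number, seconds = parsed
        if number not in SANCTIONED_NUMBERS:
            continue                      # personal call: never counted or stored
        totals[date[:7]] += math.ceil(seconds / 60)
    return dict(totals)

def reimbursement(minutes_by_month: Dict[str, int]) -> Dict[str, float]:
    """Dollar amount owed per month at the constructed rate."""
    return {m: round(mins * RATE_PER_MINUTE, 2) for m, mins in minutes_by_month.items()}

# Constructed sample export: four calls plus one garbled line.
SAMPLE_LOG = [
    "2012-05-03 +1 555-0100 185",   # sanctioned, 185 s -> 4 billed minutes
    "2012-05-04 +1 555-0123 600",   # personal number, ignored
    "2012-05-20 1 555-0199 61",     # sanctioned, 61 s -> 2 billed minutes
    "2012-06-02 +1 555-0100 59",    # sanctioned, 59 s -> 1 billed minute
    "corrupted line from export",   # malformed, skipped
]

if __name__ == "__main__":
    minutes = business_minutes(SAMPLE_LOG)
    for month, owed in reimbursement(minutes).items():
        print(f"{month}: {minutes[month]} business minutes, reimburse ${owed:.2f}")
```

Only calls to sanctioned numbers are aggregated, and personal numbers are never retained, which keeps the tracker from becoming an inventory of the employee’s private contacts.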
Keep this in mind: The ubiquity of personal devices, Cloud apps/services, social networking, large data repositories, and all manner of temptations – means that the organization has to document, document, and document what is allowed, and disallowed. And then?
Train, train, train – for this new environment, and the associated “allowables.” Train all incoming hires; train existing staff on a schedule (whether quarterly, semi-annually, or annually); and train by department when specific exigencies, challenges or changes apply. Install appropriate security and use considerations. Pair up with an appropriate vendor/solutions partner, or survey your existing ones for ability, to service the CoIT issue, and get this issue on your agenda. If you need a provider, I can recommend a few.
CoIT is the implementing of consumer technology to business – whether business has sanctioned any particular thing, whether it happens on an informal basis, or even in breach of policy in the form of work-arounds.
In gaining a full understanding of CoIT, it may be best to (1) review the phenomena of “Bring Your Own Device” (BYOD) practices, policies and issues, and then (2) discuss CoIT.
In recent years, organizations have begun capturing the ready population of consumer-oriented, personally-owned, mobile devices for business advantage. Organizations can affordably modify existing mobile apps for various personally/employee-owned devices and, of course, procure new apps – either off-the-shelf, or via their mobile apps provider.
The advantage is that there are no capital acquisition costs in procuring devices – they already exist in pockets, on belts, in purses, etc. There are, however, risks for any organization that builds significant operations and support on personal devices: The org does not own nor fully control them. There are issues of security, acceptable use, updates, loss prevention, and so forth. These are addressed in strong operational and BYOD policies – but some risk remains, of course.
But utilizing assets that are not under the direct control of the organization has been drifting into other areas: These areas comprise services such as storage, data management, and the easy acquisition/utilization of freeware, as well as commercial apps. Other areas include the use of social networking for all manner of enablements: aforementioned services as well as marketing opportunities, communications channels, and content provision/availability.
Overall, think: The Cloud.
This drift into, and pluck from, The Cloud has resulted in a “rain” of sorts – delivering all manner of enablements to the ground zero of the organization; where it conducts its business – in both a real and virtual sense. (As but one example: DropBox). Thus –
In Part II: We’ll identify CoIT challenges, examine ways to secure the environment in the face of these, and how to best manage things going forward.
Did you know that an inactive credit card can be breached, and have a charge applied to it? Neither did I, but it’s just recently happened. This is alarming for a couple reasons, but before speaking directly about Capital One, and their standards of maintaining credit card account security, I’d like to review a bit:
In the IT realm, whether we call it content, data, records, storage, personal info, or anything else, we’re speaking about information – anything that has the power to inform. And content, data, etc., has the power to inform the right people… and the wrong people.
Generally, we want to inform the right people by virtue of authorization paired with the need to know. We DON’T want to inform the wrong people – those who have no legitimate need, and who may have nefarious motives. We want a strong bar in place to prevent those sorts of folks from knowing any particular thing to which they are not authorized.
Whether IT or not, information security has always been of paramount importance: Access is everything. Even in centuries past, and on through today, information was and is protected and disseminated within standards, whether on stone tablet, parchment, tape, 8″ floppy discs, etc., and on through today’s e-mail, mobile media, social networking, the Cloud, and so forth.
So what happened at Capital One? Well, their standards are remiss, for one thing:
A customer received a statement with a bill for $6.99. The charge was processed from a company called Big Fish Games. There were a couple problems, though: This particular credit consumer did not make a purchase from Big Fish Games. Further, this person didn’t have a Capital One card, although he vaguely remembered that he might have had one once upon a time.
He called Capital One and found that:
1) He had had a credit card account, and card, in the past.
2) The account was paid in full.
3) The last payment, clearing the card’s balance, was made in April of 2009.
4) The card had been shredded; Capital One inactivated the card at that time. The consumer considered the card and account “gone,” “dead,” “buried,” etc.
However, as opposed to “dead,” this account was more like a zombie, rising to somehow process that fraudulent charge in July of this year. If you think about this from an IT perspective, it’s pretty incredible.
Consider what this means: Someone got hold of this person’s account information for an inactive credit card. They got a retail outlet to process a charge, and Capital One accepted that charge – even as the card remained in an Inactive status!
The customer care agents had no explanation, other than to assure the consumer that the charge was fraudulent, would be removed, and that the account would be (again) inactivated. (I’m not sure how you inactivate an inactive account. Maybe it can be placed on double-secret probation inactivation – with apologies to Animal House). They offered the issue of a new card. However, this consumer did not want a new card, and thus declined that. Can we blame him?
What is particularly bothersome is the failure of a simple flag… a bit in the right place… a “1” or a “0” would do the trick: Don’t process any incoming charges against this Inactive account.
I think Capital One has some work to do.
Why such a small charge? Well, fraudsters frequently try a small test charge against a breached account – if it goes through, a larger one follows. Or in some cases, particularly accounts that are paid with automatic online bill pay, a fraudster can run small monthly transactions for a good amount of time before they’re noticed by the cardholder.
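Two defensive controls follow from the story: the simple status flag the post says was missing (refuse any charge against an inactive account), and a detection pass for the small-probe and small-recurring patterns just described. The block below is an added example, not code from the post or from any card issuer; the account records, the transactions, and the thresholds (what counts as “small,” the 30-day window, the size ratio, the roughly monthly gap) are constructed for illustration.

```python
"""Authorization flag and small-charge detection, as an added example.

Not code from the original post or any issuer. Accounts, charges and all
thresholds below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

ACTIVE, INACTIVE = "active", "inactive"

@dataclass
class Account:
    account_id: str
    status: str             # ACTIVE or INACTIVE

@dataclass
class Charge:
    account_id: str
    merchant: str
    amount: float
    ts: datetime

def authorize(account: Account, charge: Charge) -> Tuple[bool, str]:
    """The missing 'bit in the right place': an inactive account accepts no
    incoming charge, whatever the merchant or amount. Returns (approved, reason)."""
    if account.status != ACTIVE:
        return False, f"account {account.account_id} is {account.status}; charge declined"
    if charge.amount <= 0:
        return False, "non-positive amount"
    return True, "approved"

def flag_test_charges(charges: Iterable[Charge],
                      small_amount: float = 10.00,
                      window: timedelta = timedelta(days=30),
                      ratio: float = 5.0) -> List[Tuple[str, str]]:
    """Post-hoc detection over a charge history. Two constructed heuristics:
    (1) a small charge followed within `window` by one at least `ratio` times
        larger, i.e. a probe that 'went through' and was followed up;
    (2) the same small amount from the same merchant recurring at roughly
        monthly gaps (25-35 days) three or more times.
    Returns (account_id, reason) alerts for a human to review."""
    by_account: Dict[str, List[Charge]] = defaultdict(list)
    for c in charges:
        by_account[c.account_id].append(c)
    alerts: List[Tuple[str, str]] = []
    for acct, cs in by_account.items():
        cs.sort(key=lambda c: c.ts)
        # Heuristic 1: small probe followed by a much larger charge.
        for i, probe in enumerate(cs):
            if probe.amount > small_amount:
                continue
            for later in cs[i + 1:]:
                if later.ts - probe.ts > window:
                    break
                if later.amount >= ratio * probe.amount:
                    alerts.append((acct, f"small charge {probe.amount:.2f} at {probe.merchant} "
                                         f"followed by {later.amount:.2f} at {later.merchant}"))
                    break
        # Heuristic 2: identical small amount, same merchant, monthly cadence.
        groups: Dict[Tuple[str, float], List[datetime]] = defaultdict(list)
        for c in cs:
            if c.amount <= small_amount:
                groups[(c.merchant, round(c.amount, 2))].append(c.ts)
        for (merchant, amount), times in groups.items():
            if len(times) < 3:
                continue
            gaps = [(b - a).days for a, b in zip(times, times[1:])]
            if all(25 <= g <= 35 for g in gaps):
                alerts.append((acct, f"recurring {amount:.2f} at {merchant} "
                                     f"every ~month ({len(times)} times)"))
    return alerts

# Constructed sample history. A1 is the shredded, inactive card from the post.
ACCOUNTS = {"A1": Account("A1", INACTIVE), "A2": Account("A2", ACTIVE),
            "A3": Account("A3", ACTIVE), "A4": Account("A4", ACTIVE)}
SAMPLE_CHARGES = [
    Charge("A2", "Merchant X", 1.00, datetime(2012, 7, 1)),     # probe
    Charge("A2", "Electronics", 450.00, datetime(2012, 7, 3)),  # follow-up
    Charge("A3", "Game Sub", 6.99, datetime(2012, 4, 5)),       # monthly drain
    Charge("A3", "Game Sub", 6.99, datetime(2012, 5, 5)),
    Charge("A3", "Game Sub", 6.99, datetime(2012, 6, 5)),
    Charge("A4", "Coffee", 8.00, datetime(2012, 7, 1)),         # ordinary use
    Charge("A4", "Coffee", 9.50, datetime(2012, 7, 10)),
]

if __name__ == "__main__":
    zombie = Charge("A1", "Big Fish Games", 6.99, datetime(2012, 7, 15))
    print(authorize(ACCOUNTS["A1"], zombie))
    for acct, reason in flag_test_charges(SAMPLE_CHARGES):
        print(acct, "->", reason)
```

The authorization check is the cheap control: it runs at charge time and needs only the account’s status. The detection pass is the backstop, run over history, and its thresholds would be tuned to a real portfolio rather than the constructed values here.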
Fortunately for this person, he does not engage in automatic online bill pay (a few liabilities there, but most folks appreciate the convenience, efficiency, and administrative benefits).
What lessons are here for us?
Remember: In the realm of risk, unmanaged possibilities become probabilities: View all business/IT activity through a security prism – and that includes personal business and, in this case, Capital One’s IT standing. For those of you who automate your bill payments online, be certain to check all accounts frequently.
NP: The Byrds – Untitled. Original vinyl LP.
Is your organization secure? I don’t mean from a content or access perspective: I mean, is it well-positioned for the future? Do the organization and visionaries make effective plans for secure transitions to new business models, allied enablements, products, services, and deliveries?
Anyone can stumble. Let’s consider a high-profile example: Kodak filed for Chapter 11 bankruptcy protection on January 19th. This, in spite of anticipating and trying to make adjustment from film to digital imaging. One has to ask: If a company like Kodak, with its deep financial and personnel resources, can stumble and go bankrupt, can the future impact my organization in a similar way? What is it that we need to be anticipating and doing… right now… in holding a “Kodak outcome” at bay?
Innovation expert Scott Anthony, author of The Little Black Book of Innovation says, “Even an insightful company can go wrong if it doesn’t push far enough, fast enough, into uncomfortable territory.”
And it’s with that realization that we come to the mobile revolution. The mobile revolution is any organization’s – yours – “film to digital” moment. Mobile devices, with ever more robust operating systems, increased processing capabilities, and higher storage capacities – are now able to run more applications and do ever-more sophisticated things. More applications are being developed, and delivering more productivity, all the time. And, custom apps can be fitted to your exact business models and methodologies. Think about it: The organization’s overall productivity enjoys an enormous boost when folks can access, process, and deliver from virtually anywhere – worldwide.
But it’s more than that…
Total Cost of Overhead (TCO) and Time to Value (TtV) are key components in any successful business. TCO needs to be driven down, in service to keeping expense under control, which serves profit. TtV needs to be speedy: Faster development and implementations aid TCO, and quick business enablements also begin serving faster returns on investments (ROI), again in service to profit. Even non-profit environments and government agencies need lower cost, efficient implementations, and best returns.
In view of all that, consider that many organizations are capturing the ready population of existing personal mobile devices that employees already own – they’re a free capital resource. Why buy expensive laptops, tablets, smartphones, iPads, etc., if there’s an existing mobile population already in hand in the form of personally owned assets? All that’s required is a strong Bring Your Own Device (BYOD) Policy, and associated Security Policy and training.
All that’s really left is to engage a mobile solutions provider that understands change, innovation, and the streaming present/future environment. A steady partnership with a mobile innovator will be in every organization’s future.
Today, any business has to ask itself: “What is my organization’s standing in the mobile revolution?”
Am I a “Kodak,” or am I innovating appropriately?
Two Types of Organizations – Where Are You?
For this article, let’s define “business” as “the doing of the doing” – whatever it is your organization does for delivery to the outside world. You may be a private enterprise, a non/not-for-profit, a government agency, a school, and so forth.
In today’s business environment, from the Weave perspective, there are two types of organizations. Simply put: those that understand how to manage business-technology endeavors, and those that do not.
In order for the IT leader to effectively manage – to maximize that department’s support to business – the organization as a whole must be able to effectively manage IT. It’s a partnership – but a partnership that Business manages.
A frequent complaint from IT leaders (and quite a few business leaders) translates as “my organization doesn’t understand technology.” The follow-on from Business is that systems are cumbersome, don’t deliver as expected, and that IT help is frequently ineffective. A parallel IT follow-on is that senior executives, directors and managers don’t understand IT, and many simply care not to. Within these circumstances, Business and IT fail to set an example, which means that staff fails to understand, or seek how to effectively use, the technology at their disposal. The result is that many organizations don’t understand technology’s true role in the organization, and our modern responsibility within that.
On one end of the extreme is the organization that thinks of IT as a sort of glorified computer repair. Plans and success for optimal alignment between business and technology suffer here, but so too does the day-to-day. In other words, people at all levels of the organization first and foremost think of IT as a place to call when their PC acts up. Theirs is a rather benign, naïve view of the technology lever – and therefore they don’t grab that lever and use it to maximum effect. The organization does not reap the best return on its technical supports and investments. In this realm too are those that resent technology – they have an adversarial relationship with it and the people who support it. At best is a view that technology is a necessary evil of sorts – there is a diminished and delayed engagement on the planning and execution of solutions, as this engagement is viewed as a difficult, unrewarding, endeavor.
Yet, powerful enablements within various software applications – core, mission-critical apps – go unexplored. Training only goes so far: Folks must maximize use of systems through Help functions and basic exploration, as apps packages have many features that are well within Acceptable Use policies, user-security standings, and within users’ capabilities for use.
At the other extreme is the organization that “gets it” – IT occupies a place at the organization’s planning table – there’s not a relevant business decision made without IT’s knowledge, and it’s recommendation. People respect technology’s interwoven contribution, and they value the professionals who work within this important core endeavor. In these environments, people poke, explore, suggest and expand systems’ capabilities. They are more likely to self-motivate in expanding their knowledge, and in contributing to the forward momentum of their organization’s Business-Technology Weave.
Most organizations fall somewhere in the middle. No matter where your organization falls, there is always room for improvement – and the first important key is to know where you are. You cannot get where you’re trying to go if you do not know where you’re starting from. Tell me how to get to Chicago. Tell me. You must first ask me, “From where are you departing?”
In the next day or so, we will explore a simple checklist for determining where your organization IS, (in terms of culture, business-technology acumen, protocols for planning, etc.) in order to effectively plan the subsequent “destinations” of projects and deliveries. We’ll examine various positionings for implementation of new products, new training, new security measures – in accommodating, and leading, the demands a changing world makes.
Knowing where you are – where you truly are – helps you to maneuver, and helps your organization as a whole in piloting its way forward to the ultimate destination: Success.
On this day (May 23): 1922 – “Daylight Saving Time” was debated in the first debate ever to be heard on radio, in Washington, DC.