September 2, 2011 11:07 AM
Posted by: David Scott
Tags: 35 million users hacked, business breach, computer hack, IT breach, multiple accounts, personal information, security breach, SK Communications
In thinking about today’s post, I wondered if the title was a bit of hyperbole. Upon reflection, I don’t think so.
Consider: How many people use the same User ID and password for multiple accounts? Many, many people do – and this practice bleeds across personal (social) and professional accounts to a very dangerous degree. Consider too: One hack should not have the potential to daisy-chain and wreak havoc through multiple domains and accounts, by virtue of simple clues granted in one account’s initial breach.
The reason I got to thinking: There’s no shortage of security breaches and leaks, as indicated by the Privacy Rights Clearinghouse’s Chronology of Data Breaches . But I also happened to be reading an international news story: Back in July, SK Communications Company of Korea reported that the personal information of its 35 million users had been hacked.
In a statement, SK said, “The specific scale of the hacking is still being investigated, but it is estimated that some of the personal information of 35 million Nate and Cyworld members have been leaked.” Nate is South Korea’s third-most popular search engine. Cyworld is the country’s largest social networking site; with 25 million users, it accounts for half of the country’s population.
The Biggest Security “Hole”? By virtue of SK’s recent breach, and just a general peek at the Chronology, consider again carefully: How many people – in any country – use the same user ID and password for multiple sites? How many people have the same authenticating credentials for multiple personal accounts… and sensitive work accounts?…
Answer: Too many. Ok, that’s not a very empirical, scientific report. But I just did a survey of people around me, and… most people have a measure of the same credentials for all sorts of environments.
It could be worse – and it is: What does this mean? This means that if one site is hacked, and credentials are stolen… other information that may point to other sensitive accounts can lead the hackers to those accounts, and they can spin your credentials through all of them. Consider accounts such as: Banks, mortgage companies, work, professional associations, schools, and on, and on, and on…
For the professional business and IT audience: Make it a part of your Security Policy, and any other relevant policies and forums (such as user orientations, quarterly security refresher training, etc.) that user ID(s) and password(s) for business systems must be unique, separate, and apart, from all personal user IDs and passwords. Even security questions and answers should be unique, and used only for the specific work environment.
For the individual: I strongly urge you to consider separate and unique authenticating credentials for personal accounts such as Facebook, MySpace, YouTube, dating sites, and so on – and further, your bank(s) and other related accounts of high sensitivity – whatever you have and wherever you’re involved.
Again: One hack should not have the potential to daisy-chain and wreak havoc through your entire life’s online and subsequent real world existence.
Think about it – and act.
On this day (September 2nd): In 1930, the first non-stop airplane flight from Europe to the US was completed in 37 hours.
September 1, 2011 1:10 PM
Posted by: David Scott
Tags: acceptable use policy, acceptable use training, best business practice, best employee practice, business vulnerabilities, business vulnerability, computer security, computer use, computer vulnerabilities, computer vulnerability, content management, content management policy, content management training, employee handbook, human resources, security policy, security training, workplace compliance, workplace policies, workplace policy
I was speaking with a colleague and friend yesterday. He’s just left an organization in the outlying Washington, DC Metro area for a larger one directly downtown.
My friend is about as savvy as they come regarding computer use, online peril, and so-called netiquette. But surprisingly, he doesn’t know what the Acceptable Use policy is at his new organization, or if they even have one.
He did know the situation at his former place of business: They most definitely didn’t have one. The place was a mess in terms of Content Management, Acceptable use, Security, and other formalizations, expectations, and just simple courtesies of informing workers about standards, adherence, and expectations.
But this new place is supposedly a little more refined, larger, has a bit of longevity, and certainly should know better than to be remiss about standard policies – to say nothing of a prudent survey for budding challenges and timely considerations of those – in establishing and evolving policies in match.
I don’t know about you, but I like knowing what’s allowed, and what’s not, and I like remaining squarely within best practices and operational principles in not only leveraging systems and access to best business outcomes, but also leveraging that for best protections. Call it general business surety.
The overwhelming majority of people (at least in this readership) want to do the right thing. People are interested in:
1. Remaining outside the sphere of trouble.
2. Upholding and bolstering their organization’s reputation through solid contributions and deliveries.
3. Remaining within safe and sure business, and allied technical operations.
Organizations, for their part, must perform due diligence for states of security – inside and out – and keep policies up to date. Any workforce is entitled to know its organization’s stance regarding threats and protections, and the position of those to the organization’s vulnerabilities. They then must be made aware of the subsequent bouquet of policies, procedures, schedule of training, and pro-active notifications – all in service of thwarting threats.
Businesses should have their IT department survey what other organizations are doing: orgs of similar size; in your market; in your geographic area. It’s a start. Begin to determine what low-cost/no-cost protections can be mounted inside, by institution of appropriate behaviors and practices. Then, forecast (budget) what protections need to be mounted through the help of solutions-providers… vendors.
If you don’t have budget presently, at least get the markers on a 5-year plan or something similar. Whether you’re on the “business” side or “IT” side of the equation, you can also write tangential position papers regarding the challenges streaming in from the future, with the matching answers to them.
But whatever you do – don’t remain vulnerable. Be fully informed, reasoned, and straightforward in making any gaps and concerns known.
On this day (Sep. 1st): In 1858, the first transatlantic cable failed after less than one month. If at first you don’t succeed…
August 27, 2011 9:31 AM
Posted by: David Scott
Tags: IT budget, project management, project planning, unexpected business results, unexpected IT results
There’s a number of first-time readers joining the group, so I want to preface today’s post by saying it’s a bit of frivolity – it’s Saturday, after all. (Click here for all articles, and scroll for those that may interest you).
But as to today’s post: I had an interesting, totally unexpected, situation while discussing needs with a client on the phone the other day. I was in my home office discussing the theme of a needed white paper, the nature of the intended audience, and so on. Our mobile call began to break up, and so I asked my client to hold for a moment while I transferred outside.
I took my laptop and phone to my deck, and sat down at an outdoor table. It’s one of those with an umbrella in the middle. I cranked the umbrella open, sat down, and resumed my conversation with the client while typing notes.
Suddenly, a bat flew into my face, abruptly turning and flying past my head. It had been overnighting under the closed umbrella in the folds. I had abruptly opened its “bed,” and rudely disturbed its rest…
Amazingly, I resisted the temptation to blurt, “Yikes! A bat just flew into my face!” – or worse. I remained focused, continuing to converse, make and take suggestions, and type notes. Meanwhile, the bat wasn’t about to give up – it kept flying back under its roost – landing on the spokes of the umbrella, or hanging off the cloth, and then flying back out, about, and back in. For some reason, its preferred path remained in the vicinity of my face and head. Soon, a complicating factor arose (don’t they always?)…
My cat Rex jumped up on the table and began batting and leaping at the flying bat… inches from my laptop, but more importantly, near my morning-lifeline: My coffee.
Did I lose focus? No. I remained calm, level-headed, and contributed and captured for the day’s deliverable (but did protect my coffee). Eventually, the bat flew off. Rex turned his attention to other pursuits, and the client and I wrapped the call. The client was none the wiser for what had just transpired, although it doesn’t really matter (he may read about the episode here, I imagine).
But the unusual confluence of events reminded me about something very important: It served as a reminder to “expect the unexpected” – to get out of your comfortable box, to survey your environment with some imaginative views: Employ some “What If?”s and “What Would We Do?”s. It doesn’t have to be a big consumption of time, but get off the beaten path of the day-to-day and near-term project focus and be certain you’re on a responsible forward edge for evolving threats and challenges.
It doesn’t have to be a consideration for possible bat infestation (unless it’s concerning co-workers’ belfries), but remember this: No organization ever went into a project expecting overruns. No one plays for a breach. No one wants to hobble business with poor-fit solutions.
Things happen all the time.
Interweave business and technology: It’s a culture that yields immediate benefits, spreading an “umbrella” of protection and influence over the environment. You won’t have many unexpected moments and situations. But – when you do, be sure to have an agility in place: People who remain calm while having the reflexes to act quickly, with appropriate knowledge, with appropriate ability, with appropriate scale and placement of effort – within sanctioned authority. Define these things, hire according to spec, hammer out plans in match not only to actuals, but also to the “bats” of contingencies.
Craft an efficient, effective, business-technology weave – and maintain it.
As to my bats (there are now three), I rather like them. They probably just like the view:
NP: Who’s Got Rhythm, Gerry Mulligan/Ben Webster, jazz24.org
August 23, 2011 12:47 PM
Posted by: David Scott
Tags: data breach, data hack, data theft, hacking attempt, hacking group anonymous, IT security, rural law attacked by anonymous, rural law enforcement
I frequently encounter organizations that have a, shall we say, rather naïve view of security.
Often, their position is some measure of: “No one but our [customers/clients/constituency, etc.] knows about us, and they’re certainly not going to harm us.”
Another refrain is: “We’re small; under the radar for the moment. Sure, we’re evaluating better security… we’re going to get to that…”.
And then there are the orgs that think they’re already “water-tight” – until the flood of bad results pour in from a breach.
We spoke of the hacking group Anonymous a few days ago. Now it seems that this group has hacked into approximately 70 rural U.S. law enforcement websites, taking information regarding investigations and posting it to the internet, as well as tips from the public, e-mails from officers and, rather amazingly, credit card numbers.
In a statement by Anonymous, this theft of data – to the tune of 10 gigabytes – was in retaliation for the arrest of sympathizers in the U.S. and Great Britain. They further stated their leak was “a massive amount of confidential information that is sure to discredit and incriminate police officers across the U.S.” and that this would “demonstrate the inherently corrupt nature of law enforcement using their own words” to “disrupt and sabotage their ability to communicate and terrorize communities.”
Ah – sort of a public service, eh? But what do we take away here in the Biz-IT community?
We take this: This isn’t an attack on the NYPD, the LAPD, the CPD (Chicago). This is theft from rural areas in places such as Arkansas, Kansas, Louisiana, Missouri and Mississippi. Thus, mischief makers and individuals and groups with chips on their shoulders will look for soft targets: the naïve, the ignorant, and… after this… the unwise.
One of the chief difficulties in putting off security evaluations and initiatives is that it becomes difficult, expensive, and consuming (of resources such as $$, time, and people) when you finally get around to tackling it. And that’s a significant enough rub, assuming you don’t have a breach or loss. It’s like you’re standing at the base of a cliff, looking to scale a challenge all at once, with immediate need for egress to the top.
If your security initiative is paired with a recent breach, and an “Oh sh… sh… should we tackle security now?”-moment, then it’s all the more difficult. You’re facing the fire of fallout, more potential breach, and you have to mount and complete initiatives in a rush.
Make no assumptions: not about outside threat, your risk about being targeted (or found), nor about what “invitations” your staff may be making in terms of their outreaches to nefarious domains and entities: Whether intentional, accidental, or through ignorance. Survey security now: Inside and out (in terms of products and protections that are available). If you’re comfortable with your security initiatives, survey the market anyway. Survey what other organizations are doing that are in your domain, your market, that are your size with similar budgets.
When security is managed as an ongoing initiative, with monthly or quarterly assessments (as well as ad hoc ones based on exigencies – let’s not forget that), paired with the annual review of all states of business and IT, we find that we have something very important:
We have a manageable, affordable, and protecting forward-posture as regards the overall state of security.
NP: Skoshuss, Bluesiana, jazz24.org
August 20, 2011 11:42 AM
Posted by: David Scott
Tags: anonymous hacking group, business theft, data theft, gmail hacked, hackers anonymous, personal information, security breach, sensitive information, vanguard defense industries
Oh, the irony. Vanguard Defense Industries (VDI) was hacked by the hacking group Anonymous.
I don’t mean to sound too critical, or unsympathetic. After all, if an industry with the word “defense” in its very corporate name and charter can be breached… what hope is there for the rest of us?
And yet, what the heck? (I resisted the temptation to say “What the hack?”). Don’t we have to persevere in the belief that true progressions, true protections, and ultimate measures of true security can, will and do trump threats and potentials of breach? The short answer is: Yes.
Things have to fall one way or another – with the simple strength of a push. Organizations need to be constantly pushing security… lest a breach pushes itself into and onto you. What does this “push” really mean?
It means being vigilant with a proactivity and focus that extends to the horizon – and beyond. You must survey the current risks that are out there, survey for ones that are developing, and survey for those rumored to be developing. You then must pair this awareness, vigilance and survey with your present environment: Bring necessary security solutions and practices to its supports, its protections, its plans, its projected progressions. View everything through a security prism.
In the case of Vanguard, a top official had his e-mail account broken into. Messages were stolen from the Senior Vice President’s account. According to Anonymous’ own statement, 1 gigabyte of data was stolen, comprising personal information (never good), meeting notes and worse: Purportedly taken too were counterterrorism documents marked “law enforcement sensitive” and “for official use only.” Internal meeting notes were also breached.
Here is the real payout to us, here in the IT and business community: The e-mails were stolen from the Senior VP’s private Gmail account. Wow. Here are the questions that are raised:
1. Is Gmail an authorized, sanctioned, mail system – endorsed by Vanguard Defense Industries for internal and external use?
2. If so, what is VDI’s guidance for what levels of information can be transmitted and stored in a system that is outside the direct scope and control of VDI’s security standards and measures?
3. What are Gmail’s own standards of security? Do they match and/or exceed those of VDI? Or are they considerably lower?
4. Regardless of present standards, what guarantees can Gmail offer regarding continuity of security over time; such as a prudent forward progression as threats evolve and increase? We all know wonderful companies and products of yesteryear that failed to grow with the times…
5. Will outside standards remain high in the face of business challenges, such as any budget constraints, and competing avenues of attention/progression such as new online products and features?
The lesson for business and IT in general? Survey and find out immediately, if you don’t presently know, what your staff is doing via free and ready services. Things such as Gmail, Facebook, message boards, Comments areas in news lists – etc. Update Acceptable Use policies, Content Management policies, Security policies… Define what is permissible. Define what is impermissible (not allowed, unauthorized, forbidden, to be avoided, etc.). However –
When defining the “Impermissible,” be certain to include specifics, but also include a caveat that it is not meant as a comprehensive list of specifics. Specify that, due to evolving and new products and avenues of breach, all general areas are included. For example, you can bar Facebook, MySpace, and others’ use at work; but also indicate that social networking in general is not allowed. That way, as new SN sites bloom, they are covered. You can also grant conditional access: A particular project or group may benefit through access, which can be qualified by training and best use. Departments may need access – those that don’t require it, don’t allow it. This is business – nothing personal.
Recognize that even senior-most staff represent security liabilities if they are under-educated regarding modern and evolving perils. Whether you’re a CXO (CIO, CTO, CFO, etc.), Senior Vice President, President, Director, Manager, Supervisor, staff person or temporary hire – make certain you know areas of risk, and best protections – you must set the example.
Further, if you’re a leader, get the right people on the solutions and protections and the related currencies and advancements.
Further still: Get the right security training and awareness in place for staff.
Stay safe out there…
On this day (August 20th): In 1896, the dial telephone was patented.
August 17, 2011 11:08 AM
Posted by: David Scott
Let’s look at a common mistake on IT’s part. How many organizations have a requirement for “centralized” data, yet have full knowledge that users – the business community – are storing data on local (c:) computer drives? It matters not whether you have server virtualization, or if you harbor your own physical server(s).
In fact, it doesn’t even matter if you have virtualized desktops. If your users are storing data in the wrong virtual space, it’s in the wrong place!
Even some of the most sophisticated organizations, and the most tightly controlled enterprise environments, have this condition. This goes on even in organizations where it violates a document retention and content management policy – policies that are often imposed by outside regulatory agencies, or client bodies. Yet, if business members and leaders insist that it’s a necessary “work-around,” IT frequently goes along.
Conversely, business often assumes that policies are being adhered to, even as IT lets the environment go slack. This is a major mistake on IT’s part. Let’s leave the document retention/content management considerations aside for the moment, other than to state the obvious: If business leaders and various-level users are running reports on what they believe to be a coherent data-store, in the absence of critical data that is harbored in unapproved and unrecognized repositories, then report content can never be accurate and true. Business decisions can be weighted according to false criteria, and a true measure of any situation cannot be made. Today, let’s look at the situation from a simple backup and recovery standpoint – certainly an important enough area to highlight perils.
IT’s position in any organization should be that all data is secure: accessible according to authorization; safely and securely maintained in the technical environment; recoverable in the case of loss in the production environment through any reason (corruption, human error). Too often, especially in SMB environments, users are responsible for backing up their own local drives. This is wrong. If there is genuine business data that is not coming under the umbrella of IT’s backup domain, then that is a wrong situation and you cannot profess to have complete security. You are at risk.
You can hash out in a business-IT management team as to how to expose peripheral data, and how to manage it, secure it and back it up – at a minimum you must document exceptions to policy and put them on record. Ideally and in accordance with best practice, you’ll want to “centralize” data (whether actually or virtually) and put it squarely in the realm of IT’s secure and sure backup process. Many important caches and swaths of data have been lost by organizations because the central, qualified, authority for the safekeeping of data (IT) was unaware of it. There was no central authority guaranteeing its safekeeping under these circumstances.
Let’s look at one more area where IT is frequently remiss. Organizations overall are responsible for anything and everything that happens within: We see where large judgments have been made in favor of employee plaintiffs with complaints regarding offense and damages over electronic content containing porn, offensive jokes, inflammatory material based on race, etc., illegal advocacy, and other inappropriate content. Here, we’re speaking of content that has long been defined as this kind of liability by courts. Remember too that just because some content may be “legal” in the broader sense, it can still violate your organization’s best interest: Perhaps its internal policies, and those of clients and allied organizations.
Consider too: Should your organization’s data be subpoenaed, you wouldn’t want negative characterizations of business partners or critical evaluations of members made public, for example. Most organizations have policies to guard against inappropriate use of business resources and to explain the consequences of harboring improper content, but many don’t adequately reinforce, refresh, or train to the policy. Further, it’s apparent that a lot of IT departments haven’t picked up their responsibility, or perceived their own liability, in this area.
IT: Take care of business – and take care of business – if you know what I mean. ;^)
NP: Feeling Good, Gerry Mulligan, jazz24.org
August 16, 2011 10:58 AM
Posted by: David Scott
Tags: best business practice, best IT practice, business and IT, business deficit, business qualification, business training, IT deficit, IT qualification, IT training
Ok, it’s really only Part IV. I promise, this is the last part of this series. (We’ll follow on with a quick “IT Deficit” article – just to be fair – in the next days. Also, please see Parts I, II, and III, below, if you haven’t already).
But this is very important, especially for SMB: How many IT departments are producing reports from end-user applications that should be produced by someone in the business element? How many IT departments are orienting incoming hires for entrenched business software – the specific use of which is better explained by someone that is in the business department making the hire? (IT can concentrate on security orientations). How many IT departments are breaking out, coding and tracking mobile connectivity charges for business? Aren’t those an administrative duty better performed by someone in Finance or the actual departments? I’ve seen all of the above, and have set a number of organizations on a more efficient footing…
In other words, look for situations where “filing cabinets” have been delivered, but where the duty of “filing” is not being effectively picked up out in the business arena. Making effective use of technology is a profit-enhancing lever, and the user community needs to “file” effectively. Do what is necessary: deliver training, place the expectation, and let Business set up and run their “filing cabinets.” This frees IT to fulfill its obligations in other rapidly expanding arenas – Security, to name one. Content Management to name another. Planning and fulfillment on future, accelerating, business and technical requirements to name more. Let’s look at one additional example on the Business side of the equation before we look at some IT challenges.
A Business Deficit
Recently, a business director approached to introduce himself to me. After his name, his very first words were “I’m ‘computer-illiterate’.” He went on to explain that he would be IT’s “best customer” because he required frequent help. He joked of being proud on mornings when he could just remember how to turn his computer on. He had a smile on his face, and he most likely thought that his confessed ignorance would be seen as a friendly, non-threatening, sign. But, it was dismaying – as his ‘illiteracy’ turned out to be true.
He was also positioned critically; his department relied on external technical subscription services and critical agreements with solutions partners in forwarding the organization’s business. Working with this person, although he was nice enough, presented difficulties. So, how is it that, in this new millennium, a person of otherwise high standing still has a comfort level in divulging ignorance regarding Information Technology matters? For one thing, he possessed power: He was a C-level executive. But in this day and age, this ignorance is an extreme limitation for any organization, regarding any job or position.
Thought of another way: Suppose you approach your CFO – you’re new to the organization. You’re a department head, a business leader, someone who is expected to set an example – a manager, director, or even a VP. You smile and make a confession: “I sure hope I don’t have to prepare or balance any budgets around here – I’m ‘financially-illiterate!’ In fact, I can’t even balance my own checkbook! Numbers just aren’t my thing.”
Every organization’s managers are required to maintain budgets and to know how to manage them. Presumably they are hired with some basic skills: knowing how to add and subtract, and having some common understandings of basic budgets and the required accounting principles. Just because a staff member doesn’t work in Finance & Accounting doesn’t mean they’ll never have to perform some nuts-and-bolts finance and accounting. Likewise, it is not too much to expect that managers and users have some basic computer skills, and specifically, some close-fit skills regarding the organization’s specific applications and tools.
That expectation is quickly morphing into the outright need that these people understand and promote their own use of technology in its relation to the business. After all, most people who enter an organization that has a Business-Technology Weave are the sort of people who have computers at home, or have used them in school. No one is allowed to get away with “computer-illiteracy” any more, or even a stagnant appreciation of technology. Your organizational culture must evolve to one whereby users and managers are imaginative thinkers when it comes to using and growing the organization’s use of technology. They should employ the same imagination and judgment when partnering on the use and plan of technology that they use when partnering with Finance on the organization’s budget.
Most of you are there; but I imagine we’ve all dealt with laggards at various strata of the org. HR needs to sanction and enforce the appropriate expectations for training and all persons’ modern qualifications for occupancy in The Weave.
NP: Who’s Got Rhythm, Gerry Mulligan/Ben Webster, jazz24.org
August 15, 2011 12:16 PM
Posted by: David Scott
Tags: accounting systems, computer accounting systems, Finance & Accounting, Finance and Accounting, finance and IT, finance codes, finance systems, financial and accounting systems
Please see Pt. I and Pt. II if necessary.
Remember our discussion about finance codes, and IT’s maintenance of them? This example served to show IT’s “ownership” of the codes creation – as opposed to positing this responsibility in the business arena.
I once observed a broken process in this very arena; as an issue in the project management context. A project manager’s duty, of many, was to bump along an Expositions Director’s (the Expo department’s) creation of finance codes – an important task supporting a project: The implementation of a new association management system (AMS). The Expositions department was the task’s owner: The action of creating the codes was that department’s responsibility, with a shared component. That was creating them in compliance with the Finance department’s oversight of all finance codes.
However, there was a lag in the code creation, due to the Expositions Director’s insistence that this was IT’s responsibility. But IT is not the generator of the codes. Nor does IT maintain them – or use them. (IT has, and uses, its own department codes – but shouldn’t maintain – nor use! – others’).
The syntax and format of the codes is defined largely by Finance. Further, the Expo Department is intimately familiar with their (Exposition’s) financial tracking needs. They know how many codes and definitions are needed in the conduct of their business. They also know the character and number of codes that exist in the old AMS – for various conference booths, hotel rooms, services, etc. Having IT survey a business situation that Expositions is responsible for is not a correct placement of effort or responsibility. Nor is it efficient.
IT-effort in this regard would mean: IT must perform the administrative drill of surveying business methodologies to a granular degree, and subsequent creation of the codes for approval by Expositions. This would engender a review, any necessary adjustments, and resubmittals with another Expo review. This would be followed by IT’s arrangement for review with Finance.
This is inefficient: Expo can drive and complete this process, in its entirety, in less time. Otherwise, it takes IT people away from doing the things that only IT can do. It engages them on a largely administrative task that should be assigned within the Expo department. Expo should not require IT to maintain their finance codes any more than IT can expect Expo to maintain IT’s finance codes.
Once Expositions creates their codes as tasked, they must let a project manager know they’re ready. The PM can schedule a sit down with Finance for review of the codes. Once Finance approves them, the PM (or a delegate) can train Expo on how to enter the codes into the AMS. The Expo department should have the authority to maintain their codes in the AMS so as to match their authority in maintaining the codes in the business sense.
Ask yourself here: who is responsible for knowing Expositions’ codes in order to exercise Expositions’ business? It is within that party, or group, where action must transpire. Today’s employment of “systems” or technology is not an excuse to defer ability, authority, activity, and responsibility. In any circumstance, an oversight authority from Business or Technology can simply ask: who is the relevant party that knows, or should know, the “business” of what is under consideration? That party must be empowered in every possible sense so as to match activity to the root of knowledge.
In short: IT delivers and maintains the mechanics of the system – Business must utilize the system and maintain their authorized information and content within it. IT most certainly maintains the backend, and can help, when authorized, on the front end – but make certain that “business content” is generated, maintained, and utilized primarily by business.
On this day (August 15, 1969): The Woodstock Music & Arts Fair opens in New York state on Max Yasgur’s dairy farm.
August 13, 2011 11:06 AM
Posted by: David Scott
Tags: best business practice, best IT practice, best practice, business management, business plans, directing business, directing technology, integrating technology to business, IT plans, managing business, managing technology
The Filing Cabinet Analogy
Your office is cluttered – you have documents all over the place. The paperless office of the future has not yet arrived, will never arrive, and your hardcopy papers are necessary, important, and accumulating. You must get them filed for safekeeping, but you also need a system of storage and access: You require ready reference of the content.
You call up your supply department and order a filing cabinet. A few days later, a supply clerk rolls your cabinet in, asking where you would like it.
On exiting, the clerk wheels his empty dolly toward your door… you say, “Wait! You’re not finished…” Bewildered, the clerk asks you what you mean. You politely gesture to all the stacks of paper on your desk, your table, your office floor. You tell him that he needs to label the drawers. He needs to create folders with tabs for various subjects, projects and tasks. He needs to alphabetize and categorize your paper documentation and file it in the appropriate place in the new cabinet.
Hmmm… what is wrong here? Simply this: You, the recipient of the filing cabinet, expect the supply clerk to do your filing – which is not the supply clerk’s job. The supply clerk has delivered a system for filing – the recipient must file, or delegate that to relevant department staff. But realize too: the cabinet’s recipient must not only use and administer the “system” – the cabinet, drawers, folders, and setup of information storage – the recipient must also do some initial configuring and setup of that system. After all, it is the recipient who best understands the business requirement of that system (the labeling, categorization, etc. that is necessary).
Now, we know that no one would ask the supply clerk above to do that filing – or configuring – yet IT finds itself in that very position as it delivers its “filing cabinets.” Oftentimes business systems are delivered, and IT is expected to set up such things as finance codes – and to maintain them. Why? Business uses those codes, and should have intimate knowledge of what the best codes are: syntax, how many, subcodes, inter-relations… and on and on.
We’ll examine this example over the next few days, but it is business’ “filing cabinet” of codes to maintain – not IT’s. IT can assist with suggestions for entering and structuring the codes as necessary, but IT should not determine the business mechanics of the codes and their fit and inter-relationship to business. Further, this is just a sliver of an example: IT is frequently bled across lines of diminishing returns, maintaining all sorts of business structures, rules and updates that are squarely within any reasonable person’s definition of business responsibility.
Yet IT is often tasked precisely the wrong way, taking time away from the rush of security challenges, best progressions, and vision to the horizon of accelerating challenges…
On this day (August 13th): In 1907, the first taxicab begins operation in New York City.