And why not? Everything gets more expensive as time goes by. In fact, the cost of breaches has risen for each of the past three years.
Symantec, folks who ought to know, says the average cost of a breach is around $3 million a year per business breached. If that sounds like a lot, realize that some businesses suffer losses of tens of millions.
Of course, ever more breaches require ever more security awareness training and education for employees: More cost.
Too, the organization must survey its firewalls, virus and malware protections for currency and comprehension, and just generally expend precious business resources (time, attention, money, assessments for returns, to say nothing of repairs to reputation and breached systems…), thus robbing energy and focus from that main thrust that should occupy any business: Business.
Most breaches and loss or corruption of data are due to human error: Blame the employees. Nah: Actually, there’s enough blame to go around. Management/leadership (both IT and Business leadership) must put the proper emphasis on security and associated awareness.
One way IT can help: Send out a regularized (once a month?) Security Quiz. You can ask such things as “If a web site asks you to… should you….?” You get the idea; come up with a dozen questions. You’d be surprised how lax interns are, in spite of tight IT security orientations, delivered upon hire and start. Not to pick on interns (they probably get picked on enough); regular staff can be pretty abysmal in their actions and activities too. Give away some nominal surprise for the winner: a free day off? Use your imagination – coordinate with HR and management – evaluate the returns. Does the environment seem safer?
Don’t forget data’s liability in the era of portability: USB sticks, laptops, smartphones… Even e-mail is an element of portability: Do not let staff conduct business via personal e-mail accounts, Facebook, YouTube, etc. And make a determination, and publication, of expectations for appropriate use of official e-mail. If you don’t spell out the “dos” and “don’ts,” you’ll reap all sorts of silly, expensive results.
Unfortunately, in the era of all-access, all-the-time, breach and business reputation are always in play.
Stay on the responsible forward edge.
NP: How Deep is the Ocean – Ron Affif, jazz24.org
Security is always a delicate balance: You need to provide efficient access, but only to those that are allowed that access.
Because there are a growing number of mobile devices, and more people utilizing them, there is more potential for breach – it’s just a numbers game, really. Your networks require ever more attention: In matters of security solutions and updates; watchfulness for any day-to-day breach; and investigation of any suspect activity. At the same time, access has to be readily available to those authentic users, sustaining their productivity – and they must be productive within a fully educated posture, based on well-communicated security policies.
First, before a user even authenticates, remember to have the device authenticate. The network must recognize the device, allow it, and further – have your network survey it for currency in updates, patches and policy. Now you’re swingin’.
Also, mobile devices use mobile broadband, the same networks as mobile phones. Here, it is basically essential to employ a virtual private network (VPN) – and also for any access coming through the public internet. Generally, you want to encrypt any data/communications between devices which transmit through public broadband or the internet.
The addition of firewalls is another layer of security. They can be comprised of software, hardware, or both – and essentially emplace filters and authenticating standards before letting devices and/or data through.
Remember that any security procedures and policies are only effective so long as the organization enforces them. The organization must invest in security, in more ways than one. More than monetary, it is the organization’s acknowledgement that security is paramount, and that people will be held accountable to security standards. Regularized training and awareness sessions must be adhered to, and all modern and effective security measures must be undertaken to keep pace with the accelerating nature of outside demands and threats.
Get on a schedule of regularized updates in all regards: Organization, people, process, systems, data, communications, education… Also, be certain to weave Business and IT leaders’ understandings and sanctions in creating and adhering to mutually defined and understood goals.
NP: I Can’t Get Started, Cannonball Adderley, jazz24.org
No matter how tight your security policies, no matter how regularized your security training, no matter how careful your workforce – mobile devices are going to get lost.
Smartphones, laptops, tablets, cameras, flash drives, and anything that’s not nailed down is susceptible to being left at the airport, in the back seat of a cab, or on a table somewhere in a food court… as but a few examples. And that’s just the possibilities involving loss through negligence – oversight, in leaving a locale without all of your possessions firmly in tow.
What of theft? As difficult as it is to believe, people actually take things that don’t belong to them! This is something you have to actively guard against – not just by maintaining your eyes on portable devices, particularly when you’re using them in public spaces, but in another important way.
It’s not so much the device itself that poses great risk – it’s the harm any device can manifest, in the absence of appropriate controls, when in the hands of an unauthorized person.
A device harbors content: That is, the data any particular device contains. Unauthorized physical access to the device cannot always be prevented, as in the case of loss, so all other up-to-date methods of security must be employed. The device must be password protected. You might even consider fingerprint and card readers for additional authentication and access control. Further, the data residing on the device should be encrypted.
Risk is also posed through the access that the device represents: To your network, to your central data repositories, to your business intelligence, to your client information, to your employee information, to sensitive and confidential data, to proprietary solutions and systems, and on and on and on…
Another security measure to consider, which would protect both the data and the device’s potential for directing harm to whatever it logs into, is to enable a remote-erase (wiping) solution. When a device goes missing, a trigger is pulled at the home office, sending a signal to the device to destroy all data and login credentials.
March 12th: On this day in 1912, the Girl Guides (Girl Scouts) was founded by Juliette Gordon Low
Small and Medium Business (SMB) can really benefit from mobile readiness. Beyond the obvious reasons (the idea of “readiness” and a paired security posture hardly needs to be sold), the SMB market can capture and leverage a whole population of assets that essentially have no overhead. No TCO, no appreciable Time to Value (TtV); they’re here now, in that they’re often owned and maintained by people as personal assets: Things such as smartphones and laptops.
Of course, often enough these devices are provided by SMB too, as tools of any particular job; but there does exist a ready population that can be exploited – and that must be protected.
Whatever devices (and associated users) desire to access your data, systems, and tools – you must take inventory and qualify access before you greenlight it. Assess whether a particular user really needs remote access – is it going to be an efficient enhancement to work? Will it be productive? Does supervision agree that access is desirable? Is a strong case being made?
Then the risks can be weighed against the benefits – and there are always risks. Mobile devices will harbor sensitive data – and that data can easily be lost. Also, mobile devices transmit updated data back into your central repositories – on your network: filestores that represent the content feeding your mission critical applications. Things such as the organization’s sensitive financial information; customer databases and records, sensitive correspondence – you name it. You must ensure sourced mobile data is healthy, accurate, and whole.
Mobile devices also represent a portal through which malware may enter the organization. Therefore, an entire regime of recurring user education is necessary, and a standard schedule for review of devices for compliances and updated protections for malware, etc., is absolutely essential.
When devices are lost, it is imperative that users alert IT – lost devices can allow unauthorized access to the network; IT must immediately bar a device’s ability to access upon loss. And while on that subject, beware devices that have unsecured remote access – that is, no password or stored password, allowing the “greased entry” upon a simple switch-on of the device.
Let’s keep rolling on this…
NP: The “In” Crowd – The Ramsey Lewis Trio, jazz24.org.
Once upon a time, all an IT manager had to do was to secure an infrastructure and allied systems and tools that existed inside the “four walls” of the organization. That is, some measure of a computer room (speaking in a virtual sense; any of these elements could stripe through multiple buildings, offices, allied agencies, etc.), fileserver(s), a wiring closet or two, a computer workstation population, and so on…
A few forward individuals, either by power, station, or adventurousness, dialed-in to the network. Wow! I remember jokes in the workplace: Who the heck wants to bring the office home?
Today, we’re approaching universal connectivity. There are so many mobile devices, and associated mobile apps – paired with new data-densities, new bandwidth and processing power considerations – that business is everywhere.
The challenge to business and IT leaders alike is not just protection of organizational assets and daily production; the challenge includes spec’ing up to accommodate present and future demands of the mobile workforce. It also includes more than that…
It goes well beyond: You must document allowances, as far as which classes of users have mobile access, when, and how. And you must consider the blended environment of personal vs. business assets. Keep in mind that folks access your organization’s central computing and data assets from personal computers, laptops, phones, tablets, etc. The avenues for breach are many, in that you do not have an exclusive measure of control over these devices, and their associated “wellness” in terms of virus protection, malware protections, etc., etc.
Security demands are high. You must guard against spam, spyware, malware, viruses… denial-of-service attacks, whether directed or random. In this environment, it is prudent to consider data encryption for mobile devices. Today, you must safeguard sensitive organization data on mobile devices: Information is always vulnerable to theft and loss, but never more so than when its repository is mobile and susceptible to loss itself.
More on this in the coming days…
March 10th: On this day in 1933, Nevada became the first state to regulate narcotics.
I’m not sure there are words to adequately express the true problem that this article illuminates: Douglas County Students Disciplined Over Facebook Post.
It is naturally disturbing that these students, in 2011, are not aware of social networking perils, the global wallop of the internet’s speed and reach, as well as aspects of damage to reputations. That, plus legal liabilities involving defamation.
But in a more basic and general sense – what of simple honesty, decency, and good character – how do 12-year-olds today think it is ok to label a teacher a pedophile; a rapist; as bipolar?
Or perhaps a better question is: What allows them to unthinkingly do this? Answer: The “realm of risk” allows them this latitude. In the realm of risk, unmanaged possibilities become probabilities. We can see how universal this important BTW warning is – and how wide its applicability: No one set proper expectations and limits on these kids’ online posts.
Kids say mean things; cruel things; stupid things. I did when I was young, and likely you did too. Today’s kids will do those things in the internet age’s equivalent of our neon lights – unless someone tells them not to, and spells out the consequences.
What of school policy? The modern requirements for school policy mandate a section concerning defamation of teachers, administrators, etc., regardless of forum; whether occurring on school grounds with school resources, or elsewhere. Today’s electronic enablements make this a no-brainer.
What of elementary education? It has to include coverage of internet communications and general use. If schools are in the business of teaching children the difference between “bad touches” and “good touches,” there sure is an appropriate need to be filled regarding electronic communication in 2011 – particularly given the parents’ reactions in the included article.
That is the most dismaying thing. Kids do not possess wisdom and experience – caring parents and educators help that along. But in this case, the parents are devoid of wisdom and experience – actually defending their kids within the most egregious defamations possible.
Go check your kids. They’re kids.
On this day: In 1959, Groucho, Chico and Harpo Marx make their final TV appearance together.
“Business success” really means “profitable endeavors.”
Even a non/not-for-profit organization has to deliver products and services that generate value and revenue. So, anything you do – your business – requires efficient work and deliveries.
Business goals have to meet marketplace demands. You have to develop something that people want: Otherwise it doesn’t matter how effectively you try to deliver. Absent delivery of something meaningful to market, it won’t matter how efficiently you produce it; it doesn’t matter how carefully you try to pump ROI by shortening TtV and by driving down TCO.
These days there is very rapid technological change. Customer expectations are very high – new, innovative, products are hitting the market all the time. Further, existing products are improved quickly, and “last year’s model” becomes antiquated and unattractive rather fast.
Phones, computers, cars, the speed at which we self-check out of a grocery store – ever more comprehensive services, ever-quicker deliveries and payouts; moving on to the next area of life and business.
The same holds true for your place of employ.
Vendors are shortening product lifecycles, partly by delivering new products to market simultaneously. Don’t be fooled into buying too far ahead, or into something you don’t particularly need. Faster printers on the market? Great. But – are your present printers fast enough? Has anyone complained? Better to assess their remaining, anticipated, useful life. Also, perhaps some areas can retain slower printers… some printing is rather leisurely – someone gets around to picking up the output eventually…
Make sure you’re procuring, and investing in, the right business assets – at the right time. Make the basis for upgrades or new purchases in accordance with a holistic view of budgets and business objectives. Something interesting I observed at a company recently: When they upgrade their workstation and laptop populations, they do it as a complete, 100%, replacement of the old computers.
However, I did things a bit differently: I rolled existing computers down into positions that didn’t need the fastest, latest, greatest… you can establish a hierarchy.
I guess that goes against the grain of treating everyone “the same” – but, some people have offices, some have cubicles, and… in my world, some have faster computers than others.
You can project up to the maximum challenge of huge enterprise endeavors. Manage projects according to this principle: Look for the right timings, the right products, the right scale of rollout vs. limits, and above all – be certain the solution serves. In other words, be certain you’re investing in the right stuff, and make better decisions on where to apply limited financial resources and that allied potential.
Serve business – serve successful business.
NP: The Cannonball Adderley Quintet in San Francisco – original 1959 Riverside LP.
You’ve been at your position for three years or more. Things aren’t too bad: You work in an office environment; perhaps you have your own office (if not, see below); your hands stay reasonably clean; no one has yelled at you or physically assaulted you in quite some time; coffee’s not too bad; and so on and so forth…
But… but something’s missing. You want more challenge. Maybe a little more prestige. Some daylight to open ground – so that you have a reasonable chance for advancing your career. You deserve more pay (how do I know this? Because I deserve more pay, that gal over there deserves more pay, and you deserve more pay – ok?). :^ )
Before I became an author – and a professional blogger, and an independent person with my own clients – I worked directly in the field of Information Technology. Some of my early environments were pretty grim: The dark days of the ‘80s, early ‘90s… when all too frequently governance and management were largely clueless.
Well, that may be an exaggeration…
… but only in giving them too much credit: They were often dumb. (Of course, I’m using the word “dumb” in a neutral, academic, sense – not in a pejorative one: They were ignorant). Good people in all other regards, but here in the weave, we are nothing if not empirical.
Those early days of mine were ok, though, because that’s what taught me the absolute necessity for having a tight, mutually supporting, business-technology weave.
During those days, and in running up against significant ignorance, often overcoming it, and sometimes repeatedly smacking against it, I discovered something. I could generally glean all I needed to know from a specific organization in about 3 years: That is to say, general knowledge about leadership, its enablements, its limits, my place in it or against it, politics, business-IT relationships, etc.
Also, 3 years is about the minimum to avoid too much “churn” on your resume. If I wasn’t particularly happy – or just getting bored/stale – I simply changed jobs. Sometimes it was four years, five… The job market notwithstanding, you can simply go fishing… if something interesting comes up, take it.
Now please recognize: I always continued giving 100% when dissatisfied and looking. In fact, most of my employers couldn’t imagine me leaving – and several tried to entice me to come back within months of going. In spite of a few discussions, I never did go back – if you leave, recognize that you are leaving to be gone.
Every move was a step up; in responsibility and pay. Bigger office. Bigger environments, projects, challenges. If you decide to climb a ladder, be certain of your “rungs” – that they’re solid, and leading ever upward. Particularly for my more junior, SMB-oriented, readers: If you’ve never had your own office, and you’re interviewing somewhere, particularly for a leadership position, do not be afraid to ask, “Does this position come with an office?”
Don’t let fear hold you back. Most often, the only way “up” is “out.” There’s not a thing wrong with that…
Something missing in your career? Gauge the strength of your legs, and start climbing…
Thought for the day: “To be one’s self, and unafraid whether right or wrong, is more admirable than the easy cowardice of surrender to conformity.” – Irving Wallace
Any organization’s leaders (senior governance, management, board[s]) should have content awareness – but many don’t. (Of course, the entire organization needs to have content awareness, but the emphasis in today’s post will be on leadership).
Content, from an information perspective, is data the organization harbors, or contains (hence, “content”). Any data, electronic or hardcopy – irrespective of system or vessel – has to be managed for security, control, access, and use. Whether that’s data contained in F&A systems, core application and database systems, word processing, presentation programs, on portable drives, in filing cabinets – anything and everything – it must be managed with a 360° awareness.
We spoke of metadata the other day. It may seem a burden to tag every piece of content in your organization with appropriate metadata – but recognize: With a Content Management System (CMS), the assignation of metadata can be automated. The CMS merely rakes through the content, looks for key information based on controls that the organization sets, and fills in a metadata template which is forever linked to that content.
Such metadata fields could include:
– Source (Author, outside agency, etc.)
– Purpose of data
– Key departments, contributors, stakeholders…
– Authorizations (who is allowed to see/use; who is allowed to edit)
– Disposition instructions: Archive and/or destruct dates
– Applicable regulations (internal, external, or both) for dispositions
– Date and time of creation
– Any file manipulations such as encryption, passwording, etc.
Metadata can be anything the organization assigns for the control of data. You determine your own handles and controls for data.
Increasingly, organizations of all sizes must not only protect data, they must have ready access to it. They cannot afford to overlook any particular information-asset. Further, they must know how to dispose of content, in avoiding a glut of information that becomes difficult to sort through – slowing systems, corrupting databases, delivering out-of-date data that no longer has meaning or relevancy.
Content awareness – weave it into your organization.
NP: Sonny Rollins, Saxophone Colossus, on… CD. I know, I know… when I get home, I’m going to cleanse by playing an original Charlie Parker LP on Dial… maybe followed by Oscar Peterson at Carnegie Hall…
If you’ll bear with me, I may have a rather novel use for a Content Management System.
I had a question from someone recently: “What is a Content Management System?” (CMS). Great question – further, what can a CMS become?
I was presenting a rather high-level view of The Business-Technology Weave, so I mentioned briefly that a Content Management System enables the efficient control and use of information in the organization: setting triggers for archive, destruct, filing… sometimes just the removal of data from the “active environment” to preclude a glut of information.
It’s so much more of course: It’s the assignation of metadata (simply: data about data), tags, “handles,” for the ready “pull” of data into whatever reporting you need. It sets classifications for data. A CMS can cough up abstracts for larger information elements: pointing to papers, reports, related volumes of information – independent of whether reinforcing-content is a document, spreadsheet, presentation, record in a database… info in your finance and accounting system – that is, independent of where content resides (system, building, desk… electronic or paper). CMS manages the content contained within large, sophisticated, data repositories. (CMS is a very large subject: There’s an entire chapter on content and its management in I.T. Wars).
Therefore, CMS grants the ability to leverage dispersed and formerly hidden content, in bringing together scattered information assets that may be silo’d in diverse systems, repositories, departments, and so on. A good CMS even documents the location of content that exists solely on physical paper assets.
In looking at the Social Security Administration (SSA), and related problems with their new data facility and allied project, I wonder if CMS was being employed in any way?
Most folks assume CMS is for the tracking, leveraging, reporting, and managing of information – for sole purpose of delivering to the “outside” mission. That mission can be educating students, selling widgets to customers, providing legal services to clients, manufacturing cars, surveying labs for regulatory compliancies… managing and dispensing payments to social security recipients… the mission can be anything. The “doing” of whatever it is you “do.” Most folks employ CMS largely for what I’ve mentioned above.
But CMS can do something that may be a rather novel application: You can register and track assets – an inventory (nothing new there), but one with “tethers” – the metadata to note any asset’s relationship, support to, and vulnerability within other supports, against all other inventoried assets – “CMS’d” assets. I wonder if anyone is utilizing CMS in this manner?
Once all assets are “CMS’d”, keeping up-to-date is fairly easy: Upon procurement of any resource, it is a fairly rapid and efficient task to create a record in a CMS for it. Key metadata fields are populated with the date of procurement, purpose, class of employees supported, some history regarding the vendor (years in business, size, market presence… etc. – yielding anticipated longevity), and all associated assets and systems with dependencies and supports. A general notes section adds to the metadata, all searchable within CMS, blooming any and all of the organization’s critical infrastructure and systems supports and dependencies; anticipated dates of major updates; anticipated dates of obsolescence, or consideration thereof. As to that consideration, remember BIT anyone? Ah… it all weaves together…
This does a couple of things: You don’t get surprised by antiquated, incompetently produced cabling schemes that grew over the years as different people procured new systems, stuffed more cables under a raised computer room floor, cramming them in until it’s a snake pit. A snake pit with no accompanying documentation or possibility of anything resembling this millennium’s best-practice discipline of Wire/Cable Management.
Critical power sources are not located near water. If they are, a plan for the relocation of power (or water) is at least considered. It goes somewhere on the Five Year Plan (hopefully more near-term than far), and gets budgeted and scheduled according to the other priorities and initiatives in the organization.
It may seem a burden to administer this – but you have someone, or a whole department, inventorying already: This is an inventory with relationships; the who, what, when, where and why for each asset, its intentions, and its relationships. It can be done; with efficiency and accuracy. Then turn the CMS wheel in updating, retiring, acquiring, and blending all assets for maximum gains vis-à-vis ROI, TtV, and TCO.
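As an added example (not the post’s own code, nor any particular CMS product), here is one way to model the metadata template from the earlier post together with the “tethers” described here, so that the impact of an asset’s failure and any due dispositions can be queried. The asset records, roles and dates are constructed for illustration.

```python
"""Asset inventory with metadata 'tethers' (dependencies), modelled on the
CMS metadata template described in the post. Constructed example: the
asset names, roles and dates are made up for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

REVIEW_DATE = date(2011, 3, 10)  # the day the disposition review is run


@dataclass
class Asset:
    """One CMS record: the metadata fields the post lists, plus dependency tethers."""
    asset_id: str
    source: str                        # author, vendor or outside agency
    purpose: str
    created: date
    viewers: Set[str]                  # roles allowed to see/use
    editors: Set[str]                  # roles allowed to edit
    archive_on: Optional[date] = None  # disposition: archive date
    destroy_on: Optional[date] = None  # disposition: destruct date
    regulations: List[str] = field(default_factory=list)
    encrypted: bool = False
    depends_on: List[str] = field(default_factory=list)  # tethers to other asset_ids


Inventory = Dict[str, Asset]


def impacted_by(inventory: Inventory, asset_id: str) -> Set[str]:
    """Every asset that transitively depends on asset_id (what is exposed if it fails).
    A visited set makes this safe even if someone records a circular dependency."""
    seen: Set[str] = set()
    stack = [a.asset_id for a in inventory.values() if asset_id in a.depends_on]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(a.asset_id for a in inventory.values() if cur in a.depends_on)
    return seen


def disposition_due(inventory: Inventory, today: date) -> Dict[str, List[str]]:
    """Assets whose archive or destruct date has arrived, keyed by the action owed.
    Destruction takes precedence: an asset due for both is listed once, under destroy."""
    due: Dict[str, List[str]] = {"archive": [], "destroy": []}
    for a in inventory.values():
        if a.destroy_on and a.destroy_on <= today:
            due["destroy"].append(a.asset_id)
        elif a.archive_on and a.archive_on <= today:
            due["archive"].append(a.asset_id)
    return due


def may_access(asset: Asset, role: str, edit: bool = False) -> bool:
    """Authorization check from the metadata: editors may also view."""
    return role in (asset.editors if edit else asset.viewers | asset.editors)


def build_sample_inventory() -> Inventory:
    """Constructed records: a UPS, a database server, the F&A system and two
    documents, tethered by depends_on so impact can be traced upward."""
    both = {"it", "finance"}
    items = [
        Asset("ups-1", "ACME Power (vendor)", "computer room UPS", date(2005, 6, 1),
              {"it"}, {"it"}, regulations=["internal: facilities"]),
        Asset("db-srv", "IT", "core database server", date(2008, 2, 14),
              {"it"}, {"it"}, depends_on=["ups-1"]),
        Asset("fa-system", "FinCorp (vendor)", "finance and accounting", date(2009, 9, 9),
              both, {"finance"}, encrypted=True, depends_on=["db-srv"]),
        Asset("payroll-2010", "finance", "FY2010 payroll report", date(2011, 1, 5),
              {"finance"}, set(), archive_on=date(2011, 1, 31),
              destroy_on=date(2018, 1, 31), regulations=["external: 7-year retention"],
              encrypted=True, depends_on=["fa-system"]),
        Asset("old-policy", "HR", "superseded e-mail policy", date(2006, 3, 1),
              both, set(), archive_on=date(2009, 3, 1), destroy_on=date(2011, 3, 1)),
    ]
    return {a.asset_id: a for a in items}


if __name__ == "__main__":
    inv = build_sample_inventory()
    print("exposed if ups-1 fails:", sorted(impacted_by(inv, "ups-1")))
    print("dispositions due:", disposition_due(inv, REVIEW_DATE))
```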
The Weave; it serves.
Thought for today:
Few people are capable of expressing with equanimity opinions which differ from the prejudices of their social environment. Most people are even incapable of forming such opinions. – Albert Einstein