A recurring question in many environments follows along this line:
“If we no longer have servers, does IT need to maintain server management and administration skills?”
Organizations are virtualizing all manner of things – making some IT persons in specific environments and roles increasingly nervous. If you’re a server administrator, a technician for any specific piece of infrastructure, a programmer for an inside app that’s going to the Cloud, etc. – look out.
You’re seen primarily as an asset by IT governance… business. Sure, you’re “user-friendly,” supportive, well-liked… but – you’d better retool yourself and demonstrate ongoing value in some new realm, or look for a job elsewhere. Obviously, any IT professional has to support something, while progressing it, bettering it, and furthering its ongoing value to business. If something moves to the Cloud, or otherwise becomes virtualized, you’re going to be at a loose end – but not for long in the present organization.
A BTW tenet is that change is a continuum. Immerse yourself in assessments of change; read periodicals online and off; visit companies that are at the forefront of change, such as professional project management companies. Create friends and professional contacts at these sorts of orgs. Always be learning, both formally and informally.
As long as you’re taking stock of other organizations, keep something in mind: IT is pervasive – it has, after all, gathered virtually every human being around you and deemed them “users,” while simultaneously boosting their time spent using technology to nearly 100% of their workplace occupancy – all within an explosion of products, enablements, and services. See what other savvy organizations are doing, and how things are working for them. Evaluate their systems and services for possible furthering in your organization. Ensure your value – your business value.
Don’t wait for the organization to push you through awareness and training; get going yourself. You must remain a viable asset to the organization, supporting it today and tomorrow, and you must change along with, preferably ahead of, all of the other change that is swirling around you… around all of us.
NP: Coltrane Plays the Blues, John Coltrane, Atlantic, original LP.
I was reviewing the accelerating change I’ve witnessed this year for both business and IT.
At the end of the year, it remains obvious that change is a continuum – even when major change is not manifesting and being managed within the organization, you must track change with-out: New products, resultant enablements, efficiencies to be gained, risks, and the appropriate scale and match to your org. And… timing is everything, as they say…
One aspect of this accelerating change, and its sponsor of universal challenge to business, is the proliferation of endpoint devices and users’ access (and expectations for access) to business content. A conventional office is not quite the antique-equivalent of a manual typewriter, but that “core” tradition of the office-bound, fixed, worker is shattered as a universal model for all business, and is fast being shattered in new realms and businesses all the time.
Access to content is becoming an expectation no matter the circumstance; conference rooms are the obvious and quite longstanding members of the “remote” (that is, non-internal-desktop) access. Satellite offices, and allied agencies, were next. Home offices made their entry – no longer merely a place to handle the household budget and taxes, a home office now is a full-range extension of the formal workplace: online access to all work applications, internet tools and research, e-mail, color printing, scanning, and manipulation of content.
Add to this all manner of access devices: laptops, phones, Kindles, virtual desktop interfaces, and the subsequent explosion of ready-access by employees, developers, vendors, VARs, brother-and-sister agencies, contractors, oversight agencies… There is not only a proliferation of devices and access-points to monitor and control, there is the accompanying population and ‘round-the-clock challenge that comes with this. It bears mentioning that if means and access increase for authorized personnel, then so too do they increase for unauthorized personnel.
But, we’re up to the challenge. I know it. Stay safe this upcoming year.
Meantime: Happy New Year.
NP: Lonely Woman, Andy Summers, Jazz24.org
You may have heard about the man being prosecuted for using his wife’s password to access her e-mail account. Many news reports indicate that he “hacked” in to her account. However, the couple kept a small notebook of passwords next to the computer; he logged in.
Still, the man faces charges under a Michigan statute that, when boiled down, bars access to computers and associated resources without proper authorization.
Without going into the detail or merits of this specific legal case, it serves to remind us of something very important. If you don’t want your information read, breached, misused, or otherwise accessed and possibly disseminated, then don’t write your passwords down, and definitely don’t have them lying around for easy access.
Which brings us to the real concern: I’m aware of several environments that have shared accounts – system accounts – for controls, setups, configurations, etc. The accounts are shared amongst several, authorized, people. Sometimes there are multiple shared accounts; each having its own class of personnel availing themselves of specific avenues of access and system influence via this means.
Reasons for having shared accounts include:
1. Fewer accounts (and passwords) to create and maintain.
2. Personnel absences easily covered.
3. Fewer instances of forgotten passwords and resultant resets…
…and so on. Whatever the reasons, they are not good ones. Shared accounts represent a problem on several fronts:
What if there is a data breach due to a human error that occurred within the domain of a shared system account? Who is at fault and will they own up?
Suppose there is fraudulent activity… who is the guilty party? This could even include embezzlement, or directing too much authority to a specific user, for example.
If there are setup or configuration errors, it’s important to readily identify the transgressing party for purpose of training, or discipline in the case of sloppy work.
Each person in the organization should have a unique account name and associated password. Network supervisory roles and other special accounts (for the aforementioned setups, fiscal management programs, etc.) should be tethered to one specific person. If additional accounts with similar roles and authorities are required, create them with unique names and passwords.
As to people who keep passwords in notebooks next to their computer, be advised: You’re practically soliciting a breach. Don’t share passwords, don’t write them down (unless they’re in a locked safe, with a discreet list of access), and for certain don’t have them written somewhere in the vicinity of data’s access point (the computer).
NP: The Red Garland Trio, Manteca, original 1958 LP. Wonderful album.
When securing information, intellectual property, data (hard and soft, paper and electronic; hereafter referred to as content) it’s first necessary to know what you have… and where.
Once you know what you have and where, it should be relatively simple to secure data. Note that I didn’t say “easy.” But in terms of simplicity, there’s a relatively flat qualifier – something very initial – to securing content that comes before anything else. Something comes prior to any associated system, and any hierarchy of control regarding such things as outside regulatory oversight, internal control, general stakeholder interest (that is, specific department oversight), and general principles of security.
Initially, any activity involving content requires looking through a security prism. Merely consider content’s “lay” (its location, its residency, its container, its present status, et al) vis-à-vis your upcoming, intended, action on that content.
The view through security’s prism must always generate this question:
Will my action on this content compromise, or possibly compromise, its protection, discretion and safety?
Of course, by extension we’re really talking about the organization’s protection, discretion and safety – as well as allied parties (clients, customers, partners, etc.). It’s essential to take a big picture view and make best consideration of all interests, involvements and relationships.
If your staff doesn’t know to take this view, doesn’t know to ask this question, then it doesn’t know how to handle and protect content. Simple.
You don’t know what you don’t know – ‘till you know it. Survey and account for data. Then:
Bring the associated system(s) of control to bear, ensure their effective use through training and ongoing awareness. Most breaches of content and exposures are due to human error. Ensure appropriate human awareness for treatment of content by reinforcing that look through the security prism.
Remember: Know what you have; know how to protect it.
NP: Thingamagig – The Mel Powell Trio – Original 1954 Vanguard LP.
Senator Tom Coburn, (R)-Oklahoma, appeared on Fox News Sunday with Chris Wallace this past weekend. He delivered a sobering assessment of the Federal debt and its future impact (absent getting it under control) in the midst of my Happy Holidaying.
“What does this have to do with content and systems management?” one may well ask. Well, let’s consider:
Coburn gave an encapsulated and articulate description of Federal redundancies and waste which some believe, if left unchecked, will lead to 15 to 18% unemployment, hyper-inflation, debilitating effect on GDP, and destruction of the middle class. Heck, is that all? Gimme another stimulus…
Seriously, consider that the Feds harbor 267 job training programs across 39 different agencies – why? Talk about compartmentalized and silo’d…
There are 105 programs, 105, to encourage people to go into science, technology, engineering and math. In Coburn’s view, “That’s 105 sets of bureaucrats; none of them have metrics on them.” So… if we take him at his word, there are no empirical measures to determine if some, one, or any of these programs are making effective use of resources?
As to another area of waste, there is 100 billion dollars (maybe more) of fraud in Medicare and Medicaid. As Coburn says, “That’s money that’s just being blown away.”
He continues, “The Pentagon can’t even audit its own books. It doesn’t even know where its money is going. And we refuse to have the tough forces go on the Pentagon so at least they’re efficient with the money they’re spending.”
Coburn says there is approximately 350 billion dollars that can be eliminated from the budget that will not truly impact anybody in the country.
But in my own view, any elimination of waste, fraud, and abuse is only going to come from an accurate accounting. Before there can be any political rendering, and any resulting pragmatic, empirical, meritorious action that delivers to real-world realities… we have to know where we are.
Only generally do we know where we are: We know there’s waste; we know there’s fraud; we know there are redundancies, wasted effort, duplicated effort, efforts that work at cross-purposes, and money pouring down a drain. But we have to survey, expose and manage according to a coherent, comprehensive and trusted system of accountability, as it delivers real data from systems’ content.
Of course, it’s the big entitlement programs (Social Security, Medicare, Medicaid, and various stimuluses) that are the largest drivers of the deficit and resultant debt. We’re not going to get into that, being that this isn’t a political column. But frankly, I think every little bit counts, even if only for the discipline and practice of being austere, frugal and fiscally responsible.
The Federal Government really, really, needs better content and systems management – now. The expanding Federal Debt will yield what some describe as “apocalyptic pain” in a few years’ time – if we don’t act soon.
The time is now. It’s the right thing to do.
NP: Miles Davis, Kind of Blue – Legacy Edition. (On CD, yes, but I’ll be listening to some jazz on original Vanguard LP a bit later… rest assured.)
I just happened to stumble into an interesting debate (again) through a chance circumstance. I was dining with a couple of handsome ladies and one of their sons had an Asus Netbook with a Dvorak keyboard.
For the uninitiated, the Dvorak keyboard is an entirely different layout than a standard keyboard, with keys situated and labeled in an unfamiliar pattern for the overwhelming majority of people with standard QWERTY devices. (The QWERTY name derives from the letters just above the “home” row of the left hand, reading left-to-right).
The Dvorak board supposedly makes more efficient use of finger motion by grouping the most commonly used (typed) letters together. Thus, there is supposed to be less wasted motion and a benefit in reducing or eliminating chance of carpal tunnel syndrome. Hmmm…
I’m an experienced typist of more years than I care to remember – in certain overseas locations, I even banged out more than a few reports on manual typewriters way back in my dim past. In my years of communicating via sticks on logs, smoke, drums, typing on mechanical machines, various consoles, IBM Selectrics, desktops and laptops, I’ve noticed one thing for certain: I’m fortunate in that I type as fast as I think. (Insert jokes here).
I’ve never felt any particular discomfort when typing; even for long periods. However, I’m all for optimization and efficiency. Simple software is available for switching from QWERTY to Dvorak – and back – should anyone be interested. The fellow who had his Dvorak Netbook said it took about a month to learn Dvorak. Further, he said it took about 20 minutes to become optimal if switching back to QWERTY.
We then got into a discussion of keyboards with keys having tiny LCD screens on top of them: In this case, you can assign a letter, function symbol, or picture to the key – and make changes any time you wish. Easy enough, then, to re-label from QWERTY to Dvorak, among other things.
However, in the case of simple keyboard layout swaps, I recommend something quite simple and totally reliable: Lenticular optics.
Remember those pictures that changed as you tilted them? Holding a lenticular picture at one angle might show a tiger, for example – when tilting slightly in the other direction, the picture might change to a lion. It would be easy enough to use lenticular optics to toggle keyboard labeling between two systems. On a laptop or Netbook, one could simply raise or lower back risers to effect the change if the optics were horizontal. Or, vertical optics could be employed, and simply sliding the device’s position a few inches left or right could effect the change.
At any rate, I am fortunate and glad that I do not have carpal tunnel syndrome, and that I don’t think (or generate original content) any faster than I do. My typing seems quite efficient as matched to the flow of my thoughts…
…and I fault all mistakes in grammar and spelling errors to my software.
NP: This is the Moody Blues, double-LP, vinyl.
Word comes to us, courtesy of an excellent article in USA Today, that the number of people 55 and older with jobs is projected to hit 28 million – a record. (American workforce growing grayer, by Dennis Cauchon).
I don’t know about you, but I’m not at all surprised. Beyond reasons stated in the article, such as “better health, longer lives and less physically damaging jobs” there are a couple of other phenomena – the article touches on one: Experience. So true. Older workers do, generally as a group, have more experience. How can they not?
But there’s something else: In my own general experience, older workers are more exacting, careful, and prideful (in a good way): They take pride in their work, and what that work delivers.
I’m a bit older myself, so I run the risk of veering into a zone of “these young whippersnappers today, they just don’t care…” – and that’s not where I’m trying to go. What I’d like to reinforce, to the younger audience, is that in order to break into a sluggish job market, with older workers hanging on, you must separate yourself, distinguish yourself, sell yourself – in the interview.
When I was just out of high school, attending college part-time at night, I was applying for jobs by day. About all I’d done was physical factory work. Not a thing wrong with that. In fact, I dropped a resume off at a large electrical manufacturing firm in order to apply for an opening on their loading dock. Some kind person – gosh I’d like to thank them properly today – noticed that I had extensive drafting classes in High School and Community College – and HR called and asked if I’d like to be interviewed for an Electrical Draftsman position. Would I?
But… why didn’t I think to market myself that way? Well, I was around 19 years old: a little too modest, perhaps… a little insecure – and also, I didn’t know a thing about marketing myself – about blowing my own horn. But, I won that job, held it, and loved it for about three years before entering the U.S. Army for many, many more experiences.
Blow your horn – be accurate, be modest, but make full exposition for who and what you are.
Now, recognize that beyond experience, employers like older workers for very specific qualities. Therefore, if you can convince an employer that you – as a younger worker – possess those same specific qualities, and you qualify in core respects, you’ll win the job:
Emphasize your dependability (and be dependable); emphasize your “results-oriented” mentality; emphasize your ability to work well with others. I have no empirical measures or surveys handy, but in the course of my consulting, I hear the same laments on the side: Send me some people who know what it means to get along, to stay focused on results, to come to work on time…
In my time, I’ve hired a lot of people – and fired more than a few. My hires worked and “stuck to the walls” – that is, they were great employees – I knew what qualities to look for. Anyone I fired was almost always someone I “inherited.” Be the person that all hiring managers look to find: core competencies are almost a given or you wouldn’t be applying for a particular job – but emphasize all the collateral requirements that factor into… not a good employee – but a great one.
If you were looking for someone you absolutely HAD to depend on – what would you look for? Then… BE that, and SPEAK to that, when you interview.
NP: Backdoor Santa – Clarence Carter. At Starbucks. What a great R&B track – check it out if you get a chance.
I see where the University of Wisconsin–Madison campus had a recent breach necessitating the contact of 60,000 people (according to the Milwaukee Journal Sentinel). There are interesting twists to this particular breach.
First, to set the stage: A database was “compromised,” and it contained names and social security numbers. Oops; compromising names and SSNs is rather an embarrassing violation of data’s security – no question.
Here’s the really interesting – and quite dismaying – part: UofW used to embed the students’ social security numbers in their student ID numbers. Hmmm. That’s bad enough – really unwise. But further, their present system contained an old file with old photo IDs, names, and the student ID number with the embedded SSN. You know, just hanging ‘round in case – or maybe because no one remembered it was there… and no system existed that could throw up a flag.
Content management anyone? A tenet: If data no longer has business value, relevancy, and use – get rid of it. Archive it or delete it. This is a perfect example of legacy data’s liability.
Lessons of Legacy: It’s reported that the identities of those who accessed the file remain unknown. But consider: There are all manner of systems out there, with “dead wood” files just hanging around. Who knows what measures of security awareness existed at the time of creation and accumulation of records in those files? What vulnerabilities exist that we wouldn’t even consider looking for today? I’d never have thought someone would embed an entire SSN in a larger ID number – seems rather crazy, but I’d just about bet they weren’t the only ones to do something like this back in the day.
Going back and surveying legacy systems and files for larger enterprises can represent a mountain of work – and it’s no small task for SMB and their corresponding smaller staffs – and once undertaken, you might not even expose and correct vulnerabilities to a 100% standard. This is why it is so critically important these days to mount security from a whole-view perspective, with a whole-view of content. It is far easier, and much more efficient, to manage as you go. Construct and secure data within solid systems, and have a CMS with destruct-dates and archive-dates well established.
For stuff that no longer has active business or historical value, get it out of the active system; be certain the actions you take are legal – and in accordance with governance (business sanction) – archive it if you must; if you can, delete (destruct) it.
Don’t wait because, today, violating data’s security attains a much higher profile, becomes much wider-spread, and is increasingly unaffordable.
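One way to survey legacy files for the problem described above, as an added example that is not part of the original post: it slides a 9-digit window across each ID number, compares keyed digests against SSNs from the system of record, and pairs the result with each file's destruct-date. The file names, ID layout, key, action labels and SSN values are constructed assumptions.

```python
import hashlib
import hmac
import re
from collections import Counter
from datetime import date

# Assumption: a per-scan secret, so the scanner carries digests, not plaintext SSNs.
SCAN_KEY = b"constructed-demo-key"


def ssn_digest(ssn):
    """Keyed digest of an SSN with punctuation stripped."""
    digits = re.sub(r"\D", "", ssn)
    return hmac.new(SCAN_KEY, digits.encode(), hashlib.sha256).digest()


def embedded_offsets(identifier, known):
    """Offsets at which a 9-digit window of the identifier is a known SSN."""
    digits = re.sub(r"\D", "", identifier)
    return [i for i in range(len(digits) - 8)
            if ssn_digest(digits[i:i + 9]) in known]


def audit_file(name, ids, destruct_after, known, today):
    """Summarise one file: how many IDs embed an SSN, where, and what to do."""
    offsets = Counter()
    hits = 0
    for identifier in ids:
        found = embedded_offsets(identifier, known)
        hits += bool(found)
        offsets.update(found)
    expired = destruct_after is not None and today > destruct_after
    if expired:
        action = "purge_or_archive"      # past its destruct-date: out of the active system
    elif hits:
        action = "reissue_ids"           # still needed, but the IDs leak SSNs
    elif destruct_after is None:
        action = "assign_destruct_date"  # nobody decided how long this file lives
    else:
        action = "ok"
    return {"file": name, "records": len(ids), "hits": hits,
            "offsets": dict(offsets), "expired": expired, "action": action}


# Constructed sample data. Area number 000 is never issued, so these are not real SSNs.
KNOWN = {ssn_digest(s) for s in ("000-12-3456", "000-98-7654", "000-55-0001")}
FILES = [
    ("old_photo_ids.csv",
     ["170001234564", "170009876549", "883100427715"], date(2008, 1, 1)),
    ("current_roster.csv", ["551200340078", "551200340079"], date(2015, 1, 1)),
    ("scratch_export.csv", ["440000000001"], None),
]


def run_audit(today=date(2010, 12, 15)):
    return [audit_file(name, ids, d, KNOWN, today) for name, ids, d in FILES]


if __name__ == "__main__":
    for report in run_audit():
        print(report)
```

A hit count concentrated at one offset, as in the first file, points to a deliberate ID format rather than a coincidence.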
NP: Haitian Fight Song, Charles Mingus – Jazz24.org – online; (10:36:02 in length, and it’s jammin’ – I’ll cleanse myself with vinyl/analog later tonight).
The Wikileaks mess remains front and center in the news and it only gets worse.
In an earlier article I noted that, today, undesired outcomes have efficiencies – right along with efficient solutions. Our desired objectives and outcomes are at risk. For example, consider simple errors: Once upon a time, if you made an error in configuration, or just set something that wasn’t optimal for business, it involved the setup and correction of a single computer. Now, errors can be compounded and propagated exponentially by virtue of erroneous images when ghosting machines, for example. One image can affect dozens, hundreds, thousands, of machines.
In the case of Wikileaks, they can affect what millions of machines (and people) are doing.
As Wikileaks is showing us, it now turns out that data breaches are quite efficient too. Perhaps we need a nice handle for a high-profile element of information warfare that comports with such things as web surfing, friending (social networking), databasing… how about data breaching?
What did you do last night?
I was busy data breaching – copped a lot of interesting content. Tonight I’ll be hacking bank accounts.
In matters of efficiency, consider that Wikileaks has quite an efficient “staff.” Julian Assange’s London-based lawyer Mark Stephens says,
“He’s had more credit for the publication of these cables than perhaps is due to him and he’s also had more attention than is perhaps due to him as a consequence. I think people will realize over the next few weeks, if Julian stays in custody, that actually he’s not essential to the functioning of this organization and it will continue.”
Jonathan Hunt, of Fox News, noted that the leaks from Wikileaks keep coming, and that Assange had said prior to being jailed that 100,000 people now have the ability to publish all of the documents if something should happen to him. Wikileaks has been characterized as a well-oiled “leaking machine.”
What does this mean? Consider: No one who isn’t supposed to know, knows the formula for Coca-Cola. Or Pepsi… but the State Department can’t even cough up a flag when a Private First Class downloads over 250,000 classified documents. You know, something like,
“We’re sorry. In order to guard against data breaching, you are limited to access of 100,000 classified documents in a 24-hour period. Please try again tomorrow.”
I’m being a little facetious – but this whole situation strains credulity. What I would suggest for everyone here, including any readers from the State Department, is to:
1. Review and update your data security and content management policies ASAP, and all associated security measures.
2. Schedule security refreshers for organization staff. (Create the training if you don’t presently have it – and shame on you).
3. Review your statuses and protections for all technical enablements; meet with vendors, VARs, solutions-partners, etc. – anyone and everyone.
4. Don’t forget to review physical security and associated measures such as access, locks, authorized personnel, and so forth.
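The access ceiling imagined in the mock message above can be sketched as a per-user sliding 24-hour window that denies and flags any request that would pass the limit. This is an added example, not part of the original post; the 100,000 figure comes from the post, while the user names, timestamps and batch sizes are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class AccessCeiling:
    """Per-user ceiling on documents retrieved inside a sliding time window."""

    def __init__(self, limit, window=timedelta(hours=24)):
        self.limit = limit
        self.window = window
        self._grants = defaultdict(deque)  # user -> (timestamp, documents) in window
        self._totals = defaultdict(int)    # user -> documents currently in window
        self.flags = []                    # denied requests, for whoever watches

    def request(self, user, when, documents=1):
        """Grant and record the request, or deny it and raise a flag.

        Requests for a given user must arrive in time order.
        """
        grants = self._grants[user]
        # Drop grants that have aged out of the window.
        while grants and grants[0][0] <= when - self.window:
            self._totals[user] -= grants.popleft()[1]
        if self._totals[user] + documents > self.limit:
            self.flags.append({"user": user, "when": when,
                               "in_window": self._totals[user],
                               "requested": documents})
            return False
        grants.append((when, documents))
        self._totals[user] += documents
        return True


T0 = datetime(2024, 1, 8, 8, 0)
# Constructed events: (user, hours after T0, documents requested).
EVENTS = [
    ("pfc_example", 0, 25_000),
    ("analyst_example", 0, 40),
    ("pfc_example", 1, 25_000),
    ("pfc_example", 2, 25_000),
    ("pfc_example", 3, 25_000),   # window total reaches the ceiling exactly
    ("pfc_example", 4, 25_000),   # would exceed it: denied and flagged
    ("analyst_example", 5, 12),
    ("pfc_example", 24, 25_000),  # the first batch has aged out: allowed
]


def replay(events=EVENTS, limit=100_000):
    """Run the events through a fresh ceiling; return decisions and flags."""
    ceiling = AccessCeiling(limit)
    decisions = [ceiling.request(user, T0 + timedelta(hours=h), n)
                 for user, h, n in events]
    return decisions, ceiling.flags


if __name__ == "__main__":
    decisions, flags = replay()
    print(decisions)
    print(flags)
```

Denied requests are not counted toward the window, so a blocked user is not locked out longer by retrying; the flag list is what gets reviewed.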
NP: Time Out, The Dave Brubeck Quartet, on original 1959 Columbia vinyl LP.
I was thinking of going into some explanation of Content Management Systems (CMS) for the small and medium (SMB) market. However, I think this audience understands taxonomies, metadata, key fields, reporting (on data), and so forth – for those who need a solid primer, review Ch. 17, Content: Leveraging Information; Limiting Liability; Managing Documents and Their Retention. (I.T. Wars).
Meantime, there’s a proliferation of unstructured data in all manner of organizations, and this contributes to an “unsecuring” of data:
You have to know what you have, you have to know who is accessing it, and you have to completely understand all associated vulnerabilities – in mounting true protection of assets.
Look to the State Department, the associated Wikileaks dump, and then consider the prior statement carefully. Also, as referenced here before, peruse The Privacy Rights Clearinghouse’s Chronology of Data Breaches. Determine your organization’s future, before the future determines it for you – with a breach.
Let’s consider your environment: You’ve secured it. Being that most breaches are due to human error and activity (sometimes deliberate intent to harm), you must have controlling and guiding policies firmly in place (along with their contribution to user education). Further, you must make timely updates to policy, based on changing conditions within the organization, and with-out: compliance to shifting regulatory burdens, board guidance, procurement of new lines of business, emerging liabilities – all manner of things.
As but one simple example of a CMS’s contribution to efficiency regarding policies, consider a recent lament I overheard: an HR department frequently updates a communications guide. Upon update, they phone or e-mail IT to advise them to update a portion of IT’s Acceptable Use Policy – which points to a section of HR’s Communications Policy, and even contains an extract. Someone has to do a cut-and-paste, and republish the policies. Conversely, any time IT updates any policy that feeds anyone else’s, the same thing goes on. It can be quite a complicated puzzle, this interlock and self-referencing of various organizational guidance and policy.
Here’s where a CMS can help: Just assign metadata/key fields, “pulls,” to sections of various policies. Instead of HR calling IT and advising to check Section 4.2c of the Communications Policy, for updated inclusion to the Acceptable Use Policy, you pull a trigger whereby the CMS surveys for any updated components that feed the AU Policy – and populates the policy with the update.
The CMS can have global triggers, as well as subordinate specific triggers, for all manner of interlocking updates and contributions, and automatic populating of updates to all associate-policies across the organization.
This is not to say that human oversight is no longer necessary: Systems make “mistakes” too. In addition to writing updated policy (and components) based on changing business and world conditions, an authority will always need to review and possibly edit policy after the CMS trigger-pull.
But if you’re doing this right, effort goes down, and all manner of staff is freed in addressing larger concerns based on requirements and needs – in this overall acceleration of business and change.
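The pull-and-trigger arrangement described above, as an added sketch that is not code from any particular CMS: sections carry a version, each pull remembers the version it last copied, and a trigger (global or per policy) refreshes stale extracts and queues the policy for human review. The class, method names and policy wording are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Pull:
    source: tuple      # (policy name, section number) being quoted
    seen_version: int  # source version the stored extract was copied from
    extract: str       # the copied text as it appears in the target policy


class PolicyStore:
    def __init__(self):
        self.sections = {}      # (policy, section) -> [version, text]
        self.pulls = {}         # target policy -> list of Pull
        self.review_queue = []  # targets awaiting an authority's sign-off

    def publish(self, policy, section, text):
        """Create or update a section and return its new version number."""
        version = self.sections.get((policy, section), [0, ""])[0] + 1
        self.sections[(policy, section)] = [version, text]
        return version

    def add_pull(self, target, policy, section):
        """Make the target policy quote a section of another policy."""
        version, text = self.sections[(policy, section)]
        self.pulls.setdefault(target, []).append(
            Pull((policy, section), version, text))

    def trigger(self, target=None):
        """Refresh stale extracts for one target, or for all when target is None."""
        targets = [target] if target else sorted(self.pulls)
        refreshed = []
        for name in targets:
            for pull in self.pulls.get(name, []):
                version, text = self.sections[pull.source]
                if version != pull.seen_version:
                    refreshed.append((name, pull.source, pull.seen_version, version))
                    pull.seen_version, pull.extract = version, text
                    if name not in self.review_queue:
                        self.review_queue.append(name)
        return refreshed

    def approve(self, target):
        """Record the human review that follows a trigger-pull."""
        self.review_queue.remove(target)

    def extracts(self, target):
        return [p.extract for p in self.pulls.get(target, [])]


def build_demo():
    """Constructed policies and wording, loosely following the HR/IT case above."""
    store = PolicyStore()
    store.publish("Communications Policy", "4.2c", "Use company e-mail for business.")
    store.publish("Records Policy", "2.1", "Keep records for seven years.")
    store.add_pull("Acceptable Use Policy", "Communications Policy", "4.2c")
    store.add_pull("Onboarding Guide", "Communications Policy", "4.2c")
    store.add_pull("Onboarding Guide", "Records Policy", "2.1")
    return store


if __name__ == "__main__":
    demo = build_demo()
    demo.publish("Communications Policy", "4.2c", "Use company e-mail; no auto-forwarding.")
    print(demo.trigger("Acceptable Use Policy"))  # specific trigger
    print(demo.trigger())                         # global trigger picks up the rest
    print(demo.review_queue)
```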
NP: Jacques Loussier – Allegro from Bach’s Concerto in F Minor (online, Jazz24.org)