The Business-Technology Weave » BIT

Crucial Considerations when Going Mobile, Pt. IV – Security

David Scott — Fri, 31 Aug 2012 20:38:34 +0000

Security is of prime concern in the mobile environment.

IT security in any realm involves logical security and physical security. Logical security is the integrity of data (content), precision of associated processing, and the delivery of coherent, accurate, content. In other words, data that reflects reality; data that does not mislead or distort various actuals by virtue of distortion/errors of input, process, and output.

Physical security is such things as locked doors on computer rooms. It’s the safety and surety of infrastructure; protection against overheating, for example. Physical security is often mundane; don’t set your coffee on a server, for example.

Mobile is especially vulnerable within the realm of physical security. Devices are constantly transported, their owners on the go, and they can be lost or stolen. Ensure that users make immediate reportage of loss or theft. Consider strong encryption, as any content risks exposure.

As to logical security, determine whether users access organizational resources via a virtual-private-network (VPN), or the internet. Also, ensure strong malware protections are emplaced on devices.

In BYOD environments, that last is especially important: It’s hard to know where users will be surfing, and what manner of personal downloads will be transpiring. Regularized scanning for viruses, malware, and unauthorized intrusions is imperative.

BIT: The Business Implementation Team

David Scott — Wed, 09 Feb 2011 14:21:50 +0000

I was having a discussion the other day about organizations and efforts in piloting their way effectively into the future.

Some organizations struggle their way forward and others do it with relative aplomb. The latter not only see to the horizon (with a fair measure of accuracy), they see just beyond the scroll of the horizon: They have people willing to survey the future in harboring a vision… and in making business use of that vision.

Regardless, it is challenging for all; challenge is good and this particular challenge (futures planning) should bring out, and be matched by, our best. No organization should blink in the harsh glare of an impending unfriendly future, due to lack of foresight, planning, and activity – but many do.

Consider high-profile examples: How did MySpace lose dominance in the social media environment to the “upstart” Facebook? How did AOL totally miss the boat regarding the modern social media revolution? (AOL’s largest block of revenue still comes from dial-up subscribers. Oops. Not exactly a plan for longevity).

We’ve discussed BIT before: a team comprising individual business stakeholders who are qualified to discuss the stakes both by virtue of their standing in the organization, and by virtue of their interest and willingness to pedal fast enough to discuss IT on a business basis. Those business folks are matched by IT counterparts who bring common dialog to the table; they lose the junk terms, arcane language, acronyms the business audience doesn’t know – and thus they engage effectively.

In leveraging BIT, however, it is possible to debut important concepts and agree to a “dictionary of terms” for purpose of efficient engagement and discussion. A great example is “RFE.”

RFE is Responsible Forward Edge. Organizations sometimes ask me, “Should we be on a leading edge? Bleeding edge? A prudent lagging edge, to see what works for others?” They want to know when to invest; when to assess new systems; when and what to procure; when to implement enhancements, and so on – and how best to make qualified judgments, with resultant prudent activity, for best business.

I tell them to find their RFE, specifically tuned to:

1) Their budget.

2) Their market challenges:

a. Obligation in serving clients, customers…

b. Pressure from competitors.

c. Overall expectations, given the general level of society’s advance…

3) The capacity of their employees to handle change.

4) The capacity of the senior executive class (and boards, oversight, etc.) to handle change…

a. They must have a measure of understanding technical change and reasons for it.

b. They must sponsor change.

c. They must then support it through the inevitable challenges.

5) Detail some of your own – specific to your organization.

Branding and making powerful shorthand of RFE creates very efficient discussion in the BIT group. And that is but one example. I’ve detailed BIT and what it can do for the organization in I.T. Wars – but you’ll have your own ideas.

Remember: BIT is not a rolling close-steer of specific projects (although BIT should touch those). BIT is a high-level piloting of the organization’s direction in view of evolving, best, technical supports; BIT anticipates and tracks the inevitable “what’s coming next.”

BIT opens the view to the possibilities, and hands off assessments to specific leaders who make the ongoing selection of products; those who engage the vendors and value-added-remarketers (VARs), in sustaining the organization through implementations and enablements – whether that’s a new mission-critical core business system, or a flock of new printers.

Some orgs decry “yet another meeting!” Make BIT annual, or semi-annual, or quarterly… see what happens and where it goes – judge its tune, size, and effectiveness. Also, look for a regularized meeting you can eliminate to free some time. I’ve seen “glad-handing” stuff on the calendar that, while important, can definitely go in making space for something as important as BIT.

And, you can glad-hand at the end of each meeting as you pilot your way into a future that the organization determines:

Define your future – before the future defines you.

NP: Van Cliburn, Rachmaninoff Concerto No. 3, Kiril Kondrashin conducting (Carnegie Hall, May 19, 1958). Original Red Seal RCA Victor LP, LM-2355.

An IT Deficit

David Scott — Tue, 27 Apr 2010 19:02:39 +0000

A couple articles ago, I talked about a business deficit. It’s only fair we consider one on the other side of the line.

Let’s look at a common mistake on IT’s part. How many organizations have a requirement for “centralized” data, yet have full knowledge that users – the business community – are storing data on local (c:, etc.) computer drives or on desktops? Even the most sophisticated organizations, and the most tightly controlled environments, have this condition. This goes on even in organizations where it violates a document retention and content management policy – policies that are often imposed or required by outside regulatory agencies, or other bodies (that is, boards, classes of customers/clients, and so on). Yet, if business members and leaders insist that it’s a necessary “work-around,” IT goes along. This can be a major mistake on IT’s part. Let’s leave the document retention/content management considerations aside for the moment, and look at the situation from a simple backup and recovery standpoint.

IT’s position in any organization should be that all data is secure: accessible according to authorization; safely and securely maintained in the technical environment; recoverable in the case of loss in the production environment through any reason. Too often, users are responsible for backing up their own local drives. This is wrong. If there is genuine business data that is not coming under the umbrella of IT’s backup domain, then that is a wrong situation and you cannot profess to have complete security. You are at risk. You can hash out in the BIT forum as to how to expose peripheral data, and how to manage it, secure it and back it up – at a minimum you must document exceptions to policy and put them on record. Many important caches and swaths of data have been lost by organizations because the central, qualified, authority for the safekeeping of data (IT) was unaware of it. So, there was no central authority guaranteeing its safekeeping under these circumstances.

Let’s look at one more area where IT is frequently remiss. Increasingly, organizations are responsible for anything and everything that happens within. We see where large judgments have been made in favor of employee plaintiffs who had complaints regarding offense and damages over electronic content containing porn, offensive jokes, illegal advocacy, and other inappropriate content. This is content that has long been defined as this kind of liability by courts. Remember too that just because some content may be “legal” in the broader sense, it can still violate your organization’s best interest. Should your organization’s data be subpoenaed, you wouldn’t want negative characterizations of business partners or critical evaluations of members made public, for example. Most organizations have policies to guard against inappropriate use of business resources and to explain the consequences of harboring improper content, but many don’t adequately reinforce the policy. Further, it’s apparent that a lot of IT departments haven’t picked up their responsibility, or perceived their own liability, in this area.

Let’s be clear: One thing you don’t want to have happen is that something blows up into an embarrassing exposure, with people asking how “IT” could have let inappropriate content broach your business-technology environment. For it is IT that implements spam-guards, monitors storage, and has the means (even if only under special permission by Business) to do a comprehensive review of data. The mechanics of, and the burden in, running a “clean” environment is IT’s. While it is true that Business must cooperate and contribute to a clean environment, and that this is reinforced by policies both Business (HR) and IT – no business person has the authority to look across the board at data and content on a regular basis. No business person is tasked to have knowledge superior to IT’s regarding best practice protections and best software solutions. This is a “behind the screen” faculty. If you’re an IT staff member, and your IT department is not comfortable in answering to your organization’s content, you need to get this into the BIT agenda quickly.

Next, we’ll discuss putting activity where it belongs.