Wow. I was reading an article in InformationWeek magazine: The Top 10 Security Challenges for 2010. I guess I’m slowing down: The article is from January 2nd. Ahem, however –
There’s a great, great, line in the article – I wish I’d written it, but I’m happy to source it: Speed may be Google’s most cherished goal, but it also increases the velocity of risk.
The “velocity of risk”! That is an incredible concept: Velocity’s definition comprises speed paired with direction. In other words, 35mph is an indication of speed. 35mph due North is velocity.
But, what is Velocity of Risk in an IT/business sense?
Well – risk now arises quickly, and comes from many directions: The cloud (internet apps and services), social networking sites such as facebook and MySpace (just recently suffering its own breach), business sites such as LinkedIn, real-time enablements like Twitter and chat agents… and on and on and on…. you get the idea.
So, we can see that risks stream toward us from many directions (sources), and risk speeds toward us (opens quickly) – in both the unmanaged (or poorly managed) environment; but also too often in the best, most carefully managed, environments. Unmanaged risk opens, and will ultimately deliver, incidents of directed harm in the form of malware, hacks, etc., and incidents of inadvertent harm (lack of centralized data/nightly backups, as one example).
A tenet from The Weave that we’ve hammered many times: In the realm of risk, unmanaged possibilities become probabilities. And quite naturally, an ongoing situation of probability will deliver in the course of time – it’s a guarantee: data breach, identity theft, corrupted data, applications crash… followed by costly recoveries… or – loss of business reputation and customer-faith.
When IT and Business converse across the table, be sure to discuss risk management, associated costs, and delivery of protections (ROI) in a specific context.
That context is Velocity of Risk.
NP: Rolling Stones: Metamorphosis. The opening track – the alternate take of “Out of Time” – is worth the price of admission. On vinyl. Next week, some NPs involving hardcore Blues on original 78 rpm.
Oh oh – here we go again. A Wall Street Journal investigation has found that the social networking site MySpace, in conjunction with popular applications on the site, has been sending crucial data to advertising companies. This data can be used to identify users – and I’d call this a breach of identity.
This report comes amid news that many employers are blocking access to sites such as MySpace, facebook, and even AOL. This comes at a time when social networking is becoming, or has already become, as ubiquitous as e-mail. Many work folks stay abreast of family and friend occurrences and commitments through these means, just as they do through e-mail.
Companies need to revisit Acceptable Use and Security Policies again. If you’re not covering and directing what people can do with organizational resources, to include social networking, you need to address that at once.
For some companies, facebook and MySpace, et al, represent opportunity for marketing and expansion of client bases, exposition of products, and sales. The authorized uses of social networking are obvious and can be easily documented in an Acceptable Use Policy. If your company is utilizing social networking in expanding business, you merely follow many of the same dictates for appropriate use of e-mail, for appropriate communications, etc.
However, in any Acceptable Use Policy’s three main sections (Required Activities; Forbidden Activities; and Limited Personal Use Activities), it is the “Limited Personal Use…” section that is trickiest. Here is where the organization attempts to be a “decent chap,” in making allowance for some of the mental snack time we all need; some idle web surfing, personal e-mailing, social networking perusal and update…
In other words, it’s tolerated, so long as
1) You don’t publish proprietary information
2) Shared resources aren’t tied up,
3) Inflammatory or illegal material isn’t published
4) Personal activity isn’t conducted under the impression that you’re operating in your official capacity
5) You don’t open security holes for breach
And so on and so forth.
MySpace is still around?? Be careful out there. :^ ) Also, you may wish to visit Social Networking and the Blended Environment.
NP: Band of Gypsys (Hendrix, Cox, Miles) on original vinyl. Naturally. (And yeah, it is “Gypsys” – but you knew that).
(Please see Parts I and II, below)
Well, as you may remember, I wrote a letter to Starbucks. After all, they want to hear my concerns (according to the website, “…We’re here to listen”).
However, 2+ weeks after the letter – nothin’. No call, no e-mail, no letter.
So, I asked “Helen,” the original barista to whom I had made the complaint.
“Hey Helen, were you guys informed that I had written a letter to Starbucks Corporate Headquarters?”
Helen (coyly): “Mayyyybeeeee….”
In the course of our short conversation, Helen informed me that “we’re discontinuing the practice” of counting money on the food-counter, in view of customers.
But, within 3 days, a barista was counting a huge pile of money on the same counter. When I asked about it, the store manager, Jackie, informed me that tips would not be counted there any longer, but money at the end of shift changes would be.
When I asked if there wasn’t an office in the back, Jackie told me there was a desk. Well, this would seem to be the natural place to do some accounting of money. But no – apparently, it is corporate policy that money is counted out in the customer area. Seems rather tactless, but what do I know?
Well, I know that large sums of money, over time, can inspire temptation and ultimately theft. It might be beneficial to keep a tenet from The Weave firmly in mind:
In the realm of risk, unmanaged possibilities become probabilities.
I spoke to the owner of several Tim Hortons coffee shops. He was incredulous: He said that the only time customers saw money was when TH made change in selling coffee and pastries, etc. Registers were emptied by whisking away the inside of cash drawers and replacing them with empty ones. That seems reasonable.
Imagine going into AutoZone, and they’re counting stacks of money on the counter in front of you. Or Sears. Or WalMart… or, anywhere else.
Starbucks’ practice is a temptation for sure. Counting stacks of money in customer view can embolden a thief, who may don a mask and time a return trip. In my case, I witnessed a large stack of money totally unattended for a lengthy period of time. Technology (cameras) notwithstanding, it remains poor business practice.
And that is my point in wrapping this series. I’d welcome your comments.
NP (now playing): Jethro Tull, War Child.
Here is my letter to Starbucks Corporate Headquarters. In a day or so I’ll post Part III – what follows the letter below was a bit surprising to me. Customer service, and general communication, is not what it used to be. I suppose we all know that, but I was still a little surprised at the broken process and ultimate result of my contact with Starbucks:
September 7, 2010
Starbucks Customer Relations
PO Box 3717
Seattle, WA 98124-3717
Dear Sir or Madam:
I wish to make you aware of what I believe to be an ongoing bad-business practice at one of your shops. It concerns the [address] location.
I do most of my work at Starbucks: I am a book author, writer (paid technical blogger), and IT consultant by profession. I am a steady customer: Some weeks, I am there working every day; other weeks minimally three times.
I have professional standing for both a complaint, and positive suggestion, that I’d like to make. (You may review my standing by Googling The Business-Technology Weave). Absent treatment of this complaint, I will have to find another location for my business writing. I do not wish to do that.
This past Sunday, September 5th, I was using my laptop, writing my latest article for my blog, when I noticed a large pile of cash on the counter (to one side of the food display, opposite the cash registers). The pile was about 6 inches high – there was also quite a bit of change on the counter. The money was attended only sporadically, when a barista performed some measure of counting. In the course of my several hours of work, the money was there, and primarily unattended – I believe there was a period of at least an hour where no one touched the money at all.
I have noticed this situation several times in the past and a thought occurred to me: It would be easy enough for someone else to notice the situation, and time a return trip from the restroom, swipe up the cash, and exit the store. (In fact, given the regularity that money is unattended on this counter, someone could build courage over the course of weeks, and time a theft). I was the only customer seated in the back on this day, and when I left, the money was still there – making a theft even easier. There were three baristas (that I noticed) on duty, and most frequently they were bunched toward the front of the store, near the drive up window and the cash register opposite.
When I’m writing, I’m focused on my laptop largely to the exclusion of my surroundings. Thus, if the money disappeared, suspicion would fall on whomever was seated toward the back of the store: On this day, me. I decided to speak to a barista about it. I chose someone I know fairly well and that I speak to often.
Our conversation was as follows, and I assure you this is very nearly verbatim:
“Hey, Helen; may I make a kind suggestion?”
The barista answered “What?”
I said, “This pile of money makes me uncomfortable; no one is watching it. Would you be able to…”
I was interrupted, “Dave, I’ve been extremely busy.” The response was snappish.
I said, “But if someone was to breeze by and snatch this, I or anyone sitting back here alone would naturally be under suspicion. This situation makes me very uncomfortable.”
The answer was very curt, “I will take that under advisement,” and the person turned away – leaving the money yet unattended.
I left the store about 10 minutes later, and the money was still there. The baristas were again bunched at the front of the inside counter area, toward the drive up window. No one was even facing the pile of money, about 20 feet away. I don’t think there was even a direct line of sight to it.
If common and, perhaps, corporate sense is violated concerning the day’s profits, it leads a reasonable person to wonder what other violations may be transpiring at the store. Frankly, money is dirty and I’ve seen food and drink mixes prepared at the same counter that the money was directly on.
Please, it is not my intention to get the barista in trouble and that is why I do not mention the name, or even gender, of the person. I enjoy talking with, and the service from, Helen, Janice, Sally, Tim, Jerrold, Sharon, Martha and the other personnel at the store; I also know several other customers and enjoy the atmosphere. My letter is sent so that the manager of the store – Jackie (who was not there on the 5th) – can train staff to a better level of standard regarding simple business security. Perhaps the manager herself needs training.
I’m not privy to Starbucks standard business practices, but is there no office in the back in which to count money? Is there not, at the very least, a table? Certainly there must be a private area, away from general public traffic, for the handling of large sums of money? That would be my first suggestion – and one that comports with common business advisement and secure practices.
Lastly, if a customer makes a good-faith suggestion, in the kindest of tones, service personnel should listen and at least be courteous. A snappish response was a surprise to me.
Clients pay me to advise them regarding security. My counsel: In the realm of risk, unmanaged possibilities become probabilities.
For the [store name] Starbucks, there already exists risk – of theft. It is certainly a possibility that someone can take the money – totally unobserved. Given the unmanaged possibility, I believe the risk of theft is too high for sloppy handling of money at this store. Given the economy and unemployment, the sight of money is too large a temptation. Large sums of unattended money also puts customers at risk. This practice is witless.
If for some reason you believe the practices at this store to be proper, or if you determine that my concerns are off-target or my observations of the 5th inaccurate, then I need to know that so that I can make a couple decisions. Otherwise, I’d like to know what is being done to address the problem at this store.
Thank you for taking the time to listen to my concerns regarding the [store name] Starbucks store.
I.T. Wars: Managing the Business-Technology Weave in the New Millennium
Blog: The Business-Technology Weave
[phone number] (mobile)
October 24th: On this day in 1836 the match was patented.
I’ve stumbled on something rather disturbing regarding Starbucks’ business practices. First, let me say that Starbucks is not a client of mine: Therefore, I’m free to speak without fear of divulging any client confidentialities – I would never speak about clients here anyway, without express permission, and an identified reason.
Also, my recent observations and engagements with Starbucks are from a purely business point-of-view on my part. There is nothing personal here, and I harbor no animosity against Starbucks – in spite of some rather interesting customer engagements I experienced. I merely observed an ongoing bad business practice, and expressed some polite concern.
Let me now set the stage (all names have been changed, save mine):
As readers (hopefully) know, I’m a big proponent of security in business and data environments. It would be difficult for any of us business and IT pros not to be – hardly a news bulletin.
Security not only includes computer systems and associated content (central and dispersed), but physical security aspects as well. In fact, the protection of business and all associated assets includes manifestly physical protections: Locked rooms, sign-in and sign-out logs, locked safes and cabinets, careful handling of money, appropriate accounting of money, and so on.
In protecting a business, we also must recognize that customers and staff are also assets, and best business practices are central to protecting those people. Physical business security promotes safety and ongoing surety.
Any security should also harbor a basic, rather simple, concept: We shouldn’t tempt thieves. We don’t want to make ourselves a target. Therefore we don’t “front” certain light, transportable, easily carried and hidden assets. Like money.
Well… most of us don’t.
A few weeks ago, this writer was laboring mightily on behalf of this blog when I noticed something peculiar: There was a large stack of money on a counter. A pile of bills. Unattended. It was at least 6 inches high. Further, it was on the counter next to the food and drink display case, and this counter itself is used to prepare food and drink.
I’m no prude, but my first thought was: Money is dirty. It is generally kept well-clear of surfaces where food is handled. Starbucks uses plates, of course, but still… I approached the counter and spoke to the nearest barista (Starbucks’ preferred term for their customer service folks, for the uninitiated). Very politely I said, “Hey Helen, there’s a big stack of money here…”. I was about to continue that it made me uncomfortable, but Helen snapped, “Dave, I’ve been extremely busy.” I understand being busy, so I merely continued, “Well, it makes me uncomfortable to see it here unattended…”. I was informed that this is where the money was always counted. (This, despite a desk and computer in the back, where I would presume the accounting information would eventually be entered…).
I very politely asked to speak to the manager, “Jackie.” I was told that she was in the Bahamas. I returned to my work. But presently, with the money remaining on the counter for over an hour (and still there upon my departure), I decided to make contact with Starbucks corporate headquarters. Under the Customer Service tab on the website, I was heartened to see that they’re “here to listen” and that they want me to enjoy my trip to Starbucks every time I visit the store. They provided a physical address: Starbucks Customer Relations, P.O. Box 3717, Seattle, WA 98124-3717.
I wrote a very nice letter. I will post the letter tomorrow, and then pick up this series with Part II, and Part III, where I’ll detail Starbucks’ subsequent interactions with me, and what they told me about the handling of money vis-à-vis business security. There are also a number of other violations of standards as indicated in The Weave, and general common sense business-dictates. I’ll detail those too – there are some great lessons…
You won’t want to miss the discussion of their business posture.
October 22nd: On this day in 1746, Princeton University (NJ) received its charter.
How does the biggest social networking site suffer a data breach?
Breaches are so mundane, and I expect better from facebook: I mean, I rely on banks, universities, government agencies, restaurants, etc.… for breach of data. (Cheesecake Factory, anyone?!? Gosh, how’d you like to be on the same level of security as the Cheesecake Factory?).
Once again, I refer you to the Privacy Rights Clearinghouse’s Chronology of Data Breaches for a little perspective.
But facebook? C’mon. You do almost nothing but handle personal details of people. You don’t have much additional challenge – it’s not like you’re balancing our bank accounts, handling sophisticated things like mortgages or something. For that matter, you don’t even have to serve cheesecake. It’s all about sending “winks,” or “pokes,” saying “hello” and slamming teachers, or something like that (so they tell me).
I just noticed something else: facebook is not FaceBook. It’s all lower case. Hmmm. Anyway, just so you know it’s not me that’s driving literacy and solid writing skills down. And – in the interest of full disclosure – I do have a facebook account.
But you know, I can empathize with facebook: Good help is hard to find. Maybe they just don’t have the staff, with the right chops, to keep things secure in a world of “hacktivists” and other ne’er-do-wells.
Which gets me to thinking: I experienced something at Starbucks the other day that was quite surprising. Very surprising. It was what I consider to be a total breach of common sense, sound business practice, and security.
I’ll have a three-part series beginning with my next post, along with a nice letter I sent to their corporate headquarters (After all, Starbucks says right there on their corporate website: “We want to hear from you”).
Until then – stay safe.
October 18th: On this day in 1892, the first commercial long-distance phone line opened, Chicago to New York (and that, my friends, was a milestone in the business-technology weave).
Last time, in Pt. 1 below, I was talking about local businesses (local to me), and a few I consult with out-of-town, lamenting the fact that they were having difficulty finding solid people. This comprises just about all disciplines, whether they’re staffing their Finance and Accounting departments, Sales and Marketing, Retail Sales, Customer Service, production lines, general administrative support, and so on and so forth.
However, when it comes to IT it’s a problem on steroids, apparently. I’ve heard a number of disquieting stories: Network Managers who slide on nightly backups (unheard of in my day, unless it resulted in a firing), programmers who fail to meet critical deadlines for new empiricals (such as price changes, rate changes, incorporation of new data points, etc.), business analysts who fail to analyze, and (the real bellwether of organizational health) even HelpDesk personnel who fail to answer service calls with requisite regularity.
Further, there is a dearth of quality in the outside agencies that any organization relies on: value added remarketers (VARs); solutions-partners, contractors – even regulatory oversight agencies. Consider what’s now going on in the housing market, and the allied foreclosure situation. We’re suffering through a foreclosure-freeze due to bank paperwork that fails to meet some sort of measure. Of course, one could suppose it’s nice that some folks get to remain in their houses a little longer, but the chief problem here is that banks not only don’t get their mortgage payments – they don’t get the asset (the house) either. Further, when the foreclosures ultimately proceed (and they will – estimated to be in the Spring), the dump of houses onto the market will really tank things.
But I digress. Consider: It doesn’t get any more regulatory-dependent, oversight-dependent, details-dependent than a bank, does it? Who are we hiring, to what standards, and who the heck are we graduating to fill critical positions?… Details, details, details. It’s always those pesky details.
However, and as promised at the end of Pt. I, I have a few ideas for improvement to the situation.
First, a question: You know that feeling you get when you encounter an organization that “gets it”? Solid customer service thrust… a sound business footing… attention to detail… things done right, right on time. A certain excellence in every touch you have with that organization. And, a very certain uniformity: Everyone knows what they’re doing, why – and enjoys doing it.
That engenders a very good feeling.
That’s my encounter and feeling regarding my local Business Incubator. If you don’t know what a “business incubator” is, let me explain. It’s a program and a space to improve the chances for new, entrepreneurial, businesses’ success upon startup, to enhance their chances for staying in business, and to help enable their growth. There is collective community benefit as successful startups grow; employing more people, and bringing positive impact to their region through vigorous and natural stimulation of the local economy. Success begets success.
According to some sources, 87% of Incubator “graduates” stay in business.
As Incubator candidates must apply and qualify for admission, and because they benefit from advice and ongoing counsel from qualified business leaders and professional staff, you find allied excellence in these startups. Their ideas, solutions, goods, services, and ethics harbor qualities that match the Incubator itself.
I would suggest that established and successful businesses, as well as individuals, might get to know their Business Incubators, and rake them for any startups that might deliver the very services you’re looking for – to the measure of your needs and standards, and likely at a very favorable cost. Google “Business Incubator” in your town to get started.
Another suggestion as follow-on to that last post: Professional associations of various stripes abound, but a nice one to examine is the Association of Information Technology Professionals (AITP). Locally, I’m working to bring students into my AITP in realizing fresh actualizations and relationships for everyone’s benefit, including my own. Not just IT students: Obviously, we need all manner of business students too – in tightening and freshening the general Business-Technology Weave.
Students who are otherwise knowledgeable often don’t know about groups like these. I’m on the hunt for the brightest and most motivated – they deserve a place to learn, grow, and as importantly, contribute.
Well, those are a couple of my suggestions and ideas. I’d like to hear yours. What can we do to ensure a qualified candidate pool for all disciplines associated with The Business-Technology Weave?
I think it’s time to get imaginative…
October 15th: On this day in 1951, the television show “I Love Lucy” debuted on CBS television.
Way back in my youth, I was enamored of qualification by way of “rubber meets the road” experience. I was a lack-luster student and formal education was a bit of a challenge for me, so I was convinced that formal education didn’t need to be too heavily weighted in establishing a nice foundation of knowledge, paired with experience.
At one point, someone told me that I was “anti-education.” Not so… not even then. I waz educated gooder than most any body around me. (Ok, that was a little obvious, but if I made just one person laugh today, it was worth it).
However, many miles down the road, well-educated and well-qualified (I hope), I am now starting to notice something around me: A difficulty in finding talented, educated, qualified, IT folks. People possessing good judgment paired with sound skills. I can’t afford to be picky regarding the ratio of education vis-à-vis actual experience: Just send me someone who can do the job.
A campus of a major university where I’ve been doing some IT consulting doesn’t even have an IT program. That’s very disappointing.
And now, an Obama administration official has gone on record as saying that unemployment is exacerbated by people’s lack of education and skills. My own political leanings might normally have me countering someone like this person: However, I think she has a point. In my local surroundings, I’m hearing innumerable business leaders lament the dismal talent pool. I don’t have a formal survey or empirical figures, but it’s not their imagination, nor mine. Things are changing, and not for the better.
How do you feel about it? What are the challenges for you in an increasingly technical environment – for both business and IT?
I have a few ideas for improvement which I’ll share over the next few days…
October 9th: On this day in 1930, Laura Ingalls becomes the first woman to complete a transcontinental flight.
Well, here’s a twist to security. It seems a law firm, specifically ACS:Law, was targeting certain owners of internet accounts. These accounts were alleged to have accessed and downloaded music and videos that are copyrighted. ACS:Law sought compensation from the owners for remuneration to clients, with ACS:Law keeping up to a third of the payments.
But ACS:Law has its own problems now…
Some of the folks targeted claimed to be innocent – and indeed, it is possible for nefarious online entities to hijack any of our IP addresses. Thus, it can look like a hijacked party is the perpetrator of illegal file sharing, when indeed they are not.
But it seems “hacktivists,” unhappy with ACS:Law’s activity, have attacked their servers, first creating a denial-of-service situation, and subsequently exposing over 13,000 records containing sensitive personal information of the folks targeted: names, addresses, internet activity (yikes), and – in cases where people paid up – bank details.
ACS:Law now faces its own huge fine. And of course, if it is found that they targeted innocent users indiscriminately, that is going to present huge problems of credibility and common business sense.
The lesson? Whether you’re a company mounting action against others (or on behalf of others, for that matter) – or you’re an individual traipsing across the ‘net, enjoying your day – be very careful in what you do, how you do it, and in the actions you take.
Stay safe out there…
October 8th: On this day in 1860, the telegraph line between Los Angeles and San Francisco opened.
It’s being reported that state budgets, increasingly in the red, are impacting cybersecurity – and not in a good way, as you may have suspected.
A NASCIO/Deloitte survey finds that many Chief Information Security Officers are reporting increased reliance on outsourced services – with a resultant difficulty in securing state data environments and associated content, including personal information.
However, the problem is not funding alone: Some of this risk is being engendered by an associated lack of control as experienced by these CISOs: A lack of “visibility and authority to effectively drive security down to the individual agency level” according to Deloitte.
There is something that CISOs can do, in the absence of their ability or direct authority in leveraging security – we’ll get to that. But first, in my own fact-finding and consulting, I’ve discovered something rather interesting: Most organizations’ Acceptable Use policies have a security hole (You may wish to visit, or revisit, “Check Your Acceptable Use Policy: Is this missing?”). They do not make mention of social networking liabilities; after all, many people avail themselves of social networking from organizational resources (workstations, connectivity, company time, etc.). It is definitely inappropriate and counter to any AU policy to make damaging remarks on company time, but personnel should understand that doing that at any time is counter to their good standing – work problems and conflicts have sanctioned channels for disposition: supervisory, supervisory chain, and Human Resources. ALSO: Ensure personnel understand not to post egregious material elsewhere: Comments to blogs, news articles, professional sites such as LinkedIn, Monster, and entertainment areas such as YouTube, and so on. It’s a Wild (Cyber) World out there – move abreast of and ahead of potentials.
Further, there is no “Watch what you do in the name of our domain” type of warning in any of these policies I’ve looked at. In other words, don’t post internal proprietary information, inflammatory opinions, rants, etc., under the aegis of JohnQPublic@OurCompanyName.com. (Check “Social Networking and the Blended Environment: What is Being Done in the Name of Your Domain?”).
There is an alarming number of policies that don’t even address data’s portability, with associated best practices for securing that data against loss: portable drives, flash drives, CDs, laptops – even the carrying of official data on personal phones, etc!
Perhaps the biggest liability: Absence of a User Agreement form at the end of these policies. The form should indicate that personnel a) understand the policy, b) agree to adhere to the policy, and c) are willing to sign their name, indicating understanding and intention of complying. As importantly, this forces an opportunity to ask questions so as to be fully informed and qualified to at least know how to adhere to policy: Expectations and requirements are fully understood by a fully educated and informed employee, contractor, outside solutions partner, value-added remarketer, etc.
Back to those CISOs that are feeling vulnerable and what they can do: They should get the ear of their governance. Establish a protocol: Everyone should read and sign an AU policy, and any other cautionary/controlling policies as appropriate, in ensuring a united security front. A regularized schedule of training should also be considered, for necessary updates to security awareness and practices.
One area that many organizations may wish to check today: Call your insurer. Data breaches are estimated to cost many organizations between $100 and $180 per record. Ask about protections should your organization suffer a data breach, with resultant lawsuits and loss to the business. Make sure you understand your organization’s obligation under relevant policies so as to be qualified for reimbursement should you ever file a claim. Recognize, too, that money you consider spending on an insurance plan might be better directed toward security itself. Today’s organizations must qualify themselves for evolving practices and discussions.
But first priority, and as stated before: Most organizations enjoy security as a matter of luck; everyone must be a mini-security officer these days. Evaluate every action and activity through security’s prism.
September 30th: On this day in 1960, The Flintstones premieres. It is the first prime-time animated show.