Are you tired of the phrase “perfect storm”?

Me too. But tired or not, one is hitting IT right now. Several interconnected trends are affecting the business world in ways that will … and should … radically redefine IT’s role. Among them:

Cloud 3.0

Cloud 1.0 was playing with cheap or free stuff, notably but not limited to Amazon Web Services. Because Cloud 1.0 services were cheap or free, the IT pundit class concluded Cloud computing was going to be dramatically more economical than owned infrastructure.

Cloud 2.0 consists of (present tense because it’s going strong) important but standalone systems. Salesforce is an example. While Salesforce is integratable, most Salesforce implementations were and are standalone “islands of automation” to use a quaint phrase from a bygone era. Cloud 2.0 wasn’t/isn’t cheap or free.

Cloud 3.0 is serious enterprise-class computing that makes use of Cloud services and architecture. By serious, I mean it has the same characteristics as projects IT is accustomed to dealing with. Cloud 3.0 provides systems that are integrated into the rest of the applications and information portfolio; they make use of the enterprise directory service for identity management; and they’re subjected to the same rigorous software quality assurance and change control protocols as systems that run on owned infrastructure.

IT could ignore Cloud 1.0 and Cloud 2.0. Cloud 3.0? IT will be neck-deep in Cloud 3.0 projects whether it takes the lead or is dragged into them, kicking and screaming.

Shadow IT

Shadow IT isn’t so much a second, separate trend as it is the flip side of the Cloud coin.

Gartner has famously predicted that by 2017, marketing departments will have bigger IT budgets than IT departments, and marketing isn’t the only department outside IT that buys information technology independently. Sales is an obvious example, routinely signing contracts with Salesforce.com without asking IT’s permission first (see Cloud 2.0, above).

Here’s what’s rarely mentioned: Companies have invested large amounts of time, effort, and political capital developing IT governance processes. Depending on who you ask and after how much beer, this is either because companies want to gain maximum business advantage from their investments in information technology, or because business executives don’t trust IT to do anything other than play with the latest and greatest shiny ball unless the rest of the business supervises it closely.

So here’s the question: Given that Marketing doesn’t, in most companies, have a strong reputation for tight cost discipline, does anyone really think CEOs are going to give Marketing, or any other department for that matter, a free rein when it comes to its non-IT IT spending?

Me neither.

The digital enterprise

Okay, okay. Yes, this is one of those so-visionary-it-might-be-hallucination buzzphrases. Except that, shorn of its buzzphrasey trendiness, there’s a lot of current reality behind it. In particular, there’s the rise of smart products that don’t keep their smarts to themselves — products that constantly collect data and communicate it to what I sure hope we soon stop calling “big data” repositories through what I hope even more we stop calling “the Internet of things.”

From IT’s perspective, this is a big, big deal, because …

Back in the day, most companies that sold technology products kept internal IT and product-development IT separate. Merge them and either the company would soon consist of nothing but cobbler’s children as product development sucked all of the priority out of internal support projects, or products would become second-rate as internal priorities had the opposite impact.

That worked when product IT and internal IT had no technological point of contact.

But smart products that send data to internal databases for use in customer support and marketing analytics are seriously smudging the line separating internal and external IT.

Politically, CIOs might win biggest by sitting this dance out, watching product development, marketing, and customer service duke it out in the silo wars, then riding in as the white knight that can pull it all together. After all, most business executives value solutions much more than they value prevention.

Another reason to wait on the sidelines: The most obvious organizational solution for all this — a dramatic expansion of central IT — would look like empire building should you propose it.

But waiting on the sidelines is the opposite of leadership.

Fortunately, there’s a better solution. Unfortunately, we’re out of space for this week.

So stay tuned.

* * *

Six years ago I published one of the most important columns I ever wrote — “The portal,” describing a better way to think about personal computers, although if I wrote it today I’d add tablets and smartphones.

And eighteen years ago, in InfoWorld’s “IS Survival Guide,” I took my first shot at the difference between productivity and effectiveness.

More thoughts triggered by Target, because I can’t resist:

Just because they’re the bad guys, that doesn’t mean we have nothing to learn from them.

For example, hackers have a more modern management structure than most corporations, which is one reason they have no trouble staying a step ahead.

Most people think “management structure” means the organizational chart. They aren’t exactly wrong. They’re just looking in the wrong direction.

The organizational chart describes how the work of the corporation has been delegated. It starts with the CEO, who’s accountable for everything. The next layer, called the Executive Leadership Team or something like it (and it’s rarely a “team” in the sense of its members truly trusting each other and being aligned to a common purpose, but I’ll let it go) … where was I? Oh, yes, the ELT. Each member is accountable for a slice of the organization’s work. In theory, and it’s a bad theory because it’s always wrong, they each have their own, mutually exclusive partition. Add them up and you have the company as a whole.

It’s a bad theory because the organizational chart also describes decision-making authority, because as we all know, you’re supposed to match authority and responsibility.

Except you can’t, because so many important decisions cross organizational boundaries no matter how you design the org chart (“Hierarchy is dead. Long live hierarchy,” KJR, 6/15/2009).

Which is why leaders should encourage anyone to collaborate with anyone else, no matter where they sit or who they report to, to figure out whatever needs figuring out that day and to reach a reasonable decision no matter which parts of the organizational chart are supposed to have authority.

This is how you keep the organizational chart from turning into a bunch of warring siloes.

The community of data thieves is organized more or less like this. It’s a bunch of autonomous actors who collaborate when it’s useful and convenient. They more or less trust each other, and are aligned to a common purpose … intrusion and theft.

Maybe loose aggregation vs hierarchy is the inevitable difference between organizing for offense and organizing for defense. So never mind information security. Businesses as a whole should be organized to play offense, which means traditional CEOs — those who prefer hierarchical decision-making at least — have something to learn from the data thieves.

Your vendors are you

In case you haven’t been paying attention, Target’s problems seem to have started with a phishing attack on one of Target’s vendors — one that provides refrigeration units to its supermarket section. The phishing attack gave the data thieves login credentials to a Target vendor portal.

First thought: We don’t know how a vendor portal could have provided access to the rest of Target’s network. Seems to me, limiting a portal’s access to the rest of the network to a small set of predefined transactions shouldn’t be all that difficult, but as I continue to emphasize, I’m not an infosec specialist.

Second thought: Electronic Data Interchange (EDI) is more secure than vendor portals. Want vendors to invoice you electronically? Have them deposit electronic invoices on a server that’s disconnected from the rest of your network. Disconnect it from the Internet before importing the invoices.

Third thought: The vendor in question’s primary line of defense against Trojan horses and phishing attacks was the freeware version of Malwarebytes, a product that doesn’t provide protection against Trojan horses and phishing attacks. Click the link for details.

You’re Target. You have lots of vendors. You can’t perform an information security audit on all of them. For the minor ones, like your refrigeration vendor, you publish your requirements and trust your vendors to respond honestly on your surveys. What else can you afford to do?

At the risk of dancing beyond my bounds of expertise, a thought:

  • Right now, phishing attacks and Trojan horses are the greatest infosec threats.
  • Insider threats — disgruntled, careless, and former employees, both yours and those of your vendors, contractors, consultants and outsourcers who have access to your internal systems — pose bigger risks than outsiders.
  • The bad guys have no trouble flooding your employees and your vendors’ employees with phishing attacks.
  • Do it first.

I’m not suggesting you try to get employees’ on-line banking login credentials, profitable though that might be. I’m suggesting you emulate a phishing attack that tries to get vendor and employee login credentials to your own systems.

White hat phishing isn’t a new idea. Usually, it’s used to discover internal vulnerabilities.

But in 2014, as businesses increasingly source externally with portals aplenty, the distinction between inside and outside has become quite blurry.

Intruders are phishing your vendors all the time.

If you can’t beat ’em, join ’em.

* * *

Two years ago in KJR, some thoughts about the world being less than entirely flat, courtesy of a trip to Morocco, in “The world is bumpy.”

Hard to choose this week, too — lots of past columns tempted me. I couldn’t even live with just one runner-up.

And so, from 2001, advice for newly hired managers on “Dealing with rivals” that wouldn’t change a bit if I were to write it today.

And from 2006 some “IT leadership musings” that wouldn’t change if I wrote them next week.