A quick history of the United States:

If you’re running an IT organization, you’re probably coping and having a hard time doing it. IT has evolved from supporting core accounting, to all business functions, to PC-using autonomous end-users, to external, paying customers on the company’s website, to mobile apps, the company’s social media presence, its data warehouse, big-data storage and analytics … all while combating an increasingly sophisticated and well-funded community of cyber attackers.

What hasn’t evolved is IT’s operating model — a description of the IT organization’s various moving parts and how they’re supposed to come together so the company gets the information technology it needs.

Your average, everyday CIO is trying to keep everything together applying disco-era “best practices” to the age of All of the Above.

Defining a complete IT All-of-the-Above operating model is beyond this week’s ambitions. Let’s start with something easier — just the piece that deals with the ever-accelerating flow of new technologies IT really ought to know about before any of its business collaborators within the enterprise take notice.

We’ve seen this movie before. PCs hit the enterprise and IT had no idea what to do about them. So it ignored them, which was probably best, as PCs unleashed a torrent of creativity throughout the world of business (assuming, of course, that torrents can be put on leashes in the first place). Had IT insisted on applying its disco-age governance practices to PCs, all manner of newly automated business processes and practices would most probably still be managed using pencils and ledger sheets today.

Eventually, when PCs were sufficiently ubiquitous, IT got control of them, incorporating them into the enterprise technical architecture and developing the various administrative and security practices needed to keep the company’s various compliance enforcers happy, to the extent compliance enforcers are ever happy.

Then the World Wide Web made the Internet accessible to your average everyday corporate citizen, and IT had no idea what to do about it, either. So it did its best to ignore the web, resulting in another creativity torrent that had also presumably been subjected to IT’s leash laws.

It was a near point-for-point replay.

Now … make a list of every Digital and Gartner Hype Cycle technology you can think of, and ask yourself how IT has changed its operating model to prevent more ignore-and-coopt replays.

This is, it’s important to note, quite a different question from the ones that usually blindside CIOs: “What’s your x strategy?” where x is a specific currently hyped technology.

This is how most businesses and IT shops handle such things. But as COUNT(x) steadily increases, it’s understandable that your average CIO will acquire an increasingly bewildered visage, culminating in the entirely understandable decision to move the family to Vermont to grow cannabis in bulk while embracing a more bucolic lifestyle.

The view from here: Take a step back and solve the problem once instead of over and over. Establish a New Technologies Office. Its responsibilities:

  • Maintain a shortlist of promising new technologies — not promising in general, promising for your specific business.
  • Perform impact analyses for each shortlist technology and keep them current, taking into account your industry, marketplace and position in it, brand and customer communication strategy, products and product strategies, and so on. Include a forecast of when each technology will be ripe for use.
  • For each technology expected to be ripe within a year, develop an incubation and integration plan that includes first-business-use candidates and business cases, the logical IT (or, at times, non-IT) organizational home, and a TOWS impact analysis (threats, opportunities, weaknesses, strengths). Submit it to the project governance process.

Who should staff your new New Technologies Office? Make it for internal candidates only, and ask one question in your interviews: “What industry publications do you read on a regular basis?”

Qualified candidates will have an answer. Sadly, they’ll be in the minority. Most candidates don’t read.

They’re part of the problem you’re trying to solve.

I usually define “expert” as anyone who knows enough more about a subject than I do that I can at best barely understand what they’re telling me.

Regrettably, this means, through the miracle of recursion, that when I claim to be an expert that pretty much means I at best barely understand what I’m talking about.

And so it came to pass that regular correspondent Will Pearce, in response to last week’s KJR, and in particular my advice regarding key rotation (“Bob vs the cloud,” 6/4/2018), kindly commented, “It sounds like your information on password security is a bit old.”

It turns out NIST has revised its security guidelines. Its source document is, shall we say, information-dense (translation: you won’t be able to just skim it). Mr. Pearce suggested a more readable summary to accompany it (“Time to rethink mandatory password changes,” Lorrie Cranor, Federal Trade Commission Chief Technologist).

The very short version: Not only does frequent password expiration provide no additional security, but it’s often counterproductive: Faced with the need to change passwords on a regular basis, many users choose less secure keys, often easily guessed permutations of previous keys.

A bit of additional research revealed that the complementary practice of asking security questions for password recovery (“What is your mother’s maiden name?”) is pretty much pointless given how few secrets any of us have anymore and given our natural inclination to choose questions whose answers we’re most likely to remember later on (see “Google Study Shows Security Questions Aren’t All That Secure,” Frederic Lardinois, TechCrunch, 5/21/2015).

I wasn’t able to find a good source for the question of whether frequent administrative and cryptographic key rotation is still considered good practice.

All of this led me to reconsider my definition of “expert.” Seems to me an expert is someone who, faced with new evidence and logic, reconsiders their beliefs, opinions, and practices. In particular they use the new evidence and logic as a pry bar, to expose to themselves the hidden assumptions on which their current views are based.

Start with the average non-InfoSec specialist’s mental image of who we’re protecting ourselves from. Very likely it’s the standard Hollywood introvert-living-in-his-mother’s basement. But as the estimable Roger Grimes (among others) has pointed out from time to time, these days you’re actually defending yourself against state actors and organized crime syndicates. That puts a very different face on the threat.

As Roger also points out, in a thoroughly depressing article titled, “5 computer security facts that surprise most people,” (CSO, 12/5/2017), 99% of all exploits are “… due to unpatched software or a social engineering event where someone is tricked into installing something they shouldn’t.”

What this means to you: On a personal level you should keep your OS and applications updated. It appears the risk from installing bad patches is lower than the risk of failing to install the important ones.

And, you should take care to avoid falling victim to Trojans and phishing attacks. In particular, inspect any link in an email before clicking on it to make sure it makes sense. This isn’t at all hard. If you receive an email purporting to be from Amazon.com, roll over any links in the message to make sure they point to somethingorother.amazon.com/somethingelseorother. Or, ignore the links altogether and navigate to whatever it was that caught your interest.
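One way to make the “does this link make sense” test mechanical, as an added example that is not the column’s own code: a small Python helper (hypothetical names) that accepts a link only when its host is the expected domain or a true subdomain of it, so lookalike hosts that merely contain “amazon.com” are flagged. The sample links are constructed.

```python
from urllib.parse import urlsplit

# Hypothetical helper, added as an illustration of the "roll over the link" advice.
# A link passes only if its host is the expected domain or a labelled subdomain of
# it. Lookalikes such as "amazon.com.example.net" or "www.amazon.com@<ip>" must
# fail, which a naive "does the URL contain amazon.com" check would let through.
def link_matches_domain(url: str, expected_domain: str) -> bool:
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, etc. never make sense in a shop's email
    host = (parts.hostname or "").lower().rstrip(".")  # hostname drops user@ and :port
    expected = expected_domain.lower().rstrip(".")
    # Exact match, or host ends with ".<expected>"; never a bare substring match.
    return host == expected or host.endswith("." + expected)

def check_links(links, expected_domain):
    """Return a list of (url, ok) pairs for every link found in a message."""
    return [(u, link_matches_domain(u, expected_domain)) for u in links]

# Constructed sample links, as hovering over a message's links might reveal them.
SAMPLE_LINKS = [
    "https://www.amazon.com/gp/your-account/order-history",   # genuine
    "https://smile.amazon.com/",                               # genuine subdomain
    "https://amazon.com.account-verify.example/login",         # extra labels after amazon.com
    "https://www.amazon.com@203.0.113.5/login",                # userinfo trick; real host is the IP
    "http://amaz0n.com/",                                      # typosquat
    "https://notamazon.com/",                                  # substring, not a subdomain
]

if __name__ == "__main__":
    for url, ok in check_links(SAMPLE_LINKS, "amazon.com"):
        print("OK     " if ok else "SUSPECT", url)
```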

On the corporate side, other than the key rotation/password expiration issue, last week’s advice still holds, in particular the points about patch management and frequent white-hat phishing attacks used to educate employees about the same phishing attacks they need to be alert to at home.

And now, the moment you’ve been waiting for. Last week I mentioned my personal financial management software dilemma, and whether to acquiesce to the trends and use a cloud-based service. In the comments, Walt Etten was kind enough to endorse Moneydance, which, in exchange for a $49.99 license fee, stores data locally.

It’s a stark choice. On the one hand it appears there are several worthwhile free cloud-based alternatives (google “free personal financial management software”). On the other there’s Quicken or Moneydance.

It’s the classic dilemma: I can get what I want for fifty bucks, or I can come close to it for free.

It’s a tough, tough call.