Bring your own device (BYOD)

The 10 Danger Signs of a Failing IT Project – webinar on Oct. 30

Learn the red flags you should watch for in major IT projects.  I’ll share with you insights about identifying and responding to problems in management of IT projects.

Join me in this free one-hour webinar on October 30 at 10 AM Pacific time.

Register here

 

“Bring your own device” (BYOD) is the latest watchword in corporate IT.  For mid-sized companies and organizations, how should we think about mobile Apps?  Are we ready to embrace them?

Back in the good old days (before the iPhone, for example), companies only worried about laptops and their applications, and about lost BlackBerrys.  Applications did not change more than once every 3 to 6 months at the most frequent, so IT departments could spend a fair amount of time vetting the applications before deploying them for use at the office and away from the office.

Now, everyone has a smartphone and everyone wants to use one for access to the company’s databases.  This opens up a lot of security and usability issues.  Here are some of them:

SecurityCan unauthorized people get access to the databases?

PortabilityWill access from a smartphone compromise the effectiveness of the data because input is less reliable?

AccessibilityWill access from a smartphone make it difficult for the user to read or use the information?

Now that the Apps are in a small portable device, we have to worry about both old and new threats to security:

Spam – unwanted messages coming into our network

Phishing – malware injected into portable devices and crooks getting access to valuable data or login information

Data leaks – loss of valuable data by accident

Lost devices –  loss of the mobile device itself, together with its data and login information

Should I try to control the Apps?  The answer is yes and no.  Yes, make sure that you thoroughly test Apps that are to be used to access corporate data.   And no, don’t prevent people from downloading what works for them.  If and when you run into problems with a particular App, you can always ban its use.  Of course, this means that you should monitor which Apps are being used.

How can I avoid disaster?  Here are a few general principles:

Develop a list of trusted partners & suppliers for mobile Apps.  Also develop an in-house capability for testing and verification of operation (and problems).

Also develop a program of training for everyone who uses a mobile device for accessing corporate databases.  Make sure they understand the company policies about access and sharing of data.

Perform regular review of security policies and procedures.  The policies don’t have to be extensive, but they should be clear and enforceable.  Don’t try to enforce policies related to activities that you can’t monitor.

When introducing new capabilities, start by rolling out a new App on a small group first.  Monitor the new App more closely than you do for mature Apps, and make quick corrections when there are problems.

We are at the beginning of the mobile device era. PCs will have less and less influence on the future of IT interactions, while mobile devices will have more and more influence.  There is no way to stem this tide, so you may as well embrace the mobile devices and their Apps.

What do I need to know about mobile devices and social networks?

Mobile devices and social networks are the fastest-growing trends in today’s world of IT.  Even though most of us have a smart phone and may have a Facebook account, we may not have perspective on what’s happening inside the device & the network.  Here is a review of key things to know about mobile & social, and a list of security issues to think about.

Mobile devices

Smartphones are still telephones, they allow you to communicate by voice with people on other phones using the cellular telephone network.  The cell network covers most of the world, but not everywhere.  There will be places where you get “no signal.”

In addition, a smartphone is a complete personal computer, with all the complexity that this implies.  There is an operating system, a network data interface, and all of the application software (apps) that you have decided to run on the smartphone.

Your voice and your data may or may not be carried over the same network.  For example, when your smartphone is near a WiFi base station that it can connect to, your data will be sent and received using that WiFi path rather than the cell network.

Your basic phone subscription fee doesn’t include data transmission, so you’re paying extra to get data service for your phone.  And unless you’re very lucky, you don’t have unlimited data access.  If your data usage goes over a limit, you will pay extra.

The designers who made your smartphone have worked hard to overcome the constraints of the phone, compared with a PC:  the small size of the screen, the absence of a keyboard, and the need to maximize the battery life.  As a result, you’re learning to deal with the digital world using your fingers in a new way.

Extra security issues:

Your smartphone is connected to the cell network all the time. As long as it’s switched on, even when you’re not talking, it is communicating information about where you are back to the network every minute or less.

While you’re using data services of your smartphone, it may switch from a WiFi network to the cell network and back automatically.  This may have implications for how much you’re charged for data, particularly if you’re overseas.

Communications with WiFi networks may be vulnerable to being overheard by other devices and are not as secure as the voice network.

Everyone who uses a smartphone has a certain amount of personal usage.  After all, we all get personal phone calls, receive personal emails & text messages, and browse websites that are not business-related.  So if you’re concerned about employees using their company-provided smartphones for personal goals, quit worrying – they will.

Personal usage also includes music listening and video viewing which can load the data network greatly.  You may need to consider limiting the amount of bandwidth (data network usage) that people in your company use – at least while they’re connected through the cell network.

Your smartphone has a GPS device built in.  So it “knows” where you are all of the time.  In addition, the location information it has can be shared with any App running on the smartphone.  Make sure you want your location information to be shared in this manner.  If you don’t, change the settings on your phone to turn off the GPS location sharing.

Similarly, pay attention to the fact that the web browser on your smartphone keeps a browsing history.  This history may be visible to running Apps on the smartphone.

There are some new apps that have strong security boundaries (see, e.g., a new startup called kumoso.com).  Explore apps like these if you are concerned about the security of your communications.

Coming soon: ads & spam

Have you noticed that you’ve started receiving junk text messages?  I have, and I’m sure it won’t be long until we get spam in many forms on our phones.  Beyond emails, it will include text messages, unwanted pop-up ads in the browser, maybe even unwanted calendar items.

If you’re managing a corporate network of smartphones, you’ll need to add the mobile devices to your list of possible targets for spam and malware.  Get filters (software) that will help keep this stuff off of your mobile devices.

Social networks

Social networks, including Facebook, Twitter and LinkedIn, are now being used by nearly everyone who has either a PC or a smartphone.  There can be many advantages to using social networks, including:

having quick access to status information on your colleagues

posting short information to a large number of connected colleagues who need it (such as via Twitter)

connecting with new people using colleagues who are already in your network (such as through LinkedIn)

sharing articles and notes with people who may find it interesting and useful

Here are few things to consider as you indulge in social networks:

1. You have decided that your need for connectivity exceeds your need for privacy.  You actually want to hear from your friends & colleagues about what they’re up to, what they need, what they’ve done or read.  You don’t mind if what you share with them can be seen by anyone who cares to look you up or to Google your name.

2. You don’t mind that your history (what you’ve posted, poked, tweeted & connected to) is a public record.  Always assume that you cannot erase anything you’ve posted or tweeted.  The online record of social media is now a popular way for exploring vulnerabilities or skeletons in the closet of people who are lawsuit targets. Potential employers may search for your tweets to see what you’ve been saying before they offer you a job.

3. You don’t mind being open to well-targeted ads.  The more you share online, the more the advertisers have access to what you’ve expressed an interest in.  They will use this information to make their ads closely match your interests.

Summary of security issues

Be willing to receive all the incoming messages, texts and tweets that are in store for you.

Make sure you want the exposure in a public record of what you’ve shared with others.  Think before you tweet – this may be a permanent record.

 

New webinar series

October 30, 10 AM:  free one-hour webinar, “The 10 Danger Signs of a Failing IT Project

Register here: http://www.anymeeting.com/PIID=E158DD888848

November 13, 10 AM:  free one-hour webinar, “How to Save a Failing IT Project

Register here: http://www.anymeeting.com/PIID=E158D787854D

I’ll share with you a lot of the insights I’ve gained over the last 30 years in identifying and responding to problem in project management and other aspects of getting things done in implementing IT capabilities.

Join me in a two-webinar series on IT Projects, coming up on October 30 and November 13.  The first webinar covers the red flags you should watch for in major IT projects, and the second one gives more details about how to save a project that looks as if it’s headed for failure.

When you need IT advice

When you ask for advice from an IT specialist, often the response is too technical, too closely tied to a commercial product, or simply off the mark because the underlying problems are management problems.  Who can you turn to for useful and practical advice?

What kind of technology advice do you need?

As a manager or executive you may have a variety of questions about “technology.”  Here is one way to classify those questions:

1. Pure technical analysis – what’s possible, what does it cost?

You already have a clear idea of the functions or capabilities you need.  But now you need to know what technologies can be used to get those functions, and what they are likely to cost.   An IT specialist with experience in building those functions can elaborate the technologies and give you a roadmap for building what you want.

If the specialist also has enough experience, you can get a fairly accurate estimate of how much it will cost – if things go well.  But always be prepared for bumps in the road.  Many time, due to evolving technologies, unforeseen glitches due to incompatibilities, and changing requirements, the costs will go up – even as much as doubling the initial estimates.

The best countermeasure to escalating costs is to define incremental delivery of the features.  Ask for demonstrations and delivery of working systems every few months, so that you can personally verify that things are on track – and that you’re getting what you want.

 

2. Help in selecting between competing alternatives – evaluating vendors and their products/services

When the times comes to select a vendor or to choose a team for building the capabilities you want, ask for help from someone who has done it before.  In other words, make sure the advice you get is from someone experienced in the particular functions and capabilities you’re asking for.

Be sure that your advisor is not “married” to a particular vendor.  Of course, this eliminates the sales representatives of the vendors from being the advice-givers you need.  Even your own IT staff may have prejudices based on their own history and experience with particular vendors’ products.  You may want to find a consultant who knows the field and can give you accurate information without being involved in the sale of a product.

Evaluating vendors also includes business aspects.  You need to know that the vendor will survive to support the product, has the infrastructure needed to provide what you need, and is willing to commit to meeting your service standards, whatever they may be.

 

3. Guidance in managing the implementation of new IT services

Once you’ve committed to implement a new capability, you form a team to carry out the project.  At this point, you may need help in assuring success of the project.

Projects fail all too often.  Most failures are due to one of the following:

•  Inadequate planning and scoping of the project

•  Unrealistic expectations about what can be done in what time

•  Unadequate management structures for coordinating the project

•  Unforeseen complexity and rapid change in the requirements

Hiring an experienced management consultant can insure you against project failure for a small fraction of the project cost.  You’ll want to find someone who speaks in business terms, has management experience, and knows technology well.

This third area — managing implementation — is the area in which I work.  I’ll be glad to offer you a free strategy session in which we examine your project and your plans in an initial consultation, to see if I can help raise your confidence that your project will succeed.  Simply contact me by any of the methods below.

 

SUBSCRIBE FREE: https://johnlevyconsulting.com/blog

Just complete the simple form. Takes about 10 seconds. And you’ll also get a free copy of my report, “9 Mistakes That Lead to IT Project Failure.”

 

John Levy Consulting                                415 663-1818

Deliver the promise of technology to business

https://johnlevyconsulting.com

PO Box 1419                  Point Reyes Station, CA 94956

 

Eliminate your IT department?

Cloud-based services are transforming business IT in major ways.  What does this mean for the structure and mission of the enterprise’s IT department?  Is there anything left that can’t be done by the cloud and by cloud service vendors?

Yes!  There are three major areas in which every enterprise still needs a collection of people who focus on IT.  And it is best to have them gathered in a department where they are able to exchange information at high bandwidth – in other words, in an IT department.

1.    Expertise

While it can be advantageous to place IT specialists inside of business departments where they can advise their business counterparts on specifics of applications, data and cloud services, keeping up with the range of IT offerings is a job best done at a central location.

Building a center of expertise will enable IT specialists to respond to requests from business units for recommendations and advice on cloud vendors, facilities and functions of various IT packages, and general information on what solutions are now available.  In addition, the experts can create informative newsletters and workshops on what’s around the corner, the progress of corporate IT initiatives, and other current IT topics.

This type of dissemination of information cannot typically be done as well by department-captive IT specialists.

2.    Strategy

Your business has a business strategy.  Almost certainly, that strategy depends on certain IT initiatives.  Defining, aligning, and guiding those initiatives must be done by people who understand the business strategy and also understand IT deeply.  These people should be IT experts who also are involved in strategic planning for the business.

As a result, they are strategists for IT as well as for the business.  So they need to keep up with the latest trends and possibilities in IT as well as know a lot about all of the enterprise’s current IT implementations.  These people are natural members of a central IT department.

3.    Management

IT management involves several different perspectives.

First is managing the IT-business interface across all IT initiatives and across the functional components of the business.

Second is managing the IT department and its initiatives, including developing, training and promoting IT specialists.

Finally, there is management of vendors, including cloud service vendors – and increasingly crucial portion of the management workload.

All three of these aspects of IT require an IT department – or an equivalent – that concentrates IT expertise and IT-related missions into a place where communications are very frequent and easy.

Don’t eliminate IT, transform it

As cloud-based services begin to transform the way in which IT functions are accomplished, the IT department should concentrate on developing its expertise in the following areas:

Cross-connecting siloed business functions and helping to eliminate duplication in IT activities and services.

Teaching, training and informing business leaders about IT, including which cloud-based services can best help get their jobs done.

Monitoring, measuring and rewarding vendors who are supporting business functions in the enterprise.  This includes setting standards for performance, helping with contractual arrangements with vendors, and monitoring both positive performance and negative incidents surrounding IT vendors.

Creating IT strategic plans, including corroborating those plans with enterprise strategies and plans.  And finally, adapting the enterprise to the rapidly-shifting cloud services environment.

In other words, there’s plenty left to do in an IT department.  Don’t eliminate it.

John’s webinar titled will be held on September 25 at 10:00 AM Pacific time.

Designing, implementing and integrating major IT systems has numerous pitfalls that don’t appear, for example, in building construction. If you’re responsible for delivering a major IT project – or if you are paying for one – you need to be aware of what indicators are red flags for possible failure of the project.

See more information and register at 

SUBSCRIBE FREE: https://johnlevyconsulting.com/blog

Just complete the simple form. Takes about 10 seconds. And you’ll also get a free copy of my report, “9 Mistakes That Lead to IT Project Failure.”

John Levy Consulting

Deliver the promise of technology to business


https://johnlevyconsulting.com

PO Box 1419, Point Reyes Station, CA 94956    415 663-1818

Why isn’t software more secure?

What makes software insecure?

Software is often insecure because it is complex, abstract and not completely understood even by the people who create it.  A software specialist who designs a human interaction module may not know much about the database software that the module depends on, for example.

In addition, software runs in a hardware environment (the computer system) that is not completely known by the creator of the software.  For example, when a software package is designed to run in a Microsoft Windows system, the hardware may have been manufactured by any of a dozen companies, each of which has its own detailed hardware environment (including things like BIOS, memory, storage, and input/output subsystems).

And the software itself has to keep changing to keep up with user expectations.  Software that doesn’t get updated gets stale.  [See more about this in my previous blog: stable or static]:

What vulnerabilities are there in software?

Software is vulnerable to many possible conditions that it may not be prepared for.  For example, unexpected inputs can lead to errors: if the software is expecting a number and it gets a value that is outside of reasonable bounds, it may have unpredictable consequences.

In addition, computer hardware can have exception conditions occur during instruction execution, such as dividing by zero.  These exceptions must be anticipated by the software, or else the program can simply terminate without finishing its work.

For example, one of the popular ways for hackers to break into computer systems is to create a “buffer overflow condition.”  If the software does not anticipate this condition, the computer can execute code that the hacker put into a data structure in advance, causing the computer to come under the control of the hacker.

Why are they always discovering new holes & vulnerabilities in our software and systems?  Doesn’t testing take care of these problems?

Proper testing can reduce insecurities and other bugs.  Often, software development organizations simply don’t use the best tools for testing.  But testing every possible case is impossible.  Testing has to be done using human judgment to decide the testing strategy.

[For an excellent exposition on this subject, see Gerald Weinberg’s book, Perfect Software]

Often the failure to do adequate testing is the fault of management.  When a software development project is behind schedule, the temptation to short-change the testing is very high, because testing is usually tacked on to the end of the development cycle.

[For more on this, see my previous blog: good software]

How else is software insecure?

Most software does not run in a vacuum.  Often it is interacting with a human operator.  When a program and a human are interacting, there are plenty of opportunities for misunderstandings.  For example, error messages may be confusing, or the human may take the wrong action in response to a warning message.

The people who make it their business to take advantage of software vulnerabilities – call them hackers or attackers – are becoming more sophisticated.  They may be after money or industrial secrets, and they often know a lot about the system and the person who is interacting with the system.

A whole class of attack, called spear-phishing, is based on deliberately showing misleading information to the human, such as an email that appears to come from the person’s boss.  Vulnerability to these attacks occurs both in the system (email delivery without validation) and in the person (accepting what appears at face value).

What’s an enterprise to do about insecure software?

As a first step, make sure that you have engaged security specialists – people who have studied and are expert in attacks and in security countermeasures.  The specialists should include “white hat” testers – people who deliberately try to break into your own systems in order to demonstrate vulnerabilities.

You should also ask questions of your project managers about tradeoffs being made between testing and quality.   You must recognize that when you choose to emphasize schedule, you often invite lower quality and therefore higher vulnerability.

Never assume that software is of high quality – and therefore invulnerable – until you have seen it demonstrated in actual use by real users.  And even then, expect to find vulnerabilities regularly, and be ready to fix them.

 

TO SUBSCRIBE FREE: https://johnlevyconsulting.com/blog

Just complete the simple form. Takes about 10 seconds. And you’ll also get a free copy of my report, “9 Mistakes That Lead to IT Project Failure.”

John Levy — Turn Around IT
      Helping business get full value from IT

https://johnlevyconsulting.com

PO Box 1419, Point Reyes Station, CA 94956    415 663-1818

Why don’t IT people understand our business?

Executives seem to agree that IT people – technicians and their leaders – do not understand the business very well.  This causes all sorts of trouble when making financial decisions on major IT projects.  Why don’t IT people “get” the business?

1.    They’re too busy studying technology.

We all know that information technology is complex.  It’s not surprising to learn that IT people have to put in a lot of time just keeping up with the changing technologies.

But CFOs and Controllers also have to spend a lot of time keeping up with regulatory and financial standards.  That doesn’t excuse them from acquiring a good working knowledge of the industry and the specifics of the enterprise’s products and markets.  So we shouldn’t let the IT folks off the hook just because they’re “too busy.”

2.    They’re not trained in business

IT people typically come from engineering and technology training backgrounds.  These give them good grounding in quantitative methods, but don’t give them a feel for business tradeoffs.  Case studies in business are not part of a technologist’s training.  And those who have ventured into business for themselves usually have to hire someone else to manage the business aspects of their enterprise.

Maybe there’s something you can do about this.

3.    No one on the business side has invited IT to learn about the business

OK, so the IT people aren’t business-savvy when they come to work here.  Why don’t we invite them to learn about the business?  After all, we expect HR and other departments to have a basic grasp of what we do and for whom.  Why not IT?

Do you have a short self-study course on the nature of the enterprise’s business?  Or at least a summary from the 10K that is provided to every new employee?  This would be a start.  Even better would be a concerted effort to explain not only the basics of the business to IT people, but to outline the key performance indicators and other metrics that drive the business.

4.    No one rewards IT people for being business-savvy

Reward systems in IT typically are based on operational metrics rather than business-specific measures.  If you reward IT people only for achieving 99.9% uptime, then you should not expect them to focus on anything else.

Everyone in the enterprise needs to have a basic grasp of why we’re in business and what we provide, and to whom.  But IT people implement many of the systems that make business processes run, so they should have in-depth understanding of what’s important in the business and the meaning of the executives’ measures.

Bringing IT people out from behind the wall of technology and exposing them to business concepts and measures can only benefit everyone in the company.  And it will make your future conversations with IT a lot easier.

How well do IT people understand business in your enterprise?  Add your comments below.