About Me

Scott Arnett is an Information Technology & Security Professional Executive with over 30 years' experience in IT. Scott has worked in various industries such as health care, insurance, manufacturing, broadcast, printing, and consulting and in enterprises ranging in size from $50M to $20B in revenue. Scott’s experience encompasses the following areas of specialization: Leadership, Strategy, Architecture, Business Partnership & Acumen, Process Management, Infrastructure and Security. With his broad understanding of technology and his ability to communicate successfully with both Executives and Technical Specialists, Scott has been consistently recognized as someone who not only can "Connect the Dots", but who can also create a workable solution. Scott is equally comfortable playing technical, project management/leadership and organizational leadership roles through experience gained throughout his career. Scott has previously acted in the role of CIO, CTO, and VP of IT, successfully built 9 data centers across the country, and is an expert in ITIL, PCI Compliance, SOX, HIPAA, FERPA, FRCP and COBIT.

Friday, July 30, 2010

Gartner - Friend or Foe?

Many IT Executives really base all decisions on what Gartner says.  Good plan?  Today, the smart money is on innovation, powered by IT. What can you do that you didn’t do before? What can you offer that your competition can’t? The answers lie in emerging technology concepts that will forever change how you collaborate with colleagues, interact with customers and use information to make faster, better business decisions. So is Gartner a friend in this?

As the flow of unstructured information grows in volume and intensity, even those organizations with a BI stake in the ground are struggling to understand the impact of shifting data patterns, and deliver on an increased demand for transparency and improved data quality. Still others are trying to bring order to their data chaos to eliminate the “white spaces” that prohibit a common view of the enterprise and negatively impact cohesive, collaborative decision making.  Can Gartner help you with this?

The technology successes of the past 20 years, while remarkable, are sometimes less surprising to IT experts than the failures are. Why does one IT concept get derailed in its infancy while another achieves widespread adoption? Can we expect technology advances to emerge more quickly in the future than they have in the past?  How do you know what technology will make it and what will not?  Does anyone know?

Gartner does not have a lab; they do not test any of the technology or put it through any kind of lab research.  They interview both vendors and customers and do analysis.  So is what Gartner has to say gospel?  Probably not.  The information they have to share is of value, and as an IT Executive you should read and evaluate it. 

I propose to you that Gartner is a tool in the management toolbox for the IT Executive.  I would reference their opinion, but I would also develop relationships with your vendors, colleagues and industry leaders.  A balanced opinion on a topic is best, and your decision should be based on a well-balanced view.  In addition, take your business needs, business capabilities and direction into account when deciding your technology direction.  This is no time for the faint-hearted. Having the confidence to act decisively is key to your company’s success, and crucial to your career.  Thousands of CIOs and senior IT executives return regularly to Gartner to identify trends, plan initiatives and evaluate both short- and long-term strategies.  Keep in mind that hype is hype.  Don't always follow the pack just for the sake of being a follower.  See what others are doing and ask whether it plays a key role in your organization - does it bring value, a good TCO, and the enabling capabilities you need? 

Therefore, I would say Gartner is a friend, but not the authority on what you should do.  As an IT Executive, your business is asking you to be the technology authority for your company.  Take that responsibility seriously.

Stay Positive!

Scott Arnett
scott.arnett@charter.net

Monday, July 26, 2010

PC Virus Phone Scams

Have you gotten a phone call claiming you have malware on your computer and for a small fee they will remote into your computer to help clean it up?  Sounds like a good deal - right?  Wrong -

The stories out there about people being scammed by cold calls from Indian call centres have been remarkable. (A quick reminder: people get cold-called and told there's a "problem with your computer" and talked into handing over remote access, and then $85 or so for "remote support". It's not worth taking up the offer, and the police took action against a number of sites used for this scam in April.)

Here is an interesting story from a victim...  "These aren't always "cold" calls. My mother called her telephone/internet provider about an intermittent problem with her phone line - it was an Indian call centre. 15 minutes later she received one of these calls - obviously her information had been passed on by an insider - claiming to be a follow-up as they had spotted a problem with her broadband. She was thoroughly bamboozled by the caller (she's in her mid-70s), but had enough presence of mind to put the phone down when he started demanding money. Fortunately, this was before the dodgy software had been downloaded.

"Of course, her phone provider denied that this was possible..."

If you have good antivirus and internet security software loaded on your computer and keep it updated, you have little to worry about.  Hang up on these calls.  If you have a concern or issue, I would recommend Microsoft's free scan tool; others offer one as well.  Call a local, storefront business for assistance.  Keep in mind, your data is on that computer.  If you leave that computer behind, ensure you have an agreement in writing around confidential information and privacy.  Set the expectations up front - it is your computer, your data, and your responsibility. 
 
I find working with these call centers very difficult.  Difficult to hear, difficult to understand, and personally, I don't want my account information, financial information and details about me being accessed by these offshore centers.  India does not have the same laws or social expectations as we have here.  In addition, there are questionable motives in many of these activities. 
 
Personally, if I call a company and the call center is offshore, I hang up.  If unsure, ask - you have a right to.  I propose to you that until we get global laws dealing with privacy, data security and network security - this will be an ongoing threat to our well being.  Not everything is as cheap as it appears on a spreadsheet.
 
I like to deal with the small town business man, where a handshake still means something.
 
Scott Arnett
scott.arnett@charter.net

Friday, July 23, 2010

Laptop Encryption - Necessary? Really?

Have a laptop?  Travel with it?  Ever worry about it being lost or stolen?  Do you take extra efforts to ensure the security of your laptop - like place it in the trunk, never leave in your hotel room?  Who is responsible for the laptop if it is lost or stolen?  Was it your responsibility?  Do you know the laws around this topic?

The law mandates encryption of data on laptops, smart phones, USB sticks and like platforms.  Do you know what law?  Try the new privacy laws.  Some of the new privacy law requirements are unsurprising. Perhaps the bases are already covered: a Written Information Security Plan (WISP), encryption from laptops to servers, policy controls on third party access, yada yada. You realize you’re not there yet, but already steps have been taken in the right direction.  Right? 

Fines? $5,000 per breach or lost record. Lose records for a thousand Massachusetts residents and the company could be out $5M. Okay, that’s serious.  Taking it seriously?  Not many companies are yet.  Every laptop should be encrypted before it leaves the setup lab.  The law requires a combination of “technical, administrative and physical safeguards.” Workstations and servers may be password protected, but what if the box is simply carried off and the disk contents examined? You may have a state-of-the-art firewall, but do your perimeter protections guard against walk-offs?

I propose to you that tools such as PointSec and SafeBoot are essential to every laptop build.  Yes, MS Windows now ships with these features, so turn them on.  No laptop should ever leave the building without safeguards.  Laptops are lost or stolen at airport security check points, hotel rooms, cars, and the list goes on.  The laptop was assigned to you, so you are responsible. 
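The "turn them on" step above, as an added example that is not the author's code: a PowerShell check that a freshly built laptop actually meets the encryption requirement before it leaves the setup lab, using Windows' built-in BitLocker. It assumes Windows 8 / Server 2012 or later for the BitLocker PowerShell module (the Windows 7 builds of the post's era expose the same information through `manage-bde -status`); the function name Test-LaptopEncryption and the policy it enforces (fully encrypted, protection switched on, a TPM protector on the OS volume, a recovery password on every volume) are my assumptions, not requirements stated on the page.

```powershell
# Added example (not the author's code): pre-release BitLocker compliance check for a
# laptop build.  Assumes Windows 8 / Server 2012 or later (BitLocker PowerShell module);
# on Windows 7 the equivalent data comes from `manage-bde -status`.  Run elevated.
#Requires -RunAsAdministrator
Import-Module BitLocker

function Test-LaptopEncryption {
    [CmdletBinding()]
    param()

    $findings = @()

    foreach ($vol in Get-BitLockerVolume) {
        $mp    = $vol.MountPoint
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # The disk must be fully encrypted, not merely "encryption started".
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "$mp : volume status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)"
        }
        # Protection must be on; a suspended volume leaves the clear key on disk.
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "$mp : protection is $($vol.ProtectionStatus) (suspended or off)"
        }
        # Policy assumption: the OS volume unlocks with the TPM, binding the key to this hardware.
        if ($vol.VolumeType -eq 'OperatingSystem' -and
            $types -notcontains 'Tpm' -and $types -notcontains 'TpmPin') {
            $findings += "$mp : no TPM-based key protector on the OS volume"
        }
        # Policy assumption: every volume carries a recovery password the help desk can escrow.
        if ($types -notcontains 'RecoveryPassword') {
            $findings += "$mp : no recovery password protector (nothing to escrow)"
        }
    }

    if ($findings.Count -eq 0) {
        Write-Output "PASS: all BitLocker volumes are encrypted and protected"
        return $true
    }
    $findings | ForEach-Object { Write-Warning $_ }
    return $false
}

# Usage: fail the build (non-zero exit) if any check did not pass.
if (-not (Test-LaptopEncryption)) { exit 1 }
```

Run it as the last step of the imaging process, or push it through your management tooling and collect the exit code, so a machine that shows "encryption in progress" or a suspended protector never leaves the lab as "encrypted".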

Laptop encryption should be part of your security framework; it is necessary, and now required by new privacy laws.  I would also propose that each user be careful about what data they store on the laptop, back up that laptop and maintain the data. 

It really is necessary.

Scott Arnett
scott.arnett@charter.net

Thursday, July 22, 2010

The Good Old Phone Service

One thing you can usually count on with a high degree of confidence is picking up the telephone at home and getting a dial tone - right?  In the past 40 plus years I can only think of about 5 times our phone service was down.  Is the new VoIP that reliable?  Do we have the same expectations?  I know I do...

VoIP phone services keep growing. The cable companies, for example Charter, are competing very effectively against the traditional legacy carriers for voice services. Pay phones keep disappearing. Mobile voice call volume keeps growing.  How reliable is your cable TV or cable modem?  I know mine is not reliable - has been down 9 times in the past 10 months - and not weather related.  So why would I move my phone service to this unreliable provider?

We will eventually see the PSTN retire and POTS disappear. Wireless and broadband connections proliferate while the old copper pair connections offered by the Telcos are turned off, as many as 700,000 lines per month. The trend is all downhill for the PSTN and its legacy operation. This however does not mean the PSTN will close soon or without any challenges.  Not everyone is going to live with this poor performance - or will they?  Nevertheless, when all else fails, POTS is what we turn to as a back-up.

Is there a National Security concern here?  Federal, state and local governments depend on the PSTN. The Department of Defense (DoD) and the Department of Homeland Security (DHS) will be very interested in any degradation, loss of coverage or closure of PSTN services. Since the PSTN has been and continues to be part of the plans of these agencies, I expect they will have to evaluate the ramifications posed by the PSTN closure. I also expect that there will be a long, drawn-out process of evaluation before any decisions are made.  Are wireless or broadband services as secure as the good old phone service?

The replacement of the PSTN with broadband access will affect many of the DoD and DHS systems as well as the government communications contracts that are in place. These contracts assume there is a PSTN. Can the government agencies cancel the contracts in favor of the broadband solution? At what cost? How will the migration occur? What about the networks used by these agencies that are beyond the US border? Will there have to be two distinctly different networks, broadband in the US and international PSTN for the rest of the world? These are complicated issues that will make the closure of the PSTN for these agencies a primary problem that most do not want to face soon.
 
I propose to you that we will continue to see a decrease in new demand for wired phone services.  As fewer customers are now required to cover the fixed costs to maintain the wired network, that is less profit for the carrier.  If they raise the rates to make up for fewer customers, they will push more customers away.  I know I don't want more bills or higher bills.  The other side of the coin: where are the customers pushing these broadband providers to provide a reliable service?  I can live without cable TV, and I can live without internet or email - but it is a safety concern to have no working phone service in the home.  VoIP services need to have the same reliable, redundant and simple services that we have come to expect from the good old phone system.  I don't see that today, and I refuse to push my phone service over to a broadband provider and have ongoing outages monthly - most of them in the middle of the day.  Nothing like doing router upgrades, network changes or maintenance in the middle of the day.  These providers need to understand these services have to be available 24/7/365.  Until they can provide that, they won't win over all the customers from the good old phone service. 

I can still take your call on my good old phone service!

Keep engaged and positive!

Scott Arnett
scott.arnett@charter.net

Wednesday, July 21, 2010

HIPAA Proposed Modifications

As reported last week, on Thursday the Department of Health and Human Services ("HHS") issued its long-anticipated notice of proposed modifications to the HIPAA privacy, security and enforcement rules.  Why the changes?  The goal is to strengthen the privacy and security protection of health information, and to improve the workability and effectiveness of these HIPAA Rules. 

The proposed statement states:  "We propose to add language in . . . the definition of “business associate” to provide that subcontractors of a covered entity – i.e., those persons that perform functions for or provide services to a business associate, other than in the capacity as a member of the business associate’s workforce, are also business associates to the extent that they require access to protected health information. We also propose to include a definition of “subcontractor” . . . to make clear that a subcontractor is a person who acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate. Even though we use the term “subcontractor,” which implies there is a contract in place between the parties, we note that the definition would apply to an agent or other person who acts on behalf of the business associate, even if the business associate has failed to enter into a business associate contract with the person."  Sounds like our cloud computing efforts?

In today's business world, with ever-expanding multi-level arrangements for outsourcing, offshoring, and cloud computing, such a change in the HIPAA regulatory structure would have a tremendous impact. This appears to be exactly what HHS has in mind. As noted by the NPRM, "we propose that downstream entities that work at the direction of or on behalf of a business associate and handle protected health information would also be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and likewise would incur liability for acts of noncompliance."  Keep in mind, you can't outsource your responsibility!

It is quite possible that many such vendors have no idea that they serve in such a capacity, or fail to do due diligence to determine if they are an agent of a business associate. Going forward, if the proposed modifications become final in their current form, vendors MUST determine whether they are playing such a role and set up contracts/handle compliance obligations accordingly. It will be the business associate's responsibility to set up a contract (and a business associate will be liable for a civil money penalty for a violation based on the act or omission of any agent of the business associate, including a workforce member or subcontractor, acting within the scope of the agency). However, lack of such a contract (i.e., the business associate's failure to comply with its own responsibility in this regard) would not let the agent off the hook.  Ensure your contracts cover all your obligations under the HIPAA act.

The NPRM provides the following example: "under this proposal, if a business associate, such as a third party administrator, hires a company to handle document and media shredding to securely dispose of paper and electronic protected health information, then the shredding company would be directly required to comply with the applicable requirements of the HIPAA Security Rule (e.g., with respect to proper disposal of electronic media) and the Privacy Rule (e.g., with respect to limiting its uses and disclosures of the protected health information in accordance with its contract with the business associate)."

• OK, but if the covered entity fails to set up a contract with me as a business associate in the first place, I am not a business associate, right?

Wrong. Even if there is no contract, under the proposed modifications, you are a business associate if you meet the definition of business associate:  "a person is a business associate if it meets the definition of “business associate,” even if a covered entity, or business associate with respect to a subcontractor, fails to enter into the required contract with the business associate."

As discussed above, the proposed modifications would add references to business associates in the Security Rule to make clear that, consistent with the requirements of the HITECH Act, business associates are now directly responsible for complying with the Security Rule.  It is your responsibility that you have clearly defined the business partner/associate/vendor role.  It is their responsibility to ensure they understand their role and the contract clearly states roles, compliance and how this will be under audit.  It is your responsibility to audit your providers under contract for compliance, awareness and security. 

I propose to you that these changes are necessary and good steps to ensure security around health data.  Too many organizations are quick to move portions of their IT organization to business partners in hopes of getting out of HIPAA requirements.  Like I said before, you can't outsource your responsibility.  The responsibility remains with you, and any willful neglect is on your shoulders.  Security has to be taken seriously - throughout the organization.  This includes social engineering training for your reception staff! 

One more thing, research your cloud computing vendors, do a complete audit of their process, facility, security and review their 3rd party audits.  Make sure you understand their complete security posture and what safeguards they can provide around your data.  There are SaaS and cloud providers going into business that shouldn't be in business - they clearly don't understand security.  Be cautious.

Keep positive and engaged!

Scott Arnett
scott.arnett@charter.net

Tuesday, July 20, 2010

Help Desk Challenges

Every successful IT organization has a help desk or service desk component to it.  Service desk staff are the front door to the IT organization - they take all the phone calls, emails, IM's and have to assure the user community their issues will be addressed. 

Help desk analysts are a unique breed. Not only must IT support professionals thoroughly understand enterprise computing systems, they must also convey their technical expertise clearly and succinctly to end users. Above all, help desk professionals must possess top-notch customer-service skills and stay cool under fire.  In addition, the group needs a good manager to keep a pulse on the team.

To help you hire the best people for these critical spots, use your team to help interview. In addition, you need a ready-to-use job description that lists all the skills the perfect candidate will have, as well as the duties that person is expected to be able to do. You should also have a series of interview questions geared to help you zero in on the right candidates.  People skills are key in this position.  You can teach a candidate all the technical skills they need to be successful, but people skills are tough to teach - they should come naturally.

Of course, quickly and efficiently resolving users' technology problems is a challenging and often thankless job. While you're expected to manage a wide range of issues, from deploying new solutions to calming irate users, few resources exist to help you overcome not only technical hurdles, but interpersonal issues as well. The manager needs to be able to move staff around to tasks and not just keep them on the phone 8 hours a day, 5 days a week.  You can burn staff out, so keep a pulse on the team and have options for them to have a break from the phones.  That is why I like to put help desk, procurement, and desktop groups under 1 Director level position.  Cross training, knowledge share and many of the ITIL functions fit this model well.

I would also make sure you have the necessary tools in place to help this team be successful.  Incident Management, Asset Management, and the applications needed to manage these are essential.  Take a look at Service Now: it is a SaaS solution that meets many ITIL functions and does not require infrastructure support for the tool itself.   Nice solution, worth taking a look at. 

I propose the biggest challenge to the enterprise help desk is staffing, morale, and job satisfaction.  We manage our call centers for the business appropriately, but we don't always look at our help desk as a call center, and it becomes a negative environment quickly.  Manage the staff workloads, morale, tool sets, workflow, and provide a success track.  A manager's goal should be to see their staff be successful and move on to other teams within IT, like tier 3 support, server support, staff training, etc.  Give them a promotional track.

I would also ensure the IT management team spends time with the help desk team and get their feedback, they hear from the user community hourly, so a great resource to collect feedback.   Engage the team, thank the team, and give them some recognition.

Keep it positive!

Scott Arnett
scott.arnett@charter.net

Monday, July 19, 2010

Shouldn't compliance be an enterprise-wide initiative?

Governance, risk, and compliance (GRC) issues are hot topics today, thanks to a myriad of high-profile stories about companies that failed to meet regulatory requirements governing finance, environmental compliance, and other areas.

Addressing individual regulations can prove to be a costly and complicated process. Organizations quickly start to wonder whether they can afford compliance and regulations, and where all the FTE staff are going to come from. 
 
SAS 70 type audits are now being replaced by SSAE 16, the new standard for what was SAS 70 compliance.  How do you keep it all straight?  Should we have a compliance department just dealing with all of this?  In most cases, yes.  In addition, the compliance department should not report up through the CIO; it should belong to the risk or legal group. 

Many companies have responded to regulatory mandates by implementing disconnected, tactical processes and point solutions that address a single regulation or corporate initiative.  But these fragmented efforts can make compliance far more costly and complicated than it needs to be.  You would need to purchase and deploy multiple GRC applications for each enterprise application and then define risks, set policies, and monitor compliance for each application.  At the same time, you need to find a way to manage countless GRC policies, decisions and GRC data - data that is likely based on different metrics, standards, software, and methodologies.  The resulting complexity can make it impossible to aggregate this data to gain a complete view of enterprise risk.

A true cross-enterprise GRC solution dramatically simplifies management and execution of these activities - making it easy to compile data for a comprehensive perspective on overall exposure, monitor compliance and risk effectively, and adjust business processes to meet changing business and regulatory mandates.

I propose to you that whatever GRC solution you are looking at, make sure you do a five year cost evaluation.  Year 1 looks very good, but make sure you clearly understand the cost matrix for years 2-5.  Many of these vendors love to raise license cost(s) or maintenance cost(s) after year 1. 

In summary, it only makes sense to have an enterprise-wide initiative and approach to compliance.  An accurate and complete application inventory, data management (classification, retention, storage), and a security framework will help drive the success of this initiative.  Don't be afraid to audit yourself internally to measure how you are doing, and how you can improve. 

Keep engaged and positive!

Scott Arnett
scott.arnett@charter.net

Friday, July 16, 2010

Confrontation in the workplace - does it make you uncomfortable?

Ever have those days where you just dread going to work?  Think about calling in sick?  Have an employee issue you have to address?  Really stressed over it aren't you - but why?  Why is confrontation uncomfortable?

Confrontation in the workplace is impossible to avoid, but there are some ways of handling it that are better than others. Whether you are the one faced with having to confront someone, or whether you are being confronted, here are a few tips on how to get through it.

If you are the manager of a business it is most likely you will deal with confrontation often; that is simply the nature of managing. Because confrontation can have a seemingly negative connotation, you may wish to avoid this. But rather than avoid confrontation you must simply learn to rethink your perception of confrontation.  Consider even the environment in which the confrontation will take place, and never confront someone in front of others.

Learn to recognize that confrontation can actually be a positive. The reason you confront your employees on their job performance, is simply to make better employees, not to unnecessarily rat on a friend. If you were appointed manager it is because someone believed in your ability to manage. To manage means keeping your employees doing their best and continually helping them seek to do better. In this way confrontation can clearly be seen as a positive. Keep it positive!

Your employees, at first, may not feel the same about confrontation. But whether they're flipping hamburgers or saving lives, as the manager you want to help them continually do their job better, so you must help to change their perspective. To do this when you first sit down with them state clearly the positives you see in them, and the things that you respect in the way they handle their job performance. Let your employees know that you are confronting them only to help the company as a whole function better.  The topic may be better received over a lunch out of the office.

Be open to their feedback and perspective; remember that even though you're the manager, you can still learn from the little guys. After confronting them on whatever the issue is, be willing to listen to their perspective of the same issue. Sometimes they may not have a perspective and you will simply be telling them something new, but sometimes they may have a reason for doing things the way they are doing them so you need to listen so that together you can agree on a better plan. Don't be afraid to admit you don't have all the answers, and you are willing to listen and accept their input.

Be prepared for the employees who won't accept your advice. Being as nice as you can be, laying things out clearly, and recognizing the positive in your employee may still not be enough for some employees. Some of your employees may not feel they need the criticism and if so then confrontation may need to take a more negative face. You are the manager and regardless of how nice you are as a person, your job requires you be firm in managing your employees. If you have an employee who is unwilling to be managed, then you have to simply give them the do or walk out option. Do follow your criticism, or do walk out of this company. You might want to be everyone's friend but be prepared to be the manager first if the situation arises.  If you are open, honest and to the point, they may not be happy, but they should respect you.  Follow up on your meeting, and keep it positive.

Lastly, follow up with your employees. After you have confronted them on any topic, a part of managing is making sure your employees follow through. You may feel like you are micromanaging, but that is necessary after having given instructions to anyone. Meet with your employees weekly if you have to until they learn to take your advice and immediately learn to apply it. It can also be a simple hallway chat and manager check in.  Keep tabs on the employee and their response and behavior changes.

After having confronted one or more of your employees, also make sure to recognize when they follow your instructions. Recognition of the good and the bad will help your employees to respect you a lot more than they will be able to if all they ever hear is the bad.  Reward with thanks, and for the big things a dinner certificate can go a long way. 

I propose to you that it is human nature to want to be liked, appreciated and part of the team.  As a manager you can at times feel isolated.  Keep in mind what makes you feel appreciated or part of the team and leverage that with your staff.  Shake hands, stay positive and informed, engaged and in tune with your team.

Scott Arnett
scott.arnett@charter.net

Wednesday, July 14, 2010

UTM - a great option

Unified Threat Management (UTM) is a great option for SMB infrastructure.  I would also say it is a great option for enterprise customers as well.  Many of you know that I am a great customer of Fortinet, as I think their products are a great asset to any organization. 

Let's get down to what UTM is.  In theory, it is the evolution of the traditional firewall into an all-inclusive security product that has the ability to perform multiple security functions in one single appliance: firewall, network intrusion prevention (IPS), gateway antivirus (AV), anti-spam, VPN, content filtering, load balancing and management reporting.  This seems to be the concern of many IT professionals - too many things in a single appliance.  But is it really?  You get line-speed processing, centralized management, and centralized controls.  The advantage of unified security lies in the fact that rather than administering multiple systems that individually handle anti-virus, content filtering, intrusion prevention and spam filtering functions, organizations now have the flexibility to deploy a single UTM appliance that takes over all of that functionality in a single rack-mountable network appliance.  From my lab experience, you can push a great deal of traffic through this appliance without performance impact.

The main advantages of UTM solutions are simplicity, streamlined installation and use, and the ability to update all the security functions or programs concurrently. So, not only are they a cost-effective purchase, but day-to-day network running costs are also considerably lowered. Such a great degree of functionality provided by a UTM appliance is held as the justification for the replacement of older, more basic Firewalls in favor of a Unified Threat Management firewall appliance that does it all.

The ultimate goal of a UTM is to provide a comprehensive set of security features in a single product and managed through a single console. Integrated security solutions evolved as a logical way to tackle the increasingly complex blended internet threats impacting organizations.  As support staff get smaller, making security management easier and more efficient should be a goal. 

I propose to you some key values to UTM.  Key advantages:

1. Reduced complexity: Single security solution. Single Vendor. Single AMC

2. Simplicity: Avoidance of multiple software installation and maintenance

3. Easy Management: Plug & Play Architecture, Web-based GUI for easy management

4. Performance: Zero-hour protection without degrading the network performance

5. Troubleshooting: Single point of contact – 24 × 7 vendor support

6. Reduced technical training requirements, one product to learn.

7. Regulatory compliance
 
Many IT shops still feel it is better to have single-purpose devices in the core - your large enterprise shops.  That is ok; use UTM technology on the perimeter, in sales offices and for remote employees - there is a use for this technology at all companies.  I propose that for enterprises with remote networks or distantly located offices, UTMs are the only means to provide centralized security with complete control over their globally distributed networks.  Enterprises thus get zero-hour protection at branch offices against security attacks despite the lack of technical resources at those locations.
 
There are many UTM products on the market these days, so take a look at each one and do your homework.  Don't buy into the argument that a single appliance can't handle the traffic or is a single point of failure.  You can have HA options with UTM, and they can process a great deal of traffic before becoming a bottleneck.  There is great value in UTM technology.
 
Stay positive and engaged!

Scott Arnett
scott.arnett@charter.net

Tuesday, July 13, 2010

SIP in the Enterprise

SIP - how many positive and negative things do you read these days on this topic?  A great deal - right?

Multi-location businesses know the process of connecting multiple offices to facilitate effective site-to-site communications can be complicated, expensive and time-consuming. Enterprise SIP is a new solution designed for multi-location businesses that enables you to serve your distributed offices with voice and data services through one or a handful of centralized PBXs – eliminating the need for PRIs or business lines at each location.  Can your MPLS network help drive enterprise wide communications and efficiency?

Do you feel we have reached another tipping point in the telecommunications industry? Do you agree that SIP trunking is the fastest growing service in our space right now and we all have an opportunity to capitalize on this trend, but we must be smart about our approach?  Do you have SIP enabled devices on premise already?

SIP Trunking’s growth presents a new revenue opportunity, but only if the trunk offers services above and beyond PSTN-quality voice. If a service provider simply provides VoIP connectivity, they will see their revenues erode. SIP Trunking offers service providers a tremendous opportunity to deliver valuable services to enterprises by providing new communication services in demand by the enterprise market. Enterprises are becoming more educated on SIP Trunking. Practically every large enterprise has read a case study that demonstrates how an enterprise can reduce their trunks by 30% - 40%, which is obviously a negative revenue proposition for the service provider. So service providers must develop a comprehensive managed service offering to enhance and complement their SIP Trunking service. So you need an internal driver on this project, rather than leaving it up to a service provider.

There are several market trends, which are driving adoption of SIP Trunking by enterprises. Over the next 5-years:

• Enterprise workforces will become increasingly mobile

• Video calling will be widely adopted

• High-definition voice will be the new standard for voice communications

• PBXs will migrate to unified communications

• Enterprises are demanding comprehensive business continuity capabilities

We could easily talk about how SIP Trunking is enabling new revenue opportunities for service providers in each of these trends, but in this post we will focus specifically on the prospects with Unified Communications.

ABI Research recently issued a report “Vertical Market Opportunities in Unified Communications,” which predicts that the unified communications solutions market will reach nearly $4.2 billion in 2014 – a sharp increase from 2008 when the market reached around $302 million.  Should you make an investment in the same old technology of a PBX or is now the time to move to Unified Communications?

We all know that Unified Communications (UC) is the integration of varied communication options - voice, video, email, instant messaging, conferencing and presence - on a single IP platform. The primary benefit of UC is the ability to speed the rate of communications, keeping everyone more closely connected and improving collaboration among employees.

Another capability of UC is the greater control it provides a user over their communications options. With a single Web-based account, individual users can decide when, where and how they can be reached -- and users can define these parameters without the need for IT support. In addition, it gives greater flexibility to move between facilities, or to a home office.

SIP Trunking enables the delivery of Unified Communication capabilities now, from the “cloud,” offering service providers an immediate new revenue opportunity instead of shifting that revenue opportunity to the PBX manufacturers. With a “cloud model”, enterprises no longer need to purchase additional equipment to have a full-featured UC solution. But is security a concern in this option?

I propose to you that as your aging communication systems need replacement, now is the time to look at next generation telecommunications.  Integrate that MPLS network to deliver voice, video, data, and leverage your teams to enable SIP in the enterprise. 
Take a holistic approach to looking at your Unified delivery of Communications.
 
Stay positive and engaged!

Scott Arnett
scott.arnett@charter.net

Monday, July 12, 2010

Mailbag

I have gotten several emails, and what I thought I would do is collect them for a few weeks and then do a mailbag posting to answer some of the questions received.  Many good questions received - so keep sending them. 

Q.  What do you think of the Wisconsin smoke free law?
A.  I am trying to keep this blog technical in nature, how it pertains to information technology.  But I do appreciate the question.  I believe as Americans we all have the liberty to make choices.  Business owners should be able to make choices, and as a customer/consumer - we can make choices.  If I want a smoke free environment to eat my dinner, then I will make a choice as to what establishment I will spend my money at.  Today it is smoking, tomorrow it will be soda, food - where does it stop?  Is this really the government's place to dictate?  I think it crosses a sacred line and opens the door for future controls that take away our liberty. 

Q. What is your opinion on the Arizona Immigration Law?
A.  I am trying to keep this blog technical in nature, how it pertains to information technology. But I do appreciate the question.  I will continue to do business in Arizona and I believe we need tighter controls at our borders.  I don't support any boycotts.

Q. What is your opinion on IT offshoring - in particular North Korea?
A.  Do we not have the talent in America to provide this service or knowledge?  That is right, it is cheaper - right?  Do we, as consumers really want our data offshore?  Do these countries have the same privacy, protection and copyright laws?  Is our sensitive data really secure offshore? 

IDG News Service — Think of North Korea, and repression, starvation and military provocation are probably the first things that come to mind. But beyond the geopolitical posturing, North Korea has also been quietly building up its IT industry.

Universities have been graduating computer engineers and scientists for several years, and companies have recently sprung up to pair the local talent with foreign needs, making the country perhaps the world's most unusual place for IT outsourcing.

With a few exceptions, such as in India, outsourcing companies in developing nations tend to be small, with fewer than 100 employees, said Paul Tija, a Rotterdam-based consultant on offshoring and outsourcing. But North Korea already has several outsourcers with more than 1,000 employees.

"The government is putting an emphasis on building the IT industry," he said. "The availability of staff is quite large."

At present, the country's outsourcers appear to be targeting several niche areas, including computer animation, data input and software design for mobile phones. U.S. government restrictions prevent American companies from working with North Korean companies, but most other nations don't have such restrictions.

So given this country's unstable government, communist environment, cyber threats and bad behavior - why would we want to have our IT development, or offshore staff in this country?  We have to stop managing by spreadsheet and take a good look at what we are doing with our data, skills, and employees.  Ask yourself, is this decision good for the company?  Employee? Customer?  If you can't say yes to all 3 - stop and take a look at it again. 
 
Keep positive and engaged!
 
Scott Arnett
scott.arnett@charter.net

Wednesday, July 7, 2010

Hey - what about end user training!

Don't you think the lack of end user training makes IT look bad at the company?  It amazes me how some companies don’t see the value of proper end-user training. They’re willing to pay thousands of dollars for a new product that is supposed to improve productivity but aren’t willing to do the one thing that will help with that product’s adoption in the enterprise. A good end-user training strategy will make new software deployments more cost-effective.  You get the full value of the new product by using it to the fullest - right?

And I understand how frustrating it is for IT when their work is not used simply because end users don’t know how to use it.  In addition, the help desk is now flooded with help or panic calls. 

If your CIO agrees with you about the need for a formal training program, he should create a business case for it. Be sure to include as many numbers as you can to make your case, stressing the bottom-line benefits. Without them, the concept of training can seem kind of soft to those who don’t get it, and a significant expense.  The end user training should be included in the project plan, and in order for an end user to get their login credentials, they need to complete their training. I would also recommend you record the training session(s) - both audio and video - for future use.  You will have new hires coming in the future and they should receive the same training.  It is never a good idea to have co-workers as the only form of new hire training - they will learn bad habits, shortcuts and maybe even the wrong way. 

I find the trend, more so when budgets are tight, that training is one of the first things to go away.  You will hear comments like - read a book, they are smart folks they can figure it out, IT can teach them - and other offensive comments.  What you really get with that approach is just getting by, rework, frustration or even lack of adoption of the new product in the enterprise.  When budgets are tight, you need to increase productivity, efficiency and morale - getting those 3 components requires appropriate training. 

I propose to you that all new applications, software or hardware come with training.  Believe it or not, even IT professionals need training.  Having your staff with the right knowledge and tools to do the job is a key to success and a good ROI.  If you can't afford the training - can you really afford the new product or application?  Don't take shortcuts that will have a long term impact. 

Stay engaged and stay positive!

Scott Arnett
scott.arnett@charter.net

Tuesday, July 6, 2010

Bring your PC to work - a good idea?

Great discussions these days around allowing employees to bring their personal devices to work and use them on the enterprise network.  It brings with it some great questions, like data ownership, repair or replace expectations, virus control, and so forth.  So is this really a good idea?  What benefits the organization from allowing this?

If you recall, there was a time, not so long ago, when a major challenge for IT departments was making sure that users didn't take corporate software home in violation of license agreements. That gave way to the challenge of making sure that employees didn't bring software from home into work and install it on their desktop PCs. Better yet, install it on multiple machines.

Today, users' technical sophistication is such that they often have better technology at home than they have in the office. That situation has led some businesses to allow users to bring their personal laptops to work. Some have gone beyond that concept by letting users buy their own PCs for work, with some corporate subsidy. This also means you have many models, versions, and yes, the Mac shows up.  Right?

One advantage of what is often referred to as BYOPC, or bring your own PC, is that it frees IT from carrying the capital expense of a lot of resources. It also neutralizes the problem of trying to make one size fit all in a way that's appealing to users. Users appreciate being given a choice, and there's plenty of choice in the marketplace to assure that every user can find the machine that best fits his needs.  But are consumer-based devices ok for the corporate enterprise?  What are the user expectations around device support now?

Naturally, a lot of IT departments are going to think BYOPC sounds like an expensive proposition that leads to a proliferation of varied devices to support. But any corporate purchase program should include guidelines, as well as recommended vendors and systems, that aim to avoid unruly proliferation while still giving users an ample number of choices. As long as IT manages the standard software loads and enforces security policy, the cost of allowing far more diversity in machines, and even platforms, becomes relatively minor over time. And by setting a cap on expenditures and reimbursements, IT can keep costs under control. A good rule of thumb is to allow for a new device every 12 to 18 months, depending on how the asset depreciates.  Then again, in this scenario you are putting corporate software on an employee-owned device.

A well-organized BYOPC program can help IT make users happy, no small thing for a department in constant danger of reorganization and outsourcing. Properly done, it can be an easy way to make friends and win internal support. BYOPC programs generally subsidize laptops, with the policy being that users can also make personal use of the machine (which only makes sense, since we all know that users already commingle their business and personal information on their devices). If a lot of your users are now restricted to desktop machines, the change could provide a boost in productivity, since laptop users are more likely to work beyond business hours.

So how does this really benefit the organization, and maintain IT controls?  Do the users really care what the laptop is?  Do I, as an employee want to spend my own money on buying a computer to do my job?  What about those employees who can't buy their own computer, are they now at a disadvantage?  Does BYOC change the playing field at work for employee equality?  If I leave the company, am I going to delete that software and data on my device?  Allow the company IT department to wipe my device? 

I propose to you that BYOC type programs are a benefit to the few and not the many.  Not every employee is going to want to participate or have the means to participate.  I also think it is a mistake to load corporate software and allow corporate data on personally owned devices.  I recommend a virtual desktop environment utilizing a Citrix XenDesktop type solution, with employee-owned devices accessing this solution to have applications presented to them.  Data, software and access remain in this virtual environment and are not allowed on the local employee-owned device.  Therefore, ownership of data, applications and the access all remains internal.  I would also force all the machines connecting to the enterprise network through a clean access checkpoint to ensure compliance with security controls. 
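To make the "clean access checkpoint" concrete, here is an added example (not the author's code or any vendor's product) of the posture decision such a checkpoint makes before a device reaches the network.  The posture fields, thresholds, VLAN names and sample devices are all constructed for the illustration; a real deployment would read the posture report from an endpoint agent.  Employee-owned devices that pass every control are steered to a VLAN that only reaches the virtual desktop broker, so data and applications stay inside the virtual environment as the post recommends; anything that fails a control goes to a remediation VLAN.

```python
"""Device posture check for a clean-access checkpoint (constructed example)."""

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List


@dataclass
class DevicePosture:
    """Posture report as an endpoint agent might submit it (field names assumed)."""
    hostname: str
    os_patch_date: date          # date of the most recent OS patch
    av_running: bool             # anti-virus service active
    av_signature_age_days: int   # age of the installed AV signature set
    disk_encrypted: bool
    host_firewall_on: bool
    corporate_managed: bool      # enrolled in corporate management tooling


@dataclass
class PostureDecision:
    vlan: str                    # "corp", "vdi-only" or "quarantine"
    failures: List[str] = field(default_factory=list)


MAX_PATCH_AGE_DAYS = 30      # policy thresholds, chosen for the example
MAX_SIGNATURE_AGE_DAYS = 7


def check_posture(p: DevicePosture, today: date) -> PostureDecision:
    """Evaluate one device against the access policy.

    Corporate-managed devices that pass every control reach the corporate VLAN.
    Employee-owned devices that pass reach a VLAN exposing only the virtual
    desktop broker.  Any failed control lands the device in quarantine, with
    the reasons recorded so the user (or help desk) can remediate.
    """
    failures = []
    if today - p.os_patch_date > timedelta(days=MAX_PATCH_AGE_DAYS):
        failures.append(f"OS patches older than {MAX_PATCH_AGE_DAYS} days")
    if not p.av_running:
        failures.append("anti-virus not running")
    elif p.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        failures.append(f"AV signatures older than {MAX_SIGNATURE_AGE_DAYS} days")
    if not p.disk_encrypted:
        failures.append("disk not encrypted")
    if not p.host_firewall_on:
        failures.append("host firewall disabled")
    if failures:
        return PostureDecision("quarantine", failures)
    return PostureDecision("corp" if p.corporate_managed else "vdi-only")


# Constructed sample devices: a managed corporate laptop, a compliant
# employee-owned MacBook, and a neglected home PC.
TODAY = date(2010, 7, 6)
SAMPLE_DEVICES = [
    DevicePosture("corp-lt-0123", date(2010, 6, 28), True, 1, True, True, True),
    DevicePosture("jsmith-macbook", date(2010, 7, 1), True, 3, True, True, False),
    DevicePosture("home-pc", date(2010, 3, 15), False, 0, False, True, False),
]


def evaluate_all(devices=SAMPLE_DEVICES, today=TODAY):
    """Return {hostname: PostureDecision} for every device presented."""
    return {d.hostname: check_posture(d, today) for d in devices}


if __name__ == "__main__":
    for host, decision in evaluate_all().items():
        print(f"{host:16} -> {decision.vlan:11} {'; '.join(decision.failures)}")
```

The decision is deliberately fail-closed: an unknown or incomplete posture report would produce failures rather than an allow, and the quarantine VLAN is where remediation tooling (patching, AV update) should be reachable.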

I am still old school I guess, where the employer provides the tools necessary for me to do my job. 

Scott Arnett
scott.arnett@charter.net

Friday, July 2, 2010

Internet - with an EPO button?

We have been hearing it in the news - the President could have a big red emergency power off (EPO) button on his desk to take down the internet.  Is this a good thing or a bad thing? 

The Protecting Cyberspace as a National Asset Act, which is being pushed hard by Senator Joe Lieberman, would hand absolute power to the federal government to close down networks and block incoming Internet traffic from certain countries under a declared national emergency.  The stated aim is protecting our cyber infrastructure, organizations and even government networks. 

Why all the debate and fuss?  Why do we have folks up in arms that this could be an attempt or attack on free speech?  Really?  Isn't this a measure to shut down internet access in the event of a cyber attack?  How real is the cyberwar threat?  Have we not seen an increase in attacks coming out of China, Iran and other rogue countries?  Why not shut down those that attack others and misuse the internet - how is that an attack on free speech? 

The other side of the coin is that as we move more of our companies, jobs and IT infrastructure overseas - as a company, how do you handle an internet shutdown and still have access to your systems now sitting in China, India and elsewhere?  Does your DR plan take the EPO button into consideration? 

Consider this: as an organization you should have a zoned network design; a flat network is no longer acceptable.  You have a PCI zone, an engineering zone and others to segment users and traffic and provide additional security.  Should Homeland Security start classifying key business or infrastructure to protect it from cyber attacks?  Take that classification and start building additional security practice around it?
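The zoned design above only holds if the firewall rules actually match the intended zone matrix.  As an added example (not the author's code, and not tied to any particular firewall product), the script below encodes a small zone matrix - a PCI zone, an engineering zone, users, DMZ, management and the internet - and audits a proposed rule set against it, flagging any allow rule that opens a flow the design never sanctioned.  The zone names, permitted ports and sample rules are all constructed for the illustration.

```python
"""Audit firewall rules against a zone-to-zone segmentation matrix (constructed example)."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

ZONES = {"internet", "dmz", "users", "engineering", "pci", "management"}

# The segmentation design: (source zone, destination zone) -> permitted TCP ports.
# Any pair not present is denied, so this dictionary *is* the policy of record.
ALLOWED_FLOWS = {
    ("internet", "dmz"): {80, 443},
    ("dmz", "pci"): {8443},             # payment front end to card-data service only
    ("users", "dmz"): {80, 443},
    ("users", "engineering"): {22, 443},
    ("engineering", "dmz"): {22, 443},
    ("management", "dmz"): {22},
    ("management", "pci"): {22},
    ("management", "engineering"): {22},
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: int
    action: str      # "allow" or "deny"


def validate_rule(rule: Rule) -> Optional[str]:
    """Return None if the rule conforms to the zone matrix, otherwise the reason it does not."""
    if rule.src_zone not in ZONES or rule.dst_zone not in ZONES:
        return f"unknown zone in {rule.src_zone}->{rule.dst_zone}"
    if rule.action == "deny":
        return None      # an explicit deny never widens exposure
    allowed = ALLOWED_FLOWS.get((rule.src_zone, rule.dst_zone), set())
    if rule.port not in allowed:
        return (f"{rule.src_zone}->{rule.dst_zone}:{rule.port} is not in the zone matrix "
                f"(permitted ports: {sorted(allowed) or 'none'})")
    return None


def audit_ruleset(rules: List[Rule]) -> List[Tuple[Rule, str]]:
    """Return every (rule, reason) pair that violates the segmentation design."""
    violations = []
    for rule in rules:
        reason = validate_rule(rule)
        if reason is not None:
            violations.append((rule, reason))
    return violations


# Constructed rule set, as it might be exported from a perimeter firewall for review.
PROPOSED_RULES = [
    Rule("internet", "dmz", 443, "allow"),
    Rule("dmz", "pci", 8443, "allow"),
    Rule("users", "pci", 1433, "allow"),          # user desktops straight to a PCI database
    Rule("internet", "engineering", 22, "allow"), # internet-facing SSH into engineering
    Rule("engineering", "pci", 3389, "deny"),
    Rule("management", "pci", 22, "allow"),
]


if __name__ == "__main__":
    for rule, reason in audit_ruleset(PROPOSED_RULES):
        print(f"VIOLATION: {rule.action} {rule.src_zone}->{rule.dst_zone}:{rule.port} - {reason}")
```

Run against the sample rules, the audit flags the two allow rules that bypass the design (users directly into the PCI zone, and the internet directly into engineering) while accepting the flows the matrix sanctions.  Keeping the matrix in version control and re-running this kind of check on every rule change is what turns "we have a PCI zone" from a diagram into something you can demonstrate to an assessor.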

I propose to you that cyber attacks will continue to increase, and threats to our infrastructure are real.  It will only be a matter of time before our vital systems are taken down or interrupted by a foreign agency.  Disruption of power, water, or distribution channels can have a significant impact on our daily lives.  Having the ability to shut down the internet to stop a cyber attack or war is essential to our National Security.  Organizations have to stand up and start taking responsibility for their infrastructure security, and be held accountable when they do not.  It is up to all IT professionals to bring security best practice into all we do, point out shortfalls and bring light to cyber opportunities or vulnerabilities.  Gone are the days when organizations hide under the blanket of "security is too expensive" - if you have internet access, you must become secure.  In addition, it is time for AT&T, Verizon and other internet backbone providers to step up to the plate and get serious about this threat.  If an organization orders internet access, there has to be a mandated penetration test, with remediation mandatory. 

It takes everyone to ensure our National Security - including IT. 

Happy 4th of July!

Scott Arnett
scott.arnett@charter.net

Thursday, July 1, 2010

ITIL - Where do I start?

Through the course of the year, I have colleagues ask about ITIL, what it will do for their organization and where to start.  ITIL is a very large undertaking and should really be a multi-year adventure.  Because it's impractical -- if not impossible -- to implement the IT Infrastructure Library (ITIL) in a wholesale manner across all IT processes, organizations must decide exactly where they want to begin.

Ideally, this starting point should be determined based on a careful assessment of practices and a convincing analysis of where the greatest business gains can be achieved quickly. A large percentage of IT organizations, however, have historically started with incident management. This decision has often been based on "gut feel" more than anything else. After all, incident management is what allows IT to quickly restore services to the business -- so by using ITIL to improve these processes, business should be able to reduce downtime, improve IT staff productivity and ensure end-user satisfaction.  In addition, most already communicate - "we have a tool already in house to help us with that..." 

But do CEOs really measure the value of IT based on how quickly it's able to solve problems? Will IT organizations be able to garner executive-level support for ITIL implementation based on time-to-fix and other incident management performance metrics? Does the CIO have a good handle on some key performance indicators?

Probably not. In fact, as IT performance is increasingly measured based on alignment with the business and the delivery of quantifiable business value, many IT organizations are focusing their initial ITIL efforts and investments on change management. I always recommend to my colleagues - start with Change Management.  If you don't have a good handle on the changes occurring in your environment, you are out of control.

There are two fundamental reasons why change management is increasingly the initial focus of ITIL implementations: It can prevent problems before they occur, and it works.

I propose to you that Change is the root cause of many incidents/issues in the environment.  A significant percentage of the problems that threaten critical IT services have their origins in poorly executed changes. The consequences of these changes are often dire in terms of both service availability and regulatory compliance. So, instead of focusing on incident management -- which deals with the problem after it presents itself -- IT organizations need to be looking at change management to prevent problems before they occur.

In fact, if you don't improve the way you manage change, your IT department will be predisposed to constant firefighting. If incidents related to changes are not brought under control, IT service provisioning -- and consequently the business itself -- can spiral out of control. IT becomes locked in a deadly embrace where the number of incidents rises and each incident requires a firefight, leading to more and more incidents.

ITIL change management breaks that embrace by balancing flexibility (facilitating change) with stability (preventing changes from creating problems). Corrective measures reduce the number of incidents and IT can then drive innovation and improvements.  I also recommend a technology review board or committee to sign off on all significant changes. 
Once you get your change management established - a weekly change review board meeting, a change tracking system and meeting minutes are all key to this process - move to the next step.  You can then tackle incident management, configuration management, release management and on to a CMDB.  I recommend you get one working very well and then move on to the next.  Don't overload your staff; keep this process positive and staff engaged. 
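The claim above that change is the root cause of many incidents is one you can measure once a change tracking system exists.  The following added example (not the author's code, and not tied to any ticketing product) correlates incident records with the changes implemented on the same configuration item shortly before each incident opened, and also counts how many of those changes bypassed the change review board.  The record formats, field names, the 48-hour window and the sample data are all constructed for the illustration; a real export would come from your change tracking and help desk tools.

```python
"""Correlate incidents with preceding changes on the same CI (constructed example)."""

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Change:
    change_id: str
    ci: str                 # configuration item touched (server, application, ...)
    implemented_at: datetime
    approved_by_cab: bool   # signed off at the change advisory board meeting


@dataclass
class Incident:
    incident_id: str
    ci: str
    opened_at: datetime


# How long after a change an incident on the same CI is still attributed to it.
CORRELATION_WINDOW = timedelta(hours=48)


def find_related_change(incident: Incident, changes: List[Change]) -> Optional[Change]:
    """Return the most recent change on the incident's CI implemented within the
    window before the incident opened, or None if no change qualifies."""
    candidates = [
        c for c in changes
        if c.ci == incident.ci
        and timedelta(0) <= incident.opened_at - c.implemented_at <= CORRELATION_WINDOW
    ]
    return max(candidates, key=lambda c: c.implemented_at, default=None)


def change_related_metrics(incidents: List[Incident], changes: List[Change]) -> Dict[str, object]:
    """Summarise what share of incidents follow a change, and how many of those
    followed a change that never went through the CAB."""
    related: Dict[str, str] = {}
    after_unapproved = 0
    for inc in incidents:
        chg = find_related_change(inc, changes)
        if chg is not None:
            related[inc.incident_id] = chg.change_id
            if not chg.approved_by_cab:
                after_unapproved += 1
    total = len(incidents)
    return {
        "total_incidents": total,
        "change_related": len(related),
        "change_related_pct": round(100.0 * len(related) / total, 1) if total else 0.0,
        "after_unapproved_change": after_unapproved,
        "incident_to_change": related,
    }


# Constructed sample records.  CHG-1002 is an emergency change pushed without CAB sign-off.
CHANGES = [
    Change("CHG-1001", "erp-db01", datetime(2010, 6, 28, 22, 0), True),
    Change("CHG-1002", "mail-01", datetime(2010, 6, 30, 1, 0), False),
    Change("CHG-1003", "web-02", datetime(2010, 6, 25, 20, 0), True),
]
INCIDENTS = [
    Incident("INC-5001", "erp-db01", datetime(2010, 6, 29, 8, 15)),
    Incident("INC-5002", "mail-01", datetime(2010, 6, 30, 7, 40)),
    Incident("INC-5003", "web-02", datetime(2010, 6, 29, 14, 0)),   # > 48h after CHG-1003
    Incident("INC-5004", "fileshare-01", datetime(2010, 7, 1, 9, 0)),
    Incident("INC-5005", "mail-01", datetime(2010, 7, 1, 0, 30)),
]


if __name__ == "__main__":
    for key, value in change_related_metrics(INCIDENTS, CHANGES).items():
        print(f"{key}: {value}")
```

On the sample data, three of the five incidents follow a change within the window, and two of those follow the one change that skipped the review board.  Those are exactly the kinds of numbers the post says you need to bring to the CIO: they turn "change causes incidents" from a gut feeling into a metric you can track week over week.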

One last thing, don't forget your metrics and measurements.  Know that ITIL is making a difference, that IT performance has improved and that you are doing things right.  This will help drive a good working relationship with the business.

Good luck!