Another Wave of Security Breaches: Meeting It with Security Best Practices

With the latest breaches in the news, I felt it was important to map out base practices as well as some of the best practices in Information Security. In the age of LulzSec, industrial espionage, and everyday breaches, it’s more important than ever to be proactive about security. I consulted with several top security engineers that I have worked with in the past to construct these practices. Much of this post was first published in early April in Information Week and I have updated it further. Unfortunately, this area has to be a top priority for IT leaders to protect their firms, customers and information. If it’s not at your firm, you need to change that. Best, Jim.

PS. Here is a good reference on the biggest data breaches the past 15 years to help you get the investment required to properly implement IT Security.

Mark Twain observed 150 years ago: “A lie can travel halfway round the world while the truth is putting on its shoes.” With the advent of social media, these days that lie has likely made it all the way around the world and back while the truth is still in bed.

And today it is not just false information that travels: it’s confidential information, your customers’ information, or your company’s intellectual property that is spirited away. The pace and sophistication of attacks by hackers and others who expose confidential data and emails has increased dramatically. For their latest exploit, a group calling itself LulzSec Reborn recently hacked a military dating website, releasing the usernames and passwords of more than 170,000 of the site’s subscribers.

Then there are the for-profit attacks by nation states and companies seeking intellectual property, and fraud by organized crime outfits. Consider the blatant industrial espionage conducted against Nortel and, more recently, AMSC, or the recent fraud attack against Global Payments. These are sobering stories of how companies falter or fail in part due to such espionage.

One of a CIO’s most critical responsibilities is to protect his or her company’s information assets. Such protection often focuses on preventing others from entering company systems and networks, but it must also identify and prevent data from leaving. The following recommendations can help you do this. They are listed in two sections: conventional measures that focus on system access, and best practices given the profiles of today’s attacks.

Conventional Measures:

Establish a thoughtful password policy. Sure, this is pretty basic, but it’s worth revisiting. If you require periodic password changes, set a reasonable frequency: force changes more often than every three months and users will write their passwords down, compromising security. Note that current NIST guidance (SP 800-63B) goes further and drops forced periodic rotation altogether unless there is evidence of compromise, favors length (a minimum of eight characters, with long passphrases allowed and encouraged) over capital-letter-plus-digit composition rules, and screens every new password against lists of commonly used and previously breached passwords. Whatever rules you choose, rate-limit or lock out repeated failed login attempts; a six-character password with one capital and one digit offers little resistance to an online guessing attack without that control.
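As an added illustration of the screening side of a password policy (this is example code written for this edit, not part of the original post), the check below enforces a minimum length, a common-password blocklist and a breached-password lookup. The breach lookup follows the k-anonymity "range" pattern used by Have I Been Pwned: only the first five hex characters of the SHA-1 hash leave the client, and the server answers with every known hash suffix for that prefix. Here the "server response" is a constructed dictionary embedded in the code so the example runs offline; the blocklist entries and the sample breached password `Summer2012!` are likewise constructed.

```python
import hashlib
import re

# Constructed stand-in for a common-password corpus (a real deployment loads a large list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def _sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a k-anonymity range response: prefix -> {suffix: breach count}.
# With the real service the client fetches /range/<prefix> and parses "SUFFIX:COUNT" lines.
_BREACHED = _sha1_hex("Summer2012!")  # constructed example of a leaked password
RANGE_RESPONSES = {_BREACHED[:5]: {_BREACHED[5:]: 1234}}


def breach_count(password):
    """Return how often the password appears in the (constructed) breach corpus.

    Only the 5-character hash prefix would be sent to a remote service; the full
    hash never leaves the client, which is the point of the k-anonymity design.
    """
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return RANGE_RESPONSES.get(prefix, {}).get(suffix, 0)


def check_password(password, username="", min_length=12):
    """Return a list of policy violations; an empty list means the password is acceptable.

    Deliberately no "one capital, one digit" composition rule: length plus screening
    against known-bad passwords is the modern (NIST SP 800-63B) approach.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if re.fullmatch(r"(.)\1+", password):
        problems.append("single repeated character")
    seen = breach_count(password)
    if seen:
        problems.append(f"seen in {seen} breaches")
    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor", "Summer2012!", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The minimum length of 12 is an assumed local policy value, not something the post or NIST mandates; adjust it to your own standard.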

Publicize best security and confidentiality practices. Do a bit of marketing to raise user awareness and improve security and confidentiality practices. No security tool can be everywhere. Remind your employees that security threats can follow them home from work or to work from home. Help your employees take part in your company’s security practices; there is a good post on this at How To Make Information Security Everyone’s Problem.

Install and update robust antivirus software on your network and client devices. Enough said, but keep it up-to-date and make it comprehensive (all devices).

Review access regularly. Also, ensure that all access is provided on a “need-to-know” or “need-to-do” basis. This is an integral part of any Sarbanes-Oxley review, and it’s a good security practice as well. Educate your users at the same time you ask them to do the review. This will reduce the possibility of a single employee being able to commit fraud using access retained from a previous position.
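Access reviews are far more effective when the reviewer is shown the delta rather than the whole entitlement list. The script below (added example code, not from the original post) reconciles a constructed HR feed of current roles against a constructed entitlement export, flags anything granted beyond the role baseline or held by a user with no HR record, and checks for the classic segregation-of-duties conflict the paragraph warns about: one person able to both enter a payable and initiate a wire. All users, roles and entitlement names are made up for the illustration.

```python
# Constructed HR feed: the role each user currently holds.
HR_ROLES = {
    "alice": "accounts_payable",
    "bob": "treasury",          # moved from accounts_payable last quarter
    "carol": "it_ops",
}

# Constructed "need-to-do" baseline: which entitlements each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"ap_invoice_entry", "vendor_lookup"},
    "treasury": {"wire_initiate", "vendor_lookup"},
    "it_ops": {"server_admin"},
}

# Constructed export from the target systems: what each user can actually do today.
ACTUAL_ENTITLEMENTS = {
    "alice": {"ap_invoice_entry", "vendor_lookup"},
    "bob": {"wire_initiate", "vendor_lookup", "ap_invoice_entry"},  # retained from old role
    "carol": {"server_admin"},
    "dave": {"wire_initiate"},  # no HR record: a leaver or an untracked contractor
}


def review_access(hr_roles, role_entitlements, actual):
    """Return (user, reason, entitlements) findings for entitlements that exceed the role baseline."""
    findings = []
    for user, granted in sorted(actual.items()):
        role = hr_roles.get(user)
        if role is None:
            findings.append((user, "no HR record", sorted(granted)))
            continue
        excess = granted - role_entitlements.get(role, set())
        if excess:
            findings.append((user, f"beyond role {role}", sorted(excess)))
    return findings


def toxic_combinations(actual, pairs=(("ap_invoice_entry", "wire_initiate"),)):
    """Segregation-of-duties check: users holding both halves of a conflicting pair."""
    return sorted(user for user, granted in actual.items()
                  for a, b in pairs if a in granted and b in granted)


if __name__ == "__main__":
    for user, reason, ents in review_access(HR_ROLES, ROLE_ENTITLEMENTS, ACTUAL_ENTITLEMENTS):
        print(f"{user}: {reason}: {', '.join(ents)}")
    print("SoD conflicts:", toxic_combinations(ACTUAL_ENTITLEMENTS))
```

Run quarterly against real exports, the output is the short list a manager actually needs to certify; the full entitlement dump can stay as supporting evidence.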

Put in place full-disk encryption with pre-boot authentication on laptops. This encryption will make it very difficult to expose confidential company information via lost or stolen laptops, which is still a big problem. Meanwhile, educate employees to avoid leaving laptops in their vehicles or other insecure places.

Require secure access for “superuser” administrators. Given their system privileges, any compromise of their access can open up your systems completely. Ensure that they don’t use generic or shared user IDs, that default and vendor-supplied passwords are changed to robust ones, and that all their commands are logged (and subsequently reviewed by another engineering team and management). Implement two-factor authentication for any remote superuser access.

Maintain up-to-date patching. Enough said.

Encrypt critical data in transit. Any customer or other confidential information transmitted from your organization should be encrypted (TLS for web and API traffic, SFTP or an equivalent for file transfers). The same precaution applies to any login transaction that sends credentials across a public network; never accept credentials over plain HTTP.

Perform regular penetration testing. Have a reputable firm test your perimeter defenses regularly.

A Thoughtful Set of Additional Current Best Practices: With the pace of change of technology and the rise of additional threats from hackers and state-sponsored espionage, your company’s security posture must adopt the latest best techniques and be updated regularly. Here are the current best practices that I would highly recommend.

Provide two-factor authentication for customers. Some of your customers’ personal devices are likely to be compromised, so requiring two-factor authentication for access to accounts means a stolen password alone is not enough to get in. Also, notify customers when certain transactions have occurred on their accounts (for example, changes in payment destination, email address, physical address, etc.).
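The most widely deployed form of customer second factor is the time-based one-time password (TOTP, RFC 6238) that authenticator apps generate. The implementation below is added example code for this edit, not code from the original post; it uses only the Python standard library. Two points a practitioner should notice: the verifier accepts a small window of adjacent time steps to absorb clock drift between the phone and the server, and it returns the matching counter so the caller can store it and reject a replayed code even inside that window. The `SECRET` value is the RFC 6238 test-vector key, used here only so the output can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890"); real deployments
# generate a random per-user secret and share it with the app via a QR code.
SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // step, digits, algo)


def verify_totp(secret, code, unix_time=None, step=30, digits=6, window=1, last_used=-1):
    """Verify a submitted code against the current step and +/- `window` neighbours.

    Returns the matching counter (persist it as `last_used` for this user) or None.
    Counters at or below `last_used` are rejected, which blocks replay of a code the
    attacker captured moments ago even though it is still inside the drift window.
    Comparison is constant-time so the verifier does not leak the correct digits.
    """
    if unix_time is None:
        unix_time = time.time()
    counter = int(unix_time) // step
    for k in range(-window, window + 1):
        candidate = counter + k
        if candidate > last_used and hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    print("current 6-digit code:", totp(SECRET))
    print("RFC 6238 vector for T=59 (8 digits):", totp(SECRET, 59, digits=8))
```

Keep the window small (one step each side is typical); every extra step an attacker is allowed multiplies the chance that a random guess lands on a valid code, and rate-limit code submissions for the same reason.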

Secure all mobile devices. Equip all mobile devices with passcodes, encryption, and remote wipe. Encrypt your USB flash memory devices. On secured internal networks, some teams deliberately leave traffic unencrypted so that monitoring tools can detect unauthorized activity and diagnose production and performance problems; if you take that route, recognize that the same traffic is readable by anyone who gets a foothold inside the network, so confine it to well-segmented zones and keep credentials and customer data encrypted regardless.

Further strengthen access controls. Permit certain commands or functions (e.g., superuser) to be executed only from specific network segments, such as a jump host on an administrative VLAN, and not from arbitrary remote locations. Permit contractor network access only via a partitioned secure network or a secured client device.
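Two of the controls above, logging every privileged command for later review and allowing superuser actions only from designated network segments, can be checked together from the host logs you already have. The script below is an added example for this edit, not code from the original post: it reads constructed sshd and sudo syslog lines, pairs each sudo invocation with the user's most recent login source, and flags commands run from a generic account, from outside the admin segment, or that escalate to an interactive shell (which defeats per-command logging, because everything typed inside the shell goes unrecorded). The admin segment `10.20.5.0/24`, the generic account names and the log lines are all constructed for the example.

```python
import ipaddress
import re

ADMIN_SEGMENTS = [ipaddress.ip_network("10.20.5.0/24")]   # assumed jump-host / admin VLAN
GENERIC_ACCOUNTS = {"admin", "oracle", "appuser"}           # assumed shared service accounts
# Commands whose use from sudo deserves review: account/sudoers edits and shell escapes.
HIGH_RISK = re.compile(r"/(visudo|useradd|usermod|passwd|su|bash|sh)$")

SSH_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Constructed sample log in standard sshd / sudo syslog format.
SAMPLE_LOG = """\
Jun 12 09:14:02 db01 sshd[2311]: Accepted publickey for alice from 10.20.5.17 port 51234 ssh2
Jun 12 09:14:20 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Jun 12 11:02:44 db01 sshd[2590]: Accepted password for oracle from 203.0.113.9 port 40022 ssh2
Jun 12 11:03:01 db01 sudo:   oracle : TTY=pts/1 ; PWD=/opt/oracle ; USER=root ; COMMAND=/bin/bash
Jun 12 13:45:10 db01 sshd[2712]: Accepted publickey for bob from 10.20.7.8 port 50100 ssh2
Jun 12 13:45:33 db01 sudo:      bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/visudo
"""


def in_admin_segment(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_SEGMENTS)


def review_privileged_commands(log_text):
    """Return (user, command, reasons) for each sudo invocation that needs a second look."""
    last_source = {}   # user -> source IP of their most recent accepted ssh login
    findings = []
    for line in log_text.splitlines():
        m = SSH_RE.search(line)
        if m:
            last_source[m["user"]] = m["ip"]
            continue
        m = SUDO_RE.search(line)
        if not m:
            continue
        user, cmd = m["user"], m["cmd"]
        reasons = []
        if user in GENERIC_ACCOUNTS:
            reasons.append("generic account")
        src = last_source.get(user)
        if src is None or not in_admin_segment(src):
            reasons.append(f"source {src or 'unknown'} outside admin segment")
        if HIGH_RISK.search(cmd.split()[0]):
            reasons.append("high-risk command")
        if reasons:
            findings.append((user, cmd, reasons))
    return findings


if __name__ == "__main__":
    for user, cmd, reasons in review_privileged_commands(SAMPLE_LOG):
        print(f"{user}: {cmd} [{'; '.join(reasons)}]")
```

Alice's restart from the admin segment produces no finding; the `oracle` shell from an internet address and Bob's `visudo` from a non-admin subnet do. In production, feed the same logic from your log aggregator and have the review performed by a team other than the one that ran the commands, as the post recommends.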

Secure your sites from inadvertent outside channels. Implement your own secured wireless network, one that can detect unauthorized access, at all corporate sites. Regularly scan for rogue network devices, such as DSL modems set up by employees, that let outgoing traffic bypass your controls.

Prevent data from leaving. Continuously monitor for transmission of customer and confidential corporate data, with the automated ability to shut down illicit flows using tools such as NetWitness. Establish permissions whereby sensitive data can be accessed only from certain IP ranges and sent only to another limited set of destinations. Continuously monitor traffic destinations, in conjunction with a top-tier carrier, in order to identify traffic going to fraudulent sites or unfriendly nations.
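The "sent only to a limited set" rule and the volume monitoring described above reduce to a small amount of logic over flow records. The example below is added for this edit and is not code from the original post or from any named product: it aggregates constructed NetFlow-style records per source, destination and port, and raises an alert when a host tagged as holding sensitive data sends to a destination outside the egress allowlist, moves more than a bulk threshold in the window, or pushes an implausible volume over DNS (a common tunnelling channel). The host tags, allowlist networks, threshold and flow records are all constructed; the country-of-destination check the post mentions would be an additional lookup table and is not included.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: hosts that hold customer or confidential data.
SENSITIVE_HOSTS = {"10.10.1.5": "customer-db", "10.10.1.9": "hr-fileserver"}
# Constructed egress allowlist: internal space plus a partner SFTP range.
ALLOWED_EGRESS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]
BULK_THRESHOLD_BYTES = 50 * 1024 * 1024   # assumed: 50 MiB per src/dst/port per window
DNS_THRESHOLD_BYTES = 1_000_000           # assumed: DNS from one host should stay far below this

# Constructed flow records for one monitoring window: (src, dst, dst_port, bytes_out).
FLOWS = [
    ("10.10.1.5", "10.10.2.20", 5432, 4_000_000),     # internal replication, fine
    ("10.10.1.5", "198.51.100.7", 22, 30_000_000),    # partner SFTP, on allowlist
    ("10.10.1.5", "203.0.113.50", 443, 35_000_000),   # unknown external host...
    ("10.10.1.5", "203.0.113.50", 443, 40_000_000),   # ...and a lot of it
    ("10.10.3.30", "203.0.113.50", 443, 1_000_000),   # non-sensitive host, ignored
    ("10.10.1.9", "192.0.2.77", 53, 5_000_000),       # 5 MB of "DNS" from the HR server
]


def is_allowed_destination(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_EGRESS)


def detect_exfiltration(flows):
    """Return (host tag, src, dst, port, reasons) alerts for suspicious outbound flows."""
    totals = defaultdict(int)
    for src, dst, port, nbytes in flows:
        totals[(src, dst, port)] += nbytes

    alerts = []
    for (src, dst, port), nbytes in sorted(totals.items()):
        if src not in SENSITIVE_HOSTS:
            continue
        reasons = []
        if not is_allowed_destination(dst):
            reasons.append("destination not on egress allowlist")
        if nbytes > BULK_THRESHOLD_BYTES:
            reasons.append(f"{nbytes // 2**20} MiB exceeds bulk threshold")
        if port == 53 and nbytes > DNS_THRESHOLD_BYTES:
            reasons.append("oversized DNS traffic (possible tunnelling)")
        if reasons:
            alerts.append((SENSITIVE_HOSTS[src], src, dst, port, reasons))
    return alerts


if __name__ == "__main__":
    for tag, src, dst, port, reasons in detect_exfiltration(FLOWS):
        print(f"{tag} ({src}) -> {dst}:{port}: {'; '.join(reasons)}")
```

Aggregating before thresholding matters: the two 35 MB and 40 MB flows to `203.0.113.50` are each under the limit on their own and only trip it combined, which is exactly how a patient attacker splits a transfer.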

Keep your eyes and ears open. Continually monitor underground forums (“Dark Web”) for mentions of your company’s name and/or your customers’ data for sale. Help your marketing and PR teams by monitoring social networks and other media for corporate mentions, providing a twice-daily report to summarize activity.

Raise the bar on suppliers. Audit and assess how your company’s suppliers handle critical corporate data. Don’t hesitate to prune suppliers with inadequate security practices. Be careful about having a fully open door between their networks and yours.

Put in place critical transaction process checks. Ensure that crucial transactions (e.g., large transfers) require two personnel to execute, and that regular reporting and management review of such transactions occurs.

Best, Jim D.

In some ways you can view it as no longer a matter of if you get hacked, but when. Information Week has a special retrospective of news coverage, Monitoring Tools And Logs Make All The Difference, where they take a look at ways to measure your security posture and the challenges that lie ahead with the emerging threat landscape. (Free registration required.)

Key Steps to Building High Performance Teams

Today I have returned to a topic that is at the core of Recipes for IT: High Performance IT Teams. While tax day did take a bit of time and I am slightly delayed in posting this, I have actually laid out three accompanying posts or pages for today’s post. I think it is a good start on the complex topic of how to build or energize your team and create a high performing team. I look forward to your comments! Best, Jim

Building High Performance Teams: The essence of being a leader is defining a vision and compelling others to pursue and achieve that vision. Recently a good colleague relayed an article in Harvard Business Review describing how it is more difficult today to be an outstanding leader due to a number of factors, including the wider availability of knowledge and easier access to each other, as well as a reduced perception of the glory of the institutions that leaders represent.

And while I would agree these factors may make things more difficult to be a great leader, I tend to believe that we have just as many, if not more, good and decent men and women who are effective and even outstanding leaders today as ever in history. But because the circumstances are less dire (e.g., there is not a world war to require a Churchill) and because the competence has risen (yes, management is a far more analyzed and practiced field than ever before), there are not the towering gaps between the best and the average that might have previously been. So with a positive outlook on the competence of today’s managers and leaders, I have assembled a set of practices that I have leveraged or I have seen peers or other senior IT leaders use to build high performance IT teams.

The emerging senior IT leader, together with his or her senior management team, can use these practices to build a high performing team, in the following steps:

Today’s post covers how to set such a vision, then define and cascade the goals to match your vision, align the incentives, and set the proper expectations and behaviors. I have constructed pages with links above on the next three steps. Subsequent posts will cover the remaining steps.

I think the aspiration of building a high performing team is a lofty, worthwhile, and achievable vision. If you have ever participated in a high performance team at the top of their game, in other words a championship team, then you know the level of professional reward and sense of accomplishment that accompanies such membership. And for most companies that rely significantly on IT, if their IT team is a high performing team, it can make a very large difference in their products, their customer experience, and their bottom line. But if you set out to build such a team it must be for a vision that is more than just the team; it must be to enable your company to achieve outsized goals of appropriate scale and aspiration. You will not attract or retain top talent and inspire others if you and your company have only modest goals.

So, first, consider your company’s goals and then outline what IT must become and must accomplish to enable corporate success of major significance. Then draw out the IT vision and goals that will enable that success. Do not get trapped by cloaking your vision in uninspired definitions (e.g., don’t state your vision as ‘Save $40M in costs’; instead, ‘Become top quartile in efficiency in IT for our industry and company size by 201x’). You can only state your vision in this manner, of course, if you mean it. So, I will assume you have true aspirations for your team to become a world class IT organization and you will meld those goals with your company’s goals for a compelling vision. Further, consider IT goals to match both your company’s service and operations goals as well as product and innovation. Make sure the vision you define for IT drives both areas, as well as looking to a two to three year horizon for the target. (Rebuilding or energizing a team usually takes such a time period to truly reach high performance, and you must lift the sight line to the horizon to ensure your team does not get trapped in just extending the everyday steps.)

Once you have defined a compelling vision, the next step is to set the right goals to achieve the vision. The right goals will logically cascade as mileposts on the journey to high performance as well as be inevitable products of achieving corporate excellence. I recommend framing such goals as the primary measures, by year, by which you will determine whether you are making the required progress to reach your vision. For the upcoming year, it is often worthwhile to set quarterly milestones as well. These measures should be relevant, well-defined, as quantifiable as possible, and set at stretch but achievable levels. If, for example, your vision is for your company to become an industry leader in service quality, then you would want to set cascaded goals where the IT team dramatically improves its quality (so the systems now enable much better customer service for the company) as well as delivers key workflow improvements or feature enhancements to enable the company to lift its service directly (e.g., the package tracking capability that Federal Express uses to ensure extremely high quality service). Ensure that your measures are not uni-dimensional, that is, covering only one aspect of what your company and thus your team must achieve. There should be clear focus in one area (e.g., quality and operational excellence, or product feature, or speed, or innovation) but it should not be to the full neglect of the other areas. Further, you should set at least modest goals for both cost and risk; otherwise these could become risk areas as your team pursues only one facet.

Once you have defined the right, cascading goals you will need to reinforce the goals with a set of behaviors and expectations as well as aligned incentives. And the approach to achieving the goals should reflect the strengths of the team. For example, if one of your goals is to achieve outstanding quality, then measures for the goal may include process definition work and metrics implementation if your team has low maturity, or jump right to leveraging already reported metrics and driving improved feedback cycles if it has high maturity. Further, if your team has an engineering bias you may approach the solution through robust root cause analysis and better design processes, whereas if the team has a strong collaboration approach you may reach the same quality goal through better peer reviews and additional coordination and validation of changes.

More important, though, is to reinforce your goals through aligned behaviors and expectations and, most importantly, incentives. For example, if you are looking to drive more predictable project delivery for the business, then having incentives that reward firefighting for some of your staff, when they contributed to the potential issues in the first place, will tremendously undermine how much the rest of the staff support your goals. Similarly, if you reward those who, while delivering a particular set of results, cause significant damage to other team members or ignore other standards or principles, then you will minimize the likelihood that such principles or standards will be followed in the future. It is important, as a leader, to reward not just the results but, more critically, how the effort was achieved. Often in organizations, those who quietly and effectively carry out significant projects with excellent team behaviors are neglected by management, when good leaders would call out the very same individuals for exemplary performance. Quite simply, your smartest team members will observe what you reward, and if you do not reinforce the values you are looking to achieve (productivity, quality, initiative, etc.), you will not get the changes desired.

Most importantly, though, your behaviors as a leader must reflect the very same expectations you have outlined for your team. And you must demonstrate a tenacious focus on the goals and vision you have defined. Your behaviors must reinforce your expectations. Every day there are conflicts and setbacks; strong leaders turn these into episodes that strengthen rather than weaken the team. Understand that when you lead by example, you will make a daily difference and demonstrate to your team what should be done. Your focus, discipline, thoughtfulness, and sacrifice for the team and goals will not be lost and will result in better effort all around.

In sum, it is important to define a compelling vision and establish the right goals and incentives, but at each stage of the journey there will be key moments where you as a leader will either reinforce the vision, goals and principles you have set or undermine them. As leaders, we can easily step into the role of setting a direction, sponsoring a program or making a major decision, but for all the visibility and importance of these actions, the time we spend interacting with, communicating with and coaching our teams will determine the effectiveness and reach of our goals.

Now with the steps above you will have the foundation to build a high performance team and deliver sustainable and outstanding results.

What steps or approaches have you used to successfully define a vision and goals for a team? What would you change to this approach?

Best, Jim Ditmore

Using Performance Metric Trajectories to Achieve 1st Quartile Performance

I hope you enjoyed the Easter weekend. I have teamed up today with Chris Collins, a senior IT Finance manager and former colleague. Our final post on metrics is on unit costing — on which Chris has been invaluable with his expertise. For those just joining our discussion on IT metrics, we have had 6 previous posts on various aspects of metrics. I recommend reading the Metrics Roundup and A Scientific Approach to Metrics to catch you up in our discussion.

As I outlined previously, unit costing is one of the critical performance metrics (as opposed to operational or verification metrics) that a mature IT shop should leverage particularly for its utility functions like infrastructure (please see the Hybrid model for more information on IT utilities). With proper leverage, you can use unit cost and the other performance metrics to map a trajectory that will enable your teams to drive to world-class performance as well as provide greater transparency to your users.

For those just starting the metrics journey, realize that in order to develop reliable sustainable unit cost metrics, significant foundational work must be done first including:

  • IT service definition should be completed and in place for those areas to be unit costed
  • an accurate and ongoing asset inventory must be in place
  • a clean and understandable set of financials must be available organized by account so that the business service cost can be easily derived

If you have these foundation elements in place then you can quickly derive the unit costing for your function. I recommend partnering with your Finance team to accomplish unit costing. And this should be an effort that you and your infrastructure function leaders champion. You should look to apply a unit cost approach to the 20 to 30 functions within the utility space (from storage to mainframes to security to middleware, etc.). It usually works best to start with one or two of the most mature component functions and develop the practices and templates. The IT finance team should progress the effort as follows:

  • Ensure they can easily segregate cost based on service listing for that function
  • Refine and segregate costs further if needed (e.g., are there tiers of services that should be created because of substantial cost differences?)
  • Identify a volume driver to use as the basis of the unit cost (for example, for storage it could be terabytes of allocated storage)
  • Parallel to the service identification/cost segregation work, begin development of unit cost database that allows you to easily manipulate and report on unit cost.  Specifically, the database should contain:
    • Ability to accept RC and account level assignments
    • Ability to capture expense/plan from the general ledger
    • Ability to capture monthly volume feeds from source systems including detail volume data (like user name for an email account or application name tied to a server)

For the function team, they should support the IT Finance team in ensuring the costs are properly segregated into the services they have defined. Reasonable precision of the cost segregation is required, since later analysis will be for naught if the segregations are inaccurate. Once the initial unit costs are reported, the function’s technology team can begin their analysis and work. First and foremost should be an industry benchmark exercise. This will enable you to understand quickly how your performance ranks against competitors and similar firms. Please reference the Leveraging Benchmarks page for best practices in this step. In addition to this step, you should further leverage performance metrics like unit cost to develop a projected trajectory for your function’s performance. For example, if your unit cost for storage is currently $4,100/TB for tier 1 storage, then the storage team should map out what their unit cost will be 12, 24, and even 36 months out given their current plans, initiatives and storage demand. And if your target is for them to achieve top quartile cost, or cost median, then they can now understand if their actions and efforts will enable them to deliver to that future target. And if they will not achieve it, they can add measures to address their gaps.

Further, you can now measure and hold them accountable on a regular basis to achieve the proper progress towards their projected target. This can be done not just for unit cost but for all of your critical performance measures (e.g., productivity, time to market, etc.). Setting goals and performance targets in this manner will achieve far better results, because a clear mechanism for understanding cause and effect between their work and initiatives and the target metrics has been established.

A broad approach to also potentially utilize is to establish a unit cost progress chart for all of your utility functions. On this chart, where the y axis is cost as a percentage of current cost and the x axis is future years, you should establish a minimum improvement line of 5% per year. The rationale behind this is that improving hardware (e.g., servers, storage, etc.) and improving productivity yield an improving unit cost tide of at least 5% a year. Thus, to truly progress and improve, your utility functions should well exceed a 5% per year improvement if they are below 1st quartile. This approach also conveys the necessity and urgency of not resting on our laurels in the technology space. Often, with this set of performance metrics practices employed along with CPI and other best practices, you can then achieve 1st quartile performance within 18 to 24 months for your utility function.

What has been your experience with unit cost or other performance measures? Were you able to achieve sustained advantage with these metrics?

Best,

Jim Ditmore and Chris Collins


Better Requirements Definition to Improve Time to Market and Quality

We have two features this week: the first and best is Fred Alsup’s perspective on best practices in requirements definition; and I have also added and slightly updated a post on Agility and Innovation in the ‘Asides’ page. Enjoy and have a great week! Best, Jim Ditmore

To deliver cutting-edge, market-advantage systems for your company requires allying your company’s business and operations experts, as well as marketing and sales leaders, with technology experts. For a large firm, you may have several if not dozens of projects with these multi-disciplinary teams. Complex projects in which participants articulate requirements from different perspectives, using terminology unique to their discipline and without a rigorous approach, are one of the primary reasons for poor requirements. Frequent issues include ambiguous or ill-defined requirements, missing requirements or poorly defined bridges between areas, or, worse, a key expert who is not focused on their area until late in the project (when it is far more difficult or expensive to correct). Further, traditional approaches often result in team members feeling that “everyone’s speaking different languages” or “I’m not being heard”.

This happens both when little time is spent on requirements and, most disappointingly, even when a great deal of time is spent. Such a result is often due to the requirements elicitation approach and results in negative consequences for the project. The project financial loss includes the extended cost of the system and all of the time spent in meetings trying to elicit the requirements or review documents. And, of course, there is the lost opportunity of not having the system that would optimize the work or provide market advantage. And the relationship between the business and IT becomes or remains strained.

Traditional requirements elicitation or gathering methods are often the cause of these issues. Cycling over and over the requirements definition with individual users and experts or small groups in a document-based, waterfall approach results in many issues:

  • A lengthy process where each contributor often only sees a part of the envisioned system (like the blind men touching an elephant and coming up with different conclusions as to what it is)
  • Business and technology roles are not clearly defined and often overlap, resulting in user requirements and technical solutions mixed together
  • The requirements definitions in a document-based capture approach are often overly complex and miss the essence of what should be done
  • Key experts are often overloaded, thus frequently cannot spend adequate time on the area in a traditional process, resulting in either delays or gaps
  • The spark of innovation that comes from bringing multiple different areas together to solve for the business never occurs

In essence, gathering requirements in such a methodical but piecemeal and lengthy process causes these outcomes. In order to break out and develop far higher quality requirements and spark innovation and outstanding solutions, you should apply a rapid requirements process that brings the contributors together in a structured and intense manner. You will be able to define requirements in a far shorter time period with much greater quality. Very similar to Agile approaches, where scrum sessions with a focused set of users drive a tight cycle time to define interfaces or small systems, rapid requirements enables requirements elicitation for large and complex systems with many disciplines to occur in a tight, joint set of cycles.

The essentials for executing a rapid requirements approach are as follows:

  • Set aside two or more days for the requirements elicitation. If the system is to reengineer or deliver a business process, add one day for each additional business area the process impacts (e.g., if back office and middle office, then 3 days total; if front office as well, 4 days). Usually it is best if the sessions are 5 or 6 hours per day rather than 8, as users can then handle regular priority work rather than interrupt the session.
  • Utilize a facilitator and scribe in the sessions. For larger sessions, multiple scribes or assistants are needed. The scribes should be strong analysts, not just note keepers. The facilitator must be skilled at communications and elicitation as well as effective at driving for results.
  • Bring together all the key users and providers for the session. Attendance is mandatory; delegation should be frowned upon. Having even one contributor missing can make a major difference and lead to a major omission. And individuals must operate in one role only (e.g., users cannot define how to implement: first, this is a requirements session, not a system design session, and second, this overruns the provider role). Having individuals act in one and only one role during a session is, in my experience, of critical importance, if not common practice.
  • Facilitators have full control of and responsibility for running the meeting, asking questions, and directing other role players in the questioning and answering. The facilitator should have the ability to build deep rapport quickly with each participant in the session while balancing that with the need to be assertive and even commanding if necessary. The facilitator should understand whether expansion or closure on a topic is appropriate and then formulate the right question, including suggesting user requirements (but not making decisions about user requirements).
  • Scribes listen and document requirements using a defined grammar. A scribe may suggest user requirements but not make decisions about user requirements or user prioritization.
  • Users define the user requirements and determine prioritization. It is best if the users (business experts) also seek to improve the business process or synergize during the session. It can be helpful to have process experts (e.g., lean, etc.) assist the users in defining their target process as part of the requirements session.
  • Solution providers (e.g., technology or operations) ask clarifying questions concerning user requirements. A solution provider may suggest user requirements but not make decisions about user requirements or user prioritization.
  • It can also be helpful to include risk or legal experts as part of the team.
  • Ensure that your target process includes inherent measurement and quality management as part of each subprocess, as appropriate.

By bringing everyone together in a structured and facilitated session, connections are made, misunderstandings addressed and synergies achieved that just would not happen otherwise. Full and engaged customer and supplier representation is common sense that does not commonly occur with traditional methods. With this rapid requirements approach you will get higher quality requirements in far less time, with greater participation and better solutions. And you will start your project off with high quality requirements that are much more likely to lead to project success. For more information on Rapid Requirements, don’t hesitate to visit the site.

Fred Alsup