April 02, 2008
Late last week, a MacBook Air was cracked at the CanSecWest security conference as reported by Robert McMillen here in InfoWorld. The Web discussions about it show just how silly this whole security discussion has become.
Some pundits delighted in the fact that Apple's premier laptop was the "first to fall" again this year. Others noted that many of those attacking the systems were using Macs to do so. Others noted that Vista fell second and Ubuntu Linux was not cracked during the event.
From the perspective of a CIO who does the necessary analysis, none of these actually matter. There are too many variables. I think the good news was that nobody cracked any of the systems by attacking them from the network. That's good news for the direction of security overall.
As I mentioned in Mu Security for network protocol robustness testing and Veracode for application security analysis should be applied to all products before shipping them), so understanding the typical attack vectors and educating staff on mitigating the risks is the only real solution.
Of course, you must also protect your infrastructure from the possible compromise of systems. This is where policy-based networking comes into play. That's why we review the evolving world of policy management and enforcement (sometimes called NAC, but that's a hyped misnomer).
Anyway, don't buy into the mindless "security competition" masquerading as news. Focus on your users and getting them as productive as possible while managing the risks. It's a balancing act, and it's IT's job to do it.
Posted by Stephen Hultquist on April 2, 2008 12:30 AM
April 01, 2008
In a recent article in the Wall Street Journal, Ben Worthen writes, "Many IT groups have banned the iPhone from their workplaces, complaining that there is no way to force employees to protect their iPhones with passwords and that they can't erase sensitive corporate data from remote locations if the device is stolen or lost. Additionally, they say the iPhone doesn't support the software many businesses use and that it only works on one cellular carrier's network.
"But keeping the iPhone out of the office may be a losing battle. As a result, some technology experts say the iPhone could usher in a change in the way businesses adopt new technologies."
Attitudes like these show an utter contempt for the real purpose of IT and a misunderstanding of IT's role in a business. IT control freaks will not last because they miss the point: IT exists to support the business, not to decide what's allowed and what's not. Control isn't the point. Managing risk is.
The comment that IT staff are upset with the iPhone because they can't "force employees to protect their iPhones with passwords" sums it up quite well. How did we get this far from the real purpose?
Instead, IT should be working with staff to help them understand the importance of protecting corporate assets, the value in doing so, and the mechanisms for doing so. Mindshare is the goal, not enforcement. Forcing users into limitations that they don't want to accept never works, and it gives the illusion of security and compliance where none actually exists.
The iPhone is a perfect example. In most organizations that claim to limit iPhone use, there are iPhone users. Are they low-level employees with limited access to sensitive corporate information? Or are they senior executives who can do pretty much what they want?
You can answer that as well as I can.
Instead of living in a false sense of security, IT's job is finding ways to make the most productive options work well for the sake of the company's competitive advantage. Let go of the control and find ways to make staff happy and productive.
It's the right thing to do.
Posted by Stephen Hultquist on April 1, 2008 05:03 PM
March 28, 2008
Since my last blog post here, I have been actively working through the daily life of a CIO for a couple of my clients. As I provide them the executive management and strategic technology guidance that they require of a CIO, I also live the challenges of that position.
It's time, then, to give this blog a rebirth with an expansion of the original concept. Think of that expansion as, "What is the life of a CIO and how do you relate to it?"
Ultimately, this blog is an opportunity to develop a comprehensive perspective on the business application of technology, the pragmatics of its implementation, and the integration of technical possibility and practical business.
This is where the truth gets in the way, after all.
Together, I think we can move the industry forward as a result. And that's my commitment.
What do you think?
Posted by Stephen Hultquist on March 28, 2008 05:47 AM
September 10, 2007
Managed Services Protect the Core
Companies that are successful in the rapidly changing worldwide economy are those that stay focused on what makes a difference for them. For some years, business and technology pundits have put effort into discussing "core competencies" and the necessity of organizations staying focused on them. It is often more difficult than it should be. Some companies do an exceptionally good job, though.
One of my clients is Firefly Energy, an energy storage company focused on greening the lead-acid battery industry. They are a company with a deep set of knowledge in materials science and a willingness to break the long-unquestioned beliefs of an industry.
But, they don't do IT.
Instead, they keep themselves focused on their core competencies and get managed services for the rest. Recently, I helped them find a way to do this during a move of some of their staff to a new facility. Instead of the typical approach of buying new equipment and spending time and energy bringing internal staff up to speed, we hired managed services companies to do the work. A combination of a local IT services company called NetPlatform and a specialty IT services company called q!bang Solutions allowed us to get more done with less.
The new facility will have a managed telephony system using an open source approach (SIPfoundry's sipX). q!bang configured the system, shipped it to the new facility, configured it after it was installed, and will manage it remotely for a very affordable monthly fee.
Similarly, NetPlatform is developing an approach that will allow Firefly to have a monthly controlled-cost managed service for all of their IT requirements based on the number of staff they have.
If a fast-moving, innovative company like Firefly can thrive without any internal IT staff, there is clearly an opportunity for each organization to focus on the core value to the business and purchase services that aren't critical to it. For example, in many organizations, strategic information technology is often delayed or abandoned due to day-to-day support requirements. What if you handed that routine service off to a service provider and refocused on those things that will benefit the core business by improving the top line or bottom line?
That is the business value of IT.
Posted by Stephen Hultquist on September 10, 2007 09:19 PM
August 31, 2007
G'day, and welcome to this new entry into the InfoWorld blogs. CIO Views is a place where you'll find views on business and technology from the perspective of a guy who moved up through the technical ranks to senior management--and managed to keep his perspective.
In this little corner of the web, we'll be brutally pragmatic. We'll take a look at emerging technologies; case studies; examples of use and misuse of people, process, and technology; and may even find some time to discuss the challenges of leadership in the 21st century.
I welcome your comments, your recommendations for topics, and any insights you would like to share.
You can read my bio to learn a bit more about me if you'd like. This blog will reflect my fervent belief that life is worth living with passion, interactions among people are all effectively value exchanges, and it is the core requirement of all of us to serve others.
But more about all that as we explore technology from a pragmatic perspective.
...starting next time...
Posted by Stephen Hultquist on August 31, 2007 05:57 PM