What does it take to make it to CIO?

IT – A profession? 

Unlike established disciplines such as Accountancy and Engineering, IT has only recently started seeing itself as a profession. Therefore, it lags behind other professions in terms of training and career development. Whilst great strides have been made by such bodies as the British Computer Society and its SFIA (Skills Framework for the Information Age), there still appears to be a disconnect in convincing organisations to adopt such schemes.

What skills and attributes do IT professionals value? 

A significant proportion of IT professionals have come up through the “ranks” and have quite often progressed in organisations because of their technical skills. They will often have “management” thrust upon them and have to adapt quickly, often without the comfort of a mentor or corporate development scheme. That said, the increasing importance of IT Service Management (ITIL) has helped IT organisations align more closely with wider business needs and processes.

What are the challenges for IT professionals in terms of career progression? 

Notwithstanding the contribution of ITIL, many businesses still see IT as an expensive overhead which harbours unfriendly pointy heads. Often, IT is not seen as an important business driver (unless it fails), and the advance of consumer computing has created a perception in the business that “IT is easy.”

What skills and attributes do the business value? 

Businesses value those who know and understand the business whilst making a direct contribution to the bottom line. They expect leaders to be strong, focused individuals who can communicate, influence and motivate staff and peers alike. One important word here is influence. Quite often, those who climb the corporate ladder are those who can influence, usually through charisma, strong communication or sycophancy. The latter leads to the concept of seeking patronage, which has been around since the days of Pharaoh’s court. A powerful patron will help his “student” create a strong personal brand and perception.

The previous paragraph probably makes uncomfortable reading for many IT guys, because they probably believe that strong technical leadership in a meritocratic environment will guarantee a passport to the top, i.e. becoming a CIO.

What can the poor nerds do? 

Well, if you could write it as an app or software program, it might look something like this:

10 LET CIO = DREAMS
20 LET POTENTIAL = (20 * PERSONAL_BRAND) + (10 * BUSINESS_KNOWLEDGE) + (2 * LEADERSHIP) + (0.0005 * TECHNICAL_COMPETENCE)
30 IF POTENTIAL > CIO THEN GOTO 100
40 LET PERSONAL_BRAND = PERSONAL_BRAND + SYCOPHANCY + POLITICS + UNDERMINING
50 GOTO 20
100 PRINT “WELL DONE”

A new technical vocabulary

I thought that I would focus on two technical terms which have emerged in the last few years.

1) SEO – Search Engine Optimisation – This is basically about how you get your web site further up the rankings of search engines such as Google, eBay and Yahoo. There are individuals and companies who offer this as a service.

2) Click Farms – These are companies where low-paid workers click on web sites for fraudulent purposes. They are usually found in developing countries and they may generate click-through revenue for unscrupulous people or try to deplete the paid advertising credits (e.g. Facebook) of clients’ competitors.

In summary, you have to be judicious in assessing your page hits and likes in order to determine whether a campaign has been successful. Perhaps you should look at demographic statistics. For example, if you had marketed a US toothpaste and all your hits are from Dhaka or Cairo, then perhaps you should rethink things.

So who hired the hacker?

Picture what would happen if you discovered that you had hired a suspected hacker in your IT department. Here are just a few thoughts to consider:

What can you do?

You might ask yourself a question – Is he a white or black hat? The former is an ethical hacker whilst the latter is non-ethical. What’s the difference?

As per the Wikipedia definition, an ethical hacker is usually employed by an organization who trusts him or her to attempt to penetrate networks and/or computer systems, using the same methods as a hacker, for the purpose of finding and fixing computer security vulnerabilities. Unauthorized hacking (i.e., gaining access to computer systems without prior authorization from the owner) is a crime in most countries, but penetration testing done at the request of the owner of the victim system(s) or network(s) is not.

A hacker is someone who seeks and exploits weaknesses in a computer system or network. Hackers may be motivated by a multitude of reasons, such as profit, protest, challenge or enjoyment.

So what can you do to determine if the employee is exhibiting hacker behaviours?

1) Check that your security controls are working effectively – You might look at your firewall port profile, recent IDS, FIM and log analysis reports, etc. You could go as far as undertaking a vulnerability scan of your internal network or external perimeter. The problem with vulnerability scanning is that it often leads to false positives, and more effort goes into sorting these out than addressing the genuine vulnerabilities. It usually requires a highly competent individual to undertake this. You might also want to check the employee’s authority levels.

2) Is the employee adhering to corporate standards?

Has he or she done something different which they claim is required to undertake security testing etc.? Such things include:

– Setting up a “back door” WAN circuit which bypasses corporate perimeter security controls.

– Provision of anonymous access tools to the web and intranets etc. – e.g. Tor Browser.

– Weakening of security controls – e.g. replacing IMAP with POP3 on smart phones or moving from WPA2 to WEP on corporate Wi-Fi networks.

– Setting up new domains or networks.
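The checks above can be turned into a routine comparison of an asset inventory against the corporate standard. The following is an added example, not code from the original post; the baseline values, the inventory snapshot and all names in it are constructed for illustration.

```python
# Added example: compare a (constructed) asset inventory against a corporate
# baseline and report the deviations listed in the post: WEP Wi-Fi, POP3 mail
# profiles, unapproved WAN circuits or domains, anonymising tools, and
# accounts holding privileges beyond their role. All names are assumptions.
from typing import Dict, List

# Corporate standard: WPA2 only, IMAP only, approved circuits/domains only,
# no anonymising tools, privileges limited to those granted to the role.
BASELINE = {
    "wifi_security": {"WPA2"},
    "mail_protocols": {"IMAP"},
    "wan_circuits": {"MPLS-HQ-01", "MPLS-DR-01"},
    "domains": {"corp.example", "dr.corp.example"},
    "banned_software": {"tor-browser"},
    "role_privileges": {"sysadmin": {"local_admin", "domain_admin"},
                        "developer": {"local_admin"}},
}

# Constructed snapshot of what a discovery scan or CMDB export might contain.
INVENTORY = {
    "wifi": [{"ssid": "CORP", "security": "WPA2"},
             {"ssid": "TESTLAB", "security": "WEP"}],
    "mail_profiles": [{"user": "alice", "protocol": "IMAP"},
                      {"user": "bob", "protocol": "POP3"}],
    "wan_circuits": ["MPLS-HQ-01", "DSL-UNAPPROVED-07"],
    "domains": ["corp.example", "sandbox.local"],
    "software": [{"host": "ws-bob", "name": "tor-browser"}],
    "accounts": [{"user": "bob", "role": "developer",
                  "privileges": {"local_admin", "domain_admin"}}],
}


def find_deviations(inv: Dict, base: Dict) -> List[str]:
    """Return one human-readable finding per departure from the baseline."""
    findings = []
    for net in inv["wifi"]:
        if net["security"] not in base["wifi_security"]:
            findings.append(f"wifi {net['ssid']}: weakened to {net['security']}")
    for prof in inv["mail_profiles"]:
        if prof["protocol"] not in base["mail_protocols"]:
            findings.append(f"mail {prof['user']}: non-standard {prof['protocol']}")
    for circ in inv["wan_circuits"]:
        if circ not in base["wan_circuits"]:
            findings.append(f"wan {circ}: circuit not in approved list")
    for dom in inv["domains"]:
        if dom not in base["domains"]:
            findings.append(f"domain {dom}: not an approved domain")
    for sw in inv["software"]:
        if sw["name"] in base["banned_software"]:
            findings.append(f"host {sw['host']}: banned tool {sw['name']}")
    for acct in inv["accounts"]:
        # Privileges the account holds that its role does not grant.
        excess = acct["privileges"] - base["role_privileges"].get(acct["role"], set())
        if excess:
            findings.append(f"user {acct['user']}: beyond role: {sorted(excess)}")
    return findings


if __name__ == "__main__":
    for line in find_deviations(INVENTORY, BASELINE):
        print(line)
```

Each finding is a starting point for a conversation with the employee, not proof of wrongdoing; the authority check is the one the post singles out, so it is included alongside the configuration checks.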

I hope this has been useful.

Who would be an IT Security Officer?

Someone told me that protecting a corporate network is like protecting your land with a plastic fence. As if that were not bad enough, it is like having your kids compound things by continually punching holes in the fence. Think about the challenges for the company IT Security guy:

1) He has to ensure that there are controls which are delivered through policies, training and clever technology.

2) There are a lot of clever hackers out there. Take “Anonymous” – they seem to have the ability to take out government sites at will, so what chance does our IT Security guy have (let’s call him SG from here on in)?

3) SG has lots of enemies.

Who are SG’s enemies?

a) The Hackers – obviously enemy number one.

b) Software and Hardware suppliers, particularly those who produce vulnerable software.

c) Employees of his organisation, who fall into two broad categories. The first category is the normal users who will inevitably try to install “illegal” software, access dodgy web sites and use personal USB sticks etc. SG ought to be able to use clever technical controls to prevent this type of behaviour.

The second category, management, is much more difficult for SG to overcome. To illustrate this, let’s think of the steps in an IT security model.

– Risk assess the threat

– Put in place proportionate controls

– Assess if the controls are effective

Take the first stage – Risk Assessment. Quite often, non-technical management will decide how IT Security breaches will impact on the organisation. Lacking the knowledge to compare such breaches with other business risks, they will more often than not understate the impact. This is like a bunch of civilians trying to wage war against a belligerent enemy. Therefore, SG will probably not be able to put in place proportionate controls.

So SG will have to take a reactive rather than proactive approach to IT Security Management, and there will be breaches. Let’s consider the stages of a breach:

– Intrusion

– Detection

– Remediation

This sounds straightforward. You might think that it will work something like this: your AV software tells you that you have a possible breach, whereupon you just quarantine and remove whatever it is that is causing the problem.

However, leaders in security incident response management such as Mandiant paint a different picture. Their recent report has some interesting highlights:

– Nearly two-thirds of organizations learn they are breached from an external source.

– The typical advanced attack goes unnoticed for nearly eight months.

– Attackers are increasingly using outsourced service providers as a means to gain access to their victims.

– Attackers are using comprehensive network reconnaissance to help them navigate victims’ networks faster and more effectively.

– Advanced Persistent Threat (APT) attackers continue to target industries that are strategic to their growth and will return until their mission is complete.

– Once a Target, Always a Target.

This inevitably has a significant impact in terms of reputation, finance and employee morale. Furthermore, the remediation process will attract a cost circa ten times that of having had preventative measures in the first place.

SG will no doubt remind management of his recommendations but organisations have short memories.

Are technical strategies a thing of the past?

Let’s start with one definition of a strategy: a plan of action designed to achieve a long-term or overall aim.

Most large organisations, and indeed governments, develop and implement strategies in order to deliver objectives – think of health care, roads and public transport and, most importantly, the economy. Once you come to technology, people often want to show they have a ‘CAN DO’ attitude, particularly if tactically minded managers are in charge. Another challenge to the strategists is that technology moves on so quickly that it does not make good business sense to get stuck in a long-term quagmire. They probably know that “CAN DO” from amateurs often becomes “CANNED, WHO?”

So think of a scenario in the ACNE Food company – the strategic manager, Mister Good, approaches the HR director, Mister Evil, who is heading up the IT and Technology function.

Mister Good: “I recommend developing a technical strategy based on what the business needs for the next five years. That way, we’ll ensure that we can offer an agreed and fit-for-purpose SLA by having a fully resourced and funded ICT service offering.”

Mister Evil: “I know what the business wants. They need the latest iPads so they can read minutes of meetings when they are on the train.”

Mister Good: “What about aligning technology to support the new commercial and sales strategy we heard about last week?”

Mister Evil: “I don’t want you navel-gazing into the future. Just get your guys warmed up to get those iPads with a few apps on them to see what the Press is saying about us.”

==========================================================================================

One year later, the ACNE Food company Board are very proficient in using iPads, despite one of them losing some personal data from accessing a rather dodgy site. In the meantime, the company’s finance and logistics systems are becoming obsolescent and struggling to meet the increasing commercial demands of the company. It’s not all bad news though. The Marketing department have developed a number of apps and have received a marketing industry award for them. However, the ICT budget has been blown trying to prop up the antiquated corporate systems.

===========================================================================================

The question I would like readers to answer is: was the HR Director correct in pursuing his short-term objectives? After all, his Board colleagues saw him as someone who is proactive and technically savvy. Conversely, they saw the Strategy Manager as a superfluous whining overhead.

Please let me have your comments.

Are Raspberry PIs a waste of money?

Introduction

This is a post which explains the reasoning behind why people should purchase a Raspberry Pi. It is not intended to be a technical blog and is aimed at those who have some technical knowledge.

What is a Raspberry Pi?

A Raspberry Pi is a small barebones computer onto which an operating system (usually Linux) may be added. The recommended operating system, Raspbian, comes preloaded with Python, the official programming language of the Raspberry Pi, and IDLE 3, a Python Integrated Development Environment. This is accessible from the provided desktop and is designed for absolute beginners who wish to learn to program.

However, anyone with reasonable Linux skills can access the power of this operating system through what is known as a command line prompt. Such users can download other programming environments of their choice, such as Perl, PHP and Java.

What are the benefits of a Raspberry Pi?

1) Procurement cost

2) Uses low cost common peripherals, such as micro USB power and SD cards etc.

3) The default desktop environment should get you programming in no time.

4) The Raspberry Pi user community and on-line documentation is superb.

5) It can interface easily with cameras, temperature probes and other electronics components as the backbone of say a home automation project.

6) In the hands of a knowledgeable technical person, it can be used as a powerful prototyping tool set without tying up expensive servers.

7) It is portable and can be used for such applications as remote CCTV or as an intelligent data sensor.

What are the limitations of a Raspberry Pi?

1) It is a fragile piece of kit because it relies on an SD card, which has a much lower life cycle than conventional storage devices. (It can use flash drives etc., but the current Raspberry Pi must always boot from an SD card.)

2) It has limited computing power.

3) It does not come with a protective case and therefore may be susceptible to mishandling and electrical or physical damage.

4) It cannot be used in a full production environment.

5) It is susceptible to security attacks if exposed to the web without first hardening the system.

Are Raspberry PIs a waste of money?

To answer the question I posed at the start: most certainly not, so long as the realities of the device are considered.

When your electronic documents turn to dust

You may have just written a world class* e-book or a thesis which outlines how cancer or HIV may be eradicated. No doubt you will have used an electronic device of some description to record your masterpiece. You will probably assume that your magnum opus will live forever electronically and preserve your memory forever. However, electronic storage is intrinsically impermanent, and so it is up to you to develop preservation strategies. Firstly, let’s look at how you store your electronic documents.

1) On a personal non networked PC or Laptop

You will probably save this to the local hard drive with some primitive back-up such as a USB memory stick or external hard drive.

2) On a personal networked PC or Laptop

This is a smarter option and nowadays it probably means that you are using some sort of cloud storage service, such as Google Drive, Office 365 or Dropbox. Your assumption is, perhaps correctly, that these guys will look after the backup for you.

3) On a business PC or Laptop

You will probably save your documents on a corporate network storage device with back-up, or perhaps a cloud storage service, although government departments are loath to do this. Additionally, your files may be stored as e-mail attachments or as part of a corporate document management system.

Over a period of, say, two to five years, all of the above methods of managing documents are quite effective, although I have personal experience of tears shed by those who use the first method exclusively. Now, let’s look at how the instability of your electronic files increases as time goes on.

A) Change of Personnel – For 1) and 2), should you become hospitalised, leave an organisation or worse, then unless you have shared passwords with someone, protected documents may not be available to the world. In 3), organisations try to remove this risk by having policies which mandate users to store documents in the so-called corporate memory, which usually means a corporate document management system. Despite possible censure, many corporate users resist this, and electronic files held in e-mail systems and personal drives are often lost.

B) Applications – The software that you use to open documents can change over time and render information unavailable. This is probably truer for business applications such as finance systems, but many common word processing packages from the 1980s have vanished – think of WordPerfect. Therefore, don’t assume that Microsoft Word will be here forever.

The other main consideration is that people are moving away from formal documents to social media and smart phone apps. Big organisations no longer exclusively use applications such as Customer Relationship Management (CRM) systems to record customer complaints and compliments. Therefore, structured databases are starting to morph into a mixture of records held in e-mail, tweets and apps, which has led to the emergence of sophisticated data analytics systems under the Big Data umbrella.

C) Hardware – This by definition degrades and becomes obsolescent, sometimes without any notice. The users who fall into category 1) On a personal non networked PC or Laptop are at greatest risk. The primary hard disk usually has a life expectancy of 3 to 5 years, whilst most back-up devices, including back-up tapes, SD and USB drives, may survive for up to ten years, depending on read/write cycles. The exception to this is M-DISC or optical disk technology, which purports to have a life expectancy of 1000 years. Obviously, this has not yet been tested.

Category 1 users are very exposed to single points of failure – in other words, there is no resilience in the event of failure. It is like an airplane with just one propeller. Users of networked devices will usually avail of solutions which don’t have single points of failure. However, there have been many well-publicised cases where data has been lost or stolen and the regulatory authorities have slapped great big fines on organisations.

Networked and cloud solutions will use tape back-up and other devices to counter hardware failures. However, considering that hard drives are going to fail eventually, you can see that your files will probably go through many copy routines to prevent loss. This in itself introduces a significant risk in terms of loss and cost. The chances of your files surviving extensive copying for 50 to 100 years are pretty slim.
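One practical defence against the copying risk just described is to record a digest of each document when it is archived and check every copy against it, so a corrupted or missing replica is noticed while an intact copy still exists. The following is an added example, not from the original post; the document names, locations and contents are constructed.

```python
# Added example: verify that replicated copies of documents still match the
# SHA-256 digests recorded when they were archived, and report which
# locations still hold an intact copy for rebuilding a bad one.
# Names, locations and file contents are constructed for illustration.
import hashlib
from typing import Dict, List


def digest(data: bytes) -> str:
    """SHA-256 hex digest of a document's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(documents: Dict[str, bytes]) -> Dict[str, str]:
    """Record one digest per document at archive time."""
    return {name: digest(content) for name, content in documents.items()}


def verify_replicas(manifest: Dict[str, str],
                    replicas: Dict[str, Dict[str, bytes]]) -> Dict[str, List[str]]:
    """Per location, list the documents whose copy is missing or no longer
    matches the manifest digest (a silent bit flip fails here)."""
    failures = {}
    for location, files in replicas.items():
        failures[location] = [name for name, expected in manifest.items()
                              if name not in files or digest(files[name]) != expected]
    return failures


def recovery_sources(manifest: Dict[str, str],
                     replicas: Dict[str, Dict[str, bytes]]) -> Dict[str, List[str]]:
    """Per document, the locations still holding a verified copy."""
    failures = verify_replicas(manifest, replicas)
    return {name: sorted(loc for loc, bad in failures.items() if name not in bad)
            for name in manifest}


# Constructed data: two documents archived to three places. One copy of the
# thesis has a single corrupted byte and one location never received notes.txt.
ORIGINAL = {"thesis.pdf": b"%PDF-1.4 chapter one ...", "notes.txt": b"lab notes"}
MANIFEST = build_manifest(ORIGINAL)
REPLICAS = {
    "cloud-a": dict(ORIGINAL),
    "cloud-b": {"thesis.pdf": b"%PDF-1.4 chapter ona ...", "notes.txt": b"lab notes"},
    "usb-stick": {"thesis.pdf": ORIGINAL["thesis.pdf"]},
}

if __name__ == "__main__":
    for loc, bad in verify_replicas(MANIFEST, REPLICAS).items():
        print(loc, "OK" if not bad else f"FAILED: {bad}")
    print(recovery_sources(MANIFEST, REPLICAS))
```

The manifest itself needs the same care as the documents: keep a copy of it with each replica, since a digest list that survives only on the failed drive is no help.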

D) Other factors

Cost

Today, many cloud storage providers offer free or low-cost storage solutions on the basis that you are eventually going to purchase something from them. Think of some recent big-name technology providers who are no longer around – AltaVista, to name but one.

Politics

There is no such thing as political stability, and you will read in the press how certain countries prevent or open up access to internet services at will. Can you imagine how the internet would be affected by World War Three, if it ever comes? Information is power.

Catastrophes

A lot of data centres have historically been built on flood plains, in earthquake zones and near mountains and oceans. Let’s hope that we don’t have any dinosaur experiences.

==============================================================

What can we do?

Firstly, there is no easy answer, but I certainly recommend moving away from being a user in category 1) On a personal non networked PC or Laptop.

It is obvious that you should use back-up and storage – maybe using one or two cloud services such as Dropbox and Google Drive. Be sure that you share all of your documents with close friends and family to ensure they are still around even if you aren’t. Perhaps you should archive some of your most valuable documents to an M-DISC and leave it in a safe somewhere.

Lastly, have you ever thought of having your most important documents printed out – maybe even ornately through a printer/bookbinder – and distributing copies to your friends, family or even your local library?