
Monday, January 5, 2015

2014 is finally closed, long live 2015 - What Now!

2014 is finally closed, long live 2015, but what a year 2014 has been for the tech industry.

With some of the worst cyber attacks in history, it will be a year to forget for many, raising data security straight to the top of the agenda for most CIOs.

Cloud adoption has continued to increase, helped in no small way by the pricing wars between Amazon, Google and Microsoft.

When it comes to the public sector, there has been a simmering tension between Whitehall, consultants and large suppliers on the back of several large contract problems.

So what does 2015 hold in store for us? IT Pro asked analysts and industry experts for their views.

1. The Internet of Things will finally make sense

Bola Rotibi, research director at analyst house Creative Intellect Consulting (CIC), believes the hype around the Internet of Things (IoT) will deflate.

She says: "The industry and market will flounder in trying to grasp exactly the definition of IoT and why it really is different from what has been evolving from the machine to machine world.

"In fact the initial hype of IoT will quickly subside as the reality of the fact that it touches so many industries that it cannot be determined the difference of what is actually an IoT market and the general evolution of every other technology sector."

But colleague Clive Howard says that the Internet of Things (IoT) will start to make more sense for businesses as more industry use cases come out of it.

“IoT will continue to be big news but we will start to see a lot more sense coming through,” he says. “Less about vending machines and thermostats and more about industrial applications that provide real value. I think generally we’re going to see more tech stories in the enterprise space whether mobile or IoT.”

Forrester Research believes the IoT trend will help CIOs focus on longer term business change rather than cost-saving exercises.

The research firm’s Frank Gillett says: “Though most early IoT implementations are driven by line-of-business executives seeking specific operational efficiency improvements, the CIO’s tech management teams will eventually be drawn in to help with security, networks, software integration, interoperability, and analytics.

“Over the longer term, CIOs need to anticipate where business leaders will go after achieving operational efficiency improvements and plan for technology and infrastructure to support engaging with customers in new ways, creating new revenue streams, and offering new business models.”

2. Beware the second coming of the systems integrator

Georgina O’Toole, of analyst group TechMarketView, believes that after two years of trying to break free of the shackles of Big IT providers, the government will turn to those with system integrators (SIs) again.

“From collectively being on the ‘naughty step’, the Cabinet Office has accepted that they require suppliers with deep knowledge of the public sector to guide them on what will be a difficult transformational journey over the next few years,” she predicts.

“In the world of ‘digital’, systems integrators will be the bolt that holds everything together and helps the public sector ‘Join the Dots’.

“The large SIs are taking this approach to developing their business outside of Whitehall as well – using their integration skills to, for example, take data analytics capabilities to the table and open up new opportunities.”

She believes this reliance on SIs will grow as more SMBs work as subcontractors for large IT firms handling a public sector contract.

3. Apple Pay will introduce new cyber threat opportunities

Security firm Trend Micro believes the much-awaited launch of Apple Pay, Apple’s mobile payments app, will bring huge risks to consumers using it, because it has not been trialled in the real world.

“Apple Pay is not alone in the market – other payment systems have or will be introduced by other companies and trade associations,” the firm says. “Not all of these payment systems have been thoroughly tested to withstand real-world threats, and we may see attacks targeting mobile commerce in 2015."

4. There will be an 80% chance you’ll suffer a cyber attack

As Sony Pictures knows, the price of suffering a cyber attack that results in a data leak is high: the film studio has seen embarrassing emails, feature films and staff’s personal details enter the public domain.

Its anti-North Korea movie, The Interview, was 'cancelled, then not cancelled' after hackers threatened ‘9/11’-style retaliation.

But even with new EU Data Regulations set to charge up to five per cent of a firm’s annual turnover (or up to €100 million) for breaches, Forrester still believes eight out of ten enterprises will suffer a breach next year, whether they find out or not.

It says: “Forrester believes that in the coming year, breaches of sensitive data such as intellectual property and customer records will continue.

Given that more S&R pros will invest in detection and response capabilities, more security teams will be in a better position to detect and respond to breaches.

“Thus, we feel confident that while at least 60 per cent of enterprises will discover a breach, the actual number of breached entities will be much higher, as high as 80 per cent or more.”

5. Newbie 'Containerisation' will disrupt IT departments

According to 451 Research, 2014 saw an “explosion of activity” around Docker, the young upstart company specialising in containerisation.

The open-source technology of Docker enables sysadmins and developers to automatically deploy applications inside software containers, allowing those processes to run in isolation.

“[We] anticipate disruption in IT departments in 2015 as they start to use Docker,” says 451 Research. “While containerisation technology has existed for years, Docker is a more modern, lightweight form that is widely viewed as a next-generation virtualization technology.

“451 analysts believe Docker will be adopted by large enterprises to work alongside, as well as replace, traditional virtual machines because of its management and efficiency advantages.

“Docker has not yet achieved parity with traditional VMs in some critical areas, including orchestration and security, and a large number of vendors are rapidly addressing this.”

6. Private IaaS providers will compete with Amazon

Forrester believes the saturated public cloud infrastructure market will continue to be popular with customers looking to scale and benefit from economies of scale.

However, it predicts that while smaller infrastructure-as-a-service (IaaS) providers cannot compete, they will try to offer rival deployments in the private cloud.

“Many other cloud IaaS providers are turning to the possibilities of hosted private cloud IaaS and on-premises private cloud IaaS as possible ways to compete, since they have gotten limited traction in the public cloud IaaS market,” it says.

“Offerings where the service is identical to the customer and operated uniformly, whether multitenant or single tenant, on-premises or in the provider's data centre — are potentially attractive to many customers.”

It sees this development as the only way customers with a requirement for on-premise infrastructure can go to the cloud.

Additionally, Forrester believes 2015 will see Microsoft’s cloud business overtake its on-premise division in profitability.

“Microsoft will generate more margin dollars from cloud-based services than its traditional on-premises applications and Windows,” the analyst house predicts. “Under Nadella’s mandate, commercial product development teams are focused on driving innovation into the cloud versions of its properties first (on-premises second).

“And its sales engines are all rewarded for pushing as much cloud into each enterprise license agreement as possible.”

7. Citizens will demand greater control over their own data

Consumers are becoming increasingly wary of how their data is used by companies, believes customer identity management platform Gigya.

Its own survey found 80 per cent of people have abandoned online registration pages because they did not like sharing the information they were being asked to share.

“Businesses must put transparency at the forefront of their data practices in 2015 and proactively address these privacy concerns by letting customers know upfront what data they want to collect, explaining how it will be used, and allowing them to easily opt in and out,” the company warns.

8. Wearables, in their current form, will fail

While the tech industry awaits the launch of the Apple Watch and Google Glass (still) expectantly, no wearable has changed the way we live yet.

EMC’s president of products, Jeremy Burton, predicts wearables will almost entirely die off in 2015, only surviving by serving niche markets.

“Apple fanatics worldwide expect wearables will go mainstream following the emergence of the Apple Watch, but I’m not so sure,” he says.

“Let’s face it, nobody under 35 wears a watch anymore – they rely on their smartphones for everything. A lot of wearables will fail, with the guys wearing their Bluetooth ear piece all day propping up the market.

“Now, that said, not all wearable technology will end in abject failure. Standalone, niche wearables that shake up industries for the better – such as FitBits or Jawbones that monitor vitals or health activity – will continue to flourish and be incorporated into sports clothing, shoes and equipment.”

CIC’s Howard broadly agrees. He says: “A lot of the heat comes out of wearables [in 2015]. There will be many more devices released but I don’t see adoption sky-rocketing and I think vendors will start to temper their expectations.

“We’re already seeing this with Google Glass. Wearables are more of an industry product than consumer. Unless someone discovers that killer app.”

9. Data scientists will become 'popular' as industry specialists

As firms wake up to the potential of big data, the role of data scientists has been a big topic of conversation in 2014.

And Hitachi Data Systems CTO for EMEA, Bob Plumridge, believes firms will start to hire them more and more as they discover just how much technical expertise is required to make sense of – and use – big data.

“They will also need to understand the business value of the data being generated and analysed in a specific sector,” he adds.

“By 2020, all businesses will need their employees to have the technical skills we associate with a data scientist today. The problem we currently face is that there is a significant skills gap in the UK for workers with the advanced data skills to meet business needs.”

This will be a tough challenge to solve in only five years and the development of UK tech talent must continue to be high on the agenda for both the government and businesses alike.

Next year will also see firms classify data more clearly, Plumridge contends.

“The issue for IT teams [right now] is that they are going in data blind. Often data isn’t classified at the point of creation, leaving businesses with no way of knowing whether they are looking at HR, sales or customer data.

“With the majority of data holding little to no value, the importance of classification is paramount to ensure businesses retain the crucial 20 per cent.”

Monday, July 9, 2012

Small businesses will benefit from an IT consultant's expertise

Running a small business often means time and budget are tight. You probably don’t want to spend hours filtering through online resources to find the best methods or solutions.

Because the first year of a new business tends to be the “make it or break it” moment, sitting down with someone who understands IT can help you avoid startup pitfalls and technical glitches that can hinder your company’s growth.

Small businesses can benefit from hiring an IT consulting firm for a number of reasons.

Buying help

When you hire an IT consultant, you can gain insight into which servers, programs and other hardware can meet your needs and your budget according to your business plans. Without spending time on IT purchasing decisions, you’ll be able to focus more on the core of your work.

  • IT consultants with experience know the best methods that will help you meet your goals.
  • IT consultants can advise you on purchasing decisions so you don’t overspend or get a product that won’t accomplish what you had in mind.
  • Better, faster and cheaper solutions with proven success will save you time and money.
  • IT service providers stay up to date on the latest in tech and understand which products are not worth the cost.

Access to a team

Hiring a single IT employee may seem to be the best idea, but hiring a consulting firm provides more support and information than one individual can.

You also won’t have to worry about benefits, salary or training that come from the employment of an in-house IT specialist.

  • You’ll have access to a team of specialists that can provide support on the latest and greatest in IT without additional training on your end.
  • When hiring an IT consulting firm, you get a flexibility that doesn’t come with an individual. On-demand support is a bonus when unplanned events occur.
  • Through a partnership with a well-established IT consultant, businesses can have the benefits of priority (and sometimes discounted) access to various technology vendors.

Increased productivity

If you hire an IT consultant, you and your employees can spend less time worrying about the office network and more time getting the job done.

  • Effectively planned and executed technology can ensure your company faces less downtime and fewer glitches.
  • Gain peace of mind knowing that whatever problems you face, you have an IT support system that can provide insight and solutions.
  • Because you won’t be the one focused on making sure everything tech at your business is running smoothly, even if a hiccup does occur, you can continue focusing on what’s most valuable: growing your business.

As a company expands, bringing in an IT team may be the best route. Or, you may want to stick with the methods you’ve been using.

Small businesses can benefit from hiring an IT consultant, but it’s truly up to you to determine if this is the route you want to take.

Tuesday, March 8, 2011

IT consultants! Who needs them?

Here are seven reasons why a prospect may resist the idea of engaging an IT consultant.

1: Consultants cost too much
You have to compare the cost of using a consultant with the cost of not using a consultant. The lost opportunities from not improving your operations could more than outweigh what you invest.

In IT, prospects might raise the objection that they can use their own employees instead. Given that excuse, you can raise the following questions in response:
  • Are the in-house employees capable of performing the proposed work? A consultant can provide specialised and focussed knowledge and experience, as well as a fresh and objective perspective.
  • Do the in-house employees have time to focus on it? If they’re going to try to conduct a separate project, in between their daily duties, there will be delays, shortcuts, stress and resentment of having more work piled on their plates, for no money.
  • Are employees really less expensive? Don’t forget to count the costs of benefits, vacation and sick time, the reduction on quality efforts and the overhead on HR and payroll.
2: Consultants’ advice is common sense
Many employees say “I could have told you that” about something I have advised my client. My response is: “Why didn’t you?” If they come back with “I did, but nobody listened,” then I reply “Well then I’m here to help make your point and to offer an objective and unbiased viewpoint.”

Also, consultants are more experienced in collating data, structuring a coherent argument and writing clear communication documents and reports that will appeal to, and be acceptable to, stakeholders.

They also have influencing and persuasive skills that are difficult to find in-house, which ties back to providing an objective viewpoint.

In-house personnel are also open to mistrust because of their possible ambitions, career goals and targeted prospects. A consultant can stand outside the political cut and thrust of internal management teams, and because of this they will need the backing and authority of the most senior executive.

3: Consultants Change things
That's their job. They are agents of Change. If things didn’t need changing, then the client would not have called on you.

Consultants do have to be careful to meld with the environment and their client’s operation in a way that promotes change but doesn’t disrupt the parts that are working.

We need to build trust and confidence with employees, so we can work together to avoid breaking things that don’t need breaking.

4: Consultants don’t fully understand our business
In the beginning this may or may not be the case. Consultants typically specialise in one business area, with a wide range of knowledge in most other areas. They need to be aware of their lack of knowledge and gaps in their client’s domain, and, because they are motivated, they will find ways to quickly bridge that gap.

You must not be too specialised. Some consultants focus on serving very specific, strong vertical markets. That only works if the market provides enough business.

Most specialise by technology and can’t afford to further narrow their markets by being too focussed or too vertical. Instead, consultants need to have a thirst for knowledge and accept the limits of their expertise. They must be willing to receive input from, and actively listen to, others.

5: Hiring a consultant is too much work
The effort of introspection, i.e. analysing and describing the business needs to a consultant, can be a large part of what the prospect needed to accomplish.

Hiring someone from the outside forces them into looking closely at what the organisation is all about. When only working with insiders, it’s easy to fall under the delusion that you fully understand all of your own requirements but you miss out on that different external perspective and the invaluable experience of what other similar organisations have tried.

6: Been successful to this point without them
Clients who say they are happy with the status quo are heading for a decline. Perhaps they lack the insight and imagination or knowledge, for what they might be able to accomplish, given the right support.

Part of your sales responsibility as a consultant is to describe the possibilities: opportunities that are attainable, because there is no benefit in overselling and promising impossible results. That's what gives consultants a bad name.

7: We’ve had bad experiences with consultants
Your challenge is to convince your prospect that all consultants aren’t the same. In contrast to “those other guys,” we’re committed to honesty, trust, establishing reasonable expectations and exceeding them, with the prospect of a long-term, mutually beneficial relationship.

On these occasions you are selling a trusted relationship to the client, a relationship that will last and grow over many years. Trust me, I'm a consultant!

Tuesday, November 10, 2009

The New New Thing in IT: Consumerisation

One of the newest trends in IT is consumerisation, and if you don't already know about it, you soon will. It's the idea that new technologies, the cool stuff people want, will become available for the consumer market before they become available for the business market. What it means to business is that people -- employees, customers, partners -- will access business networks from wherever they happen to be, with whatever hardware and software they have. Maybe it'll be the computer you gave them when you hired them. Maybe it'll be their home computer, the one their kids use. Maybe it'll be their cell phone or PDA, or a computer in a hotel's business center. Your business will have no way to know what they're using, and -- more importantly -- you'll have no control.

In this kind of environment, computers are going to connect to each other without a whole lot of trust between them. Untrusted computers are going to connect to untrusted networks. Trusted computers are going to connect to untrusted networks. The whole idea of "safe computing" is going to take on a whole new meaning -- every man for himself. A corporate network is going to need a simple, dumb, signature-based antivirus product at the gateway of its network. And a user is going to need a similar program to protect his computer.

Bottom line: antivirus software is neither necessary nor sufficient for security, but it's still a good idea. It's not a panacea that magically makes you safe, nor is it is obsolete in the face of current threats. As countermeasures go, it's cheap, it's easy, and it's effective. I haven't dumped my antivirus program, and I have no intention of doing so anytime soon.

Thursday, October 22, 2009

Gartner Video: 'Worst year ever' for IT spending

Gartner says Silicon Valley no longer in the driver's seat
At the Gartner Symposium/ITExpo 2009 in Orlando, Fla., Peter Sondergaard, a senior vice president of research at Gartner, says 2009 was the worst spending cycle ever. He adds that Silicon Valley will no longer be in charge of the rebound and emerging regions will drive IT spending and how it's deployed.

Wednesday, September 16, 2009

Project Management uses IT and Business Relationships to Shape Successful Projects

The Trust Factor

Good relationships between IT and business partners, project managers and IT staff, and project managers and stakeholders keep IT projects on track, say IT leaders and project management experts. Bad relationships, however, are a leading cause of project failure. We've all seen projects that should have been successful fail purely because of relationships.

The impact good and bad relationships have on projects is clear: Negative relationships make people want to avoid each other or work against each other.

On the other hand, when mutual trust exists between IT project managers and stakeholders, IT project managers are more likely to discuss problems that could threaten the project as they arise. If bad blood exists between the two groups, project managers may not be inclined to point out those issues, or they may try to cover them up.

If you look at projects that fail, invariably someone on those projects knew things were going bad. If you don't have relationships and trust, those things don't surface and when you don't do something about problems in a timely manner, those problems invariably get bigger.

In many cases, minor problems become more serious because they're not addressed in a timely manner. A culture of openness is absolutely essential to good project performance. It should be part of your risk planning.

Furthermore, when something does go wrong with a project, business partners are less likely to place the blame solely on IT if they have some respect. In fact, they're more likely to give IT some leeway with the project schedule.

It doesn't matter what technology you're using, how talented your technology staff is, and how knowledgeable the business partners are on process and business improvement: Every system initiative will have issues.

If you don't have a relationship, you resort to pointing fingers as opposed to being transparent and admitting 'we messed up' or 'we didn't test that as well'. If you have a good relationship, you'll sit down and find a way to make it work.

Decisions affecting the project also get made more promptly when everyone involved gets along. Fast and good decisions are crucial to keeping projects on track. The failure of senior people to make decisions means decisions are made at lower levels of the organisation.

If you have a software developer who's waiting for input on a business requirement, there are three things that can happen: he can guess what to do and guess right; he can wait for a decision, and while he's waiting he's not as productive; or, third, he can guess and guess wrong. If those are equal possibilities, two-thirds of the time it will be detrimental to the project. And if you stack enough of those decisions on top of each other, it will negatively impact the project.

Relationships are easily Overlooked
Despite the positive impact good relationships have on project management, IT project managers rely more heavily on software and methodologies than on building relations when they need to improve their delivery.

It's no wonder: Compared to the time it takes to build relationships, software seems like a quick fix. IT project managers are also most comfortable with tools.

As IT professionals, we're raised on technology. Almost all the training we get throughout the years is about tools and processes.

Consequently, IT professionals think process and technology is the answer to everything, including effective project management. While project management frameworks and tools certainly help, projects are fundamentally people-driven.

When things go wrong with a project, it's people who have done something that didn't work. Problems start and end with people.

Yet project management training and certification programs are only just beginning to address the people-side of projects and the importance of relationship management. Most still emphasise task management.

Thus, project management training and certification programs reinforce the idea that project management is glorified task management. That's a big mistake.

A typical project manager follows the 80/20 rule: spending 80 percent of his time on task management and 20 percent of his time on relationship management, but he should be devoting more of his time to relationships.

I would suggest that the more visible, big-budget the project, the greater the percentage of the project manager's time should be spent on relationship management.

Agile Development and Relationships

Using Scrum, an agile software development practice, to improve relationships between IT and business partners and ensure project success is one good approach.

With Scrum, business partners meet with IT during a four- to eight-hour planning meeting to look at all the projects in the backlog and to jointly determine which one will bring the greatest value to the company.

IT then divides the project into sprints, 30-day increments of work. When IT completes a sprint, business partners assess IT's progress and suggest any necessary changes.

The agile development methodology, just by design, promotes better relationships. Scrum and Agile force interaction between IT and business partners on a more frequent basis. By doing so, IT delivers solutions on an incremental basis to the business, as opposed to the waterfall or cascade method, where it's a year and a half before the business sees the fruits of an initiative.

It's not necessary for IT and other business functions to get along swimmingly for Agile to work effectively. Agile can work even if there's some initial tension between the groups.

We've all had groups with troubled relationships, and certainly most initial meetings are not always effective out of the gate. But at least we all can agree that we're going to focus on 15 key items in the next 30 days, and at the end of the 30 days, we'll get back to you.

The process forces IT and business partners to prioritize projects together and agree on the 15 items IT will complete in 30 days. Scrum also then drives IT's behaviour. At the end of that 30 days, IT has to show something for its work. Scrum makes IT accountable to the business.

When business partners see IT making tangible progress every thirty days, their confidence in IT grows. If the business partner sees results more frequently than they used to, relationships can get better. Agile promotes better relationships just by forcing a process, forcing interaction.

Between the structure that Scrum imposes and the relationships that grow out of it, project delivery improves. Better collaboration results in better value for the business.

Monday, July 20, 2009

NYPD Spend $1M on New Typewriters! Change what change?

They say you can't stop or turn back Time, but the NYPD have found another option for not progressing: avoid change and live in the Past!

Why is IT Change so Difficult for Political and Government bodies alike? It is bad enough that Typewriters are still in use by the NYPD but now the city of New York has signed a new three-year, $1 million deal for MORE typewriters, the majority of which will be used by the NYPD.

While the department has endured a major, multiyear technology overhaul, with some big success, it demonstrates that IT change is often well intended, meticulously planned but not always carried out or implemented in its entirety.

New York Post
Technological change is never easy, or quick, or perfect, especially for big bureaucracies. Unfortunately, the NYPD made news this week when the New York Post reported that the City of New York had signed up a $1 million contract with a typewriter vendor to purchase thousands of new manual and electric typewriters, during the next three years.

Improvements made
The NYPD's typewriter requirements accounted for the bulk of the contract. The article describes how NYPD Deputy Commissioner and CIO Jim Onalfo, who took over the reins in May 2003, had invigorated the NYPD's IT department and brought them into the 21st century.

The article also reported that changes to the insular and bureaucratic culture and legacy-loaded IT environment had been vast. Massive improvements were made in areas of disaster recovery, wireless communications, networking infrastructure, and many others.

Three Years In
Even three years into Onalfo's serious IT overhaul in 2006, glaring disconnects were still present: "Each of the 76 precincts is now connected by a videoconferencing system that ties into a command center at One Police Plaza," the article stated. "Within some of the precincts, however, there are still detectives using typewriters to fill out paper reports and filing carbon copies."

Essential Typewriters
NYPD cops "still use typewriters to fill out property and evidence vouchers, which are printed on carbon-paper forms. There are typewriters in every police precinct, including one in every detective squad." This is not felt to be part of a strategic disaster recovery solution; "We are working on software to eliminate the old machines," a police representative stated.

Huge Strides with RTCC
It should be noted that NYPD IT and CIO Onalfo have made huge strides in overhauling how the NYPD uses new technologies. The NYPD relies heavily on the Real-Time Crime Center (RTCC), a high-tech "war room" where detectives are able to tap into dozens of police, government and other related databases. As an example of the RTCC's power, real-time information from police officers at the scenes of crime can be meshed with the sophisticated database queries made at the RTCC to help to track down criminals.

Crime Stoppers Hotline
In addition, emergency 911 capabilities allow citizens to directly transmit photos and videos to the police at the RTCC. New Yorkers can also send text messages and multi-language e-mails to its Crime Stoppers hotline program.

Typewriters Everywhere
In truth, there are probably a lot of businesses and government agencies that have stashes of typewriters in their offices, just like the NYPD does. But until everything is digitized, there will be a seemingly mind-boggling need for typewriters.

The NYPD's typewriters are a lasting vestige of the way things were and how they used to be done in the past, but they are also a shocking reminder of just how much more change and education needs to be done.

Tuesday, April 7, 2009

Re-thinking IT Security in tough times

The current economic downturn is forcing a corporate change and metamorphosis that, when combined with ever broadening security threats, presents information security groups with an opportunity to radically change their identity and add more value to the business.

To capitalise on the moment, security groups need to reassess their approach, add visibility and transform the very role of security.

It is good timing because maintaining security during tough economic times is critical. Besides external threats that evolve even more rapidly in economic downturns, business slumps increase the probability of disgruntled employees striking out using intimate knowledge of corporate systems.

Risk is further exacerbated by the fact that, since the last economic crisis of this magnitude, companies have become far more reliant on information technology systems, which are now highly complex and essential to sound operations.

Your current security path represents existing programs, capabilities, processes, etc. The goal is to create a parallel path that influences existing practices and allows you to refine a new strategy without disrupting current expectations. In time, the new path will become a dominating force and take you in a new direction.

Step 1: Tuning the Approach
During the last decade security has been virtually defined by compliance. For many companies, it has been less about security than it has been about ensuring that certain regulatory demands are being met. Unfortunately, compliance does not necessarily enable the business, align with core initiatives, and alone may not thwart debilitating attacks.

Understanding this, some security groups have strived to use compliance efforts to improve their security posture.

Unfortunately, not all companies see the value of such activities and instead simply see compliance as a cost of doing business.

You have to convert the security practices that fall under the banner of "mandated for compliance" into specific activities that resonate with the business. For example, a predominant force in business is time to market and the rapid conversion of investments to revenue generation. This can materialize as a new service, application, communication platform, network or alliance. The key to tuning your approach is to optimize security features to help the business move more quickly, reduce barriers or accommodate a requirement quickly.

Key to being able to accomplish this is institutional knowledge within the security group, and leveraging and combining resources in ways that benefit the business as much as they do security, for example: supporting secure coding practices through collaboration with the development team, optimizing standard builds to stand up servers more quickly, security testing as part of performance testing, or utilization of directory services to support streamlining of access controls for a new partner.

Fundamentally, it is about operating in a risk/reward model. Prioritize activities based on risk as well as where the greatest opportunities are for the business. By becoming intimate with business goals and mapping against elements of risk, what begins to surface is a common thread that demonstrates a point where the business and security goals become more closely aligned.

A good place to start is within the project management arena, where risks to the initiative or life cycle will become apparent, in addition to helping identify critical paths and what is most important or critical to the business unit. By using information of this nature, combined with the institutional knowledge that the security group possesses, you can begin to interpret demands and risks in business initiatives and quickly find areas of common ground.

Step 2: Adding Visibility
Security groups typically make security efforts visible to executive management by presenting security metrics, risk dashboards, and the like. However, along the way, many encounter some key challenges.

The first challenge is that the measurements are only focused on security and typically do not provide insights to other aspects of security operations that demonstrate effectiveness. For example, a dashboard may present compliance risk, operational risk, technical risk and current threats. It is assumed that keeping the values in an optimal or desired range means that security is doing its job.

However, company executives are increasingly focused on efficiency, effectiveness and overall alignment to business initiatives. They want to know how well these objectives are being met, what influence they have had on other key business performance indicators (such as time to market, customer retention), and how resources and other valuable assets are being utilized.

Executives are concerned about inefficient or wasteful activities and want to ensure all activities focus on the bottom line. Presenting to the board a risk dashboard can be helpful to demonstrate your alignment to security concerns, but that's only one part of the equation in the eyes of executives. The more effectively security can reduce the need to translate security results into something meaningful for the business, the better.

The second challenge relates to the "gap" factor. The gap refers to the difference in what security is providing to executives as visibility and the ability for the security group to influence the system to enact change.

For example, a report may demonstrate that the number of vulnerabilities in Internet-facing applications is increasing significantly quarter over quarter. However, the security group may not have the capacity or capability to reduce that number to a reasonable value. As a result, some senior security managers find themselves tasked to correct an issue they simply do not have the ability to accomplish.

In short, information from the security program is misaligned with its ability. Some use this to justify investments that would address the gap. But unfortunately this pattern is growing increasingly ineffective as business owners demand more accountability. The solution is to create a security program that not only presents good and bad trends, but more importantly, has the ability to have a meaningful impact in changing them.

The challenges can be summarized as providing visibility into more than security in security terms, but also in a manner that is more readily digested by executives and easier to align to business goals. Secondly, build a security program that not only produces meaningful information relative to security and business metrics, but also has the inherent capability to institute change and thereby meet expectations.

Providing additional visibility to existing risk-based perspectives can be enormously valuable. To accomplish this, you need to become more intimate with what resonates with the executives -- the measurements they focus on day in and day out, the performance indicators they study beyond the financial ones. Each company is different and each business unit may have a different spin. Moreover, many may seem like the furthest thing from security, such as shipping metrics, warehousing, capacity indicators, system use or even collaboration indicators. You have to look behind these to begin to see where security can begin to mimic the same philosophies.

From a security perspective, look to report on areas within your domain of influence and help reflect how well you're running as a business. It can be as simple as resource utilization, project involvement or performance quality scores from your peers.

From there you can start tying to other reported information and trends, such as a planned decline in the effort to perform regular vulnerability testing alongside a rise in report quality and effectiveness, essentially demonstrating that you are meeting security and business objectives. Or show how, through collaboration activities (which have been measured) and modifications to technologies, you've helped reduce the number of security-related helpdesk tickets. These are, of course, very basic. Nevertheless, the point is to find related information between what you are doing for security and how well you are doing relative to business expectations.

This approach helps form your new path for security, drawing from your original strategies and enhancing them. Start small, test the waters and seek mentorship within the organization. As more confidence grows in providing additional perspectives on activities, you can move into closing the gap.

Step 3: Service orientation
By this point you've learned how to orchestrate your core competencies to help the business reach its goals using a risk/reward method. And you've started experimenting with adding visibility to the executives on alignment. As a result, the identity of security is beginning to shift. It may not be obvious, but it's happening. However, this is a critical stage and the time to innovate. Once executives see something they like, they want more, expectations increase, and that "good job" turns into "what have you done for me lately?"

One of the common pitfalls is not following through to ensure a foundation exists to keep up with new expectations. As a result, massive ground is lost and you're back to square one.

Adopting a service orientation can help you continue to move forward. Service orientation has three primary objectives:

1) Convert tactical best practices that were once hidden within compliance efforts into business services that can be consistently utilized.

2) Close the gap between what you can control/influence and what you're reporting on.

3) Create a foundation for building a highly agile security approach.

The key is to learn from experimental practices in tuning activities and report on additional metrics and indicators relative to business goals. For the development of security services, it's the tuning of the approach that provides the information you need to get started.

In the most simple of definitions, a security service is a well-formed package of related processes, technologies and capabilities that has a predictable outcome that is needed or in demand by the business. What makes security services differ from traditional security activities is input.

Just about everything requires input to feed a process to produce an output. For security, the input is usually "self-assigned," meaning the business must meet a specific policy or some other documented requirement to have security perform an action. For example, a policy may read, "Any material change to an Internet-facing application requires a penetration test." That's a sound approach, but it's reactive and misses the opportunity to gain valuable insights to underlying business needs and goals.

While looking for risk/reward scenarios, you will see a pattern emerge and the tuning efforts outlined above should help you identify opportunities to incorporate specific business attributes into what you're performing.

The basis for security services is taking advantage of this pattern. In fact, you're doing this today to some degree. For example, an application is due for a test, but you've learned that the changes relate to one of several roles defined in the system. As a result, you may limit testing to that one area because of your knowledge and comfort with the application from previous tests. Now, extrapolate this to all things in security. It's less about simply doing what you do and more about giving the business additional opportunity to feed the process in order to refine the activity -- or service in this case -- to the business need.

The next important characteristic of security services is how people, processes, tools, methods and technology are architected to perform the service relative to input and output. This is a lot easier to say than to do. Organizations tend to approach these elements as independent or loosely coupled. Moreover, some security architectures and frameworks facilitate segmentation, making alignment of them seem alien and uncomfortable.

One challenge is internally developed standards that are either overly comprehensive or too granular. Successful implementation of security services typically starts with reviewing the standards and looking at them as a common foundation to services as opposed to specific elements for a given security function.

As with all things of this nature, a slow and methodical approach wins the race. Don't try to create a services model over night. Take what you've learned in tuning, couple it with something you're already doing today (such as vulnerability testing, patch management, identity management, data protection, monitoring), and then pilot a services approach with a friendly business unit.

As this approach begins to solidify, several interesting things start to happen. The identity of security and perceived value continues to shift in a positive direction. Nevertheless, you will quickly realize that you have far more capabilities to measure operational details of your organization, and more importantly -- you inherently have more influence over them as a result.

This essentially slams the door on the gap. Services facilitate the risk/reward model, they make it possible to organize activities specific to demand, provide the means to measure those activities more effectively, and allow for the controlled management of each element to ensure that what is being reported can be influenced. This can be a perfect storm, but you're not done. To truly transform, you have to close the loop with governance.

Step 4: Governance Loop
The "governance loop" is the final step and provides the opportunity to realize real transformation. To this point, you've tuned, experimented, tested and created the early stages of services and are beginning to rely on the new path and less on the old one.

This has helped increase visibility, initial alignment to the business and promotes effectiveness. Nevertheless, at this point, time becomes your enemy -- without governance, the services will eventually break down. Governance, interestingly, provides the mechanism to ensure expectations are being met, but also the means to promote adaptability, closing the loop with the business.

Governance acts as the bonding agent between ebbs and flows in the business, compliance, risk and security activities. More importantly, this is where risk/reward is measured and fed back into the system to instigate change. It is also important to realize that risk (management, assessments, reporting) has played a pivotal role throughout the journey, and governance is the means to realize full potential. Risk remains at the top of the pyramid, but now with services underlying it, supported by governance, it can move far closer to the business.

In short, governance is analogous to "inspect what you expect" and influence change. That means creating a set of responsibilities and practices with the goal of providing direction as well as ensuring objectives are achieved and resources are used responsibly. In so doing, measurements from the oversight of security not only ensure efficient and effective execution, but also facilitate change in the program through intimate connections with risk management and the business offering feedback into the system.

In some companies governance is associated with enforcement. Although partly true, a security group empowered by services and close interlinks with overall enterprise governance through risk management activities will be able to put governance to work for them. This is similar to how, over the last several years, many security organizations have changed their perspective of the audit group.

Historically seen as a regular and painful exposure of operational weakness in security, audit processes are now being seen as a way to strengthen security. It's turning what is usually thought of as a negative into a positive force. The same is true with governance processes that are outside of the control of the security group or where security is part of a governance committee.

Nevertheless, an important aspect is to understand that the security group is ultimately responsible for its activities -- good and bad. Therefore, it is recommended that governance be reflected in the security services and program owned and operated by management resources within the group. This is not a replacement for enterprise governance -- rather, it's an extension focused on the betterment of security.

Organizations need security more now than ever, and as a result, are more receptive to security as a community. What you do with that attention today could have enormous influences on the future of security within your company. Although times are tough, don't assume this means opportunities don't exist. The economy will correct itself and businesses will emerge stronger and with a new sense of determination and demands for operational maturity. Taking advantage of what appears to be short-term focus on security for long-term gains is the crux of the opportunity, and opportunity favors the prepared.

This article is by James Tiller, author of The Ethical Hack and Technical Guide to IPSec VPNs, and contributing author on several other books, including the Official (ISC)2 Guide to the CBK. He is vice president of security services for BT in North America and consults with organizations globally on how security can enable business. You can reach him at james.tiller@bt.com.

Wednesday, March 4, 2009

Babies can't do an adult's job

Walking by the netbook display at PC World, Media Markt and others, you're likely to hear cooing and exclamations of how cute the little baby laptops are.

Beware, if you take one home, your new baby is not yet fully grown and it is barely on solids. It has not built up enough of the resources to do the work that a standard Momma and Poppa notebook or laptop can do. It's got some growing to do.

Cheeky new Netbooks are just about the only thing these days that are generating any kind of excitement in the hardware market space. The visual appearance and form factor is appealing to many. The idea of having a good workhorse laptop that can carry your workload at half the size and weight is a dream, but I am sorry it has yet to come true.

With a 10-inch screen, these babies are much smaller than the standard-sized notebook, and yes, much lighter. They are also quite a bit cheaper too. Some are as inexpensive as €200, while others can get as expensive as the €1,000 range. Take note, there is a good reason why they are cheaper.

It's hard to walk by a netbook display at a consumer electronics store without hearing someone cooing at them and talking about how cute they are, as if they really were little baby notebooks.

Their magnetic appeal to consumers means that netbooks have been doing their part to boost sales and make PC manufacturers happy. If you look at the earnings report of any PC maker who makes netbooks, you'll notice that netbook unit sales are just about the only thing growing at a healthy pace. This year other hardware sales look positively bleak, with Gartner now forecasting a decline of almost 12 percent in 2009, the worst in IT history.

Although netbook sales seem to be increasing, some in the industry say that netbooks are suffering a greater return rate than other PCs. If that is the case we can predict an increase in the number of netbook orphanages opening up. Netbook for sale. 1 disappointed owner!

  • On the consumer side, it's said that once users get the machines home and play with them for a little while, they soon realize the smaller machines can't do all the things that their Momma and Poppa (standard-sized and standard-priced) notebooks can do. The very inexpensive netbooks generally come with Linux, a well-respected operating system in the techie world but still a little unfamiliar to the Microsoft masses.
  • On the enterprise side, distributors say netbooks have yet to take hold.

So what's the real story? Can that little baby PC do the big jobs you need it to do? Is there a place anywhere for the netbook in 2009? Is it a serious business contender? Consider this:

Screen size. The size really negates the use of Windows-style operating systems because you only have space for 1 window. Do your users want to run multiple applications and have more than 1 window open at one time? Do they use spreadsheets? While the netbook's small form factor makes it convenient to tote around, you will not be able to see everything you need to see. Certainly not at the same time, and that can get very frustrating.

Storage. To save space, most netbooks are shipped with a small amount of solid state storage rather than a rotating hard drive. This makes sense in a world where memory prices are always falling and solid state is faster and more reliable. However, many users have become accustomed to more than 100GB of storage, and even in netbooks with hard drives, those users may be disappointed.

Processor performance. You would be foolish to buy a PC that isn't dual core, at least. That is, unless you're looking at a netbook. Most standard notebooks come with a dual core processor, either from Intel or AMD, but most netbooks use Intel's Atom single core processor. Intel has said that Atom processors have about half the performance of Intel Celeron processors. Party on!

The other features you and your customers have gotten used to have also been downsized or bypassed. You can get the Microsoft Vista Premium OS on some of these netbooks, and you can buy an external DVD player and an additional external hard drive, but by the time you have financed that, you could have configured a standard Momma and Poppa low-end laptop that comes with a higher-performance processor.

Some companies are coming out with some interesting new innovative netbooks, including ones with an ARM processor and a detachable keyboard, making it appear more like a tablet notebook.

In Summary. Unless you want what the netbook really is (a lightweight client that functions well in a cloud computing environment for tasks such as e-mail and Web browsing, but is not as capable of heavy lifting) you are probably better off with a standard Momma and Poppa notebook for a few euros more.

If you want something cute and cuddly around the office that can be easily picked up and taken anywhere, there are other more appropriate and interesting things.

Monday, March 2, 2009

Reduced Security

An urgent demand for talent in several areas is eclipsing broad, knee-jerk reactions to greatly reduce budgets and cut staffing levels, projects and fixed asset purchases, without thinking carefully about the consequences and future requirements.

Undeniably employers made mistakes in past downturns, huge miscalculations founded in the white hot heat of cost-cutting that wounded them badly later on. It limited their ability to respond quickly and when the smoke cleared and the rebuilding started, they were left floundering.

It just shows how little IT management has learned since last time. Managers have not learned the lesson that it's not just about cutting spending, it's about managing the risks and being smart within their spending limitations. Know your boundaries and work within them.

One of the worst instances of this is in the IT security field. Current economic conditions are having a negative impact on the majority of security budgets. Many companies have initiated a hiring freeze or staff reduction exercise, necessary measures due to the financial crisis.

Security decision-makers in over 100 companies have been asked about their spending plans for the coming year and to gauge the impact current economic conditions are having on budgets. Of 159 respondents, 64 percent indicated that the economy was having a negative impact on security spending. Another 19 percent said the economy currently had no impact. Just 6 percent said the crisis was having a positive impact on their organization's security budget.

Security budgets will decrease for 35 percent of respondents and remain the same for 42 percent. Just 23 percent thought spending would increase in the coming year. Those numbers are a switch from last year, when more companies expected to increase security spending. In 2008, 38 percent of companies planned to increase their security budget and just 24 percent expected to see a decrease in spending.

One firm is actually in the minority and plans to spend more on security in the coming 12 months. "We are increasing from previous years. I would have to say the increase is around regulatory issues as well as general responsible security program expansion."

Security spending is often driven by compliance and policy decisions. This falls in line with what other companies also said, with a majority indicating that policy and compliance are the main justifications for security spending.

Security decision-makers were asked if they planned to increase or decrease spending in the following areas: Business Continuity/disaster recovery, data loss prevention, identity management, compliance and regulations, outsourced security systems, physical security, policy and risk management, and staff.

In all but one category, more than half of respondents expected spending to remain at similar levels.

However, when it comes to spending on staff, 41 percent expect to see a decrease in spending. Close to 60 percent have either implemented, or plan to implement, a hiring freeze.

Additionally, 35 percent of companies asked indicated they have had to go beyond a hiring freeze and have actually reduced security staff, or plan to reduce headcount in the next 6 months. It will be interesting to see how this affects security in the coming months and whether we will see more outsourcing of protective measures. A dangerous path to walk and one that can only increase the threat to organisations.

Let's hope we soon see an end to these 'interesting times'.

Stay Focused - Tough Times ahead

Budget cuts. Layoffs. Doing more with less. Sound familiar? Every manager is suddenly tasked with putting out fires on multiple fronts, as businesses struggle to survive amid the economy's smoking ruins. Don't forget your day job, little things like keeping the service levels (SLAs), servers and network availability in the greenest of green.

The mounting responsibilities and demands can be both personally distracting and professionally discouraging for some IT and business managers: work-related worries among US workers jumped from 62 percent to 67 percent between April and October 2008, according to the American Psychological Association.

Now, more than ever, focus is the name of the game, especially when people and money are tight.

Finding and maintaining your office Zen isn't as easy these days. Drawing on past experiences, here's how some current and former CIOs have maintained focus in their role and within their department during a crisis.

"After the dotcom bubble burst in 2000, business was struggling and the workplace was pretty tense," recalls Les Duncan, then senior vice president and CIO at Joann Stores.

To ease staff concerns, Duncan held regular meetings where he could speak directly about business conditions and highlighted that week's or month's hot issues. His staff knew how the company planned to weather the difficult times so they could focus on their work, he says. "This transparency also helped me to stay focused on what was really important i.e. the success or failure of the business during hard times."

Get busy and stay busy. We've all worked at businesses where large numbers of employees were cut from the payroll. Most of the employees ran around huddling in small groups talking about the latest rumour, but you want to be in the group that stays busy and focused on delivering. So busy that you don't have time to whine.

Positivity and flexibility are essential in staying on target at work. "Anticipate changes by checking in frequently with business decision makers and stay on the offensive by killing projects that are going nowhere".

Try to see the opportunity in any major change. It's a good time to offer assistance to colleagues and take on tasks that might normally be outside your scope. This is not the time to hide in an IT or business silo, but the ideal time to step out of it. Create the space and opportunity to innovate. It costs very little and can result in new opportunities and growth.

Sunday, January 18, 2009

Project failure starts at the beginning

We are all familiar with countries, towns and destinations that are difficult to reach, either by road, rail or public transport and yet people exist there and thrive. It is not in another dimension or another planet, where predictable 'difficulties' are numerous e.g. expensive ad hoc rocket ship service, an atmosphere of sulphuric acid, temperature variations in the region of 'scorchingly off-the-scale', etc. No, our difficulties in reaching our earthly destinations are because we do not start from the correct location.

This is a lesson I learned when lost in Dublin and forced to ask for directions. It was made clear to me that to get to point B I should have started at point A and not the point that I was currently at, which was currently unknown and would henceforth be referred to as X. Thus, making the logic more mathematically predictive.

The start point and the end point, part of the defining structure of a project and thus lifting it away from the realms of a simple action or activity, are critical in the initiation and definition of the project and the associated project plan. You will never reach the end destination if the start is left to serendipitous happenstances.

  • Plan the beginning of your project meticulously
  • Involve as many of the stakeholders as possible
  • Hold a workshop with all the allocated resources
  • Seek out Subject Matter Experts (SMEs)
  • Do your research, technical, business, historical, etc
  • Assess the Risks (qualitative and quantitative) and
  • Look where you are going

The dark matter of Projects failing

IT projects suffer from a similar force to that of the astronomically evasive 'dark matter'. A force that is not so much negative in its manifestation as it is in its effect, especially on other matter. It has an ability to occupy space without contributing anything, interacting with 'light matter' only to drain its energy and restrict its ability to move freely.

'Dark matter', and its ability to absorb and retain energy without contribution, is a universal anomaly for physicists. A puzzle yet to be solved. A question unanswered, but not for project managers and team leaders. We know this effect and understand the consequences very well. It is a similar force to the one that will cause your project to fail. It is your greatest adversary. It's invisible. It can be detected but not controlled without the right tools and level of experience.

Corporate Defense Domain

The Corporate Defense Domain is a convenient way of describing the sum total of numerous secure approaches, tools, processes, etc. that incorporates the entire environment security of an organisation, from end to end or perimeter to perimeter.

The concept of the Corporate Defense Domain is an aid to perception, evolving from a vision of Physical Risk through IT Risk and Operational Risk to Governance, Compliance, Legal and Reputation Risks.

Corporate defense
Corporate security is purely defensive. There is no moral imperative that allows positive attacking action against threats and against those that attempt to inflict, or unequivocally do inflict, damage on your organisation. Some, but not all, of these attacks can be very determined and sophisticated because they are government funded and are either commercially or politically motivated. Most are just motivated individuals that can be classed as intellectual vandals.

As with all the good guys, you must work within the framework of the law, and the law only allows vigilance, defensive action and possibly post-event legal redress and compensation. The subsequent capture and imprisonment of a perpetrator may become a public spectacle: an apparent show of the success of your strategy which, it is hoped, will act as an example to others. In reality it is of limited effect and brings little solace to the organisation.

Showing your hand
There is also a view that public trials serve as a lesson for other attackers: the attacker probes your perimeter, you display a measured reaction, and in the process you reveal some of your defensive strategy, processes and tools.

Security realms
Security has many realms, e.g. physical, electronic, virtual, etc., and there are many ways to look at and examine it. It can be viewed as (a) a physical obstacle, (b) a process inflicted on reluctant personnel without explanation, or (c) an accepted mindset instilled in the environment with the full involvement of the personnel. The last approach should produce the best results, giving staff a sense of involvement, empathy and a real feeling for the potential consequences.

Secure personnel
It is critically important that your staff buy into securing the corporate domain, because they are typically the weakest link in the security of an organisation.

Staff issues
  • They are not so easily or reliably programmed,
  • They don't always retain or apply knowledge appropriately,
  • They are swayed and diverted by social engineering techniques,
  • They have good and bad days,
  • Their attention is inconsistent, etc.
  • They're human!

Threats & Vulnerabilities
There are many ways to examine threats and vulnerabilities in an organisation, e.g. by geographical location, business type, resources used, historical or political instability, etc. Do you know and understand what criteria and imperatives are being used to drive changes in your defenses? Are they appropriate, operationally maintainable and cost effective?

Analyse the Risk

Organisations are driven to respond to threats and are compelled to adopt ever more complex defense strategies to meet their security needs. Security policies and strategies dictate that the full gamut of approaches should be adopted, from standard process implementation to strict and intricate application frameworks, but this has an operational and business cost.

The questions that are not always being asked are:
  • What is the real cost of defending your business?
  • How much are you likely to lose?
  • Where will the danger come from and in what form?
  • How will it impact us?
  • What is our response capability?
  • What is the overall Risk profile?

Feel the fear and hold your ground
With the constant threat of intrusion and compromise, regular and detailed testing and re-examination of all your defenses is necessary, but before you can realistically and effectively apply what you have learned you need to conduct a detailed analysis and assessment of the Risks, the potential business impact and your response options.
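The questions above ("how much are you likely to lose?", "what is the real cost of defending your business?") are what a quantitative risk assessment answers. The following is a worked example added here to illustrate that assessment; it is not code from the original post, and its risk register, asset values, probabilities and control costs are constructed for illustration only. It computes single and annualised loss expectancy (SLE, ALE) for each risk, bands each one qualitatively against thresholds the organisation chooses, and then ranks candidate controls by net benefit (loss avoided minus annual cost), so that a defense which costs more than the loss it prevents shows up as such.

```python
"""Quantitative risk analysis for a small constructed risk register.

Added worked example (not from the original post): the register, control
costs and probabilities below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # value of the asset at risk (currency units)
    exposure_factor: float  # fraction of asset value lost per incident, 0..1
    aro: float              # annualised rate of occurrence, incidents per year


@dataclass(frozen=True)
class Control:
    name: str
    risk: str               # name of the Risk this control mitigates
    annual_cost: float      # cost to buy and operate the control, per year
    aro_reduction: float = 0.0  # fraction by which it cuts the ARO, 0..1
    ef_reduction: float = 0.0   # fraction by which it cuts the exposure factor


def sle(r: Risk) -> float:
    """Single loss expectancy: the loss from one occurrence."""
    return r.asset_value * r.exposure_factor


def ale(r: Risk) -> float:
    """Annualised loss expectancy: how much you are likely to lose per year."""
    return sle(r) * r.aro


def total_ale(risks) -> float:
    """Expected annual loss across the whole register."""
    return sum(ale(r) for r in risks)


def residual(r: Risk, c: Control) -> Risk:
    """The same risk after the control has been applied."""
    return Risk(r.name, r.asset_value,
                r.exposure_factor * (1.0 - c.ef_reduction),
                r.aro * (1.0 - c.aro_reduction))


def net_benefit(r: Risk, c: Control) -> float:
    """Annual value of a control: loss avoided minus what the control costs.
    Negative means the defense costs more than the loss it prevents."""
    return ale(r) - ale(residual(r, c)) - c.annual_cost


def rate(annual_loss: float, low: float, high: float) -> str:
    """Qualitative band for an ALE figure, given the organisation's thresholds."""
    if annual_loss >= high:
        return "HIGH"
    if annual_loss >= low:
        return "MEDIUM"
    return "LOW"


def rank_controls(risks, controls):
    """(control, risk, net benefit) for every control, best value first."""
    by_name = {r.name: r for r in risks}
    scored = [(c, by_name[c.risk], net_benefit(by_name[c.risk], c))
              for c in controls if c.risk in by_name]
    return sorted(scored, key=lambda t: t[2], reverse=True)


def worthwhile(risks, controls):
    """Only the controls whose net benefit is positive."""
    return [t for t in rank_controls(risks, controls) if t[2] > 0]


# Constructed register: figures are illustrative, not measured data.
RISKS = [
    Risk("ransomware on file servers", 2_000_000, 0.25, 0.5),
    Risk("phishing leading to account takeover", 500_000, 0.10, 4.0),
    Risk("data-centre flood", 10_000_000, 0.30, 0.02),
]
CONTROLS = [
    Control("offline backups with tested restore", "ransomware on file servers",
            annual_cost=60_000, ef_reduction=0.8),
    Control("phishing-resistant MFA", "phishing leading to account takeover",
            annual_cost=30_000, aro_reduction=0.9),
    Control("relocate data centre", "data-centre flood",
            annual_cost=400_000, aro_reduction=0.95),
]

if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.name:40} SLE {sle(r):>12,.0f}  ALE {ale(r):>10,.0f}  "
              f"{rate(ale(r), 50_000, 200_000)}")
    print(f"{'total expected annual loss':40} {total_ale(RISKS):>27,.0f}")
    for c, r, benefit in rank_controls(RISKS, CONTROLS):
        verdict = "worth it" if benefit > 0 else "not worth it"
        print(f"{c.name:40} net benefit {benefit:>12,.0f}  {verdict}")
```

With these constructed figures the flood is the largest single loss but, at one event in fifty years, a small annual one, so relocating the data centre has a negative net benefit while backups and MFA pay for themselves several times over. The same arithmetic is what lets you answer "what is the real cost of defending your business?" per control rather than in aggregate; the thresholds passed to rate() are a policy decision, not something the numbers decide for you.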

7 Points to build stronger, more secure Corporate Defenses
  • Create executive-level authority and responsibility for Corporate Defense, policy and implementation.
  • Assess your strengths and weaknesses using a mature Risk management methodology.
  • Examine the interdependencies between your tools, processes and defensive positions. Strengthen the perimeters and communications.
  • Map and review your Corporate Defense Domain strategy continuously, in a structured and determined manner.
  • Determine, test and examine areas of convergence for overlap and gaps. Establish strong boundary defenses and stringent hand-over criteria.
  • Develop a single hardened core entity, an authoritative cross-functional discipline incorporating Governance, Compliance and Risk.
  • Lock the perimeter gateways, give the spare keys to your organisation to the central hardened core, and prepare yourself for the next attack.