IT in a nutshell..
Most CEO’s or presidents of companies have no idea that the sword of Damocles’ is right over their head. They don’t know because they are blissfully ignorant of the workings of their IT department. Truth be told IT, is a cost center and frowned upon in most companies as they “don’t produce.” This is true in the mindset of the upper echelon. They put up with the CIO or his people and equivocate when it comes to allowing them money for projects, as they really don’t have a clue. Their job is to run the company, not IT.
There are three basics tenants of IT.
- Provide the infrastructure for people to be productive.
- Provide the security to safeguard the company’s assets both in intellectual property as well as physical property.
- Provide mechanisms for future growth and have a robust enough environment to handle ad-hoc projects.
In working with most companies the infrastructure grew behind the power curve out of necessity. This of course is the most expensive way to grow your infrastructure in that many things are done to “temporarily” get them through the “event”. Emergency projects are hardly ever well thought out, and hidden surprises are always lurking. Remember that old axiom; there are never any good surprises in business.
One of the things that I talk about a lot is hardware management. Each and every piece of hardware in your company has a life cycle. Not unlike your car or home computer or cell phone. Planning for the life cycle for equipment allows the company to budget for replacement of same and keeps the down time to a minimum as well as keeps the employees productive.
Down time is expensive both in hard and soft dollars. If you have 300 people who can’t work because the server is down, you are loosing money. If Sally can’t assist the outside sales people because her pc is moving at the speed of drying paint, they both are loosing time which is “MONEY!”
S.A.M. or software asset management is also something that the IT department seems to ignore and this is really something that should grab at least the attention of the CFO. Does each and every person need a full copy of office or do they simply need Word or Outlook. I was in one account where each and every machine had a full version of office on it. 40% of these were used as a terminal: that was it! Five hundred dollars times 120 machines is $60K wasted! Can you tell me one company that could not use an extra $60K?
Now, add to this scenario that this guy was installing this software on machines that were already past their life cycle. I don’t profess to be an attorney or a legal scholar on EULA but, it is conceivable that when that machine dies, that license will die with it. There may be hoops that you can jump through to get Microsoft to allow a transfer of the license but, what are the odds that this guy will do it. It is not his money after all.
There was one company who had 300 locations with 2.5 machines per location. These were servers so each had a copy of Microsoft “flavor of the day” server on it.
The application that was on there was a home grown point of sale. It was compiled to run on the Microsoft platform.
When I ask why they had not considered LINUX as an alternative I was laughed at. Here are the scissors that will cut the thread.
There support desk was equipped with PcAnywhere and each and every call for help meant that a remote session would be placed to assist the person with their machine. Push come to shove the machine was sent to the Depot where another was sent out as a replacement. As the hardware evolved some locations had newer equipment. The variables were mind numbing.
Had they used LINUX a simple telnet session would have allowed the help desk to terminate a daemon and restart it all behind the scene. Licenses for server software, remote connection software, anti virus software would have been avoided. The other thing about LINUX is that it is more forgiving of hardware platforms in that they could have used their equipment until it died vs. replacing it when the software dictated it. This particular CIO had no technical background other than he knew some programming. He did not embrace technology at all and did not have a computer at his home until his kids wore him down. Any CIO that does not embrace technology ought not be a CIO. Oh yes, LINUX is free and the kernel can be hardened so it can be very secure.
How is it that these two people were in the place that they were in? They were likable! The failure here cleary sits on the CEO or the person they report to. If I am hiring someone for a position, I don’t care if I like them or not. They must be able to perform the job that they are being hired for and, if I like them it is a plus, not mandatory!
Ethical hacking is becoming more and more in vogue. The bad guys are out there doing their thing and we simply buy anti virus software and hope for the best. Some of us don’t do that, we use something that is free or not at all. Free is not worth what you pay for it when it comes to anti virus software! Do your homework and see who is touting what and why.
As another add on to the cost center and depending upon your desire to be safe, I would consider hiring a security person who has been around the block a few times. This is not some kid fresh out of college who is academically savvy but, someone who has the scars on their back to prove that they have been there.
In a nutshell, any connection to the outside world is a portal for the bad guy to get in. Even if you have a secure firewall you have people on the inside who may be working for the competition. There are many products that allow a PC to be remote controlled from outside the building. Some are actually viruses and others are installed by an unwitting employee or worse, a spy. Software audits are a necessity; not something you do if you have time. Speaking of which; the anti piracy folks are at it again offering huge rewards if you report someone using business software without a license. Another reason for SAM.
While you may think that I am paranoid (a little paranoia is a good thing btw) I assure you that industrial espionage is real and there are those that do it for a living. Your security person would be actively monitoring the traffic coming in and leaving the building, looking for anything on ports that are typically used for such things. Activity during off hours should be a red flag. There is something called SYSLOG which is basically a service that talks with a server and creates logs of events. Along with server logs this log should be monitored for unusual activity.
One way a person might gain access to your stuff is to drop a thumb drive or dvd in the parking lot. Label the dvd X pics or have bunny rabbit ears on the thumb drive. I would be surprised if someone did not pick it up and stick it into their machine to see what was one it. Of course it would contain a program that would install a remote control host and the person would never know as he would be too busy looking for pictures.
Physical security is also a must. Keycards with picture ID’s on them would be ideal. Cheap and effective. With this you can track employees movements through the day / night. Along with security cameras if things turned up missing one could read the keycard report and know who it was and where they were and then look at the footage with that timestamp to see if they were carrying anything.
Biometrics are becoming in fashion as well. While I would want to stay with tried and true I would definitely be monitoring this to see when and if it made sense to move that way.
This scratches the surface and as you can see, security is physical, it is Cyber and it is employee education along with policies. Any configuration of a user’s machine should be done by IT. Users should not have any more rights than they need to function. That allows for protection of your data, declines viruses administrative rights as they usually assume the rights of the user and, protects the machine from being altered making more work for the IT department when it breaks or more often than not broken.
A little forethought and planning on the IT department can help them to run lean on employees as well as protect the company’s assets.
The statement is an excellent ingress into the last thing that needs addressing.
More times than I can write about I find that data centers are a cobbled together disaster waiting for some event to push them over the edge. There is a web site dedicated to such things and if I had had a mind to, I could have created such a site like that with just what I have seen.
Along with hardware management and software management a strong dialogue needs to exist between the CEO and the CIO. Business needs and or possible needs to be accounted for and anticipated. Looking back at the past one could extrapolate what may be needed into the future and at least make plans for growth. A robust well thought out network that is well managed and maintained is a crucial starting point.
I could write on entire book on what that means but, what it does not mean are knee jerk throw it together solutions “because we needed it yesterday!” Any change might effect some other part of the business and or company or have unintended side effects. If they don’t have one I stress the importance of change management. This is crucial to the success of just about any company with technology.
Proper consideration should be given to each and every device and or software that is to be installed.
There is no room for emotions in Information systems. Emotions cloud judgment and, judgment is crucial for success.
You do not hire or fire someone because you find them likable or distasteful. Either they are well qualified and have a well defined track record or they don’t. The rest does not matter unless they are insubordinate or are deemed unfit. They are not your friend and don’t think that they are.
Never hire anyone that you cannot fire. Family and friends even if the company is ok with it are a liability as employees. At best they will be a burden upon yourself, and at worst you will loose them as friends and they might compromise your job.
Surround yourself with people that are smarter than you, you will be well served.
Keep your ego in check as it will defeat you. Humility will allow you to “hear” from those that probably know what you are seeking.
When you get in too deep, call for help; admitting trouble is always preferable than suffering defeat because of pride.
There is never any case for listening to or passing on rumors. Small people talk about people, others talk about ideas and things.
Your employees and vendors job is to make you look good; your job is to make them look good.
-Best to you and those that you care about!