Tag: CIO

To Insure Prompt Service T.I.P.S.


A recent article about tipping brings tipping to the forefront of our “things to talk about.”

Europe has simply raised the cost of goods and services 20% to 30% in their restaurants and stopped tipping. The money is “supposedly” used to increase the wages of the employees as well as pay for things like health care. I do not see any issues here, do you?

In theory, it sounds great but what accountability is there on the shop owners that they will use that money for those reasons?  The answer is none.

I would prefer to TIP my server, as his or her service can be quantifiably assessed by his or her clients. They get immediate feedback.

Speaking of jobs if I could choose, I would like to be a restaurant critic.  I already am a foodie and know something about food.  I used to travel a lot, when on an expense account one of my companies allowed generous benefits in that area.   Taking clients out to dinner often times I went to 5 star places and came to know the difference between good, mediocre and bad.

If I could have dinner with one celebrity, it would be Gordon Ramsay.  In the world of IT, I am just like him, other than I can choose my vernacular better than he…I still have that style and appreciate an honest person.

Life is not fair.

Not everyone will have the same skills and talents.  When you as a younger person piss off your opportunities afforded to you in school, you relegate yourself to jobs that are currently being taken by others from other countries that think those jobs are sweet; you limit your possibilities!

In the food services industry, servers that are good, earn more money than those that work in the back room. 

I would point out that the kitchen helper position is not exactly a career choice that anyone should aspire to.  Much like working in the mailroom in a large corporation, those are entry points into the job market.  They are minimum wage jobs because they require little talent to perform.

Retail sales is not a career choice, it is an entry point.  The problem is that managers that work there will tell their people anything to encourage them to keep their nose to the grindstone and work hard as they see management potential in them.   Most of the time they are lying in an effort to placate you into giving them more of your time in return for part time minimum wage dollars.

“Time is expensive.”

When you boil it all down, what you are selling is bits and pieces of yourself through the time you invest.  We are all whores if you think about it; we will do almost anything for money.

“Money truly is the root of all evil!” 

People that find a way to live comfortably, without killing themselves to earn more money, are probably the true winners of the game of life.

Higher paying jobs are inherently more stressful, and stress kills.  Stress produces a hormone known as cortisol.  This hormone is the “fight or flight” hormone, released when danger is present.  When we stay in a stressed out situation, that hormone is released in copious amounts, and often…that takes a toll on your body and your health suffers.

If corporations had a brain in their collective heads, they would look into ways to reduce the stress on their employees; as stress leads to job burnout, sick time and turnover.  Those are costly!

If you can live on minimum wage, work your 8 hours and whistle while you work, your life might be sweet.

Those who chase the dollar their whole life, typically die young and leave their life’s work to their spouse or their greedy progeny to fight over, allowing attorneys to swoop in like vultures, and acquire the bulk of it.

Tips for success.

  • Get a good education.
  • Find a trade or skill that cannot be outsourced, and master it.
  • Discover all of your talents and skills.  What are they? Take an inventory of them.
  • Are any of them marketable?
  • Figure out what you like to do…what makes you happy?
  • Can you find a job doing that?

 

Keep toxicity out of your life.

If you have toxic friends, develop boundaries and keep them outside of them.  If your job is toxic, find something else as soon as possible.  We all have worked around toxic people who bitch and moan incessantly.  That is their own toxic cesspool, which they most likely have created.  Stay out of their sphere of influence.  Do not add to it and certainly do not marry into it.  You cannot fix stupid and you cannot help someone that does not know either that they need help or that they do not want it.  Some people actually enjoy being miserable.  They like to be the victim.  You cannot help them.

As a manager, identify those employees and try to work with them through HR, or get rid of them,  that BS is contagious.

Tomorrow is never coming back.  The time you spent reading this is gone, forever.  The time I spent elucidating my thoughts on these subjects is gone as well.  I hope that I spent that time wisely. I am optimistic in thinking that you got something out of it.

Time is your stock in trade. Time can be measured in heartbeats as you only have so many.  There is a finite number of times that your heart will pump that life force around your body. Do not waste it.

Now go take on the day!

 

-Best

© All Rights Reserved 2016
Open Letter to Apple or Darkware , the new frontier…


Problem: There needs to be an easy way to sync your existing iPhone and or iPad with a new computer, and here is why?

I met Steve Jobs years ago when I was working at an agency that used Next Step computers.  Steve was an out of the box thinker “creating things in his garage” before the first Apple anything ever was created.

Apple enjoys being one of the “big dogs” today not because of the Mac, although it didn’t hurt, but because of the iPhone and of course tablets, which they have excelled at.

Recently when the hardware crashed on my PC, even though I had a backup of the data, the iTunes files system to me was lost as it was tied to that computer. The OS with Microsoft dies with the computer so you get to buy everything over again.


One of the success stories of Microsoft was and is, to keep their software “intuitive and consistent.”  Apple does this as well, once you know the basics, you can fumble your way through the rest.  When however; you have an issue like this, what are the workarounds?


I need to move my data over to a new computer, migrate my iTunes stuff to the new computer, install the newest version of iTunes and sync the phone, iPad etc. right?

Folks, it should be this easy.  It should not take more than just a couple of steps, in keeping with “Apple simplicity,” to recover from something like this.


I do not want or need a laundry list of things including standing on one foot while reciting the star spangled banner backwards, pressing a combination of half a dozen keys in separate sequences and purchasing some “Darkware” program that has no guarantee of working because, it too was invented in some basement by some pimple faced kid.


There is in fact no way that I can see to do this without wiping out the phone, iPad (s) and starting from scratch which would not aid me in importing my contacts into Outlook at all! I also have no idea how much data that is on the phone / iPads that I would lose!

Outlook by the way has an equally convoluted way of doing this but, at least they have a way!


Outlook, why don’t you write a program to do this all “programmatically” for your faithful users?

I de-authorized the dead computer but when I tried to authorize the new one, no such luck, still too many computers authorized!  3, three computers authorized and there are still too many!  Out of a possible 5, 3 is too many!  So, I de-authorized everything!  Now what!? Now you have to wait something like 90 days to re-authorize things…..?


Doing the normal search thing, reading the blogs, researching all of the work around(s), I became frustrated to the point of thinking, “maybe it is time for a switch!”

Maybe, just maybe I really don’t need a smart phone at all.  How about a flip phone that just makes calls and receives calls!?  Have we come to that?  Have we come full circle?


Not only do I need a device that works as I expect it to but, I need it to play well with other operating systems.   I should not be forced to follow the threads of other frustrated users until I discover some clandestine piece of software that could cause your device to no longer work! I need something that “Apple” has invented, created or has included with iTunes as an easy way for people like me to recover from!


If I have to search the web and buy some third party software to fix Apple’s shortsightedness or convoluted way of keeping people from sharing their songs with their teenage girlfriends, we have gone too far!


I would much rather find another product that has already done that.  Things break and there needs to be some part of the program that allows for this.

This is Apple’s problem and they need to create a solution.  A solution that does not include forcing people like me to drive to the mall and to wait in line at the Genius bar to find out how much of a genius they are or are not.   Also to find out that I should simply  “google the problem, someone may have written something!”  Really, is that the best you got!?


One of the first issues I had with the iPhone is I needed a way to organize my apps with the computer.  Do you think for a minute there is a way to contact Apple to get their attention?  I posted the idea for “free” to them in a public forum and I will be damned, in about nine months’ time, it was there.  What would you care to guess that some employee who read my post offered the idea up as his?


Well Apple, here is another free Idea, just fix the damned thing so I can get on with my life!

Thanks!

-Best to you and those that you care about.

Copyright 2015 All rights reserved

Www.guard-protect.com

Www.timedok.com

Attention #CEO, is your #network #Secure? #Sony thought so!


I received an email from someone asking me about the internet outage in North Korea.

Firstly, if we, (America) had anything to do with it, I think it analogous to punishing a pugnacious brat, by taking away their computer. This kid really needs a good spanking!  For you who think that corporal punishment belongs in the dark ages, well you’re wrong, unless of course you consider North Korea is still in the Dark Ages!

This country, as stated in another blog; keeps its people in the dark.  Looking at a picture from space one can tell that electricity is not even well distributed much less the internet or the free exchange of information and thoughts.


Contained inside the Red Outline is North Korea. 

If you want to control a people, take away weapons, power, their ability to communicate with others, and feed them a constant feed of Bullshit daily!  Prevarication is called for if you want a submissive people who will do what you say without question.

The people of this country are brainwashed into “loving their dear leader” and believe anything that they are told.  Any type of truculence on their part is met with swift, brutal retaliation.  

If the evidence indeed points to North Korea in the attack on Sony (the only people with motive), most assuredly there was someone on the inside at Sony. Sony should be looking real hard with forensic experts to determine what happened!

As a security geek, I would love to be part of that team!

The sad truth today is that there could be a spook!   Money talks, with our lack of morality on the rise, it could be anyone.

Most firewalls today are pretty good at keeping bad people out so, planting a spook or a Trojan or worm of some kind on the inside of the firewall, enabling communication from the outside through some spoofed port that is normally open like 80, would have to be employed.

Many of the remote control desktop software out there today which some people use, violate all security protocols.  The problem is that a lot of companies don’t hire a security officer or have a limited IT staff who are too busy resetting passwords and posting on Facebook to be bothered with doing nothing more than putting out fires.


If you look at the OSI model (which I dare say few are familiar with), it consists of 7 layers.  The OSI model (Open Systems Interconnection model) is a packet-based structure of layers, or protocol stack.


  • Starting at layer one, we have the physical layer which is basically your cable and associated hardware which allows your computer to communicate with the host.  This layer is responsible for the “frame bit.”
  • Layer two is the layer that establishes the protocol used to communicate, whether it is frame relay or Ethernet or what have you. This layer is called the data link layer.
  • Layer three is known as the network layer and is responsible for transmitting data from node to node. This layer provides switching and routing information.
  • Layer four or transport layer is responsible for such things as error recovery and end to end flow control.
  • Layer five or session layer sets up, coordinates, and terminates conversations, exchanges, and dialogues between the applications.
  • Layer six or presentation layer works to transform data into the form that the application layer can accept.
  • Layer seven or application layer is just that. Everything at this layer is application-specific. This layer provides application services for file transfers, e-mail, browser, Google, and other network software services, and yes, Facebook.  This is the layer that the end user has the most to do with in that applications exist solely at this level.

Now that you have a small idea of how one communicates over the internet, looking at this model, how would you interrupt traffic between them and us?

Keep in mind that North Korea gets internet from China and most probably through a Russian satellite. Neither of these do we have control over, so pulling the plug leaves out the physical layer.

Again, I could not use layer two; as again I don’t have control over that either. 

Ah, now layer three I do have control over.  What if I change their known IP addresses to non-internet-routable or private ones, much like the 192, 172 or 10 subnets?  Now they have to go to Russia or China and beg for another subnet and… as soon as they do, we kill that as well.

Why do we have private addresses you ask?  Most reading this far probably already know this however, there are simply not enough addresses to give every company that wants one, a block of private addresses.

If you look at RFC 1918, a private address scheme was created: addresses that are not assigned, meaning that they cannot route through the internet.  In this way businesses and homes and even North Korea can use them to their heart’s content on their private networks and then, using something called NAT or network address translation, can make your home computer look as though it is talking on a public address.
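As an added example (not part of the original post), the sketch below shows the exact RFC 1918 blocks and a minimal port-translating NAT of the kind described above. The `Napt` class, the `203.0.113.7` public address (a documentation address) and the sample source list are constructed for illustration.

```python
import ipaddress

# The three address blocks RFC 1918 reserves for private networks.
# Note that only part of 172.x and 192.x is private.
RFC1918_BLOCKS = tuple(
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def rfc1918_block(addr):
    """Return the RFC 1918 block that contains addr, or None if it is not private."""
    ip = ipaddress.ip_address(addr)
    for net in RFC1918_BLOCKS:
        if ip in net:
            return str(net)
    return None


def private_sources(src_addrs):
    """Border check: private sources seen on an internet-facing link.

    RFC 1918 addresses are not routed on the internet, so a packet arriving
    from outside with such a source is spoofed or leaked and should be dropped.
    """
    return [a for a in src_addrs if rfc1918_block(a) is not None]


class Napt:
    """Minimal port-address translator (hypothetical, for illustration only).

    Outbound: (private ip, port) is rewritten to (public ip, allocated port).
    Inbound: a reply is forwarded only if its port matches an existing mapping.
    """

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (private_ip, private_port) -> public_port
        self.back = {}   # public_port -> (private_ip, private_port)

    def outbound(self, src_ip, src_port):
        if rfc1918_block(src_ip) is None:
            raise ValueError(f"{src_ip} is not an RFC 1918 address")
        key = (src_ip, src_port)
        if key not in self.out:
            if self.next_port > 65535:
                raise RuntimeError("no free public ports left")
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return self.public_ip, self.out[key]

    def inbound(self, dst_port):
        """Return the inside host for a reply, or None for unsolicited traffic."""
        return self.back.get(dst_port)


# Constructed sample: source addresses observed on an outside interface.
SAMPLE_SOURCES = ["8.8.8.8", "10.1.2.3", "172.32.0.1", "172.31.255.254",
                  "192.168.1.20", "192.169.0.1"]

if __name__ == "__main__":
    for a in SAMPLE_SOURCES:
        print(f"{a:16} {rfc1918_block(a) or 'public / not RFC 1918'}")
    nat = Napt("203.0.113.7")
    print(nat.outbound("192.168.1.20", 51000))   # first inside host
    print(nat.outbound("10.0.0.5", 51000))       # second host, same source port
    print(nat.inbound(40001), nat.inbound(40999))
```

Two inside hosts using the same source port end up on different public ports of one public address, and an inbound packet to a port with no mapping has nowhere to go.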

This BLOG’s intent is to underscore the need to have a good CIO and a good security officer.  Your company could be the next Sony and as you can see, if some rogue country like North Korea who has a very limited pool of talent can take down a giant like Sony, just think what a Russia or China or other country who does not stagnate its citizens, and keep them in the stone age could do.

-Best to you and those that you care about, and if I don’t get to write again by Christmas, have a Merry Christmas!


Single point of #failure, #programming and why a #CIO is important.


A few weeks ago we talked about, single points of failure.  We talked about power lines and data lines having more than one place of ingress to the building.  We spoke of multiple power sources, as well as multiple data paths; much like the internet has multiple data paths. See that post for more information about hardware single points of failure.


Today the subject closely relates to this but it is “software.”

Some companies use off-the-shelf solutions and some decide to “roll their own.”

Today we are going to look at the pros and cons of this practice.

Off the shelf:

PRO—

Ready to go with a company to back you up.

A “normal” IT guy or gal can install it and most probably support it, as most of these types of software companies have classes on their software.  They offer such classes because they want their product to be successful, and they most probably offer some sort of certification for it as IT folk seem to be “gaga” over certifications!

If there is a problem there is a support path.

Depending upon the complexity of the software there may be add-on-modules for your particular needs.  That translates to a cost savings of only buying what you need.

IT personnel are much less expensive than in house programmers and unlike in house software, there is an end to the expense.

With canned software it is also easier to find IT people who can work with it, vs. some home grown software that no one has ever seen before.

Hiring your own in house programmers is like hiring a carpenter to do some project for you that charges by the hour and the project that you want him to do is ill defined.


There was a show not too many years ago called Murphy Brown who had Eldon the painter in her house.  Eldon was always doing something and was in her house for the entire show doing something.  While Eldon was a bit player and supposed to be there for this part, the analogy is that she left everything up to him and he had a job for life.

You don’t want an Eldon working for you, unless you really like his company.

With off the shelf or canned software you work within its limitations.


Scope Creep:

Having managed programmers in the past and reporting their progress to the president and or board, it never ceased to amaze me that someone would ask the question, what would it take to make the software do X.

The way that this works is the decision makers come up with a defined set of expectations, which allow a budget to be created.  Once that process is done, so is the definition of the project.  It is then up to the manager to manage the project and make sure that certain milestones are met and in budget.

The danger of developing things in house is that inevitably someone modifies the definition after the budget has been blessed.  If you have no “extra” built in for unforeseen events, then you have to go back to the board and beg.

You can explain it is because they wanted something else but you still come off looking bad.  You should have foreseen that they were going to ask for that and put it into the budget.  (There is a little truth to that last statement.)

With canned software, the project is much more manageable as the cost is pretty much set in stone.  Support contracts are easily budgeted for as is training of your people.

Designing in house software has more risk than payback.

Most probably you keep your staff small so if one person does this part of the project and another that part of the project and then something happens to them, well, you have a single point of failure.

Documentation of the software developed in house must be meticulously managed and like a DR plan, it must be tested! If it is not done in this manner the software becomes worthless when that developer is no longer there.

Around 10% of development time is or should be documentation time.  Documentation should contain a version number much like the rev level of the software.  Outdated documentation is worthless.

Unlike the mindset among some IT people that do not document anything, the programmer must document their software in such a way that a future programmer can pick it up and run with it.  This documentation might include things like UML diagrams and key design features. Comments in the code are nice, but are not enough.

As with any DR, there is a “living document” as it also is with code.  The documentation is a live process and must be updated as the code is developed.

Programmers certainly know the best practice techniques of this process but the CEO may not.  Some people develop self documenting code.

The old adage “Don’t expect what you don’t inspect” is salient, germane and just damned important!

There are no good surprises in business and if you keep with that as your mantra, you will be served well.

The Cons to off the shelf are that it is fixed.  Whatever you purchased is only as flexible as it was designed to be, “a one size fits all” solution.  For most companies this may be enough.

Most companies are generic enough that they can work with that.

Some projects are just foolish to try and roll your own as the cost will not justify the ends.

I know of one company who has someone in the upper echelon of the company that is a developer.  Instead of using canned software for such things as DNS, they wrote some scripts with pointers to a LMhost file.  Of course there was no documentation so as an engineer figuring out why there were duplicate IP addresses or why IP addresses did not match the device and so forth was a nightmare!  Wireshark to the rescue.

There are standards in the industry for a reason.

Canned software allows the CEO to get the best talent for the job and allows him a wider field to choose from.  If their set up is so unique that only a select few can manage it, he is paying way more for a system that dies when the creator of it dies or just gets upset and quits.  The golden handcuffs are then on the business owner as he must necessarily play nice with his programmers.

Remember, no employee should be sacrosanct.  Everyone must necessarily be treated as expendable because of the “hit by a bus scenario.”


In house code must be tested to make certain that it is supportable by outside people.  If it is not, it should be fixed, scrapped or replaced with something that is, or is off the shelf.

Canned software?

This is a very important reason to have a “good CIO!”  Any good CIO has the company’s best interests at heart and knows better than to save a penny here and waste thousands there.  The CIO must be incredibly technology savvy as well as possess business acumen.

I have worked for many over the years that were one or the other or neither, but they did go to school with the president so they were buds.

Failure to plan is planning to fail!

Hire a CIO that knows his or her stuff.

If you are uncertain, hire a DR consultant to come do an audit.

The consultant, if met with truculence on the part of the IT staff, would be a good indicator that your staff know that they have bones buried.

Plan to look carefully at your software needs and if you decide to develop in-house, make sure that your CIO knows what his or her programmers are doing.

Programmers make lousy CIO’s, just like a surgeon makes a lousy GP.

If you have a belly ache and go to a surgeon for advice, what do they do?  They cut flesh.  Their first thought is to open you up and see why you hurt!

You go to a GP who takes your history and discovers that you had sushi some time back, has you checked for the helicobacter virus; a few antibiotics later you are fine and you don’t have some scar on your belly, not to mention a long recovery time.

Bad decisions in business cost money and bad decisions with your health also cost money and could cost you your life.

Programmers not only make bad CIO’s, they make bad managers. Most programmers are very myopic. They have to be to code.  When you take someone with that skill set and throw them into management, they do not have the breadth of experience necessary to handle a wide variety of issues.  I have seen too many over my career that started out as programmers and made convoluted programmatic solutions for an easy fix situation.

There was an old cartoon many years ago where there were two computers in a room.  The Secretary and the exec, both on their computer.  The IT guy played as Goofy, or a Goofy look-a-like was asked to find a way to get the file on a diskette from this computer to that one.  Goofy takes the disk, scratches his head for a second and then like a Frisbee, tossed the disk to the secretary.  K.I.S.S.

The CIO must know enough about all things IT to know when smoke is being blown up his or her southern most orifice.  The CIO must also have enough business savvy to be able to negotiate with the CFO, who has a different skill set, as well as deal with the CEO and those on the board of directors.

What you don’t want is some sycophant working for you and you don’t want a control freak either.  The CIO must be very well rounded with lots of experience.

Management must not become your single point of failure.

-Best

Copyright 2014 Timedok All Rights Reserved

Moving?

If you are a CEO, or owner of a company, you know that the logistics of moving are a nightmare!

I have moved data centers while keeping the existing company going.  That is what got me interested in Disaster recovery.  If you are going to provide business continuity during a disaster, providing the same for a move is a little simpler.

If you have a disaster recovery plan, this would be an excellent way to test it.  If you don’t; may I suggest you create one before the move and then use the move as a way to test it?

The simple facts are that most CEO’s are oblivious as to the true state of their data infrastructure.  It seems to work and beside the occasional glitch, business continues.

As a DR specialist I see things way too often that are far from “best practice” and usually so sub-par that the person in charge of the mess does everything they can do to get me out of there before their boss learns the tenuous situation that they have going on.

Rule of thumb.

You don’t have to understand too much of the technology to know if you are being snowed.

Go into the wiring closets and or data center and look at how things are arranged.

Are the cables dressed as they should be or are they simply plugged in with no rhyme or reason?

Is everything in the computer room labeled?

Can your CIO or manager or sysadmin produce an up to date network map?

Can they produce your software licenses in case the SBA comes for a visit?

Can they produce an accurate inventory of all of the software in your company?

Can they show you the “run book?”

These are just real simple things that you can look for to get a feel for how prepared your company is to either move, or recover after a disaster.

Usually the turnover in such a company results in messes being piled on top of messes.  Before the Gordian knot becomes truly inexorable; a review is necessary.

The review turns into an audit which inevitably makes those who are responsible anxious.  My job is not to point fingers, but simply point out that which needs to change.

See my blog “attention Ceo CiO etc…

https://thetimedok.com/2014/06/02/attention-ceo-cfo-president-cio-and-hr/

There are many things in there to ask of your staff.

The point to this writing today is simply this.  If you are pondering a move, using your disaster recovery plan as an outline for the move has lots of advantages.

The main advantage is that you get to test it, and work on it.  While it may not be complete it is a starting point.

We live in difficult times; not having a DR plan is like driving without insurance, risky.  While driving without insurance could get you a ticket, or paying for the other guy out of your pocket, not having a DR plan could cost you the entire company.

Feel free to contact me if you need some help.

Staylor AT guard-protect.com

Yes, robots see e-mails and spam me so simply replace the AT with the @

-Best

The CIO

Frequently young people ask me what it takes to be in IT or even the CIO.

Over thirty years of OJT has taught me a thing or two about management.

When I was working in Corporate America, often times I would do things that were for the “good of the company,” that my subordinates may not have liked.

In one of my previous posts I speak about documentation being the bane of IT people.  As a manager of this group, documentation is key.

Many times I go into a situation to “trouble-shoot” and when I ask for the network documentation, I am met with blank stares.  If I task you with driving from Baltimore to LA without a map or GPS, the odds are good that even with the occasional road sign to assist you, you would make a few wrong turns along the way. While this is a real simplistic metaphor for the problem, you get the point.

While I encourage the creation and continual update of a “run-book,” most IT people laugh. One of them even told me straight up “that will never happen.”  He was terminated soon after that remark.  Attitude is a key component of any employee, and crappy attitudes I can do without.  It happened, it just did not happen with him.

The data center and the associated infrastructure does not belong to you the geek; but the company.  You are entrusted with its care and feeding.  The direction of how, when, and why, comes from somewhere else. Understanding your role in this universe is salient advice, that I would give any techie that wants to stay employed.

While I have stepped on a few toes over the past 30 years; most of my previous employees would follow me to a new company if I asked; and have done so on many occasions over the years.

What does it take to be the “guy in charge?”

It takes a person who firstly loves technology.  Eating and breathing the newest technology I believe is a trait that is indicative of a successful CIO.

Second, it takes business acumen.  Technology is great; having the business prowess to realize that there is a bottom line and in order for the company to stay viable, purchases should be made with business objectives in mind.  I cannot tell you how many times I see things that were ill-advised purchases, which were no longer in use, and lost revenue.

Having a vision of where the company is headed is key to purchasing the correct hardware and software.

If you have read any of my other blogs you know that I believe in leading by example.  Gaining the mutual respect of your employees is paramount.  Sometimes a new broom must sweep clean, and that too has been the case on a few occasions.

Be smart enough to utilize a VAR.  The business case is simple…

Yes, they markup their products that they sell you however; you gain the expertise of their staff who see what works and what does not.  They are in multiple businesses and have the advantage of working with all of the latest and greatest. They stand behind what they sell you.  If it breaks, they deal with it.  They deal with all of the major vendors and know what is coming down the road.  Having access to their insight is invaluable.

Never buy from internet “cheapie” stores and here is why?  If they have it and it is discounted, there is a reason.  It may be buggy or is no longer supported or outdated.

If you want to take a chance for your home stuff, go for it.  Business applications are more traffic intensive than your home network or pc.  If you have routing issues or excessive collisions at home, the odds are good that you will never know it unless it becomes critical.  In business, you have possibly hundreds of computers hooked to the network thus stressing the networks ability to perform.  Do you really want to do that with cheap, no-name or outdated hardware?

If you want to shop your toner, go for it, other office supplies; have at it.  Networking equipment, do not be tempted.  The few dollars you “think you saved” will most probably cost you big time in the end.

Realize that there are things like hardware asset management and make sure you follow through.  Repairing and putting new software on old hardware is a fool’s mission in that the license most likely dies with the hardware.  Old hardware is already outdated and slower than what you would have today.  There is also S.A.M. or software asset management, which also is a key element to the bottom line.

  • Desktops last no longer than five years.
  • Laptops, around three years.
  • Smartphones about two.

Since the software costs much more than the hardware, you can see how keeping that old boat anchor alive is probably not a good idea.  XP is dead, get over it and move on.

This is one reason why leasing for large companies might make good sense.

I once worked for a CIO who did not even have a PC at home.  He reminded me of the old guy that did not even want a cell phone as there was nobody he wanted to talk to badly enough to have one.  My point is that you must have a balance between the financial aspects of the business at hand, and the technological aspects.  This guy cost the company millions of dollars because he was so inept where technology counted.  While he did not have an abacus on his desk, he definitely was old school and inflexible.

Too many times I have been in companies where the CEO or owner wanted to play IT rather than run the company.  The CEO did not get there by being stupid, but IT is not his forte; it is yours.  Unlike us, “the nerds of the world” who eat, breathe and defecate this stuff on a daily basis, he or she may read something in some periodical and think, wow this looks good, “do this!”

Your relationship with this person should be on a solid enough footing where you can tell them the truth of the matter.

Falling back to re-group and gather pricing, TCO and an ROI is always a crucial part of the decision, not to mention, does it make business sense to do it in the first place.

Don’t be afraid to tell the truth.  I have had a yes man working for me that I had to get rid of.  I depend upon my subordinates to debate with me if they think that I am wrong.  They might very well lose anyway, but differing opinions are necessary and crucial to the process. Having the humility to listen to them is part of being a good CIO.

Project management is a key part of being an IT manager.  Yes, you can hire a project manager but let’s face it; it is really not all that difficult.  We have all of these certifications for everything in the world.  While a piece of paper gives the clueless hiring entity a metric of your ability, it is not the end all be all.

I have inherited “certified employees” that were academically sharp but, not able to do the job at hand. They can read and regurgitate information but could not turn a screwdriver. Book sense and practical; not one or the other.

I was a project manager before there were such things, at least certified project managers.

I ran as many projects as 30 at one time, most in a spreadsheet, well several spreadsheets.  I knew what it was going to cost and how much I was going to have spent on each and every milestone.  I knew who would be doing which task at what time and how long it should take.  If I can do that in Excel, do I really need to hire a PMP?

In order to be a good manager, having the ability to do each and every job makes life much simpler.  You cannot be “BS’ed.”  Can you do it as fast as someone who does it day in and day out?  Probably not, but you could do it if needed, which gives you a leg up and makes each and every employee under you “expendable.”

I don’t mean to sound harsh.  There is this attitude among most IT guys that if they are the only person who can do it, they are sacrosanct. So, they don’t document their job and of course they don’t let on their tricks or where the bones are buried. Nobody in any company should be untouchable.

This is dangerous for you the CIO and damned hazardous for the company.

This is why the owner or CEO of any company should have a disaster recovery plan and test that plan with people other than his or her employees.  If a technical group of people can bring your company back from the brink, in an offsite location, in a short amount of time, then your documentation is solid.  If not, then your guys have some “splainin to do.”

Plans such as these rarely work perfectly the first time and I expect that.  That is the process by which the documentation is refined in such a way that it will work.  No one can get every detail the first time around, but eventually you can nail it down in such a way that the company would survive if a disaster was declared.

These have been my precepts from day one of management.  There are lots of things that go with this but you can see the logic and of course you can see how this would intimidate the person who may be out of their comfort zone to start with.  This is one of the problems that I am forced to deal with when I am called in to do a DR plan.  The employees are seldom on board with giving me information, which means that I have to go and get it. This is where I end up stepping on toes.  If I have to go dig it up, it is much more costly and it extends the project time.  Nobody wants their “mess” exposed during the audit so it is seldom easy to get through this process.  Even though upper management is on board, the employees are most of the time, evasive if not truculent; and unwilling to share.

So my last thing that I would offer is patience.  Weekly meetings with upper management on your progress will ferret out issues like uncooperative employees.

-Best to you and those that you care about.

Attention #CEO #CFO #President #CIO and #hr

Here is some food for thought for you who own or control or have vested interest in corporations.

If you were to go to your CIO or your IS manager and ask the following; what would their response be?

  • Can you show me the network map?
  • Can you show me the documentation on the V-LANS?
  • Can you give me an accurate inventory of the servers that we have including their age and configuration?
  • Can you tell me what is on each server or device and what it does?
  • Who has access to what on each server and who decides what that access is?
  • Can you tell me how they are connected to the network, is there a redundant path?
  • Can you produce an inventory of what software is on each server?
  • Can you show me the recent log files of each server and tell me about what concerns you have regarding what those log files say?
  • Where is the actual software that is on the servers and where are the license keys?

No Excuses!

You would be surprised how many Sysadmins tell me that they don’t keep the software, they just download it when they need it.  Really?  You have just had a disaster and your internet is down and will not be up for at least 72 hours, now what?  Not only does it make sense to have the disk for this reason, but it takes time (valuable time) to go and find and download software.  They have argued that what is on the disk is not the most current.  Why not?  Why have you not updated your Software Library?  There is a lot to being a Sysadmin (SA); it is not about sitting on your butt in your office surfing the web, reading the news and updating Facebook while being annoyed by the occasional request for a password reset! Old software that is a few versions behind the curve is still better than none!  Even if you “don’t have time” to keep your library updated; something is better than nothing.

Speaking of passwords, most companies really need a security officer and really don’t understand why.  I have seen some Sysadmins that are so lazy that they assign passwords to people and then keep an Excel list of them on the server.  These are not really Sysadmins because that is genuinely stupid. To open the company to so many different kinds of fraud, industrial espionage, and other forms of abuse of the system, just because the guy does not want to be bothered with password resets, is incredible.  This guy would not be working for me as there is no excuse for this!  I don’t care how “nice a guy he is.”  Laziness and stupidity are a bad combination for a Sysadmin to have.

  • What software revision level are we at and is it the most recent? If not, why not?
  • Are Firmware rev levels kept up with and checked regularly?
  • Are the drivers up to date?
  • Can you produce a list of the passwords for each server?
  • What are the power requirements for these servers?
  • What are the cooling requirements for the equipment and are there any issues?
  • How long can we run if there is a power outage?
  • When is the last time that the batteries were changed out in the UPS’s?
  • Is each and every device in the server room labeled?
  • Is all networking cable installed in a manner that not only makes sense but looks like it belongs there vs. haphazardly plugged in on the run?
  • Can you show me a map of the switches, what port is doing what?
  • Tell me about load leveling.
  • Have all of the intelligent devices SNMP passwords been changed from the default?
  • If so, what are the passwords? If not, why not?
  • Are there traps being sent to a syslog server?
  • Who reads the logs, how often; and are there any concerns?
  • How are the concerns addressed?
  • Show me the notes from change control or change management meetings?
  • Are these notes managed in a responsible manner and are all changes noted in the living document?
  • What is the average age of the workstation on the floor/building?
  • Describe the policy regarding passwords? How often are they changed?
  • Describe your Hardware asset management strategy?
  • Describe your Software asset management strategy?
  • Who handles the maintenance on the HVAC in the server room?
  • When was the HVAC last serviced?
  • Tell me about your fire suppression.

It has been my experience, as an IT manager and a Disaster Recovery Specialist who does many audits, that the majority of Sysadmins do a horrible job of hardware and software management, much to the loss of the company and chagrin of the CFO.

Desktops last about 5 years, Laptops 3.  When they are put into service a clock should start running to replace it in X years.  You don’t want employees working on outdated equipment, and you don’t want to install new software on old computers as the license may very well die with the computer.

I have seen too many companies try to get everything they can out of a box.  Amortize the box and when the IRS says it is dead, let it go.  If there is a use for it in some non-critical function, “user discretion,” but add no more software and remove it from critical areas.

I have seen many people struggling along on a machine that is well past its usable life.  Losing files or data or waiting around for the machine to catch up costs money.  While it may be soft dollars, those soft dollars turn into real dollars quickly if you lose enough data or time.

I used to install older computers in the break room with internet access and the usual Windows and Facebook-type games.   Employees could use them for their private needs before or after their shift or while on break or lunch, and they were non-critical and on their own V-LAN where company data could not be accessed!

Not everyone in the company needs a full version of Office.  A lot of companies have a standard load for all computers.  That should be re-visited as it is wasteful. While Microsoft would like you to purchase everything for every computer, that is simply laziness and wasteful.

Software and Hardware management is in itself a job and proper management of it will produce an ROI.  It is also necessary in order to provide a budget requirement.  The CFO might cringe when he or she sees the request but, at least it is planned and not a surprise!

  • What antivirus software is on them? How did you decide on that software?
  • Are the workstations locked down?
  • Do any users have admin rights? If so, why?
  • Are the USB ports locked down?
  • Are the CD burners locked down?
  • What ports are allowed through the firewall?
  • Is the firewall updated to the latest software?
  • Are traps from the firewall being sent to a syslog server?
  • Who has access to their workstation PC from home? Why?
  • Who has access to their home PC from work? Why?
  • What software is on each workstation?

I run an inventory program like Spiceworks or some other commercially available software, to obtain an inventory of all of the software on all of the boxes and then go through the task of identifying each executable.  I have found numerous Trojans and viruses, remote control software, games galore, software that was not licensed and oh yes, software that they used and did not know that they had as it was installed by previous regimes.  This type of activity is mandatory if you want to recover in the case of a disaster.  It is also mandatory if you want to be licensed properly and not have your neck on the line if some employee gets upset and calls the software police.

Recently the SBA has been advertising a lot trying to get employees to snitch on their company. The rewards to the snitch are inconsequential as the penalties and fines to the company are enormous.  Having that inventory and those licenses and even the receipts in a safe place I would think to be a really good idea.

Some companies are so cheap that they use free anti-virus software which is not worth what you paid for it.  I fight viruses daily.  Free is not an option.  If you think that it is, you are deluded and clearly don’t know what you are doing.
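One way to do the reconciliation described above once an inventory tool has exported what is installed where. This is an added example, not code from the original post: the record layout, host names, product names and seat counts are all constructed, and the age limits are the desktop, laptop and smartphone figures given earlier.

```python
"""Reconcile a software inventory export against license records."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Replacement clock from the post: desktops 5 years, laptops 3, smartphones 2.
LIFECYCLE_YEARS = {"desktop": 5, "laptop": 3, "smartphone": 2}


@dataclass(frozen=True)
class Host:
    name: str
    kind: str
    in_service: date


@dataclass(frozen=True)
class Install:
    host: str
    product: str


def norm(name):
    """Fold case and whitespace so 'Office Suite ' matches 'office suite'."""
    return " ".join(name.lower().split())


def past_lifecycle(host, today):
    """True once the host has reached its replacement date."""
    years = LIFECYCLE_YEARS.get(host.kind)
    if years is None:          # unknown device class: do not guess a limit
        return False
    start = host.in_service
    try:
        end = start.replace(year=start.year + years)
    except ValueError:         # put in service on 29 February
        end = start.replace(year=start.year + years, day=28)
    return today >= end


def reconcile(hosts, installs, licenses, approved_free, today):
    """Compare installs with purchased seats and hardware age."""
    host_by_name = {h.name: h for h in hosts}
    seats = {norm(p): n for p, n in licenses.items()}
    free = {norm(p) for p in approved_free}
    # One seat per (host, product), however often the export repeats it.
    pairs = sorted({(i.host, norm(i.product)) for i in installs})

    hosts_per_product = defaultdict(set)
    unidentified, on_expired, unknown_hosts = [], [], set()
    for host, product in pairs:
        record = host_by_name.get(host)
        if record is None:
            # Software reported from a box the hardware inventory has no record of.
            unknown_hosts.add(host)
        if product in seats:
            hosts_per_product[product].add(host)
            if record is not None and past_lifecycle(record, today):
                on_expired.append((host, product))
        elif product not in free:
            # Neither licensed nor approved: someone has to identify it.
            unidentified.append((host, product))

    used = {p: len(hosts_per_product.get(p, ())) for p in seats}
    return {
        "unidentified": unidentified,
        "on_expired_hardware": on_expired,
        "unknown_hosts": sorted(unknown_hosts),
        "over_deployed": {p: used[p] - n for p, n in seats.items() if used[p] > n},
        "unused_seats": {p: n - used[p] for p, n in seats.items() if used[p] < n},
    }


# Constructed sample data, standing in for an inventory export.
TODAY = date(2019, 1, 1)
HOSTS = [
    Host("ws-01", "desktop", date(2012, 3, 1)),
    Host("ws-02", "desktop", date(2018, 6, 15)),
    Host("lt-01", "laptop", date(2016, 1, 10)),
]
INSTALLS = [
    Install("ws-01", "Office Suite"), Install("ws-01", "RemoteCtl"),
    Install("ws-02", "office suite "), Install("ws-02", "CAD Tool"),
    Install("lt-01", "Office Suite"), Install("lt-01", "CAD Tool"),
    Install("lt-01", "Archive Util"), Install("lt-01", "Office Suite"),
    Install("kiosk-9", "Office Suite"),
]
LICENSES = {"Office Suite": 2, "CAD Tool": 5}   # seats purchased
APPROVED_FREE = {"Archive Util"}

if __name__ == "__main__":
    for section, items in reconcile(HOSTS, INSTALLS, LICENSES,
                                    APPROVED_FREE, TODAY).items():
        print(f"{section}: {items}")
```

The "unidentified" list is the work queue for identifying each executable, and "on_expired_hardware" shows licensed software sitting on boxes that are already past their replacement date.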

Free software by definition cannot be maintained as well as commercial software.  Who in the hell has money to pay for programmers and security experts and then give the product away?!

Good Anti-Virus software is Patriotic

I made the argument the other night at a speaking engagement that it is actually patriotic to use good anti-virus software. Why?  If millions of computers are taken over at the drop of a hat by some “bad guys” and they target let’s say the FAA or the FEDS, or some other institution and are able to cripple the banking industry, or what have you, and your computer is part of the problem; what then?  A Trojan could be sitting on your computer unknown to you, just waiting for the instruction to start a DoS attack.  Stop being cheap and buy the damned software and protect your computer(s) from being controlled by “evil.”

If a government had more than two neurons firing in their collective heads, they would create a “government approved” anti-virus software and give it to its citizens.  Now I know how that would be received by most; if I had a choice I would buy my own as I really don’t want anything big brother has to offer on my computer, but let’s face facts.  You probably have things on your computer right now made by the Russian Mafia or worse!   I am certain that a government grant could be created to support a group of “white hat hackers” to help keep America Safe from cyber terrorism. If you do this remember whose idea it was…

Here are a few more questions for you CIO/owner types who might actually have some skin in the game.

  • Do you have licenses for that software?
  • Where is that software?
  • Where are the licenses kept?
  • Can we prove that we bought a license for each and every piece of software in the building? If so, do it.  If not, why not?
  • How many employees use laptops?
  • Are they secure?
  • Are they encrypted?
  • Are USB drives or thumb drives that are necessary for business use, encrypted?
  • Do the laptops have up-to-date anti-virus software on them?
  • How old are they?
  • Do they use a VPN to get into the servers from outside of the office?
  • How secure is their VPN? What challenges, if any are there?
  • Do you use security tokens?
  • Can you show me a map of the building depicting which PC is hooked up to which drop?
  • If you are using VOIP can you show me that same map for the phones?
  • Is the map updated as changes occur?
  • Describe your backup policies and procedures.
  • Where is the data being sent off-site?
  • Are we using the cloud for backup?
  • Walk me through the procedure of getting access to the data if this building is blown away.
  • Walk me through the procedure of restoring the servers in another location.
  • Tell me who can do this if the Sysadmin is not available?
  • Have we tested a restore of the data, if so when was the last test and where are the results; if not, why not?

These few questions and comments are off the top of my head and it took about ten minutes to list them.  There are plenty more but, this gives you a small flavor of the kinds of information you should already have and that I gather in a disaster recovery project.

The simple facts are that IT people are loath to document anything.  It is kind of like editing your own work, you know what you meant to say and your mind fills in the blanks.  Documentation should be written in such a way that a technical person not familiar with your company should be able to pick up the document and pieces and re-build your company without you there.

Often I am met with complete truculence and arrogance and lots of attitude by the IT staff of a company that I do a DR for. They don’t want me there as they don’t want me messing around in their sandbox.  Truth be told, they don’t want the fact that they are remiss in their jobs to get to their boss, who thinks everything is running perfectly, until it isn’t!

About Me:

If you happen to watch or ever have watched Hell’s Kitchen or Kitchen Nightmares, or know who Chef Ramsay is, then you have a clue of who I am, without the foul mouth.  I take IT departments and fix them, and I take no prisoners (no excuses).  Not only do I fix the hardware and software components, but I fix the personnel issues as well. It may be a training issue or an employee that is a poor fit. It may be a lack of people as most companies try to run too thin on staff. There should be no one person who is sacrosanct.  In a disaster you may lose them, so we need things documented in such a way that a rent-a-geek can restore your company.  If there is no documentation, I create it.  Through a test of the DR, we can then hone that documentation to a fine point.

I am a troubleshooter.   Not only am I a problem solver; I have been in management of IT for a large part of my life. I get to the bottom of issues and take corrective action.  IT is ancillary to the business.  IT is a tool that has to be running smoothly; like a Swiss watch.  Your job as CEO is to run the company, not IT.  I have built data centers from the ground up, as well as re-built them while the business kept going all over the country.

From data, fire suppression, HVAC, power requirements, UPS requirements, floor height, easy access to the equipment, MDF and IDF designs, data and voice, from the east coast to the west, from the north to south.  I have worked in Union areas of the country to the Wild West where “anything goes.” Been there, done that.

Go ask your IT people some of these questions and see if you are satisfied.  After 30 years in this business, I would be surprised if you were.

From me, or someone like me, among the deliverables, will be the documentation that so many just don’t do.  Without that documentation, you are playing with galloping dominoes. Your risk might be small as you yourself know something about it, or it may be huge in that you, like most who run a company, run it from 20,000 feet, through your management.  There are seldom any pleasant surprises in business.

Has anyone at your company done a risk assessment?  Where are you located geographically?  Are you in an area that is prone to earthquakes, Hurricanes or Typhoons? How about tornadoes or fire?

One of the largest risks to a company surprisingly is none of the above.  It is employee error.   I have worked for companies where the Owners were the issue.  One company had their child who played video games work on the equipment and of course screwed it up constantly.  Stay away from those companies as they don’t want to hear the truth.  Their child is perfect, knows everything about anything so it must be the fault of the internet or the software or something else.  I worked for companies where the owners themselves who ran the company, also thought they were the end all be all of IT.  Pride comes before a fall; and believe me, when you own a company you really don’t want to have that fall.  Stick to what you know best and leave the technical things that change daily to those that keep up with it.  We who know this stuff are constantly involved with forums and our peers.  What works today may not work tomorrow.  Unless you can devote your life to this, let those of us who do, do it!

“NO”

One owner takes a passing interest in the latest greatest through a magazine and orders or asks his IT guy to make it so.  If you have a yes-man working for you, do yourself a favor and fire him.  Your people who do this for a living should have the ability to say no.  If they say no, you should listen to them.  If you want a second opinion, call your VAR.  If those two don’t jibe, call another.  Bottom line is you never install REV 1.0 of anything into production, ever!  If your guy can’t be honest with you, get real and hire a person who will tell you “no!”  It may save you tens of thousands of dollars, if not your company. I have had yes men working for me in the past and got rid of them.  I depend on Team Cooperation, and that means I need their input.  While humbling oneself to listen to a subordinate can be a challenge at times, they may know something that you don’t.

I once worked for a guy who ran a company selling and servicing office equipment.  This was actually my first real job out of school.  The guy was from Georgia and had been a tank commander in WWII.  His manner was gruff, but he was sincere as the day was long.  We became close over the years as I have always made it a point to look at what successful people are doing, how they got there, and basically what made them tick.

He promoted me to the position of service manager of one of his locations.  He drove me over there to introduce me to the new team and show me around.  While on the road, he told me that one secret of a successful person is to hire people smarter, or at least as smart as you were.  To me, that was probably one of the most salient bits of advice that I could pass on.  That means that the man had humility and, also he must have thought something of me.

While I still struggle with humility today, I am aware of it and work on it.

Hours of Operation.

I had a guy interview with me. Towards the end of the interview, he asked me if there would be any overtime as he had obligations after work and on weekends.  This guy clearly had no clue about the job for which he was applying.  Hourly jobs are Burger King, not Sysadmin or Network specialist, etc.   We get paid well because this becomes the biggest part of our life!  If you are a 9 to 5 guy, don’t look at IT as a career.

As anyone who has been in IT any time at all can attest, this is not a nine-to-five job.  One never knows when something will stop working and you are suddenly pulling an all-nighter to fix something.  With VMware and the technology we have today, we can minimize that risk, which is something that we do through proper configuration of the servers, building in some redundancy and keeping up with the age of our hardware.

Once you get past a twelve hour day, statistics show that you are much more error-prone, thus shooting yourself in the foot; and possibly the company.  Best practice planning and implementation from the beginning mitigates this risk. Having up to date documentation as well as partnerships with VARs will allow you to recover faster, and employ fewer full-time people.  Staff augmentation through a VAR is an excellent way to keep the number of FTEs down but, that relationship really needs to be solid.

If you want to experience what “cold running blood is,” come in late at night to update some software on the server, reboot it and then see the prompt, drive 0 not found.  This was before the days of RAID.  This was when ginning a server started with installing 25 5.25 inch floppies followed by a 12-hour compsurf.  We have come a long way since then, and so have the folks who create viruses.  This is one of the most dynamic industries that I am aware of.  One really must be dedicated to be any good at this.

By dedicated, I mean just that.  Keep up with what is going on through periodicals, peers in the industry, and again I can’t stress this enough at least one good VAR.

On one of my data center re-builds a vendor was doing our cable plant.  They ran long into the night and someone made a mistake.  Instead of pulling the old data lines and stopping, they cut and pulled the phone lines as well.  On another cable job that I was aware of, about 3 in the morning a 32 pair conductor cable got stuck.  Instead of seeing why, the installer reared back and pulled for everything that he was worth.  He snapped an ionized water line and flooded the computer room in a huge hospital.  Water poured out of the elevator shaft like it was some sort of an elaborate fountain.  Thank goodness that was not my job.

Much like driving less than 500 miles a day on vacation is a good idea, so is limiting the number of hours worked by each person, as mistakes happen. Make sure you have adequate staff to do the job, especially when you are taking on a new project.  How do you do that?  Proper project management methodologies and relationships with VARs… That is another story…

Here is an example of what a sysadmin is as defined by this site.

http://www.supportingadvancement.com/employment/job_descriptions/advancement_services/system_administrator.htm

ESSENTIAL FUNCTIONS:

The System Administrator (SA) is responsible for effective provisioning, installation/configuration, operation, and maintenance of systems hardware and software and related infrastructure. This individual participates in technical research and development to enable continuing innovation within the infrastructure. This individual ensures that system hardware, operating systems, software systems, and related procedures adhere to organizational values, enabling staff, volunteers, and Partners.

This individual will assist project teams with technical issues in the Initiation and Planning phases of our standard Project Management Methodology. These activities include the definition of needs, benefits, and technical strategy; research & development within the project life-cycle; technical analysis and design; and support of operations staff in executing, testing and rolling-out the solutions. Participation on projects is focused on smoothing the transition of projects from development staff to production staff by performing operations activities within the project life-cycle.

This individual is accountable for the following systems: Linux and Windows systems that support GIS infrastructure; Linux, Windows and Application systems that support Asset Management; Responsibilities on these systems include SA engineering and provisioning, operations and support, maintenance and research and development to ensure continual innovation.

SA Engineering and Provisioning

  1. Engineering of SA-related solutions for various project and operational needs.
  2. Install new / rebuild existing servers and configure hardware, peripherals, services, settings, directories, storage, etc. in accordance with standards and project/operational requirements.
  3. Install and configure systems such as supports GIS infrastructure applications or Asset Management applications.
  4. Develop and maintain installation and configuration procedures.
  5. Contribute to and maintain system standards.
  6. Research and recommend innovative, and where possible automated approaches for system administration tasks. Identify approaches that leverage our resources and provide economies of scale.

Operations and Support

  1. Perform daily system monitoring, verifying the integrity and availability of all hardware, server resources, systems and key processes, reviewing system and application logs, and verifying completion of scheduled jobs such as backups.
  2. Perform regular security monitoring to identify any possible intrusions.
  3. Perform daily backup operations, ensuring all required file systems and system data are successfully backed up to the appropriate media, recovery tapes or disks are created, and media is recycled and sent off site as necessary.
  4. Perform regular file archival and purge as necessary.
  5. Create, change, and delete user accounts per request.
  6. Provide Tier III/other support per request from various constituencies. Investigate and troubleshoot issues.
  7. Repair and recover from hardware or software failures. Coordinate and communicate with impacted constituencies.

Maintenance

  1. Apply OS patches and upgrades on a regular basis, and upgrade administrative tools and utilities. Configure/add new services as necessary.
  2. Upgrade and configure system software that supports GIS infrastructure applications or Asset Management applications per project or operational needs.
  3. Maintain operational, configuration, or other procedures.
  4. Perform periodic performance reporting to support capacity planning.
  5. Perform ongoing performance tuning, hardware upgrades, and resource optimization as required. Configure CPU, memory, and disk partitions as required.
  6. Maintain data center environmental and monitoring equipment.

KNOWLEDGE/SKILLS:

  1. Bachelor (4-year) degree, with a technical major, such as engineering or computer science.
  2. Systems Administration/System Engineer certification in Unix and Microsoft.
  3. Four to six years system administration experience.

COMPLEXITY/PROBLEM SOLVING:

  1. Position deals with a variety of problems and sometimes has to decide which answer is best. The question/issues are typically clear and require determination of which answer (from a few choices) is the best.

DISCRETION/LATITUDE/DECISION-MAKING:

  1. Decisions normally have a noticeable effect department-wide and company-wide, and judgment errors can typically require one to two weeks to correct or reverse.

RESPONSIBILITY/OVERSIGHT –FINANCIAL & SUPERVISORY:

  1. Functions as a lead worker doing the work similar to those in the work unit; responsibility for training, instruction, setting the work pace, and possibly evaluating performance.
  2. No budget responsibility.

COMMUNICATIONS/INTERPERSONAL CONTACTS:

  1. Interpret and/or discuss information with others, which involves terminology or concepts not familiar to many people; regularly provide advice and recommend actions involving rather complex issues. May resolve problems within established practices.
  2. Provides occasional guidance, some of which is technical.

WORKING CONDITIONS/PHYSICAL EFFORT:

  1. Responsibilities sometimes require working evenings and weekends, sometimes with little advance notice.
  2. No regular travel required.

———————————————————————————————————

This is close, but I would add to this list… I see nothing in this description about documenting anything.  Maybe that is why it is not done in so many places?  Does your SA do this type of thing?

-Best

IT in a Nutshell


Most CEOs or presidents of companies have no idea that the sword of Damocles is right over their head.  They don’t know because they are blissfully ignorant of the workings of their IT department.   Truth be told, IT is a cost center and frowned upon in most companies as they “don’t produce.”  This is true in the mindset of the upper echelon. They put up with the CIO or his people and equivocate when it comes to allowing them money for projects, as they really don’t have a clue.  Their job is to run the company, not IT.

There are three basic tenets of IT.

  • Provide the infrastructure for people to be productive.
  • Provide the security to safeguard the company’s assets both in intellectual property as well as physical property.
  • Provide mechanisms for future growth and have a robust enough environment to handle ad-hoc projects.

In working with most companies the infrastructure grew behind the power curve out of necessity. This of course is the most expensive way to grow your infrastructure in that many things are done to “temporarily” get them through the “event”.  Emergency projects are hardly ever well thought out, and hidden surprises are always lurking.  Remember that old axiom; there are never any good surprises in business.

One of the things that I talk about a lot is hardware management.  Each and every piece of hardware in your company has a life cycle.  Not unlike your car or home computer or cell phone.  Planning for the life cycle for equipment allows the company to budget for replacement of same and keeps the down time to a minimum as well as keeps the employees productive.

Down time is expensive both in hard and soft dollars.  If you have 300 people who can’t work because the server is down, you are losing money.  If Sally can’t assist the outside sales people because her PC is moving at the speed of drying paint, they both are losing time which is “MONEY!”

S.A.M. or software asset management is also something that the IT department seems to ignore and this is really something that should grab at least the attention of the CFO.  Does each and every person need a full copy of Office, or do they simply need Word or Outlook?  I was in one account where each and every machine had a full version of Office on it.  40% of these were used as a terminal: that was it!  Five hundred dollars times 120 machines is $60K wasted!  Can you tell me one company that could not use an extra $60K?

Now, add to this scenario that this guy was installing this software on machines that were already past their life cycle.  I don’t profess to be an attorney or a legal scholar on EULAs, but it is conceivable that when that machine dies, that license will die with it.  There may be hoops that you can jump through to get Microsoft to allow a transfer of the license, but what are the odds that this guy will do it?  It is not his money after all.

There was one company who had 300 locations with 2.5 machines per location.  These were servers so each had a copy of Microsoft “flavor of the day” server on it.

The application that was on there was a home grown point of sale.  It was compiled to run on the Microsoft platform.

When I asked why they had not considered LINUX as an alternative, I was laughed at.  Here are the scissors that will cut the thread.

Their support desk was equipped with PcAnywhere, and each and every call for help meant that a remote session would be placed to assist the person with their machine.  When push came to shove, the machine was sent to the Depot and another was sent out as a replacement.  As the hardware evolved, some locations had newer equipment.  The variables were mind numbing.

Had they used LINUX a simple telnet session would have allowed the help desk to terminate a daemon and restart it all behind the scene.  Licenses for server software, remote connection software, anti virus software would have been avoided.  The other thing about LINUX is that it is more forgiving of hardware platforms in that they could have used their equipment until it died vs. replacing it when the software dictated it.  This particular CIO had no technical background other than he knew some programming.  He did not embrace technology at all and did not have a computer at his home until his kids wore him down.  Any CIO that does not embrace technology ought not be a CIO.  Oh yes, LINUX is free and the kernel can be hardened so it can be very secure.

How is it that these two people were in the place that they were in?  They were likable! The failure here clearly sits on the CEO or the person they report to.  If I am hiring someone for a position, I don’t care if I like them or not.  They must be able to perform the job that they are being hired for and, if I like them, it is a plus, not mandatory!

Ethical hacking is becoming more and more in vogue. The bad guys are out there doing their thing and we simply buy anti virus software and hope for the best.  Some of us don’t even do that; we use something that is free, or nothing at all.  Free is not worth what you pay for it when it comes to anti virus software!  Do your homework and see who is touting what and why.

As another add on to the cost center and depending upon your desire to be safe, I would consider hiring a security person who has been around the block a few times.  This is not some kid fresh out of college who is academically savvy, but someone who has the scars on their back to prove that they have been there.

In a nutshell, any connection to the outside world is a portal for the bad guy to get in.  Even if you have a secure firewall you have people on the inside who may be working for the competition.  There are many products that allow a PC to be remote controlled from outside the building.  Some are actually viruses and others are installed by an unwitting employee or worse, a spy.  Software audits are a necessity; not something you do if you have time.  Speaking of which; the anti piracy folks are at it again offering huge rewards if you report someone using business software without a license. Another reason for SAM.

While you may think that I am paranoid (a little paranoia is a good thing btw) I assure you that industrial espionage is real and there are those that do it for a living.  Your security person would be actively monitoring the traffic coming in and leaving the building, looking for anything on ports that are typically used for such things.  Activity during off hours should be a red flag.  There is something called SYSLOG which is basically a service that talks with a server and creates logs of events.  Along with server logs this log should be monitored for unusual activity.
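The off-hours check described above, as an added example that is not part of the original post: a short Python script that reads syslog-style firewall lines and flags connections made outside business hours or to the default ports of remote-control tools. The log lines are constructed, and the message format, the 07:00 to 19:00 weekday window and the port watch list are assumptions to adjust per site.

```python
import re
from datetime import datetime

# Assumed business window (local time): Mon-Fri, 07:00 up to but not including 19:00.
BUSINESS_START, BUSINESS_END = 7, 19

# Default ports of common remote-control tools (assumed watch list).
REMOTE_CONTROL_PORTS = {3389: "RDP", 5631: "pcAnywhere", 5632: "pcAnywhere", 5900: "VNC"}

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Constructed sample in the classic BSD-syslog layout. The SRC=/DST=/DPT= message
# body is an assumed key=value firewall format, not a specific product's output.
SAMPLE_LOG = """\
Mar  4 10:12:01 fw01 kernel: ACCEPT SRC=10.0.4.17 DST=203.0.113.9 PROTO=TCP DPT=443
Mar  4 14:30:45 fw01 kernel: ACCEPT SRC=10.0.4.22 DST=198.51.100.7 PROTO=TCP DPT=5631
Mar  5 02:47:13 fw01 kernel: ACCEPT SRC=10.0.4.17 DST=203.0.113.9 PROTO=TCP DPT=443
Mar  5 09:00:00 fw01 sshd[311]: session opened for user backup
Mar  9 13:05:00 fw01 kernel: ACCEPT SRC=10.0.4.31 DST=198.51.100.7 PROTO=TCP DPT=5900
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+.*?SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+.*?DPT=(?P<dpt>\d+)"
)


def is_off_hours(ts):
    """True on weekends or outside the assumed business window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def review(log_text, year):
    """Return (timestamp, src, dst, port, reasons) for every flagged connection.

    BSD-syslog timestamps carry no year, so the caller supplies it.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["mon"] not in MONTHS:
            continue  # not a firewall connection record; skip it
        hour, minute, second = map(int, m["time"].split(":"))
        try:
            ts = datetime(year, MONTHS[m["mon"]], int(m["day"]), hour, minute, second)
        except ValueError:
            continue  # impossible date or time; treat the line as malformed
        port = int(m["dpt"])
        reasons = []
        if is_off_hours(ts):
            reasons.append("off-hours")
        if port in REMOTE_CONTROL_PORTS:
            reasons.append(f"remote-control port ({REMOTE_CONTROL_PORTS[port]})")
        if reasons:
            findings.append((ts, m["src"], m["dst"], port, reasons))
    return findings


if __name__ == "__main__":
    for ts, src, dst, port, reasons in review(SAMPLE_LOG, year=2024):
        print(f"{ts:%a %Y-%m-%d %H:%M}  {src} -> {dst}:{port}  {', '.join(reasons)}")
```

A flagged line is a prompt for a person to look, not a verdict: scheduled backups and approved remote support will show up here too and belong on an allow list.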

One way a person might gain access to your stuff is to drop a thumb drive or DVD in the parking lot.  Label the DVD X pics or have bunny rabbit ears on the thumb drive.  I would be surprised if someone did not pick it up and stick it into their machine to see what was on it.  Of course it would contain a program that would install a remote control host and the person would never know as he would be too busy looking for pictures.

Physical security is also a must. Keycards with picture IDs on them would be ideal.  Cheap and effective.  With this you can track employees’ movements through the day / night.  Along with security cameras, if things turned up missing, one could read the keycard report and know who it was and where they were, and then look at the footage with that timestamp to see if they were carrying anything.

Biometrics are coming into fashion as well.  While I would want to stay with tried and true, I would definitely be monitoring this to see when and if it made sense to move that way.

This scratches the surface and as you can see, security is physical, it is Cyber and it is employee education along with policies.  Any configuration of a user’s machine should be done by IT.  Users should not have any more rights than they need to function.  That protects your data, denies viruses administrative rights (they usually assume the rights of the user) and protects the machine from being altered, which makes more work for the IT department when it breaks or, more often than not, is broken.

A little forethought and planning on the IT department can help them to run lean on employees as well as protect the company’s assets.

That statement is an excellent ingress into the last thing that needs addressing.

More times than I can write about I find that data centers are a cobbled together disaster waiting for some event to push them over the edge.  There is a web site dedicated to such things and if I had had a mind to, I could have created such a site like that with just what I have seen.

Along with hardware management and software management, a strong dialogue needs to exist between the CEO and the CIO.  Business needs, and possible needs, have to be accounted for and anticipated.  Looking back at the past one could extrapolate what may be needed into the future and at least make plans for growth.  A robust well thought out network that is well managed and maintained is a crucial starting point.

I could write an entire book on what that means but, what it does not mean are knee jerk throw it together solutions “because we needed it yesterday!”  Any change might affect some other part of the business and or company or have unintended side effects.  If they don’t have one I stress the importance of change management.  This is crucial to the success of just about any company with technology.

Proper consideration should be given to each and every device and or software that is to be installed.

Parting thoughts:

There is no room for emotions in Information systems. Emotions cloud judgment and, judgment is crucial for success.

You do not hire or fire someone because you find them likable or distasteful. Either they are well qualified and have a well defined track record or they don’t.  The rest does not matter unless they are insubordinate or are deemed unfit. They are not your friend and don’t think that they are.

Never hire anyone that you cannot fire.  Family and friends, even if the company is ok with it, are a liability as employees. At best they will be a burden upon yourself, and at worst you will lose them as friends and they might compromise your job.

Surround yourself with people that are smarter than you; you will be well served.

Keep your ego in check as it will defeat you.  Humility will allow you to “hear” from those that probably know what you are seeking.

When you get in too deep, call for help; admitting trouble is always preferable to suffering defeat because of pride.

There is never any case for listening to or passing on rumors.  Small people talk about people, others talk about ideas and things.

Your employees’ and vendors’ job is to make you look good; your job is to make them look good.

-Best to you and those that you care about!

Disasters Big and Small


As a Disaster Recovery Specialist, I walk into many companies that are one step away from disaster.  Some of them have been living on a wing and a prayer for a long time and are absolutely oblivious to the precipice on which they are perched.

One of the largest challenges one faces in this line of work is people.  By that I mean more specifically egos.  People are threatened by someone that “knows more than they do.”


Let me tell you a secret.  This is a Jack Palance type secret, (from City Slickers) “This is the one thing” that will save your keister as well as change your attitude.

I worked for a man who owned this business that was very successful.  I was a young guy fresh out of school and this guy saw something in me that I remember to this day. As time passed he took me under his wing and helped me knock some of the rough edges off of my “perception” of the world as it was.  He took me out one day to JCPenney and had some sales clerk measure me for a suit and then he picked out a couple of them.  We went to the shirts and he purchased a few of them, right down to the shoes.  While these were not super expensive, they were not cheap and his generosity never escaped me. The only thing that he did not replace were my shorts!  Some might have taken offence to this but I am no creature of fad or style and while I would not qualify for a candidate on “what not to wear,” I did know that style was not my strong suit.  “Knowing your limitations” is good advice, but not the secret.

Later he had me take over the service manager position in one of his branches which came with a company car and credit card.  This was before the tax laws changed.  He told me to use the car as I wished and if I took it on vacation to at least “pay for some of the gas myself.”  He took me over to the office which was a good drive from the Dallas office.  He regaled me with stories of advertisement and marketing.  He told me the story of the sign with the waterfall on it by downtown Dallas.  Back then it was a Pearl Beer sign.   This man was pretty close to deaf.  He was from Georgia and his accent was still very thick.  It turns out that he was a tank commander in WWII.  He told me that the secret to survival is to “surround yourself with smart people.”  That not only applies to war, but business and oh yes, life in general.  If you want to be successful, surround yourself with people smarter than yourself and learn to humble yourself.  It is only by humbling yourself that you will realize the advantage of being around these people.  I have never forgotten this and to this day I still practice this.

I offer this advice to all IT people in that “you are not the end all be all.”  You cannot know it all even though you think that you do.  We become focused on what interests us and then the rest of technology passes us by.  Learn to control your ego for it is your enemy.  No doubt you have heard the phrase “you are your own worst enemy.” Think of the truth of this statement and then marry it, own it and then change it.  When someone starts talking to you about something which you think you know about and you feel that “anxiousness” start to well up inside, recognize this for what it is: your undoing.  Squelch the feeling, take a deep breath and listen to what this person has to say.  It may be worthy of hearing or it may be total crap. Before long this will be habit and you will have trained your ego to stand down.

One of the first steps in the DR process is an AUDIT.  In order to prepare for a disaster one has to know what one has.  This is done by an audit of the technology, how it is configured and of course managed. We look at policies and procedures and just really get into your business in a big way.  The more you work with us the more you will get out of it.  Conversely the more truculent or evasive that your staff is, the more it will cost.  This is a “by the hour” service and time is money.

Audits are never fun but necessary, in that no one is perfect.  Audits uncover the “dirt” so to speak and no one wants to acknowledge that they have dirt.  Nobody wants to look bad so they are either un-helpful or become very defensive and blame the guy before them and so forth.  No one in their right mind would welcome an IRS audit because of this.  You know that you are playing by the rules but the rules are thousands of pages long.  What if?  Individuals should budget for an accountant for this reason.  Companies should have more than one accountant “even if it is a small company” in that they can check one another. (another story for another blog)

While IT audits won’t land you in front of a judge, they could have an effect on the bottom line in that deficiencies could be uncovered which could end up as un-budgeted expenditures.  Having an up to date DR and BC plan will not only prevent this but will keep your IT department on their toes and up to date.  A fresh set of eyes looking at how things are done, contrasted against your business processes and needs, often bears fruit in that there may be a better way to do things. Personally I subscribe to “best practice” methodologies and policies.

Some companies don’t take IT seriously and look at it only as a necessary evil.  An attitude which must be changed as IT is much more than a necessary Evil.  IT is a resource which ties the entire company together.  This department is the glue that binds most departments together as well as the interface between the customer and the company.  In looking at the want ads occasionally one might notice ads for IT people with the following “PC Wizard” needed.  Really?  Does this person come from over the rainbow?  The simple facts are that some HR people are totally bereft of any ability to interview for this position and the company as a whole does not take the department very seriously.  I would liken this to the “audio visual club” at school.  Know this all you who mock them, the nerds will inherit the earth. I digress..

If you really look at the way that your technical infrastructure touches every person in your company and your customers; your attitude on this matter might change.

During the process of a disaster recovery plan, this becomes very clear in that one of the pieces of this plan is a Business Impact analysis.  It is during this process that the lights turn on in the CEO’s, or CFO’s head.  I have heard the question posed to the CIO or CFO on many occasions “why hasn’t anyone told me this?” The simple facts are that the CEO’s job is to run the company, not the IT department.  He or she depends upon the CIO to look out for the company on all things IT and a DR plan is simply one small part of it.

Simple programs like asset management and S.A.M. “software asset management” are not only not in play, but not even thought of.  How can one budget for new stuff if one has no clue what one will need down the road?  A complete Asset management program should be SOP in any company.  This program accounts for hardware from the cradle to grave.

The same is true regarding software.  Oftentimes, companies pay way too much for software as it is installed by policy on computers with users who will never use it.  Users may bring in their own software and install it, leaving a liability for the company to contend with should there be a software audit and it is done by the SBA.

While there are no good surprises in business there are certainly no good surprises after an event has been suffered by a company.  A fire in the data center could take the entire company out of the marketplace for good.

[Image: fire caused by poor cable management practices.]

Human error accounts for a large percentage of the events which caused companies to fail.  Doing a root cause analysis on failed companies who suffered a disaster you find that they did not value such a thing as “it will never happen to me.”  You don’t have to suffer a Sandy or Katrina type event to bring your business to its knees.  A simple mistake from some employee, working for a company without a business continuity or disaster recovery plan can ruin your day, if not your career.

It is at this time many companies wish that they had spent the money on such a plan.  Too Late… If you fail to plan you plan to fail.

You can purchase insurance which will assist with the closing of the company but, that is not the way to go out of business, with a whimper, because you failed to plan.

Updated documentation of your infrastructure otherwise known as a “living document,” should also be SOP.  IT folk absolutely do not like documentation, more specifically creating it.  There are many schools of thought on this reason, but I suspect that laziness along with a “need” to have proprietary information so they are not expendable weighs somewhere in their decision.  If the latter is your reason for not doing what is right for the company you need to re-examine your life. 

If you are taking the paycheck you owe your employer the best that you can offer.  If you managers feel like you have people in your department who are not expendable you need to address this post haste!  One rule of preventing a disaster is avoiding single points of failure; and that means people as well.

Part of disaster recovery is averting disasters to begin with!  Through solid best practices in policies and procedures, a large percentage of disasters can be negated.

One last topic on the subject that comes up from time to time.  “Do I have a legal obligation to have a DR/BC plan?”

The answer is not as clear cut as one would like.  The interesting thing however from a legal perspective is that there is legal precedent whereby companies were held liable for failing to provide a more error tolerant system.  They in fact were found to be negligent and case law purports to award large sums of cash to the plaintiff.  These cases not only hold the owners of the company negligent but any and all officers of the company are liable.  Think carefully about that promotion and VP title.

While companies are apathetic towards spending the money on such a plan, doing so is not only moral, it is strategic and most likely a legal obligation.  As billions of dollars are spent annually on technology to maintain a competitive edge, “standards of care” and due diligence are required of all corporations both public and private.  Not having such a plan violates the fiduciary standard of care.

-Best to you!

staylor@guard-protect.com

www.guard-protect.com

 

Big Red Button or Time to Panic!


Nothing says “push me” like a big red button.  One of the office supply stores even created a big red button that says “EASY” on it, to advertise how they can simplify your work life.

One of the data centers that I was responsible for had such a button.  It was covered with a little plastic rectangular box that said “emergency shut off” on it.

I have been in many data centers during my career.  There were several that had a big red button by the door with its sole purpose to release the magnetic latch on the door, to open it.

Like any other location, security in a data center is paramount.  Not only are network security firewalls and such important but physical security as well.  Only those who needed access to the data center, could access it with their security card.  Not even the CEO had access as he did not need it.  Their entrance was logged and in fact throughout the building one could forensically track any employee’s movements as this card was necessary to gain access to just about anywhere.  With the technology available today, I could design such a better system, but that is beyond the scope of this document.

One day, a vendor was visiting with a proposed solution to a problem.  Like any other vendor, if access to the data center is required, they are escorted at all times by one of, if not more of my staff or me.  The data center was in the middle of a retrofit and redesign while keeping the company running in parallel.  (This is much like changing the tires on a race car while it is moving down the track.)  On their way out of the data center, just as quickly as anything, the sales guy in front reaches up to the left of the door, pops the cover open and pushes the big red button!  By the time that the sound of “NO” had left my lips, there was an eerie quiet in the room.

The chain of events that this action triggered was phenomenal.  Lights went off, the air handling unit went off, the Battery back-ups clicked on and for the moment, it looked as though the carefully engineered back-up power supplies were working.  I should mention that the look on this guy’s face was priceless, and I am just about certain that he had to change his shorts afterwards.  It dawned on me that no one had tested this button, and nobody knew where all of the circuit breakers were; well almost no one.  As I was the one that specified the power requirements for this data center and oversaw the installation of the new transformer, I knew where the main breaker was.  Within moments I had most of the power back on; however, there was one legacy system that was still not on main power.

In another closet in another part of the building were still more circuits for this room.  I did not have a key to this and getting building maintenance involved was time consuming as they typically think like union employees; (don’t care if the place is on fire, when it is time for a break, they take it.)  Before the UPS was totally drained for that system I had gained access to that closet and found one tripped breaker.

I had inherited a mess of a data center that was put together on a shoestring budget.  Not because the company could not afford to do it right, their boss was cheap beyond reason.  They had cut corners at every place they could, including splicing old type 3 wires to cat 5 wires and running 16mg token ring over it.  They could not understand why 5250 and 3270 traffic would constantly be garbled and why connections to the server would be dropped frequently.  When I say spliced, I literally mean wires twisted together and a wad of electrical tape stuffed in the wall and or ceiling.  (Another story)

It did not take me long to get that circuit changed over and documented with everything else.  I also got to check off the list “test emergency shut down.”

Moral of the story; if you have a big red button, find a time to test it.  Secondly make certain that the button is labeled in big white letters on a red sign etc EMERGENCY SHUT OFF!

I am a stickler for documentation, which IT personnel are loath to do.  A living document should exist within each and every company that explains the ins and outs of everything, so if need be, someone else can take over.  It is part of the audit process for a disaster recovery plan and is one of the deliverables.

-Best to you and all those that you care about!