Security is a State of Mind much more than Product Selection

Information security is a systematic approach to protecting the assets of an entity - business or private.

I am deluged daily with offers of some new whiz-bang security product or service.  They offer to be "the complete and secure" tool for implementing information security.  If this is your approach to security, you need help.

First, security requires a thoughtful and well conceived approach which doesn't interfere with the performance of the business or person but does include the procedures, policies and tools needed in a complete system.  Don't misunderstand me, there are some great tools available but they need to be selected, implemented and monitored properly to offer the protection needed.

We need to understand that security is like many other aspects of IT - there are definite benefit to cost  features we need to evaluate.  Having secure data may or may not be important to you.  If it is important you will want effective and usable processes with reasonable costs based on the potential cost of lost or misplaced data.

First, determine what kinds of information need to be protected from discolure.  Consider scenarios such as these:

• What's the potential costs of a key executive's laptop computer being stolen?
• What happens if a Sales Manager quits and has the current customer lists on his or her laptop?
• What kind of information about upcoming products or marketing plans would be valuable to a competitor?

( More in progress ).

How to assess your security requirements

Here's some simple steps to help you determine what needs to be secured and how to go about it.


The most important step in security is determining what needs to be secured and its exposure if not secured.  There are several categories of information that you should consider.


High Value / High Risk

Information that WILL cause harm to your business if it is made available outside the people in your company that need to see and use it.  This could be trade secret information or information that could be used against you in legal processes.


Customer records and information are also typically in this category.  Information in this category must not be made public. 


Business operation information.

Accounting data and ERP data fit into this category.  It is used by persons in the performance of specific jobs and needs to be available for the business to operate.  


Disclosure would not be damaging but loss would cause loss of business process and revenue.




Publicly Available Information.

This information is already available in the public domain but is housed on your systems to aid productivity of your people and processes.  Disclosure has very little risk and the information is easily recovered from various sources.  The primary cost of losing this information is the time required to find it in other areas.






Now consider the cost of losing information in these categories.

What is the exposure if a laptop containing legal documents or new product plans is turned over to a rival company or other hostile entity?  What could it cost? 






Who needs this information?


For each category of information determine which groups or individuals need access to it.  Who should be able to change it?  AND WHO SHOULD BE ABLE TO MAKE COPIES?

What is the "Cloud" ?

The term "Cloud" is just another way of saying "The Internet".  If data is stored "somewhere" else and the physical location is not know to you or a concern, you could say that it is in the Cloud.  When someone says "it's in the cloud" it just means it's at a location reached by the internet and probably viewed as a web site.

The Cloud icon was used years ago to represent large networks.  Specifically, it was used to represent SNA ( System Network Architecture ).  The Cloud represented vast network connectivity and resources through which systems and users connected.

Today, we often use the Cloud to represent the Internet - not just the World Wide Web function and sites but the actual network.   As more and more function became available in the internet, lines became blurred as to where and who was doing work and storing data for us.  Sites started offering function either free or fee based through web sites and that business has been expanding very quickly since.

The simplest form of a "Cloud" application is something like DropBox or OneDrive.  Typically these apps or sites use a small application on the users local system which works with an application running on a remote system operated by the "Cloud" provider.  Some of these applications are initially free but encourage the user to purchase additional function or space.

Next up the chain for "Cloud" applications are fee based software products which actually run  in the "Cloud".  An example of this type application would be the Cloud version of Quickbooks.  Instead of running the software on a local machine or network server, it actually runs on a system owned by the vendor.  Typically, all functions of backup, etc. are done remotely as well.  The applications generally are subscription based.  Applications such as this offer reduced initial expense as their primary advantage.

At the top of the food chain for "Cloud" applications would be the use of virtual servers hosted by a large provider.  Examples of these are The IBM Cloud, Microsoft Azure, Rackspace and others.  In this scenario the customer pays a monthly or annual fee for servers which connect to their users over the internet.  Many organizations are replacing the traditional desktop computer with thin client devices connected by  Remote Desktop Processing to a virtual desktop running on one of the hosted remote servers.

In these cases, the level of backup, co-located backup processors, network bandwidth and support are individually defined based on the customers need and costs.

In the old world ( that I grew up in ) these services would be called a Data Center or Time Sharing Center.

So, we can see some of the advantages of using "Cloud" resources but there may also be some disadvantages.

Some customers are concerned about security at these "Cloud" sites.  Questions include:

• How secure are the physical resources?
• Where is the backup maintained?
• Are the networks internal to the site secure?  
• How Secure?

Recently, we've been hearing frequently about "Hacked" sites and the data loss that occurs.  

A standard in large enterprises and becoming standard in "Cloud" subscriptions is a thing call a Service Level Agreement.  A SLA defines expected and sometimes guaranteed performance levels - response times, availability, etc.  They also can, and should, define Security standards.  A SLA is something that should be carefully reviewed with a trusted advisor who is knowledgeable and experienced in environment you are looking into.

So the bottom line is that the "Cloud" can offer some exceptional improvements in terms of initial expense, ease of propagation of software and data, ability to connect from anywhere and reduced staff but they can also introduce exposures that you need to very carefully understand and plan for.

Basics of the CIO function

OK,  the primary job of the CIO is to serve the functions and users of the business.  They are the customers and they and their jobs are the important factors - not IT.

• IT is an expense.  It, in most cases, does not produce revenue.  However, IT can and should provide tools and innovative processes to assist the people who do produce revenue.
• IT exists to support the functions of the business and NEVER inhibit performance.
• The good CIO will provide guidance to the business on ways to help the functions of the business increase sales, control expenses and provide better customer service using technology WHERE appropriate.

So the first function of the CIO is controlling costs.

CIO - The Primary functions

Like a physician, the first priority of a CIO should be to do no harm.   I have seen some "Rent-a-CIO" folks come in and immediately begin changing everything - without having a clue what needs to be done or what the business needs.

So rule #1: Learn what the business is and what it needs.  The needs of the business, also, fall into two major categories.  First, what essential services need to be always available ( eMail for example ) and second, what does the business need. 

Whatever is running, keep it running.  Learn the people, the applications and the processes that help the people conduct business.  If the essentials need immediate attention ( and most do ), take immediate steps by asking the people there in IT and users what needs to be done and get it done.  In many cases, at this point, it does make sense to bring in a trusted advisor to help with critical processes.

I have also seen companies where the CIO reports to the Accounting Officer and follows explicit directions from accounting without having any idea what the people using the system or systems actually do or need.  So the second rule is learn the business process and involve users in EVERY step of the process of determining what needs to be done and how to implement it.  Remember, they can't gripe about the plan if it is their plan!

The biggest improvement any new CIO can implement IMMEDIATELY is communication.  Don't confuse time wasting meetings or volumes of reports as communication.  That stuff is important to some folks but probably not to the users of the systems or the executives of your company. 

Plan regularly scheduled, brief, breakfasts or lunch meetings to quickly bring everyone up to a summary level on key events and near term plans that affect the user groups.  Also use this time to briefly ( and in English - meaning ZERO acronyms ) describe trends in technology that they might want to consider.  The key of these meetings, though, is for the CIO to listen to what the user groups are saying. 

Ok,  we've got the current stuff running and everyone is getting email and accounts are being posted, etc.  Now what is needed?

1.  What is the business process - forget IT - just what does the business do?  What do the sales people do and what do they use to do it?  This part must include going out and working with the users and department heads.  Listen to the executives.  What is their business plan?  What are the company's goals? 

What can IT do to help these processes?  The answers to this must come from the operations and executive offices.  I once saw a "Rent-a-CIO" blindly agree to implement a new ERP without consulting the user groups at all.  The result of this was a disaster.  Not only did the users not want or use it, they couldn't do their job and reverted to order to paper to old system to new system. 

Only by completely understanding all the processes in sales, ordering and accounting plus the product acquisition processes can any intelligent recommendation be made.  I'm not talking about exhaustive studies here.  Involve the users - let them tell you what they want. 

While we're on this topic, let's talk about structure.  Many companies setup applications as separate from IT.  Tons of paper, memos, requests and meetings go on to perform changes and additions to application systems.  I think that it makes more sense to have applications and systems reporting to the same path.  It simplifies everything as long as the CIO and everyone below realize that they are in business ONLY to support the business - that they have the same customer!

2. IT is an expense. ( period ).  So one thing the CIO can do to help the bottom line is control expense.  Depending on the company and size, routine support of existing systems is roughly 40 - 50% of the entire IT budget.  Find ways to reduce this!

I have recently worked with a medium size business to apply patches to around 300 servers.  So far this has taken 8 months and we're not finished yet.  There are typically 10 to 15 people involved for each step and they attend meetings, exchange requests and spend nights and weekends applying and testing the patches.  Find an automated process for doing this.  Reduce the number of servers by replacing ( as needed ) with more robust systems.

3.  Plan the future.  What is coming?  Who knows?  A couple of things that are clearly going to be changing are:

• Work environment:  We will need to prepare for many more work at home people who are not employees.  Many companies are going to be using contract employees for a number of reasons and these people will be connecting with your systems.  While you must make this a painless and idiot proof process, it must be secure ( SOX, etc.).  We're already using good quality VPNs with secure connections but we'll need to go further.  The home user's laptop or desktop must also be secure. 
• IT is moving rapidly back to the "Mainframe".  IBM and others are offering extremely powerful machines capable of handling many users concurrently for web based apps, remote data bases and remote execution of ERP applications.  These systems have huge advantages in terms of cost savings from support.  They offer the opportunity of reducing the number of servers which reduces the amount of dollars for support.  The new systems such as IBM Pure Systems do much more to manage themselves and apply patches and heal them selves in addition to being much easier to distribute and implement applications.
• PCs themselves are dying!  In a few short years, EVERYTHING will be running on "CLOUD" systems.  For the non IT folk, cloud just means connected via the Internet.  It's similar to the old "Service Bureau" environment where you pay based on usage.  This has enormous savings potential in terms of support.  In the near future your users will be on a pad of some type or a "thin client" ( meaning a pad with a keyboard and mouse ). 

What is a CIO ?

I hear the title "CIO" often these days, but what does it mean? Chief Information Officer is a position that is essential in any business - large or small. Whether or not it is an official position in the business or is part of the job of the owner of a small business it is very important. Too often today's CIO is a glorified IT manager more focused on technology than on the business. A CIO SHOULD be focused on how to assist and support the business through the use of existing and future technology. The users of technology in his or her business should be viewed as customers and their satisfaction should be the number one goal of a good CIO. Many companies have a CIO but that position reports to either the CFO or HR Director. I disagree strongly with this structure. The CIO ( remember it's an officer ) should report to the CEO or COO. ( More to come ).

Wait for recovery or recover now!

When this current downturn began, one of the first indications was the reduction of sales or marketing people and positions. This, unfortunately, is nearly always the group to feel reductions. This is followed by reductions in producing areas such as manufacturing and lastly by reductions in corporate accounting and management staff.

Now, many companies are asking their marketing and sales departments to do more with fewer feet on the pavement and we're all waiting for the "turn-around" to begin. But how will we know?

The most important customer is the customer we have, yet we're spending less time and energy on them as well.

When the "turn-around" does begin, the landscape WILL NOT look as it did when the downturn began. Competitors who were there will be gone and there will be new competitors who were not in business two years ago and we will ALL be after the same business.

There will be improvements in product areas as well. Take Cisco during the Y2K fiasco. Instead of hunkering down and trying to ride out the storm, they aggresively revamped their product line both by development and by acquiring existing companies. The result being that when business began improving, they had a new, competitive product line and new distribution channels while their competition was trying to sell older products in older channels.

I believe that if we wait for improvement, it will be too late. The time to improve, re-tool and rethink our business is NOW. What products to you have that need improvement? What processes are you doing that you know need improvement? When business begins to improve, we'll be scrambling to catch up and to get our share of the new landscape. We won't have the time, then, to change much of anything.

Now is the time to analyze the business and climate we think we'll see in a year or two. To strategize on where we want to be and how to get there. And it is definitely time to review our current systems and improve where improvement needs to be made.

I spent 5 dedicated years at IBM doing exactly this planning process with many customers - large ( GM/EDS, Norwest Banks, etc. ) and small. I'll be glad to share this methodology with you and help you spend a day or two now which might be able to change your business for years.

Another thing we need to do now is SAVE THE CUSTOMER we already have. Do you have a plan for covering existing customers while aggresively pursuing new ones? Does it work? How do you know? How are you managing your sales force of fewer people to do more? Here's an answer: CRM!!

CRM stands for Customer Relationship Management. Generally speaking it's a way of combining knowledge of existing customers, lists of potential new customers with developed communication strategies to get more and more effective coverage done with fewer dollars and fewer people.

For example, CRM allows a structured process of combining mailings, emails, telephone calls, planned events and face time in a step by step process which becomes automated in terms of execution. It provides feedback to management in realtime about which customers have been contacted with what message, their response or lack thereof and gives management graphical and statistical views of what is happeng NOW in each territory.

It also provides ticklers and reminders to the sales people about which calls need to be made, when and a place to record the result.

Most CRMs also allow direct input from existing ERP / accounting systems so that past sales, actions, etc. become information to be used in triggering events. For example, you could have a trigger setup so that a customer who has purchased less than 90% year over year might get one action while a customer who has dropped 40% gets another type of action or alert.

You'd also be able to get your message ( typically a brochure or similar device ) sent to prospective customers so that they are aware of your offerings and are kept up to date on what you offer and your business so that when you do call on them, they already know something about your business and products.

Now the good news. In the past CRM systems as I've described would be very expensive, difficult to setup and require new hardware and staff. Now, there are offerings though companies like Microsoft which provide you access to these systems ( via the internet ) and costing a small amoung ( typically $49.00 per month per USER ). Users are people entering the data and would typically include sales persons and a manager or two. The beauty being that it's running on Microsofts hardware and maintaned by them.

A very effective way to implement CRM is to have strategic sales planning sessions which identify the processes you want followed, then implement and tune with a small number of sales people and finally going with all!

This is something that needs to be part of every company dealing with sales to new customers.