Category Archives: Opinion

Thankfulness is a choice

Thankfulness is a choice, and it is about perspective.

If you are not thankful, then perhaps you are not seeing the complete picture of your life.

Are you bitter about a job with pressure, deadlines, and quotas, or are you thankful that you have a job?  Are you bitter about family relationships, or are you thankful that you have a family? Are you bitter about your living situation, or are you thankful that you have a roof over your head? Are you bitter about your health, or are you thankful that you are alive another day?

Thankfulness, like gratitude, is a choice. Thankfulness should come through any circumstance, not just when things go your way.

Do you notice that one or more of your co-workers always seem to have a good attitude? I doubt it is because their life is perfect and everything for them is going great. Instead, I propose that they have simply decided to be thankful, regardless of their circumstances.

An old saying comes to mind as I write this: “I cried when I had no shoes, until I met a man who had no feet.”

Clean out your contact lists

I recently watched Rob Braxman on the security of encrypted messaging apps like Signal and WhatsApp. In his video, Rob pointed out that many apps access our contact lists and build webs of associations. Even though the cryptography protecting message contents is generally effective, it may be possible for law enforcement and intelligence agencies to know the identity of a person’s connections.

Let’s dig deeper.

If a law enforcement agency considers you a person of interest, they may discover that you use encrypted messaging apps like Signal. While law enforcement will not be able to easily view the contents of your conversations, they will be able to see with whom you are conversing.

Image courtesy Aussie Broadband

Also, the appearance of using an encrypted messaging app could suggest that you have something to hide.

Let’s look at this from a different perspective. Consider an active law enforcement investigation focusing on a particular person. If you are in the person’s contact list, and if that person is known to be communicating with you on an encrypted service, then you may become another person of interest in the investigation.

I watched Rob’s video twice, and then I recalled something I see in Signal often: when someone in my contact list installs Signal, I get a notification from Signal that the contact is using the app. I recently noticed that I frequently do not recognize the contact’s name, and I dismiss the notification. I’ve had this occur dozens of times this year.

Then it hit me: I have been collecting contacts for decades, and they’re stored in multiple services (primarily, Yahoo and Google). In previous jobs, I’ve had associations with numerous clients, partners, vendors, co-workers, and other associates, resulting in an accumulation of thousands of contacts, most of whom I barely know.

Last week, I found it difficult to rationalize keeping all of these contacts and purged them. In Google alone, I had well over one-thousand contacts. After spending time last weekend deleting extraneous contacts, I’m down to about three hundred, and I might go back through them and remove many more.

Encrypted apps and your association with contacts are not the only risks related to maintaining a long contact list. Another issue is this: if someone breaks into any of my services where I keep many contacts, I don’t want people getting Joe Job and other attacks made possible through contact harvesting.

Until recently, I didn’t consider my accumulated contacts a liability, but I do now.

In my day job, one of my responsibilities includes leading numerous programs, including data governance, which includes data classification and data retention. And, having been a QSA for many years, the concept of data-as-asset and data-as-liability are clear to me. For instance, retaining credit card data after a transaction has been completed may provide value to an organization. Still, it also presents itself as a liability: if that stored card data is compromised, the consequences may significantly outweigh its benefit.  Somehow, I didn’t apply this concept to personal contact data. Thanks again to Rob Braxman for nudging me to realize that contact data can be just as toxic as other forms of sensitive information.

Postscript: think about this in another way: would you want others you worked with in the past to remove you from their contact lists?

Backups – the apparently forgotten craft

At the dawn of my career, I worked in two different old-school computer mainframe operations organizations. We spent a considerable amount of time (I’m estimating 20%) doing backups. Sure, computers were a lot slower then, and we had a lot less data.

We did backups for a reason: things happen. All kinds of things, like hardware failures, software bugs, accidents, mistakes, small and large disasters, and more. I can recall numerous times when we had to recover individual files, complete databases, and ground-up (“bare metal”) recoveries to get things going again.

We didn’t wait for these scenarios to occur to see whether we could do any of these types of restores. We practiced, regularly. In one mainframe shop early in my career, we completely restored our OS every Sunday night. Okay, this was in part a storage defragmentation measure and performed mainly for this purpose. However, we were still doing a bare metal restoration, precisely like what we would do if our data center burned down and we had to recover our data and applications on a different system.

Was this exciting work? Certainly not.

Interesting? Not in the least.

Essential? Absolutely.

So what am I getting at here? Am I merely reminiscing about the good old days? Hardly.

I’m talking about ransomware. At times, it’s difficult for me to sympathize with the organizations that are victims of ransomware. It’s hard for me to rationalize why an organization would even remotely consider paying a ransom (particularly when the FBI reported that only about half of organizations would be able to decrypt their data when they paid the ransom) (sorry, I cannot find the link to that advisory, I’ll keep looking and update this article when I find it).

A survey by Kaspersky indicated some facts that shocked me:

  • 37 percent of respondents were unable to accurately define ransomware let alone understand the damage it can deliver.
  • Of those survey respondents who suffered a ransomware attack, 40 percent said they would not know the immediate steps to take in response.

I’m amazed by these results. Do IT organizations no longer understand IT operations fundamentals that have been around for decades? I hate to sound harsh, but if this is the case, organizations deserve the consequences they experience when ransomware (or human error, or software bugs, etc.) strikes.

That said…. I am acutely aware that it can be difficult to find good IT help these days. However, if an organization is crippled by ransomware, they’ve already gone “all-in” with information technology, but neglected to implement common safeguards like data backup.

(image courtesy recordnations.com)

The CIA Triad is Dead

For decades, those in cybersecurity were fed the doctrine of CIA: Confidentiality, Integrity, and Availability – the pillars or foundational principles of information security. Advances and changes in information technology have rendered the CIA triad obsolete.

For many years, information technology has been used in numerous applications where life safety is a major concern. Examples include:

  • Patient health monitoring
  • Patient medication delivery (e.g., IV pumps)
  • Robotic surgery
  • Autonomous vehicles
  • Autopilots
  • Domestic robots

You can probably add more examples to the above list.

The former CIA Triad should give way to the CIAS pyramid: confidentiality, integrity, availability, and life safety. I first argued for this in my book, CISSP For Dummies, 5th edition (2016), on page 37, as well as in CISM Certified Information Security Manager All-In-One Exam Guide (2018) on page 382, where I called argued for confidentiality, integrity, availability, and life safety.

As a simple model and a reminder of foundational principles, the CIA triad has served us well. However, as a foundational principle, the CIA triad now falls short, as arguably the most critical aspect, when applicable, is safety and life safety.

CISOs are not risk owners

Many organizations have implicitly adopted the mistaken notion that the chief information security officer (CISO) is the de facto risk owner for all identified cyber risk matters.

In a properly run risk management program, risk owners are business unit leaders and department heads who own the business activity where a risk has been identified. For instance, if a risk is identified regarding the long-term storage of full credit card numbers in an e-commerce environment, the risk owner would be the executive who runs the e-commerce function. That executive would decide to mitigate, avoid, transfer, or accept that risk.

The role of the CISO is to operate the risk management program and facilitate discussions and risk treatment decisions, but not make those risk treatment decisions. A CISO can be considered a risk facilitator, but not a risk owner.

Even when embraced and practiced, this concept does not always stop an organization from sacking the CISO should a breach occur. A dismissal might even be appropriate, for example, if the risk management program that the CISO operated was not performing as expected.

— excerpt from CRISC Certified in Risk and Information Systems ControlTM All-In-One Exam Guide, 2nd edition.

Blameshifting is not a good defense strategy

Today, in my newsfeed, two stories about breaches caught my attention.

In this first story, a class-action lawsuit is filed against Waste Management for failing to protect PII in the trash.

In the second story, a South Africa port operator declares force majeure as a result of a security breach, in essence declaring that nothing could have been done to prevent the breach.

In both of these situations, the victim organizations attempt to shift the blame for the failure to protect sensitive information on others. Those of us in the profession have seen victim companies do this in the past, and it generally does not work out well.

Back to the Waste Management story. Here, I argue that when an organization places something in dumpsters, they should take steps to ensure that no recoverable information is discarded. Unless the business arrangement between companies and Waste Management is more akin to secure document shredding by companies like Shred-It, I assert that the garbage company has no obligation to protect anything of value placed in the trash.

On to the South Africa port operator. Declaring force majeure as a result of a security breach is an interesting tactic. In my opinion (note that I am not a lawyer and have had no formal law education), this strategy will backfire. There are numerous examples of organizations that successfully defend themselves against attacks like this. Granted, these attacks are a global plague, and defense – while challenging – is absolutely possible.

Disruption of branch banking is of their own making

An experience late last week was an epiphany for me.

While managing the financial affairs of a relative, I needed to get a one-page document notarized. I live in a small town, where there are only two or three local bank branches.

One of the branches is K** Bank. On their website, K** Bank makes available the capability of making an appointment at a nearby branch. I filled in the appointment form, including the specific nature of the visit. Another relative who was visiting a few weeks ago got a document notarized there, so I knew that this branch of K** Bank had a notary.

I showed up, was greeted by branch staff, and invited to have a seat while someone came to assist me. Soon, another branch employee came over and said she was ready. I presented my document and my photo ID. The employee asked for my K** Bank account number, and I replied that I was not a customer. She replied that Key Bank only notarizes documents for customers. When I asked whether K** Bank would notarize my one-page document for a fee, the answer was, no, sorry. The branch was not busy: there were six employees in the branch, and I saw one or two customers come and go in the ten minutes that I was there.

I left and drove two blocks to the town’s professional building, where a lawyer, an accountant, a marriage counselor, and a financial advisor have small offices. I poked my head into the CPA’s office and asked, do you know of a notary here in town? The CPA got up, greeted me, and took me across the hall to the financial advisor’s office, where she introduced me to an independent financial advisor. He gladly took a couple of minutes to notarize my document. He refused to accept a fee. Since he was conversational and polite, I asked him about his business, asked for some business cards, and may have some business to refer to him.

Branch banking is going the way of the bookstore. Key Bank had an excellent opportunity to take a few minutes to meet a new potential customer by showing a bit of goodwill. Instead, they turned me away, and frankly, I will probably never set foot in that branch again.

The Breaches Will Continue

As I write this, it’s been one day since news of the latest LinkedIn breach hit the news. To summarize, about 92% of LinkedIn users’ information was leaked via LinkedIn’s API. LinkedIn is officially denying this is a breach but is just a data scrape that violated the API’s terms of use. Interesting twist of terms. This reminds me of a former President who explained, “It depends upon what your definition of IS is.”

During my six years as a strategic cybersecurity consultant, I learned that most organizations do not take cybersecurity seriously. Breaches are things that happen to other companies, those with larger and more valuable troves of data.

Organizations, up to and including boards of directors, are locked in normalcy bias. No breach has occurred (that they are aware of), and therefore no breach will occur in the future. It is normalcy bias that is also responsible for the fact that most citizens fail to prepare for emergencies such as extended power outages, fires, floods, hurricanes, tornadoes, identity theft, serious illness, and so many other calamities. I’d be lying if I said that I’m immune to this: while we’re well prepared for some types of events, our preparedness could be far better in certain areas.

A fellow security leader once told me, “Cybersecurity is not important until it is.” Like in our personal lives, we don’t implement the safeguards until after being bitten. Whether it’s security cameras, better locks, bars on windows, bear spray, or better cyber defenses, it’s our nature to believe we’re not a target and that such safeguards are unnecessary. Until they are.

2021: The Summer of Unions and Reunions

Last summer, I started a new job as Senior Director of Cyber GRC for GCI Communications, an Alaska-based telecommunications company. Being a resident of central Washington State, this was to be a mostly WFH job with occasional (monthly-ish) travel to Anchorage and elsewhere to meet with GCI personnel and others.

image from tcsp360.com

The COVID-19 pandemic lockdown was in full swing when I was hired, and non-essential business travel was prohibited. So our days were consumed with video meetings on Teams and Zoom. I met and managed my team of 13 managers, analysts, and specialists, worked with my director, senior director, and VP peers, and was accustomed to full days of video conversations and a bit of time to do real work. And over the past year, I hired five additional team members (including two managers) via video calls. WFH and remote work was the only way.

This week, I met my security department leadership peers in person for the first time, the director of security architecture and planning, and the senior director of security operations. None of us had met in person before, ever. Later, our CISO joined us (our CISO had not met the secops leader in person either).

We spent two long days understanding each others’ departments better, and we spent a lot of time doing some strategic planning. We had bits of time telling stories, and there was plenty of laughter as well.

Meeting and working face-to-face is definitely better than WFH and Zoom meetings. I always knew it, but after 15 months of hunkering down, finally meeting some of my colleagues face to face was confirmation for me. While the three of us live in three different states, we’ll spend most of our working time on video calls, but occasional in-person work is valuable and strengthens and improves work relationships.

I’m certain that thousands of you are having the same experience – as business travel and office work slowly return, you’re meeting many of your colleagues in person for the first time. Relish it.

Checkbox CPEs

Those of us with security certifications like CISSP, CISA, CISM, and others are acutely aware of the need to get those CPE hours completed each year. Typically, we’re required to accumulate 40 hours per year and that we keep accurate records of learning events, along with evidence that we did indeed attend those events. 

I was audited once, over a decade ago, and came up a bit short on my evidence. Since then, I’ve been meticulous in my recordkeeping and maintaining proof of attendance. But this piece is not about recordkeeping.

Are you finding your CPE events to check the box? Or are you pursuing new knowledge and skills?

I’ll tell you a secret: the certification organizations don’t know whether you are doing the minimum to check the box or pursue knowledge with enthusiasm.  They don’t ask, and they don’t care.

You should care, however, and the difference will show. If you are just checking the CPE box, you will not be learning much, and you’ll be a weaker contestant in the employment market. By not making a real effort to grow professionally, you’ll slowly fall behind.  While you may be able to fake it for a while, your learning negligence will catch up to you, and it will take considerable time and effort to dig yourself out of the hole you slid into. Not only will you have to spend considerable time catching up on security topics, but you’ll also have to undo the habit of doing the minimum to slide by.

Controlling the WFH Genie

As we turn the corner in the COVID-19 pandemic, many companies are beginning to bring their workers back on site. This return to the workplace phenomenon is starting a conversation at the worker level, the company level, and in society as a whole.

Many companies have succeeded with the transition to WFH. It may have been awkward at first, but millions of workers have tasted a better quality of life without a commute, and without many other related costs of money and time. Many workers do not want to give up WFH, now that they’ve seen that they can be effective while working from home.

I’ve been part-time WFH for almost twenty years, but I’ve also had jobs where I was commuting three to four hours each day, so I’m intimately familiar with both ends of the spectrum, as well as the middle. I am working today for an Alaska-based company while living in Washington State, so I’m a living subject in the great WFH experiment. And in the nine months since starting this job, I’ve hired workers on my team who live in Idaho, Texas, Arizona, Washington, and, yes, Alaska.

For workers, WFH represents a savings of hard money in terms of vehicle, mass transit, work wardrobe, lunches out, but also expenses to equip and maintain a home office. The soft benefits include commute time, quality of life, but also there’s the ability to work in person with colleagues and develop better in-person relationships than can be done only on video calls.

One can draw up a long list of WFH pros and cons. For most of 2020, we had no choice. But from now on, better organizations realize that WFH has many benefits:

  • Workers often put in more hours.
  • Organizations’ office space expenses are lower.
  • Employers can draw from a significantly larger labor pool when looking for new employees.
  • Existing staff have the freedom to relocate their families to other communities while keeping their same jobs.

Organizations unwilling to consider WFH workers will have a more difficult time finding qualified workers, as they will be drawing from a far smaller labor pool. Employers will have to pay more for people to work in the office to compensate for their additional time and hard expenses – AND employers will have the added cost of providing workspace for those workers they require to be on-site (and those workers who want to). Many workers will be willing to work for less if they can WFH as it is a fair exchange for a better quality of life.

One thing is for sure: the WFH genie will not be going back into the bottle. Ever.

In terms of cybersecurity and ransomware, most organizations are anti-vaxxers

Prologue: There are many opinions and points of view with regards to the origin and nature of COVID, response to the pandemic (or plandemic if you prefer) and vaccinations. I’m not here to express any opinion, but will borrow from these events as I briefly use vaccinations as a metaphor. And thanks for my former colleague Jason Popp for coining the phrase that I’m borrowing.

In a comment to a LinkedIn post about ransomware, Jason said, “If ransomware is a pandemic, then most organizations are anti-vaxxers.”

Brilliant.

I’ll state this another way: the tools and techniques for ransomware prevention have been around for decades. Decades. By and large, organizations hit with ransomware are not employing these techniques effectively, if at all. Implicitly, most organizations choose not to employ the safeguards that would prevent most ransomware attacks.

Why? Good question. Perhaps it’s normalcy bias. Or that cybersecurity is too expensive, or inconvenient to users, or that it’s too hard to find good cyber persons. Or, cybersecurity is a distraction from the organization’s mission (and ransomware isn’t?).

Ransomware presents several challenges. First, most companies that pay ransoms still don’t get their data back. And, more recently, the U.S. Treasury department Office of Foreign Assets Control (OFAC) has cited that paying ransoms to cybercriminals is a violation of OFAC laws.

The solution? Perform or commission a risk assessment. Hire cybersecurity professionals who knows how to fix deficiencies and manage effective security governance, operations and response.

Or, just stop using computers.

Where Are You Going?

While hiking in the hills near our mountain cabin one day, I realized that I was looking down at each step. The terrain was unlevel, full of brush, rocks, critter holes, and other obstacles. In a moment of realization, I stopped and looked out in front of me. I realized that, for several minutes, I was not looking at where my walking was taking me.

Our jobs and our careers are like a hike on uneven ground. We make small and large decisions, interact with people, often only in the moment, without pausing to look up to see where these daily activities are taking our careers. When working only in the moment, we are surrendering control of our careers to others and to chance, rather than taking the reins and going where we want.

Like walking or hiking, it’s essential to make good in the moment decisions, but we must occasionally stop to see where our steps are taking us, and change direction when needed.

Also, remember to stop and enjoy the view.

FPRM is the new TPRM

The recent Accellion-related breaches (a recent one here) are shining a light not just on third party risk management (TPRM), but fourth party risk management (FPRM).

When we bring on a new service provider, in a healthy TPRM program, we assess the service provider’s security (and maybe privacy) programs to see whether their security posture is something we can live with. I see a new set of questions to be asking our third parties, including:

  • What third-party service providers do your third-parties send your data to?
  • What third-party service providers are used to facilitate data transfer and other aspects of your service?

TPRM managers – these recent incidents should be sending us back into our methodologies to ensure we don’t have blind spots.

That is all.

Do Not Use Browsers to Store and Deliver Passwords

Since their inception in the 1990s, web browsers have been packed full of useful features like bookmarks, tabs, granular cookie control, and so much more. It’s no surprise, then, that most browsers now include the ability to store your passwords and to manually or automatically insert them into website login pages. Talk about convenience.

Don’t do it.

The browser makers mean well. However, when a single program accepts untrusted input from the Internet and that same program has access to sensitive login credentials, one can imagine that it would be possible to craft malware that can reach across and pluck out those credentials at will, possibly without the user’s knowledge.

A browser that stores passwords is vulnerable to attack. First, passwords are often stored in plaintext (see this article and also this article, and here is a useful article from the University of Minnesota that instructs users on how to retrieve stored passwords). Malware that has access to your computer’s file system may be designed to look for, and retrieve, these stored passwords.

Also, you should be aware of autofill attacks that trick browsers into pasting in sensitive information on hidden variables in otherwise-innocent looking forms. One day, such an attack may be able to trick a browser into auto-filling login credentials into hidden fields without your awareness or consent.

As long as we use login-and-password to log in to websites, you need to be the air gap between your stored credentials and your browser.

What I Was Doing On 9/11/2001

In 2001, I was the security strategist for a national wireless telecommunications company. I usually awoke early to read the news online, and on September 11 I was in my home office shortly after 5:00am Pacific Time.  I was perusing corporate e-mail and browsing the news, when I saw a story of a plane crashing into a building in New York.

I had a television in the home office, and I reached over to turn it on. I tuned to CNN and watched as smoke poured from one of the two towers in the background, as two commentators droned on about what this could be about. While watching this I saw the second airliner emerge from the background and crash into the second tower.

Like many, I thought I was watching a video loop of the first crash, but soon realized I was watching live TV.

I e-mailed and IM’d members of our national security team to get them aware of these developments. Before 6am Pacific time, we had our national emergency conference bridge up and running (and it would stay on all day). Very soon we understood the gravity of the situation, and wondered what would happen next.  We were a nation under attack and needed to take steps to protect our business.  Within minutes we had initiated a nationwide lockdown (I cannot divulge details on what that means), and over the next several hours we took more steps to protect the company.

——–

Since being a teen-ager I had a particular interest in World War Two. My father was a bombardier instructor, and his business partner and best friend was a highly decorated air ace.

——–

We are under attack and we are at war, I thought to myself early that morning, and while I don’t remember specifics about our national conference bridge, I’m certain that I or someone else on the bridge said as much.  Like the sneak attack on Pearl Harbor on December 7, 1941, we all believed that the 9/11 attacks could have been the opening salvos of a much larger plan. Thankfully that was not the case. But in the moment, there was no way to know for sure.

For many days, I and probably a lot of Americans expected more things to happen. The fact that they didn’t was both a surprise and a relief.

Neat Receipts Has Forgotten (or never knew) How to Earn Customer Loyalty

I’ve been a happy user of Neat Receipts for years, having purchased one of their portable scanners. It has worked pretty much  trouble free on PCs and Macs since I purchased it. But that was all about to change.

I upgraded my Mac to El Capitan a couple of months ago, and today needed to scan some diagrams that I’ll be using in an upcoming book. The Neat software did not recognize the scanner, so I went through the usual troubleshooting, including special steps on the Neat website for El Capitan users. Still, no luck.

Neat

I went to Neat’s customer support page, and found that their chat function was working (today is Saturday). I discussed the matter with the support rep, who asked me for the model of my scanner (it’s NR-030108). The rep told me that this model was no longer supported and would not work any longer. Oh great.  I asked whether there was any kind of a trade-in allowance, and he answered that there was not.

So, Neat has obsoleted my scanner.  I can get over it – it’s a part of the regular improvements in information technology. I get that. But, Neat is offering nothing in order to keep me as a customer.  There is nothing keeping me from considering other good products such as Fujitsu ScanSnap S1100i, for instance. In fact the Fujitsu is a little less expensive, it works with Mac, does everything I need, and has a slew of good online reviews.

Apparently Neat is going to just let me walk.

Security: Not a Priority for Retail Organizations

Several years ago, VISA announced a “liability shift” wherein merchants would be directly liable for credit card fraud on magstripe card transactions. The deadline for this came and went in October, 2015, and many merchants still didn’t have chip reader terminals. But to be fair to retailers, most of the credit/debit cards in my wallet are magstripe only, so it’s not ONLY retailers who are dragging their feet.

My employment and consulting background over the past dozen years revealed plainly to me that retail organizations want to have as little to do with security as possible. Many, in fact, even resist being compliant with required standards like PCI DSS. For any of you who are unfamiliar with security and compliance, in our industry, it is well understood that compliance does not equal security – not even close to it.

I saw an article today, which says it all. A key statement read, “There is a report that over the holidays several retailers disabled the EMV (Chip and Pin) functionality of their card readers. The reason for this? They did not want to deal with the extra time it takes for a transaction. With a standard card swipe (mag-swipe) you are ready to put in your pin and pay in about three seconds. With EMV this is extended to roughly 10 seconds.” Based on my personal and professional experience with several retail organizations, I am not surprised by this.  Most retailers just don’t want to have to do security at all. You, shoppers, are the ones who pay the price for it.

IT Lacks Engineering Discipline and Rigor

Every week we read the news about new, spectacular security breaches. This has been going on for years, and sometimes I wonder if there are any organizations left that have not been breached.

Why are breaches occurring at such a clip? Through decades of experience in IT and data security, I believe I have at least a part of the answer. But first, I want to shift our focus to a different discipline, that of civil engineering.

Civil engineers design and build bridges, buildings, tunnels, and dams, as well as many other things. Civil engineers who design these and other structures have college degrees, and they have a license called a Professional Engineer. In their design work, they carefully examine every component and calculate the forces that will act upon it, and size it accordingly to withstand expected forces, with a generous margin for error, to cover unexpected circumstances. Their designs undergo reviews before their plans can be called complete.  Inspectors carefully examine and approve plans, and they examine every phase of site preparation and construction. The finished product is inspected before it may be used.  Any defects found along the way, from drawings to final inspection, results in a halt in the project and changes in design or implementation.  The result: remarkably reliable and long-lasting structures that, when maintained properly, provide decades of dependable use. This practice has been in use for a century or two and has held up under scrutiny. We rarely hear of failures of bridges, dams, and so on, because the system of qualifying and licensing designers and builders, as well as design and construction inspections works. It’s about quality and reliability, and it shows.

Information technology is not anything like civil engineering. Very few organizations employ formal design with design review, nor inspections of components as development of networks, systems, and applications. The result: systems that lack proper functionality, resilience, and security. I will explore this further.

When organizations embark to implement new IT systems – whether networks, operating systems, database management systems, or applications – they do so with little formality of design, and rarely with any level of design or implementation review.  The result is “brittle” IT systems that barely work. In over thirty years of IT, this is the norm that I have observed in over a dozen organizations in several industries, including banking and financial services.

In case you think I’m pontificating from my ivory tower, I’m among the guilty here. Most of my IT career has been in organizations with some ITIL processes like change management, but utterly lacking in the level of engineering rigor seen in civil engineering and other engineering disciplines.  Is it any wonder, then, when we hear news of IT project failures and breaches?

Some of you will argue that IT does not require the same level of discipline as civil or aeronautical engineering, mostly because lives are not directly on the line as they are with bridges and airplanes. Fine. But, be prepared to accept losses in productivity due to code defects and unscheduled downtime, and security breaches. If security and reliability are not a part of the design, then the resulting product will be secure and reliable by accident, but not purposely.

So Long, Microsoft, And Thanks For All The Fish

Word Version 1.1a

Word Version 1.1a

I have been using Microsoft software since 1985 when I purchased Microsoft Word and Microsoft Multiplan for my new Zenith Z160 “portable” PC. I’ve used Word continuously for thirty years at home, at work, as a university instructor, and as a published author.

I wrote my first three books in FrameMaker, a superior but far more expensive word processor ($500 per user in 1998) as required by my publishers at the time. But by the early 2000’s most had moved to Word since Microsoft had sufficiently closed the feature gap.

I’m coming to realize that this weekend might be the last time I use Microsoft software – at home anyway (I use a PC running Windows 7 and Office for work).

z160

Zenith Z160 portable computer

I ordered a new MacBook Pro yesterday, and it will arrive on Monday. The MBP comes with Apple’s versions of office programs, called Pages, Keynote, and Numbers. Next week I will try them out on my university teaching and on my current writing project. If it goes alright and I figure out all of the subtle differences, I will probably not purchase Office for the new Mac.

Part of this comes down to economics. Office for Mac costs $150 or more, and the same programs from Apple cost $20 apiece (if you don’t have a new Mac that came with them), or free with your Mac since some time in the past year or two.

I’ll post a review of Pages, Keynote, and Numbers in a month or so after I’ve been using them a while.

Still, I can’t help but feel somewhat nostalgic, as I’ve had Word with me nearly all of my adult life. But as the dolphins exclaim in Hitchhiker’s Guide to the Galaxy, “So long, and thanks for all the fish.”