Posted by Jeff Papows on Thu, Aug 26, 2010 @ 10:25 AM
IBM just came out with its X-Force 2010 Mid-Year Trend and Risk Report. Pointing out the biggest vulnerabilities to an organization's infrastructure, the report finds that the latest threats don't come through a single point of entry. Rather, every employee and endpoint has become a potential point of entry.
Some fast facts from the report:
- There's a 36 percent increase in security vulnerabilities.
- Web applications with security exploits accounted for 55 percent of all disclosed vulnerabilities.
- In the first half of 2010, financial institutions represent 49 percent of all phishing email targets, with more than two thirds of those victims in North America.
When you think about the sheer volume of technology that is strewn throughout a company, it's easier to understand how every computer and mobile device can also be a point of vulnerability.
Just think about the amount of trial software that is downloaded, the open source projects, social media check-ins, and company-created software, and it's easy to get a bit dizzy thinking about how all of it is managed, protected and checked to make sure it doesn't violate corporate policies. Further complicating the infrastructure are endeavors such as post-merger integrations and global expansion, as well as initiatives such as cloud computing and virtualization. Not to mention the impact of outside forces such as spam, phishing and malicious URLs.
While the IBM report focuses on security vulnerabilities, there is something to be said about an overarching approach to IT governance in order to further protect a company. In an interview I did with industry analyst Dana Gardner for my upcoming book "Glitch," he suggested that perhaps security is a subset of IT governance.
Along those lines, I recently spoke with a Textron IT executive who pointed out that today there is less line-by-line software coding. This makes sense in a world of mashups and object-oriented programming, which have proven to offer viable shortcuts in the software development process.
With the vulnerability points of entry growing every time we log on, this seems to drive home the need for IT governance that makes sure the entire infrastructure is aligned with best practices and policies.
The entire report is housed on Scribd and is well worth the read for security experts as well as those who view infrastructure vulnerabilities as a threat to a larger IT governance strategy.
Posted by Jeff Papows on Wed, Aug 18, 2010 @ 02:51 PM
A quick scan around our homes and offices reminds us of the great strides the IT industry has made in recent years. From clothes dryers that automatically know when to power down to protect the energy grid to the ability to connect remote countries to the Internet, there's a seemingly unlimited potential to what we can achieve individually and collectively through technology. From the outside looking in, we don't lack for technology innovation; yet from the inside looking out, there are several stumbling blocks that are disrupting progress.
And they're not the obvious issues such as the recession hangover or less venture capital funding. The irony is that technology itself is holding back the technology industry. This is because the more technology we create, the more issues that arise in developing and managing it.
Further, the more connected we are to each other through the Internet, the more those issues will grow because they are no longer isolated to an individual computer or mobile device.
These issues will only become more widespread when you consider that IBM estimates that by year end 2010, there will be one trillion devices including cars, appliances, cameras, roadways and pipelines connected to the Internet and an estimated two billion people on the Web by 2011.
If not properly managed, the result of these massive amounts of technology will be the proliferation of glitches that halt business. Many of these are everyday annoyances such as the inability to access funds at an ATM, flight delays and cash register errors. Others are detrimental to the health of people and businesses such as cyber attacks that infiltrate our energy and water supplies, government data theft and radiation treatments for cancer patients gone awry.
Overall, these obstacles to productivity are indicators that there are holes in the IT infrastructure that leave businesses and consumers vulnerable. The cause of them varies yet a fair amount of them boil down to simple errors that are made in the software development process that aren't caught before the product is shipped and shared across a company or the Internet.
None of these issues are new to the IT industry though managing the complexity behind them is becoming increasingly more challenging. This is especially true when you consider that the undergraduate population of computer science majors plummeted after the dotcom collapse and that demographic is only now starting to be replenished. Adding to this are a retiring population of experts who are responsible for managing the mainframes that run nearly 70 percent of the world's financial transactions. Those experts are not easily replaced because few college curriculums offer the required courses and students aren't as likely to enroll in them because the jobs available after graduation aren't considered as interesting or lucrative as other IT positions.
Yet there are steps that businesses can take now to help reduce the amount and extent of these glitches. Three of these include:
- Create a Center of Excellence (COE): that includes a representative from each department including senior management. The COE is responsible for establishing best practices and processes that are followed by the software development team so that there is less vulnerability in the infrastructure.
- Policy Enforcement: establish metrics and barriers that don't allow software to progress through its traditional development cycle unless it meets the established criteria for quality.
- Cross Train: break down job silos and cross-train software developers so that there isn't an uneven balance of critical skills.
Of course, we can't eliminate all of the issues that will inevitably arise from the ubiquity of technology. Yet with a more focused approach on the way that software is developed from the very first keystroke, we can avoid a lot of the expenses associated with fixing these issues after the fact and trying to win back the trust of customers.
Posted by Jeff Papows on Wed, Aug 11, 2010 @ 04:00 PM
On Friday, August 6, 2010 Minnesota resident Koua Fong Lee was released from prison after serving three years of an eight-year sentence for vehicular homicide. While Lee maintained his innocence throughout the ordeal, it wasn’t until a second trial that he was set free primarily due to proof of mechanical failure in his 1996 Toyota Camry.
First, a little backstory. In 2006, Lee’s Camry accelerated up to 90 MPH before it crashed into two other vehicles at an intersection causing the death of a man, his 10-year-old son and a 6-year-old girl.
Flash-forward to 2010 and it’s impossible to miss the daily news feeds regarding the Toyota glitches, accidents and product recalls. To date, eight million cars have been recalled with the majority of these related to 2009 and 2010 models. However, it’s clear that the mechanical issues go back even further -- especially in light of recent evidence that T. Adding to Toyota’s troubles are the mounting lawsuits, including Lee’s, and further investigation into similar cases that are linked by Toyota vehicles.
From a consumer perspective, the sight of a Toyota on the road represents a very real threat. From a business perspective, the acceleration issues and associated glitches will cost Toyota upwards of $3 billion in the form of lawsuits, engineering and a diminished brand image. Though keep in mind that many of these issues reflect the after-effects of extensive and egregious mistakes in the software behind the design of the automobiles.
While Toyota is currently under the microscope, I suspect they will not be the only automotive manufacturer to suffer the impact of faulty technology in its products. After all, since the introduction of technology into vehicles 30 years ago, the number of electronic system recalls in the U.S. has tripled. In fact, today’s modern luxury car contains close to 100 million lines of software code. This is easier to imagine when you think about the added features we continue to pile into a car – everything from GPS to Bluetooth to DVD players.
Yet if we’ve learned anything from the advancements of technology over the years, it’s this:
- Rarely is one company or individual solely responsible for mechanical failures. The information technology industry is built on collaboration, standards, and integration of different technologies. The technology behind the building of an automobile consists of millions of lines of code -- much of which is written by software developers from all over the world who are on the payroll of technology companies, outsourcers and auto manufacturers.
- The quality of the software code starts with the very first keystroke. While there are established best practices to software development, the term computer science is a misnomer because it isn’t an exact science – there is plenty of room for variations in the way the code is written and makes its way into the automobile.
- Many of the potential glitches and other software failures can often be identified and addressed before the product is assembled and put on factory floors. This process is known in software circles as IT governance and in all likelihood should be making a comeback given the widespread issues that Toyota is facing.
I doubt that the software developers and engineers that inadvertently contributed to Toyota’s technology arsenal were fully aware of the impact of their efforts on the general population though it’s a point that management should make more clear. And for companies outside of the auto industry, it’s easy to dismiss the Toyota problems as someone else’s.
Though the core lesson that's often overlooked here is that the fundamental approaches to ensuring safer, higher quality products are increasingly rooted in technology, and without more careful oversight of this function, the reputation of a company really can hinge on a few strokes of the keyboard.
Posted by Jeff Papows on Tue, Aug 03, 2010 @ 02:18 PM
Like any tradeshow, you can find a stash of give-aways designed to draw in potential customers. T-shirts, candy, chair massages, etc. At this week's SHARE conference, I noticed an interesting cultural shift in the conversations WebLayers was having with attendees (booth 224). Our giveaways are some pretty nifty balls that light up when you toss them -- perfect for your kids or nieces and nephews, or even in the hallways at work.
In any event, it wasn't that long ago that we would have a conversation with booth visitors who would ask for extra freebies for their kids. No problem. But at this week's conference, the requests are coming in on behalf of the attendees' grandchildren. Makes sense when you think about the stalwart mainframe which clearly isn't going anywhere anytime soon.
In fact, if there was any doubt in your mind that the mainframe was going anywhere but onward and upward, the past few weeks should have dispelled this myth entirely.
At SHARE, we've already seen a slew of announcements from all the major players in the mainframe space, though the highlight of the show so far is the new IBM zEnterprise System. Now I know not everybody gets whipped up about a new mainframe, but this one is different. Really. It even caught the attention of the New York Times when it was first announced in late July.
As with any new iteration of a computer, you can expect to hear the terms faster, stronger, and better bandied about. But what makes the latest zSeries worth a closer look by your CEO is the claim that the latest version of the product is 40 percent faster and up to 90 percent more energy efficient. This translates to lower MIPS costs and lower data center energy bills.
For those companies that are going to be a little slower in replacing their existing zSeries with the newer models, there are ways of saving expenses right now. One of them is by getting a better handle on MIPS consumption. In fact, your company may not even be aware that a mainframe modernization effort can be a valuable, cost saving step between mainframe upgrades. Essentially, by applying IT governance as part of a modernization effort, you can:
- More effectively preserve legacy assets
- Extend mainframe capabilities
- Reduce CPU utilization
Actually, Ron Karas, WebLayers vice president of client services, maps this out in more detail in an educational article in Mainframe Zone. While the new mainframes from IBM are compelling and will definitely change the landscape (yet again), there's something to be said for taking a closer look at what you already have and squeezing a bit more out of it. Of course, the cost analysis of an interim modernization step versus purchasing the new mainframe will take into account the existing CPU and energy costs.
In the meantime, I'll know it's time to step back from the industry when I hear about the freebies for the great grandchildren.
Posted by Carlos Bernal on Wed, Jul 28, 2010 @ 10:33 AM

With the release of more than 90,000 government documents related to military operations in Afghanistan making headlines around the globe, from a technology perspective, it's certainly putting the idea of crowdsourcing into the mainstream.
For those who have heard the term but aren't fully versed on it, crowdsourcing is essentially a way to gather the collective knowledge of the public to complete a business related task. It's based on the premise that the experience and intelligence of an interested community will contribute to the greater good of a project. (The folks over at BNet have a really good summary available here.)
The immediate pluses and minuses of crowdsourcing are somewhat obvious in terms of free labor versus you get what you pay for. However, it's not always that black and white as variables such as size and scope of project as well as the pool of experts in the particular field will impact the outcome.
For example, just look at what the open source movement has done for the tech sector in the past 15 years or so and certainly crowdsourcing aims to take a page from that playbook.
One open source project in particular that I find of high interest is the work around the Jazz platform from the folks over at IBM Rational. They're making software development more collaborative through open source.
The crowdsourcing movement has picked up steam of late in the age of Web 2.0 and the sheer volume of people and tools that are connected throughout the world whether it's through Flickr, LinkedIn, dedicated crowdsourcing websites, etc.
The one area that shouldn't be overlooked in crowdsourcing and open source contributions is the role of distributed management and oversight of the projects. It just seems logical that there needs to be some sort of system of checks and balances to assure that contributed content is valuable, constructive and moves the project forward. This doesn't mean that contributors will be evaluated as that's an obvious turn-off to inspiring group brainstorms.
However, if you're making certain aspects of your business and/or software code available to the public, there should be some sort of oversight of the contributions. And it doesn't have to be obvious. In fact, it may be more valuable if it's run in the background and only presents itself when there's a potential contribution of something that doesn't align with the project's mission.
Of course, there are systems in place at most crowdsourcing sites and code reviews conducted with open source initiatives. These systems often track back contributions, confirm registrations, etc. Though as the aperture opens even wider for group collaboration, it calls for a distributed approach to governing the activities.
Before a crowdsourcing project kicks off or contributions are accepted, consider the role of distributed IT governance as a safety net. The IT community is embracing distributed IT governance when it comes to open source so it stands to reason that crowdsourcing also takes a closer look at the mechanisms in place that foster collaboration while cutting through the clutter and accelerating a project's success.
Posted by Jeff Papows on Mon, Jul 19, 2010 @ 03:30 PM

My good friend Joe McKendrick, a blogger at ZDNet and eBizQ, recently forwarded me an interesting article from the Associated Press. The article, "Technology's disasters share long trail of hubris," looks at the BP oil spill disaster and also recounts a long line of massive disasters that may make you think twice about the reliability of technology as we continue to innovate.
Some of the more recent issues, along with the exploding oil rig, include the technology behind space shuttle failures, levee failures and buckling bridges.
The article raises some questions that, in my opinion, never get tired. Essentially, it asks whether technology-related mistakes are a matter of arrogance or of oversight.
Too often, management ignores warning signs and only responds after disaster hits. This was the case with BP when they ignored some of the fundamentals of their profession and didn't address the rig's battery issues and loose hydraulic fittings.
While the BP oil spill is the largest in U.S. history, in my mind it is up there with Toyota as one of this year's poster children for IT governance gone awry. Too little, too late is what is being uttered in light of BP's relative success in capping the spill.
Same goes for Toyota, unfortunately.
As we watch the news threads about BP and Toyota, our jaws drop at the staggering clean-up costs in terms of repairing the actual damage as well as the brand image. If we've learned anything this year, it's that the cost of a lack of sufficient IT governance will far exceed the cost of more strategic planning and preventative measures.
While CNN reports that oil has not spilled for four days, I don't believe any of us are quite ready to exhale when it comes to that situation. While governance may not be the sexiest area of IT, it's one of the most necessary and relevant in today's market.
Posted by Jeff Papows on Wed, Jul 14, 2010 @ 09:31 AM
IT Business Edge blogger Loraine Lawson posted an interesting piece last week on data governance. The very compelling headline, "Data Governance: As Popular as Root Canal," takes a closer look at a recent survey of 100 companies conducted by the folks over at Initiate Systems. Sidenote: you may recall that IBM acquired Initiate back in February for their data integrity software that targets healthcare and government agencies.
The Initiate survey discovered that only about five to eight companies of the 100 had data governance directives in place.
Now I get that people often equate IT governance with life's greatest pleasures such as root canals, paper cuts and smoke in your eyes. However, I think that the bad rap that IT governance has -- okay, perhaps has earned -- is largely due to a misunderstanding about how and where to apply it.
There was certainly a time when it was labor intensive and intrusive, but just as every piece of the IT industry continues to evolve, so do governance capabilities. With automated processes that streamline a lot of the review cycles and simply help create better code, it's time to rethink the view of governance as a necessary evil.
If the goal is to apply governance so that it actually is effective in making sure that policies and best practices are followed, the role of governance in helping achieve that goal should be in fostering adherence to those policies and not gumming up the existing processes and creating extra work.
One way to think about IT governance is to perhaps view it as the fusion of the best traits of two of my more favorite fictional characters -- the Invisible Man in H.G. Wells's book of the same name and the Incredible Hulk. Okay, I can almost see the eye rolls now, but stay with me for another minute.
The Invisible Man was able to enter a room and only make his presence known when it was necessary or if there were obvious indicators such as wearing a hat or glasses. The same can apply to governance -- it can be running in the background and only make its presence known when necessary.
As for the Incredible Hulk character, well, Dr. Bruce Banner was a pretty mild mannered scientist unless something set him off and unleashed his Hulk alter ego. The angrier the Hulk got, the stronger he became. Now think about this from an IT governance enforcement perspective.
A company always has the choice of how much policy enforcement to apply and how many exceptions to waive. For some companies, IT governance is an active part of the IT infrastructure meant to guide the development process -- a passive Bruce Banner type who's there for clarification. For other companies, it's about enforcement at the most critical stages and halting software from moving further along in the development cycle if it doesn't follow all the established policies. At these companies, you don't want to upset the Hulk that's potentially lurking inside the CIO.
If we could just get a better understanding of the role that governance can play in actually accelerating development cycles and reducing the amount of glitches that continue to run rampant through our networks, perhaps it wouldn't be equated with root canals.
Posted by Jeff Papows on Wed, Jul 07, 2010 @ 04:24 PM

Not sure why our culture focuses on the relatively minor faults of the industry giants. We seem to watch with eager anticipation as a Goliath gets a few stones thrown at it.
With this in mind, it's hard to miss the latest news about the new iPhone 4 and its glitches. First it was the less than stellar performance if the phone was held a certain way. Then it was the glitch in the bars that showed the wrong levels of signal strength. The latest and perhaps the most serious glitch hit the news feeds on Wednesday.
It turns out that a software glitch in the Alcatel-Lucent network is limiting the upload speed of the iPhone 4. While AT&T has a fix in the works and the glitch affects only two percent of the customer base (according to AT&T), this glitch speaks to a larger issue about the stability of the mobile infrastructure as we become more reliant on smartphones.
Coincidentally, on the same day the latest iPhone glitch was announced, the folks over at Pew Internet Research came out with its Mobile Access 2010 Report. The report finds that cell phone usage is up over the past year. Specifically, 59 percent of adults are now accessing the Internet wirelessly using a laptop or cell phone -- up from 51 percent, which was reported by Pew in April of 2009.
The rise in cell phone dependence and the degradation of mobile network service is a signal (no pun intended) of the potential issues we could be facing as more people are connecting to each other and to work through their mobile devices.
Just thinking about the flurry of concerned Twitterati regarding the potential for the Fifa World Cup to deliver a load of beached fail whales is a further sign that we're not entirely confident in our mobile infrastructures.
While I don't wish these types of glitches on anyone, it certainly does call into question the role of IT governance that is in place and/or being applied to the mobile network.
Could IT governance have spotted that potential issue before it became a headline? Perhaps. While certainly not a cure-all, depending on the level of IT governance applied, it may have been able to raise a flag to the fact that the infrastructure performance speed may not exactly match the way it was touted in the marketing materials.
Actually, there's more to the mobile infrastructure challenge and glitches -- it's covered in chapter five of my upcoming book, "Glitch: The Hidden Impact of Faulty Software."
Nevertheless, I still eagerly anticipate the arrival of my iPhone 4 that's currently on order.
Posted by Jeff Papows on Tue, Jun 29, 2010 @ 10:52 AM
I just caught this news story by IDG reporter Robert McMillan about a recent Internet fraud ring that resulted in the theft of millions of dollars from U.S. consumers.
A patient band of thieves who basically stole spare change from consumers went undetected for years because the thefts were minimal -- ranging from pennies to a few dollars -- yet totaling $9.5 million. It turns out that the ring was able to uncover a loophole in the IT infrastructure of credit card processing companies that allowed the fake credit card transactions to get through.
Given the speed and volume of these types of online transactions, it's often difficult to proactively pinpoint the source of the theft and the location of the loophole until after the damage is done. Certainly there are mechanisms in place and security tools throughout the infrastructure that can halt a majority of theft before it takes place. One of the most common and widely used industry standards for credit card issuers to help prevent fraud is the PCI DSS (Payment Card Industry Data Security Standard).
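To make the point about "spare change" theft concrete: a per-transaction fraud rule rarely fires on a charge of a few cents, which is exactly how a pattern of tiny bogus charges spread across many cards can sit below the radar. Looking at the same ledger per merchant instead of per transaction makes the pattern visible. The following is an added example written for this post, not code from the article or from WebLayers; the merchant ids, card tokens, amounts and thresholds are all constructed assumptions, and the detector is a generic aggregation heuristic rather than any processor's actual rule set.

```python
"""Added example: merchant-level detection of micro-charge fraud.

All ledger data is constructed and deterministic; card ids are opaque
tokens, not real card numbers. Thresholds are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Txn:
    card: str      # tokenized card identifier (constructed)
    merchant: str  # merchant identifier (constructed)
    amount: float  # charge amount in USD


def merchant_profiles(txns: Iterable[Txn], small_amount: float = 5.00) -> Dict[str, dict]:
    """Summarize each merchant's traffic with the features that separate
    micro-charge skimming from an ordinary low-ticket business:
    how many distinct cards it bills, what share of charges are tiny,
    and how often the same card comes back (real customers repeat)."""
    by_merchant: Dict[str, List[Txn]] = defaultdict(list)
    for t in txns:
        by_merchant[t.merchant].append(t)
    profiles: Dict[str, dict] = {}
    for m, rows in by_merchant.items():
        cards = {t.card for t in rows}
        small = sum(1 for t in rows if t.amount <= small_amount)
        profiles[m] = {
            "txns": len(rows),
            "distinct_cards": len(cards),
            "small_share": small / len(rows),
            "txns_per_card": len(rows) / len(cards),
            "total": round(sum(t.amount for t in rows), 2),
        }
    return profiles


def flag_micro_charge_merchants(txns: Iterable[Txn], small_amount: float = 5.00,
                                min_cards: int = 100, min_small_share: float = 0.9,
                                max_txns_per_card: float = 1.1) -> List[str]:
    """Flag merchants whose charges are almost all below `small_amount`,
    spread across at least `min_cards` distinct cards, with essentially
    no card billed twice. Each charge is individually trivial; the
    aggregate is what stands out. Returns sorted merchant ids."""
    flagged = []
    for m, p in merchant_profiles(txns, small_amount).items():
        if (p["distinct_cards"] >= min_cards
                and p["small_share"] >= min_small_share
                and p["txns_per_card"] <= max_txns_per_card):
            flagged.append(m)
    return sorted(flagged)


def constructed_ledger() -> List[Txn]:
    """Constructed sample data: a coffee shop with loyal repeat customers,
    a retailer with normal ticket sizes, and a skimming merchant that
    bills each of 300 cards exactly once for under two dollars."""
    ledger: List[Txn] = []
    # Coffee shop: 40 regulars, each charged 5 times for $3.00-$4.00.
    for i in range(40):
        for visit in range(5):
            ledger.append(Txn(f"card-{i:04d}", "coffee-shop", 3.00 + (visit % 3) * 0.5))
    # Retailer: 150 distinct cards, one purchase each, $20-$80.
    for i in range(150):
        ledger.append(Txn(f"card-{1000 + i:04d}", "retailer", 20.00 + (i % 7) * 10))
    # Skimmer: 300 distinct cards, one charge each, $0.20-$1.90.
    for i in range(300):
        ledger.append(Txn(f"card-{5000 + i:04d}", "skimmer-llc", 0.20 + (i % 18) * 0.10))
    return ledger


if __name__ == "__main__":
    ledger = constructed_ledger()
    for name, profile in sorted(merchant_profiles(ledger).items()):
        print(name, profile)
    print("flagged:", flag_micro_charge_merchants(ledger))
```

The coffee shop also bills only small amounts, but its cards come back five times each, so the repeat-ratio check keeps it off the list; the retailer bills many distinct cards once each, but the amounts are normal. Only the merchant that combines tiny amounts, many cards and no repeats is flagged, which is the aggregate view a per-transaction threshold never sees.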
Yet the sheer volume of data, speed of online transactions and growing complexity of our IT infrastructures will continue to leave us with these infrastructure gaps that allow less than scrupulous characters to pounce. It's these types of multi-million-dollar scams that elevate the need for applying standards and for introducing and enforcing IT governance throughout the entire infrastructure.
Of course, PCI compliance and IT governance won't prevent online fraud. But it can decrease its impact if it's part of the early stages in software design and development. (As a sidenote and in the spirit of transparency, back in February WebLayers announced its Policy Annex, a sort of apps store if you will, that validates IT governance policies to support PCI compliance.)
Yet more than applying technologies and standards, preventing the exploitation of gaps in the infrastructure requires a combination of developer and management skills that are applied to technology.
Posted by Jeff Papows on Tue, Jun 22, 2010 @ 10:10 AM

Kenneth Starr is the latest money manager to be arrested for cheating clients out of millions of dollars. Bloomberg BusinessWeek has a solid overview of the news story here if you're looking for the pure business side of the situation. For me, it raises the question of the lack of IT governance from a pure technology point of view and how this affects businesses and investors.
Having managed over $700 million for close to 200 well known, wealthy clients throughout the years, Starr & Co. was well connected in the elite Manhattan circles. While his theft was nowhere near the scale of Bernie Madoff's, you have to wonder why it is so easy for these so-called money managers to get away with stealing so much money for so long.
Of course, there are a lot of reasons why this happens. First and foremost, individuals are responsible for their own investments to a large extent. However, when you're talking about his clients' levels of wealth accumulation, it makes sense to hire an expert to manage and grow the funds.
While Starr & Co.'s client roster dwindled as lawsuits and client audits piled up over the years, it wasn't until a lawyer for a former client combed through recent financial transactions that federal agents stepped in. It was the uncanny coincidence that millions of dollars in wire transfers aligned with Starr's purchase of a $7.5 million condo that tipped off the lawyer. Without the due diligence of an outside party, who knows how long Starr could have continued.
From an IT perspective, I have to question where the IT governance is or was when it comes to these wire transfers, especially multi-million dollar transactions. In such a heavily regulated industry, there are obviously reports and legal filings that accompany these activities though for the well trained thief, these hurdles are easy to clear.
As we discovered from the Madoff situation, Bernie was the sole overseer and quasi CTO of the company's mid-range system that executed those false transactions for years. Let's not forget that Madoff turned himself in to the FBI -- it wasn't the government's discovery of the fake trades that led to his incarceration. In one positive outcome, the Madoff Ponzi scheme led to new regulations by the Securities and Exchange Commission, not the least of which is the prioritization of transparency. However, some would argue too little, too late.
Given the latest news about Kenneth Starr, you have to wonder if there are other robber barons on the edge of being caught after investors are bilked out of millions of dollars.
Can IT governance squarely address this issue? While it can't solve crimes, it can help in the following three ways:
1. Establish policies and processes with regard to the execution of electronic fund transfers so that potentially questionable activities are proactively flagged.
2. Create more transparency throughout the IT infrastructure.
3. Securely verify the transactions in a more efficient way.
On a sidenote, there's actually more to the Madoff and IT infrastructure story that's included in my upcoming book, "Glitch: The Hidden Impact of Faulty Software." Do you think IT governance could have caught Kenneth Starr sooner? Share your thoughts below or send me a note at jeff@weblayers.com