Security Apocalypse

This week’s news about the Heartbleed bug is just a sign of things to come, and so are the hassles it is causing.

Having to rush and change all your passwords is nothing short of an enormous hassle. And then realizing that likely I need to do this again in a few weeks makes it worse. I tend to think these things are going to keep happening and likely will get worse. The reasons are:

  1. Older systems that perhaps we thought to be secure, like this situation, can in fact be exposed as insecure at any time.
  2. IT shops (and everyone and everything) have an enormously difficult time keeping up on patches. Patches at the OS layers, equipment firmware, database layers, various services, etc. Some vendors bundle these up and do them less frequently, which then means known problems are not patched for longer. Other vendors publish new patches all the time and it is practically impossible to keep the application of patches up-to-date because they keep coming out.
  3. Computing power to find vulnerabilities is increasing. Brute force attacks are getting easier.
  4. Higher caliber password management tools like LastPass are great and add some level of confidence. However, they too require a lot of focused attention to use. Having to go through 100+ different online services and change each of their passwords is a chore. And these tools, like LastPass, work well with some of the sites and others not so much. It is far too easy to get out of phase on which password is valid at which site. Sometimes the password change doesn’t work right for various reasons. It is just too complicated to manage these for many people.
  5. Two-step authentication is a great addition to use where possible. Lots of high-end sites now provide this level of authentication and I recommend you use it everywhere you can. However, again, for many users this is still too complicated.

There are going to be more and worse problems with widespread security issues. I fear that the good guys are losing.

What do you think?



Weak Signals

There is a wonderful post called the strength of ‘weak signals’ which I must recommend specifically. Usually I just retweet articles that catch my eye, but I’ve thought about this one for days now and just wanted to highlight it to those who might stop by.

The thought that “spotting weak signals is more likely when companies can marshal dispersed networks of people who have a deep understanding of the business and act as listening posts” is true. There are signals in your operations, in your sales locations, in your design centers and from your entire supply chain in both directions (suppliers and customers) and a successful company must get better at spotting those signals and that information.

The article talks about social media and senior leaders being engaged in such, but it applies to everything and everyone, not just social media channels. IT plays a role in making it easier for teachers to share and collaborate and learn from one another. This might be one of the most critical roles for IT in this age.

We’ve all got to be better listeners and we’ve got to purposely and actively be listening, watching, reading.

Good stuff.


I think I’ve seen the future and it looked pretty good. We visited Disney World last week and experienced their new Magic Bands.

The band is issued to guests and it is used for several distinct purposes in the park. They are mailed to resort guests in advance or can be picked up upon check-in and they stay with the guest when they leave. It seems that they are mapped to an individual and can or should be used across different visits.

The purposes that I saw include:

  1. Grant access to hotel rooms on the property.
  2. Map park tickets purchased to the band to then allow the wearer to enter the park by presenting the band to a reader. No tickets or other ID required. However, after the band is scanned, they want a fingerprint scan, which is probably used to make sure the same band isn’t used by more than one person on that day. No PIN or other identifier is needed.
  3. Purchases at WDW are completed by having the band scanned and then entering a PIN number. Note that one has to have a credit card mapped to the band in advance to allow such purchases. The purchase requires both the band and the PIN number. The PIN number is set by the wearer when the credit card is loaded.
  4. And, in some places in the park, custom experiences are mapped to the band and that person. In Epcot at the Test Track participants can design a car, then after riding the ride, the performance characteristics for that designed car are graded against others. In short, part of the experience is customized and remembered in the park. The end of this is hard to imagine but I’m sure Disney is on it. The list of possible customization experiences is endless. I would guess this same thing is being done elsewhere or will be soon in the park.

Wearing the band probably lets Disney track where people go in the park and they can do that by age, home, where they are staying, party size, etc. Again, the possibilities of data mining are endless.

The benefit to the park visitor is that you literally do not need to have money or credit cards or room keys to spend time on the property. You can buy souvenirs, food and whatever with the band, it allows you in the park and it opens your hotel door. It is an amazing experience to spend a few days where this is literally all you need.

I’d love to better understand the underlying security model, but I suspect Disney is on it. And, some will be concerned about their privacy as Disney tracks their movements. However, it seems to me that you are choosing to go to the park and you can choose not to go.

Upon leaving at the Orlando airport, I had to go back to credit cards and cash. The woman in front of me buying a drink paid with cash and then walked off with $1 bills falling on the floor. Somehow she didn’t close her wallet correctly. I would have rather paid with the band. I saw another person still wearing his in the airport. Guess he didn’t want to take it off.

Overall, an amazing glimpse into the future. Kudos to Disney for this advance.

Comments welcome.

Simplicity Needed

I’ve been thinking a lot about simplicity lately. The need for simplicity keeps surfacing in front of me over and over again.

We are doing some merger work and anywhere that we have customizations (on either side of the merge) we find that it dramatically increases the difficulty in completing the merge and integration. This complexity translates into slowing things down, which is deadly in today’s business, and it translates into more money (people, time, effort) to complete the integration.


We are replacing some IT systems now and I’m adopting the position that we must use the new system out of the box with only the system configuration options used for customizations. We aren’t going to change anything in the system we are buying. Making this shift takes purpose and focus because there is a huge tendency to make the system behave how you are used to things behaving. I remember putting in an ERP system years ago and the system had 18 ways built-in to do cycle counting of inventory. None of those 18 seemed to work for us. Funny. I said they had to pick one of the 18.

This complexity is one reason why companies tend to orbit around a single ERP vendor and its eco-system and they avoid interfacing to other systems. Any time you integrate with something outside the central core system, that complexity raises its head again. If you are one of the main vendors (that start with an O or an S) then this favors you.

The complexity also surfaces in how you do things with systems. We’ve built an account approval process that in one case requires 8 approvals in the system before a person can get permission to do whatever. 8 approvals! I suspect one could start a war with fewer approvals. But now unwinding this complexity takes work and focus and purpose to achieve.

IT has got to be more vocal about stamping out such complexity. I’ve not done enough.


Rebooting Work

Last year (2012) I attended Dreamforce in San Francisco. As a CIO, I was invited to be part of an executive track of some kind and the first night of the conference, a reception was held at a nearby location. At the reception, I knew just about nobody. Well, nobody. However there was food, music, etc. I walked around for a while, got a drink, then got a plate of food. I looked around and saw someone standing off by themselves with a plate of food. I decided to join him.

Through our conversation, I learned that he was a former CIO and that he was now on the board of His name was Maynard Webb. We proceeded to have a great conversation for about an hour and then we parted ways. During the conversation, I learned he was working on a book which is now out and called Rebooting Work: Transform How You Work in the Age of Entrepreneurship.

In the book he references a time at work where, “Maynard wondered if the people he encountered throughout his life would walk over to say hello or turn and walk away. He then stressed the value of conducting oneself in ways that draw people toward you.” which made me laugh given our encounter and conversation.

The book is about how work is changing and how one needs to be the master of their own career. Things are a-changing.

What does all this—mobile, cloud, social, platforms, and applications—have to do with work and with you? In one word, everything. You can think differently about how and when you work, and you should. Technology, and applications of this technology, will continue to improve and evolve, providing unprecedented, global access to information, individuals, training, and opportunities. But perhaps most important of all, technology provides individuals with unequaled flexibility. You don’t have to be bound to geography anymore, and you don’t have to be tied to one company anymore.

If you are starting out or in the middle of a career, I recommend Maynard’s book to you. It is complete with stories and ideas that just might make a difference.

You can read more about Maynard here.

What is the Cloud?

Listen, I don’t want to start another discussion about the cloud. What is a cloud anyway? However I’ve recently been in two different conversations where someone indicated that they thought everything in corporate IT was the cloud.

It occurs to me that from the point of view of an organization’s staff, where they access all IT services via a browser or a smart device of some kind, that it sure looks like everything is the cloud. Everything is just out there and they aren’t having to install fat clients on their desktops to get things done anymore. It is not unreasonable to start thinking of all the things that IT does as ‘the cloud’ when you have that perspective.

Here are some thoughts on this:

  1. Any conversation that an IT professional has with someone related to the cloud better start with definitions and a common understanding, or starting point. I’ve been in several cloud conversations lately where I’ve realized later that we were talking about different things. I’ve got to get better about starting with a common foundation on these conversations.
  2. I think the cloud is IT related services provisioned via the internet with a pay as you go model. No capital expenses up front and can scale up or scale down based on changing needs by the buyer.
  3. Corporate IT has many legacy applications running on dedicated hardware in private data centers or hosting sites. It looks like the cloud, but it is not the cloud. There are capital costs, upgrade strains and little reuse. Little scaling too.
  4. The cloud is not hosting. It is not contracting with some company where they will just run an application on hardware in their data center and your employees will get access to it over the internet. That is not the cloud. That is just putting the hardware in their data center. Doesn’t matter if it is a pay as you go model or not. This is not the cloud.
  5. I think real cloud applications are multitenant. To really get economies of scale the hardware needs to be shared by many users at the same time. Google Apps are an example where all the people running Gmail or Google Apps are running on shared hardware in Google data centers. This last point everyone won’t agree on, but I think real, scalable cloud-based applications have to be multitenant.

Well, am I getting this wrong? Do you agree with these viewpoints? Or is corporate IT the cloud too?


The Health of the Network

I haven’t thought much about our network in a while. There were times that we used to talk about it all the time and consider uptime, bandwidth utilization and outages as well as network technology transitions. I don’t seem to do that much anymore. I just stopped a series of posts on things for new CIOs to consider and I didn’t even mention anything about the network.

I’m thinking that we’ve gotten to a point that the network availability and its capacity/speed have become like the lights. They simply work all the time (most of the time) and their support has transitioned to the background. We seem to have reached a place where the network is just there.

There is an article in Forbes recently entitled, Thriving with New Technology Starts with a Strong Network, which I think is right.

  • The ‘internet of things’ where we are capturing data everywhere inherently requires us to move the data through the network to a data warehouse or equivalent.
  • Wi-Fi must just work and work well everywhere your people are located.
  • Video and telepresence are taking off and that requires high quality bandwidth.
  • All your messaging solutions need the network to move those messages. Email, chats, alerts, etc.

In short, our network is critical and necessary but our thinking (or mine) has transitioned to the point where it is a utility? Like the lights?

What do you think?