Produce a Business Case Deliverable

In the first part of this series on senior management communication, written for those more comfortable grepping an exception log or tracing through lines of code to find that elusive bug, the conclusion was:

No matter how technically proficient you are in your respective discipline, not investing in effective communication skills will limit your over-all effectiveness in your organization.

In the second part of this series, we used the example of engineer Bob recommending that his company invest some cash and resources in an operating system upgrade. The initial logical conclusion was that a sequence of facts about how awesomely cool the new OS is would convince anyone to make the investment. Yet spewing facts isn’t as compelling as it is to:

Relate the facts and figures to senior management’s goals/vision

To do this, structure a presentation into a story following this sequence:

  1. Describe the Current State including gaps/challenges/issues/problems
  2. Describe the “Optimum” Future State
  3. Describe the Roadmap to get from Current to Future State
  4. Outline the immediate next steps to get started on the Roadmap
  5. Throw anything ancillary or supporting to the above 4 steps in Appendices

In Bob’s case, consider “telling the story” of what ultimately aligns with senior management’s goals/vision in this example context: computing capability at reduced cost.

Using the above sequence as a template for Bob:

1. Current State

  • Number of servers running prior OS, server count over time
  • CPU utilization
  • Maintenance costs (total cost of ownership if it can be computed, support contract costs)
  • Indicators when “bad news” like special support contract costs, etc. show “doing nothing” is a negative
  • Intersection with any other projects that need capabilities provided by your Future State

2. Future State

  • All servers running the new OS, phased in over a timeline
  • CPU utilization
  • Maintenance costs

3. Roadmap

  • Upgrades broken into simple chunks
  • Chunks representing some useful grouping (rather than random)
  • Testing or other functions supporting the upgrade
  • Costs over the duration

4. Next Steps

  • $$$ approved to buy hardware
  • $$$ approved for 2 resources
  • Initial steps within your organization to get a formal project going

5. Appendices

  • Data showing why 2 resources are needed, what happens if you get 1 or zero or 12
  • Any other data, facts, figures around “hot button” issues that might come up like a trend to out-source or in-source work, strategic vendor partnerships, etc.

Your goal in telling this story is to have a compelling deliverable, in the form of your presentation, that conveys to anyone that it would be just plain silly not to execute your roadmap. That “anyone” needs to include both technical and non-technical people. I am certain your technical peers are going to be 110% behind anything that involves implementing new, cool technology. What techie holds the position of “nah, I still want to be a Windows 98 shop”? At the same time, the more holes that can be poked in your analysis, the more likely your great idea is going to get trampled by the masses and not acted upon.

Sure, others might suggest not putting this much effort into a request that “should just stand on its own to support action”. A recent (how timely!) tweet from @rands suggests as much:

And although it might seem highly desirable to be able to convey your technical request in words and have immediate understanding and support, veterans of large corporate IT shops know there is a big, complex organization with overlapping, competing and sometimes contradicting priorities that can easily mount a campaign against your plan. Thus, those quick to dismiss the value of a slide deck deliverable in corporate IT might be missing a critical element of this series: producing a deliverable.

Sure, once you have a deliverable out there, others can still mount a defense. But you also empower your management with a strong case to move in your direction, one that can be forwarded along and forwarded up. The more compelling your story, and the more it stands on its own as a viable business case for a strategic company investment, the more the financial/business minded in IT will be able to comprehend and support your plan.

So, before you write off the value of putting the effort into crafting a story deliverable that compels the non-technical decision makers to act on your plan, consider the alternative: a verbal request to spend money on some cool technology. If you were investing a significant portion of your own money, would you want to buy some cool technology, or act on a strategic technology investment with data-backed returns?

Speaking in the Zone

Recently, @rands posted an article, very timely for me, on what goes through a conference speaker’s mind as he or she is about to get in front of a large audience and give a presentation. Everyone who presents at a technology conference, no matter how frequent a speaker, probably goes through the same thought process I found myself going through when I recently presented at a technology security conference. For fun, I’ve sequenced that thought process below:

Topic Submission/Call for Papers

Did I have a compelling enough topic that I will get selected?

Do I seem credible enough as a presenter in the first place?

The submission forms are usually well structured, but since the selection process is usually blind to the submitter, you really have no idea what the selection committee is prioritizing for topics and speakers. You may think you have the most brilliant topic but unless you have an inside source, you are completely at the mercy of the selection committee.

Speaker Acceptance

Awesome, I’m going to get to present!

Holy cow, I have to put together a presentation!

It is quite exciting to find that a topic you proposed actually has enough merit for some folks, who are poring through submission form after submission form, to actually select it. It is also a nice boost to your ego that you and your topic are compelling enough for a conference presentation time slot. This excitement is quickly followed by the immediate realization that you have only just started this very public commitment. You need to pull together a compelling presentation to justify the honor of being selected to speak. I would be fibbing if I skipped mentioning the slight panic that follows the boosted-ego moment, when you realize you are going to have to actually give this presentation.

Presentation Submission

Geez, did I get everything I needed into the presentation?

Did I spell check everything?

Did I even come close to what I originally proposed that got me selected?

No matter whether you start your presentation before you get the official selection notification or procrastinate until the night before your slides need to be submitted, there is still a moment of panic immediately following your presentation submission. Just after you hit “send”, you wonder if you really got everything just right. Sure, in a moment of panic you can beg and plead with the receiver of all speaker materials to replace your original submission with a last-minute revision, but do you really want to annoy the masters of the conference agenda? They could put you right after lunch on the last day. That slot is probably one of the most challenging, given you have the entire conference to sweat about your pending public speaking, including the very real concern that very few conference stragglers will actually come back to your session after that last lunch, with planes to catch and general conference fatigue in full effect.

Tip: I have found that starting immediately on your presentation and then leaving a few days prior to submission to make final corrections works best for me. In between, I make it a point to ensure I have a few days to completely ignore the presentation altogether. I am amazed, when I pick it back up after that break, at how many “What was I thinking; this doesn’t make any sense” review moments I encounter.

Conference Start

I have plenty of days/hours. I’ll survey the room, take in a few sessions and size up my peers.

I still have a few hours; I’ll find a quiet spot and skim my notes.

Holy cow, I’m speaking in 10 minutes. Where did the time go?

It seems time both slows down and speeds up. Sitting in sessions makes you wonder if you have prepared enough. Reviewing your notes with tons of time remaining becomes a struggle to focus. Lastly, you find all the time you thought you had just zoomed by and your session is about to start.

Waiting to be Introduced

I am totally going to bomb.

Someone is going to throw me off track with an unexpected zinger question.

Why did I submit this topic in the first place? I could be sitting in one of those attendee chairs just zoning out right now.

Speaking in the Zone

In hindsight, I always wonder why I was stressed out at all. For me, once I get started speaking, the process of giving the actual presentation just flows out smoothly. In volunteering to present on topics that I’ve researched and have actual experience with, I am reminded that I really do have some solid knowledge of what I am presenting. “Zinger” questions are an opportunity to have a healthy exchange with the audience in a way that breaks up the sometimes methodical bullet-point-by-bullet-point nature of the slides.

All that stress evaporates as the session comes to an end, replaced with a deep sense of a job well done. Feedback, of course, is the ultimate verifier of a good presentation. Most recently, someone came up to me at the conclusion of my session with:

“Great presentation. It was the only session worthwhile out of all I attended today.”

That one comment made all the hours of work and stress prior completely worth it … and I was the last speaker that day.

Speaking at InfoSecSummit 2011

As I mentioned in my previous post, I had the opportunity to present at the 9th annual Information Security Summit 2011. The full title of my presentation was “Identity and Access Management Reference Architecture for Cloud Computing”, and the session just about filled the room with attendees. I was impressed with the turnout, given I was in the last speaking slot on the first day, up against three other speakers with very interesting topics.

For those interested, I’ve placed my slides on SlideShare:

All in all, it was a great conference, attracting mostly local security and audit professionals. Given my tenure in the area, I ran into all kinds of familiar faces going back at least 10+ years. It was great to catch up with all those with whom I’ve crossed paths.

Information Security Summit 2011

For any of those in the Cleveland, Ohio, USA area next week, I’ll be speaking at the 9th annual Information Security Summit 2011 on the topic of Identity Management in “the cloud”. More specifically, the title of the presentation is “Identity and Access Management Reference Architecture for Cloud Computing”, which is in the last slot on the first day of the conference [agenda link]. I believe the Twitter hash tag will be #infosecsummit11, so look for some of my observations and knowledge bits throughout the two-day event. I’ll post my slides on SlideShare shortly after my presentation slot.

If you are in attendance, please stop by and say hello!

Raw technical data won't speak for itself

In the first part of this series on senior management communication, written for those more comfortable grepping an exception log or tracing through lines of code to find that elusive bug, the conclusion was:

No matter how technically proficient you are in your respective discipline, not investing in effective communication skills will limit your over-all effectiveness in your organization.

Thus, if you were following the argument supporting this claim, you appreciate that, ultimately, there are diminishing returns to exclusively honing your technical skills to perfection without investing in your executive communication skills. Your frustration level will continue to rise as you see decision after decision being made against your common technical sense.

You need to assist senior management with data to aid in shifting decision making to include your technical vision.

In being pragmatic, this “shifting” is more analogous to turning the Titanic than a row boat. No fancy PowerPoint deck with brilliant technical strategy in line with corporate objectives and backed by irrefutable financials will guarantee decisions in your favor. There is an element of decision making that involves emotion and just can’t be trumped by reason 100% of the time [evidence].

As an example, a certain executive may favor one vendor over another. No matter how many Forrester Wave or Gartner Magic Quadrant reports you quote touting a vendor’s industry-recognized superior product, a weaker product from a different vendor can still get selected.

I am not saying to give up on collecting data to support your recommendation. But knowing that non-logical factors influence decision making, you can appease your engineering brain to some degree, when rejected, with the notion that you exhausted your resources and produced a compelling business case that stands on its own. Plus, you never know if the next re-org will change the senior management decision ownership. You may very well get a chance to make your pitch again with a new audience that might just have a different emotional dynamic that is more in your favor. And since re-orgs occur more frequently the larger the organization, you might not have to wait very long. I’ve written about corporate IT leadership change before.

So, back to the topic of communication and the first fallacy of executive presentations for the technically proficient:

Raw technical data will speak for itself

Fallacy: If you just put your accumulated knowledge down on paper (or PowerPoint) in a logical, fact based sequence, the recommendation will just speak for itself.

Rarely, if ever, have I observed a senior manager approve a decision based on a spewing of sequential technical facts without any questioning.

Bob: “We need to upgrade to RHEL 6 because it more efficiently uses multiple core processors, reducing overall OS resource consumption by 10% and freeing those resources up for applications to use. Fact, fact, fact, fact … thus give me two people and $200k to start the upgrade process.”

Those may be compelling, industry-proven, lab-test-supported facts indicating that some new technical something is vastly superior to what you currently have and that the company will benefit greatly, maybe even eliminating some current outstanding problems, reducing costs, and curing cancer … but what problem do they solve or opportunity do they create for the senior manager?

Quick clarification: “what problem do they solve or opportunity do they create for the senior manager” is not to be taken as meaning you need to pander to the whims of the senior manager. This statement should be interpreted as: how do all these facts and figures relate to the senior manager’s goals and vision?

Relate the facts and figures to senior management’s goals/vision

One of the best ways I’ve learned to do this is to structure a presentation into a story following this sequence:

  1. Describe the Current State including gaps/challenges/issues/problems
  2. Describe the Future State
  3. Describe the Roadmap to get from Current to Future State
  4. Outline the immediate next steps to get started on the Roadmap
  5. Throw any ancillary or supporting data for the above 4 steps in Appendices

In the case of Bob’s desire to convince senior management to invest in an operating system upgrade, consider “telling the story” of what ultimately aligns with senior management’s goals/vision in this example context: computing capability at reduced cost.

Keeping with this logical theme of presenting a story that aligns your recommendation with senior management’s goals/vision, the next article in this series will build upon it.

Convincing senior management of technical direction requires new communications skills

As a server administrator, you invested in knowledge associated with configuring operating systems to perform optimally and be able to interrogate error logs to diagnose and report problems efficiently. As a software developer, you sought feedback from code reviews and combed forums and blog posts and (depending on when you were in this role) books to improve your code. In your role, you invested in the technical skills that expanded your ability to deliver solutions within your respective discipline.

Being measured on skill-set attainment wasn’t particularly elusive. Your servers were deployed live and they either performed their needed functions in support of applications and end users, or they crashed after deployment with a flurry of functional issues reported to the helpdesk. Your code either met the functional requirements and was bug free after being tested, or defect reports mounted. There was more direct feedback as to what skill-sets you had mastered and what areas of your respective discipline needed more investment.

Even communicating with your direct manager in these technical roles provided more immediate feedback on your ability to successfully articulate problems, issues and recommendations for improvement, due to the frequent interactions between you and your manager. And from your manager’s perspective, they were tasked with delivering a service and needed you to execute tasks to meet commitments.

But what about communicating to senior management?

In most cases, you are not directly interacting with senior management on a daily or even frequent enough basis to build implicit trust. You can rarely walk blindly into a budget meeting with senior management and say:

“We need to upgrade all the servers to RHEL 6. In order to do that we will need to buy ten new servers at X dollars each for a total of Y dollars now and we will need two more people to build and swap in all those servers. Of course, we’ll need all the applications to test after each server is re-built. And …”

with senior management responding with:

“Sure Bob, let me get out the checkbook …”

It is almost painful to observe a solid technical individual, who hasn’t determined how to effectively communicate a technology need in a format that senior management can more readily absorb, attempt to explain that need to senior management. Equally troubling is seeing a poorly communicated yet real technical need be decided against by senior management based on a weak presentation. You can almost predict the conversation that will happen some number of months later:

“Bob, how come we have to pay this huge support contract on our servers? How come I didn’t know about this earlier?”

“But Sir, I tried to tell you we needed to upgrade our servers before …” This conversation becomes more awkward with each subsequent exchange.

No matter how technically proficient you are in your respective discipline, not investing in effective communication skills will limit your over-all effectiveness in your organization.

So, what steps can one take to make this investment in communication skills? For someone who has focused on learning technology, the shift of focus to learning effective communication skills may seem elusive at first. Thus, consider spinning up a thread in your brain that breaks this down into a logical exercise.

Look for part 2 of this article to dive into some logical steps.

Project sponsor turnover can be handled smoothly

Hallway conversations and whispers in meetings have the grapevine quickly communicating the departure of a highly visible person in the corporation. “Did you hear Bob gave his two week notice?” “Yah, any idea where he is going?” “No, I don’t think he shared that.” “Who is going to lead the big FlimFlam upgrade project now?” “Don’t know that either. It hasn’t been announced. Bob has been it for as long as anyone can remember.” “This could get very messy.”

I was reflecting on my participation in a large, multi-track, multi-phase, multi-year project some time ago. So, safe to say, this was a big project involving substantial change across a variety of technology groups, products and business units. About a third of the way through the project, the day-to-day business sponsor left the organization for an outside opportunity. Since the project was well under way, a third completed, a new sponsor was needed to step in quickly to keep providing direction to all the concurrent work streams.

Executive Leadership Steps In

The executive sponsor immediately started attending the regular program-level status meetings. This provided much-needed leadership, so two big thumbs up for her participation. Instead of everyone looking around the table at each other wondering who was in charge, there was continuity in project leadership.

New Sponsor Arrives

The executive sponsor didn’t waste much time sourcing a new business sponsor for the project. With only a few weeks of drift, a new day-to-day sponsor was at the table. The executive sponsor gave a brief introduction and the new sponsor took charge. Following the introduction, it was clear to everyone that the new sponsor had wasted no time getting up to speed, even though he had no prior knowledge of the project nor subject matter expertise in the goals and objectives of the project itself. The new sponsor had already had meetings with key stakeholders individually.

New Sponsor Sets the Tone

The new sponsor also gave a brief summary of the current state of the project and the major open issues, and summarized the strategic next steps. In summarizing the next steps, the new sponsor established immediate credibility, as the prior sponsor had seemed to be struggling a bit with how to prioritize the cross-functional team’s focus across the in-flight work streams. All in all, in that first formal meeting the new sponsor established a strong confidence that had everyone leaving with a positive sense of enthusiasm that we were all in good hands for the remaining work ahead. The new sponsor clearly set the tone for project success.

So what turned this potentially negative situation into a re-energizer for the project team?

  • Executive leadership presence immediately upon word the current sponsor was leaving the organization.
  • Executive leadership remaining visible and actively engaged through naming the new sponsor.
  • The new sponsor’s strong initial engagement and clear understanding of:
    • Project’s current state
    • Clarity surrounding open issues
    • Ability to articulate next steps.

Has anyone else experienced a positive project sponsor change? What contributed to the success of the leadership switch?

Just code a secure "app" for banking, right?

If you are inundated by the seemingly constant barrage of news about people clamoring to get their hands on the lightest, thinnest, most powerful mobile phone or tablet, you might be wondering: with all of that consumer demand, if my bank even has a mobile application, why can’t I do all the things I already do on-line? Well, I’ve been digging deep into mobile device security capabilities lately and have a good appreciation of why the gap in functionality exists … and for good reason.

I’ve written before about the challenges of delivering banking functionality like moving money around on-line, here and here, with the focus being your now-classic web browser based Internet banking. Fundamentally, the interaction between a web browser and your bank via the Internet is essentially an exchange of text. There isn’t much programmatic logic running on your PC, laptop or even mobile phone/tablet with web browser based banking. Thus, there isn’t much one can do as an attacker except manipulate that text going back and forth. Assuming basic security measures are in place, short of stealing someone’s full credentials, there isn’t much opportunity for a big score for attackers. Of course, there are always exceptions.

So, what makes mobile device security such a big deal; isn’t it just Internet banking from your phone?

In short, a program or “app” that is given to the end user to install and run on their device is a huge difference from a security perspective.

Your initial reaction might be: big deal, just build a secure “app” and off you go!

Well, it seems that “building a secure app” isn’t quite as easy as it should be.

Short of the RIM Blackberry mobile platform, mobile devices are currently being built as 100% consumer-focused devices that enable all functionality easily. RIM has been the market leader in corporate managed mobile devices through their “Blackberry Enterprise Server” or BES software, which you install in your company. It acts as the great security gatekeeper between all managed RIM devices, their configuration and what data they can and can’t access. Lose your Blackberry? The BES software can remotely wipe the phone of anything user- or company-specific the next time the phone is turned on. Want to specify what “apps” can be installed on a Blackberry? Just have the BES software forcibly uninstall “apps” that aren’t on the approved list. To top it off, all communications between the various Blackberries and the BES software are encrypted, without the end user being able to disable it.

This approach, involving communication with a central security provider coupled with stronger on-device data access protections, has made the Blackberry the obvious corporate solution for security-minded companies. It is too bad that RIM hasn’t found a way to enhance their device’s user experience, as all other device platforms appear to be eclipsing RIM in that regard. The flexibility your iPhone, Android, WebOS or Windows device has in allowing end users nearly 100% control over device-level functions means any expectation that a user hasn’t somehow disabled or manipulated something, or even installed malicious software (knowingly or unknowingly), is completely non-existent. Add in “jailbreaking”, where even basic end user constraints are removed from a device, and it is next to impossible to be assured a device is in any configuration baseline, let alone “secure”. Sure, web browsers can have vulnerabilities, as well as malicious plug-ins, malware, etc., but there exist some ways to detect that a user’s “device” has materially changed enough to engage in additional levels of authentication. More on this additional authentication later in this article.

So, what plausible options exist?

First, from a security perspective, if there is no way to completely know a device is “secure” (whatever that means), then one has to assume the device is “un-secure”.

This means one has to expect that any “app” deployed on a phone is completely vulnerable to attack.

Thus, any thought of storing any information, such as a password or even a user name to save typing when logging in to a bank system, is out of the question. Anything that the “app” creates for some security purpose also can’t be trusted. Thus, generating any unique device identifiers or user identifiers needs to be assumed compromisable. Even trying to re-use the current on-line “device profiling” security technique, where unique, seemingly non-changing device attributes (like OS levels, browser versions, video and audio hardware configurations, etc.) are used to link a human to the device accessing their bank data, isn’t available today on mobile devices.

The security concept in “device profiling” is that if you are logging in from a “known” or “registered” device, then there is a stronger likelihood it is the same user, compared to a user that was logging in from a “known” or “registered” device for the last umpteen logins but is now logging in from a new device. In this new-“device” scenario, the ability to ask the user knowledge or challenge questions, or to send an email or SMS message with a one-time password, helps to further determine who the user really is. Mobile devices currently don’t allow “apps” to gather such “device profiling” data from the device. The positive for privacy fans becomes a negative for legitimate users of such device-identifiable information, such as banks.

Data like a device or SIM card serial number, which is not programmatically accessible to marketers or other folks looking to track your device and your whereabouts, is also not available to banks, which could use it to aid in the customer authentication process. Explicit technical discussions confirming this challenge on the Android platform can be found here.

Lastly, the growing/mainstream typical “out of band” mechanisms for authenticating on-line users leverage the user’s mobile device. Need an extra factor to authenticate a user on-line? Send a random 8-digit number as an SMS message to their phone. Then, if the user attempting access on-line can type in that 8-digit number in a reasonable amount of time, it is more likely the user and not someone else. A banking “app” is already running on the user’s phone, so any phone call, email or SMS text message to that user would arrive on their … phone. Thus, so much for that additional useful authentication factor.
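To make the two points above concrete, here is an added example (not the post’s own code, and not any bank’s) of the device-profiling decision: a registered fingerprint skips step-up, an unregistered or unavailable one triggers it, and the decision also records whether the one-time code reaches a device other than the one logging in. The attribute names, the policy and the sample values are constructed for illustration.

```python
# Added example (not the post's own code): the device-profiling step-up
# decision described above, applied to a browser login and to a mobile
# "app" login. Attribute names, the policy and sample values are constructed.
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Decision:
    step_up: bool              # ask challenge questions or send a one-time code
    channel_independent: bool  # the code lands somewhere other than the login device
    reason: str


def fingerprint(attrs: Dict[str, str]) -> str:
    """Hash the seemingly stable device attributes (OS level, browser version,
    video/audio hardware) into one registrable value. Canonical JSON keeps the
    hash independent of attribute ordering."""
    canon = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def decide(registered: Set[str], attrs: Optional[Dict[str, str]],
           login_device: str, otp_device: str) -> Decision:
    """registered: fingerprints recorded from this account's prior logins.
    attrs: profiling attributes gathered for this login, or None when the
    platform does not let the "app" read them (the mobile case in the post).
    login_device / otp_device: where the session runs and where the SMS or
    email one-time code is delivered."""
    independent = login_device != otp_device
    if attrs is None:
        # Nothing links this human to a known device, so it is treated as new.
        return Decision(True, independent, "no profiling data available")
    if fingerprint(attrs) in registered:
        return Decision(False, independent, "known device")
    return Decision(True, independent, "unregistered device")


# Constructed sample: a laptop browser the customer has logged in from before.
LAPTOP = {"os": "sample-os-6.1", "browser": "sample-browser-5.0",
          "video": "sample-gpu", "audio": "sample-audio"}
REGISTERED = {fingerprint(LAPTOP)}


def browser_known_device() -> Decision:
    # Same laptop, same attributes: no step-up needed.
    return decide(REGISTERED, LAPTOP, "laptop", "phone")


def browser_new_device() -> Decision:
    # A browser upgrade changes the fingerprint, so step-up is triggered,
    # and the code still reaches a different device than the one logging in.
    return decide(REGISTERED, dict(LAPTOP, browser="sample-browser-6.0"),
                  "laptop", "phone")


def mobile_app_login() -> Decision:
    # The "app" cannot read profiling attributes, and the SMS code would
    # arrive on the very phone running the "app": step-up, but with no
    # independent channel, which is the gap the post describes.
    return decide(REGISTERED, None, "phone", "phone")


if __name__ == "__main__":
    for case in (browser_known_device, browser_new_device, mobile_app_login):
        print(case.__name__, case())
```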

Thus, with insecure devices running end-user-manipulable applications, and without a strong mechanism to tie a user to their device programmatically, it is going to take significant improvements of some kind in order for the functionality one enjoys interacting with their bank on-line to be matched feature for feature on mobile devices in the near future.

How do you survive without SMART goals in today's Corporate IT?

There are plenty of great resources on the Internet that offer excellent perspectives on management and leadership that can be readily applied by those working in corporate IT. And one would think that with the vast amount of excellent free advice, all managers would excel at their jobs. Alas, today the demands on IT management make readily putting that advice into practice exceedingly challenging. Recently I’ve been contemplating how to best articulate what I feel is the dichotomous role a corporate IT professional has in today’s workplace.

Dichotomous Role:

  1. Deliver on what your manager of the moment expects
  2. Deliver on what your role is expected to deliver to the organization

Why “dichotomous”? More often than not, what your manager expects can be incongruent with what the organization expects.

One might think all you have to do is understand your job description and your department/team/personal goals and objectives, and then go off every day and do your job. And some may be enjoying this straightforward, obvious job function clarity. But for most, I would feel confident in saying that seeking this expectation clarity can consume a significant number of brain cycles every day with varying degrees of success. Frequently, your manager’s expectations differ from what the organization expects. What forces are at play creating this dichotomy, and what can you do to stay sane over time?

Biggest Contributors to Role Dichotomy? Lagging Goals + Manager Shuffling

First, Lagging Goals

I know of no study or statistical evidence to support my claim, but I feel rather confident in saying that the rate of change in IT has increased dramatically in recent years compared to prior ones. Step back and take a sample of recent IT management articles. How many are asking the CIO role to change? How many are saying you have to have a mobile work force, outsource development or leverage “the cloud” or risk falling behind? With all that rapid change, in my opinion, pragmatically, gone are the days of SMART goals. Recently, Pawel Bordzinski posted an article similarly calling SMART goals into question here. Sure, MBA academics and management blog pundits will tout the benefits of clearly articulated goals leading to reports having increased delivery success and improved job satisfaction.

Let me be clear up front; I am not contradicting the sound fundamentals of solid goal setting. But unfortunately, with corporate fiscal cycles starting/ending and thus “trickle down” goals trailing six months or more from the cycle start, the average corporate IT employee is lucky to get written goals if they get any goals at all. In looking back over my last five years I probably can point to only two situations where I actually was given documented goals for my job role. In both cases, the fiscal year had already been underway for a good five or six months before I got those written goals.

Why the lag in goal delivery when all sound management principles suggest timeliness equals improved organizational success? In a phrase:

The current corporate business climate expects IT change at such a rapid rate that lagging goals can’t easily, if at all, keep up with the organizational change and subsequent overlapping vision changes.

These typical corporate IT scenarios may seem extremely similar to many and they help illustrate my point. Consider how established goals would need to be handled in each case:

  1. The company hires a new “chief marketing officer” who has a new chunk of budget to spend on a “mobile strategy”. Suddenly, new IT projects are kicked off to deliver mobile solutions.
  2. An IT Director of the “something” department retires and a new Director is hired from outside the organization. Managers reporting to the previous Director either start reporting to new areas of the organization or start leaving the company. The new Director starts hiring replacement managers from his prior company.

In the first scenario, assuming managers, teams and individuals had goals that reflected pre-CMO priorities, all now have to wind down a bit on what was previously being worked on and wind up on what the new CMO-sponsored projects entail. Sticking to pre-CMO priorities is just not an option. The company clearly has a strategic gap, hence the CMO was hired in the first place. Thus, ignoring the CMO’s “high priority” projects because they don’t fit nicely into previously communicated priorities and goals is effectively ignoring the business needs of the company.

In typical corporate IT fashion, the priority of these new CMO projects has been communicated from the top of the house down, thus the entire IT delivery management structure is trying to figure out how to reshuffle in-flight work in order to accommodate them. The crisis of the moment has shifted from whatever the previous crisis was to the new CMO project delivery crisis. If the company wasn’t strategic enough to see the need for a CMO earlier as new media outlets were creating new demand, what is to say the organization is strategic in addressing new IT project priorities? Lastly, with IT departments cut both in staff and in budget due to the recent recession, what management structure is going to stop and revise all previously documented goals? The demand for flexibility, agility and rapid change makes it next to impossible to cleanly re-write goals as priorities shift.

If the goal setting challenge faced a stagnant organizational chart, then there might be some HR efficiencies all could leverage, but on top of priorities changing, org structures rarely stay static for more than a few months. The second part of this article will dive into what compounds the goal problem for corporate IT employees: rapid organization and management reporting structure changes.




Security teams need a louder voice


Yes, I’m a few weeks late commenting on the long-awaited release of the FFIEC’s updated on-line banking security guidance to US financial institutions, the first major revision since 2005. Of course, every security analyst, blogger, vendor and pundit had to offer some perspective on what the FFIEC presented. One particular analyst, Gartner analyst Avivah Litan, with whom I’ve communicated in person and about whom I’ve blogged before here, is critical of the guidance (here), and in general her critiques are valid from my perspective as she has presented them. One perspective that hasn’t been extolled enough, in my opinion, is the extra push this guidance gives to security folks in the trenches trying to merge good security with product teams trying to push as many new features as possible onto over-stressed IT delivery teams. I’ve described this typical interdependent set of challenges in more detail before here. Lastly, for those that didn’t see the comments on my previous post on the recent pressures on banks to secure the on-line delivery channel, I’ve captured a comment dialog between myself and Jim Woodhill, founder of security company Authentify, that supports the challenges of this cross-team security prioritization effort.

Again, if you are looking for more focused commentary on what the guidance did or didn’t address well, I urge you to read Ms. Litan’s article, or simply Google “2011 ffiec guidance” and you will get a number of results before you see a link to the actual guidance itself. But what the guidance arms the “fight the good fight” security and IT teams with is additional ammunition to be heard louder in the cacophony of voices wrangling through the typical corporate IT on-line product delivery project. So before you get caught up in the groundswell of commentary that the FFIEC didn’t go far enough or didn’t account for this risk or that vulnerability, take some comfort in the fact that the guidance was updated to come closer to reflecting the current multi-channel, multi-threat landscape that wasn’t appreciated back in 2005.

In closing, consider the comment conversation Mr. Woodhill and I had on my previous post on this topic as more evidence that security focused individuals need additional ammunition to wedge themselves into the product set feature and function discussions with a louder voice on baking in more security.

[cut/paste word for word from the commentary]

Jim Woodhill – There is no need for new security startups. The security solutions needed to beat the current-generation commercial-account online banking funds transfer fraud attacks are as much as 12 years old. Taking just two of the security solution layers recommended in most-recently-leaked draft of the FFIEC’s long-awaited 2011, totally out-of-band transaction confirmation and transaction reasonableness analytics, one vendor of the first, Authentify, Inc., was founded in 1998 and one vendor of the second, Guardian Analytics, was founded in 2005. Each has something like a dozen competitors by now. America’s cyber-security problem is one of adoption of long-proven solutions–no innovation required. Just ask Gartner’s Avivah Litan, from whose blog post on the wrongly-decided PATCO Construction vs. People’s United Bank case up in Maine linked to this entry (from a comment you posted to her blog post)–malware-based attacks are a long-beaten problem. (DISCLOSURE: I founded Authentify.)

jfbauer – Jim, you bring up great points in your comment. I should have been more articulate in my closing comments about a potential influx of new technology aimed at trying to position a product that balances stronger security with minimal impact to the on-line customer experience (if such an approach exists). Being a veteran of the last round of FFIEC on-line guidance issuance in 2005 from the financial services (FI) in-house security side, the FI product teams were struggling with just how much change/impact to the on-line experience customers would tolerate. The perception that security is the inverse of convenience was prevalent. The bank that implemented something as significant as out-of-band transaction authentication/authorization where previously not implemented was concerned uneducated/unappreciative customers would revolt and take their banking business to a perceived more “convenient” bank. Plus, the sheer marketing hype and security punditry at the time that fraud was rampant and banks were doomed unless they implemented some crazy, half-baked new security “thang” didn’t help. Much repressed in-house security staff jumped on the hype bandwagon, for it gave them a seat at the table rather than being pushed to the background. Add in traditional bank IT/security budgeting cycles suggesting an unfunded mandate competing with product road maps and in-flight multi-year product project investments, and the pragmatic need for real security enhancement got muted with all this noise. Thus, the device-based authentication trend codified by PassMark and Bank of America seemed to be the safe play for FIs, the middle ground for executive decision making. Device-based authentication suggested: meet the letter of the guidance, minimize the customer experience impact, increase the security toolbox in case this on-line fraud stuff accelerates and contain unfunded mandate expenditure, all in one approach.

I am not saying this was massively strategic thinking on the part of FIs, but given all the noise and emotion surrounding the 2005 FFIEC guidance, it seemed the risk-averse play for banks (given ACH fraud was mired in Reg Z, who has to pay for fraud losses is still being settled in the courts). I had the opportunity to work directly with security technology companies at the time, such as the Arcot and PassMark technical folk, but more so with the Bharosa team of sharp folks assembled by Jon Fisher and Thomas Varghese that provided new security technologies involving rules/risk engines and device-based forensics with built-in integration for out-of-band auth/az services (such as Authentify’s offerings). Hopefully the organizations that were more strategic and invested in these more comprehensive security products will be able to leverage that investment and finally extend into the full transaction out-of-band security space. So maybe one of the current challenges is: does today’s on-line consumer appreciate the security value of out-of-band transactional auth/az and look for it as a market differentiator in bank product selection/use, rather than resist it as onerous/intrusive? Jim, thanks for stopping by and taking the time to share your thoughts. (DISCLAIMER: If my current employer has a relationship with Authentify I am unaware of it, and I am not actively pursuing a relationship with Authentify on behalf of my employer.)

Jim Woodhill – Thanks for taking the time to write such a long and thoughtful response to my post. Even greater thanks for your being one of the few people in your generation who writes clearly without the reading “speed bumps” of errors in English usage! Information security for financial services needs a “terminology transplant”. Strong authentication (e.g., RSA token cards before RSA let hackers steal all their “seeds” <sigh>) was the focus in 2005 because the assumption was that if the online banking server could be certain who logged on, then all transactions done in the session set up at logon time could be trusted. Session hijacking via man-in-the-browser malware has put paid to that happy simplification. Now, if a bank is serious about protecting its depositors’ funds, it will follow the “Krebs Rule” (after the central reporter on the commercial-account online banking funds transfer fraud beat, Brian Krebs of http://www.krebsonsecurity.com/) and employ security solutions that work even if the online banking user’s PC is totally controlled by cyber-criminals. What is needed is for our industry to add “transaction confirmation” to its conversation about online security as a necessary backup to “user authentication”. Transaction confirmation entails communicating the substance of security-critical online requests to the end user by some means independent of the technology with which the transaction was initiated (because it has to assume that the PC/its browser has been compromised) and then accepting his confirmation of that transaction through that same out-of-band means. Of course, transaction confirmation requires a high confidence in the identity of the person doing the confirmation, but there is more to it than that.

> The perception that security is the inverse of convenience was prevalent.

Security is usually antithetical to usability. For example, I find it tremendously convenient to have some of my residences in locations where I never have to lock my door. So the typical question is how much inconvenience to the end users, and also how much cost to the service providers, is justified to stop how large a threat?

> The bank that implemented something as significant as out-of-band transaction authentication/authorization where previously not implemented was concerned uneducated/unappreciative customers would revolt and take their banking business to a perceived more “convenient” bank.

This is the great concern of your typical community banker, at least among those who have even *heard* of cyber-attacks against banking customer accounts. However, security measures can *enhance* customer satisfaction, as Jim Van Dyke, CEO of Javelin Research, presented at the September 22-24, 2010 meeting of the Online Trust and Cybersecurity Forum. According to Javelin’s research, financial services customers prefer to be “touched” out-of-band by their financial services institution occasionally rather than never hearing from it. An example is a phone call to check on the validity of credit card charges. Such “touches” give the customers comfort that their F.I. is on top of things, as long as they are not so frequent as to impair the usability of the service. Authentify’s real-world experience shows that Javelin is right about totally out-of-band transaction confirmation in online banking and the conventional wisdom in the financial services industry is wrong. Of course, this would not be the case if the end user had to take a phone call for every payment he initiated, and taking a voice call just to log on would be beyond the pale. Fortunately, only the addition of a new payee (or employee) and certain very rare account-control transactions (e.g., change of the address on the account) need be “Authentified” (to coin a term <grin>) to prevent theft.

The cyber-crooks cannot make away with a company’s money by sending it to a valid, established payee. They must add new ones – domestic money mules or just accounts they control overseas. For the typical American small- and medium-sized enterprise, the addition of a new payee is a “rare” transaction. For example, in the infamous PlainsCapital Bank vs. Hillary Machinery, Inc. case, Hillary did fewer than one such transaction a *month* during the life of its banking relationship with PlainsCapital. One of the central points in making the trade-off between the dollar cost to the service provider plus the hassle factor for the users vs. the cost of the attacks is that this is a decision about how much *crime* should be allowed, and it is a maxim of public policy that “decisions about crime are always and everywhere political decisions.” This is especially true for a crime like commercial-account online banking funds transfer fraud, where the proceeds are flowing to foreign organized criminal gangs, if not outright enemies of the United States. Thus, only the elected representatives of the people can legitimately decide what should be done. Hence, Avivah’s recruiting me to get this issue before the Congress. (Anyone who has followed her writings on this issue will know what she would like the Congress to do!)

jfbauer – Jim, thanks for the kind words on the effort I’ve put into the level of professionalism in my blog. I appreciate knowing readers find more traditional/formal language enjoyable. “Information security for financial services needs a *terminology transplant*.” I couldn’t agree more with your statement. Upon reading your response, I was wondering if one of the FFIEC, BITS, ABA, FDIC, OCC, NIST or other organizations universally perceived as authoritative in the industry could benefit all involved by establishing a common vernacular that business, product, security, technology and customers could all use to have healthy discussions about on-line fraud. I recall the FFIEC issuing a follow-up glossary-like clarification document, but for some reason it didn’t resonate well, since I can’t even recall any details other than that it didn’t become helpful in the ensuing regulatory compliance morass that was post Q3 2005. Without clear terminology, I believe one of the challenges is the preponderance of terminology thrown around in mixed stakeholder conversations. Security folks tend to throw out obscure domain terms like “cross-site forgery” as if everyone knows the exploit and its impacts. Or worse, in an attempt to confuse others or achieve a level of arrogance that creates barriers to continuing a healthy conversation. Security professionals do themselves a disservice in the enterprise when they conduct themselves in this way. This approach leads to their further frustration when the rest of the organization doesn’t perceive them as open and credible. I always found significant success in being open to being challenged and being open to having real, fact-based not fear-based discussions to arrive at more understood and appreciated security solutions.

With well agreed upon terms, bank product teams could help educate and raise the level of awareness in their customer base, thus calming their own fears that they will be challenged for creating a perceived negative user experience surrounding security features, which leads to your comment: “security measures can *enhance* customer satisfaction”. I do recall the FI I was working at on FFIEC compliance fretting over changing the look/feel of the login process. The FI was adding some “user personalization” changes to match what BofA was doing when they implemented PassMark. Yes, “what is BofA doing? (consumer) or what is Wells doing? (corporate/TM)” was a common theme at this institution among product teams. The fretting reached a high enough level that they felt they needed to preview the proposed changes with customers in a focus group setting. They went to decent length to explain the changes, what the security benefits were and were not (helped with avoiding being phished but didn’t prevent it, etc.). Much to their surprise, and exactly what you described, once the customers were informed of the enhanced security of the changes, they were completely on board. In regards to your position that “Fortunately, only the addition of a new payee (or employee) and certain very rare account-control transactions (e.g., change of the address on the account) need be “Authentified” (to coin a term <grin>) to prevent theft.”, do you/Authentify have any research/published material to help support this? There is a competing approach that suggests that analyzing the transactions themselves for fraudulent or unusual payment patterns/characteristics, coupled with out-of-band confirmation, only inconveniences the user at the extreme minimum yet still stops fraud, compared to confirming more frequently as payees and payee details change.

Of course, this is based on the supposition that on-line customers would make odd payments less frequently than they add/change payee details and (big and) that the FI would have the level of sophistication to determine, quickly, that a particular transaction is abnormal. I just recently ran across Avivah’s articles. I’ll need to spend some time reading her past posts to better understand her position on these topics. I doubt I can, but if there is any way I can assist with your/Avivah’s efforts to educate Congress on the real security needs I will make myself available. Lastly, is Authentify participating in the Gartner Security and Risk Management Summit 2011 (http://www.gartner.com/technology/summits/na/security/)? I would enjoy participating in any Authentify sponsored presentations/events as well as talking with any Authentify individuals at the conference.
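As an added example (not code from either commenter, from Authentify, or from this blog), here is a minimal server-side model of the out-of-band transaction confirmation Mr. Woodhill describes, together with the caveat from the mobile banking post above that an SMS code is only a second factor if it does not land on the device running the session. The code is bound to the substance of the request (so a code confirmed for one payee cannot be reused for another), expires after a window, and locks after repeated wrong entries. The class and function names, the HMAC key, and the sample request are all assumptions constructed for this illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 8          # the 8-digit code described in the mobile banking post
OTP_TTL_SECONDS = 120   # the "reasonable amount of time" window
MAX_ATTEMPTS = 3        # lock the challenge after this many wrong codes


def _canonical(request: dict) -> str:
    """Stable serialisation of the request substance, so the code is bound to it."""
    return "|".join(f"{k}={request[k]}" for k in sorted(request))


def out_of_band_message(request: dict, code: str) -> str:
    """Text sent by SMS or read by voice: the substance of the request, then the code.
    Reading the substance out of band is what lets the user spot a tampered request."""
    fields = ", ".join(f"{k} {request[k]}" for k in sorted(request))
    return f"Confirm request ({fields}) with code {code}. Ignore if you did not make it."


@dataclass
class Challenge:
    digest: bytes          # HMAC(key, code || request); the clear code is never stored
    request: str           # canonical form of the request being confirmed
    delivery_device: str   # device the out-of-band message went to
    issued_at: float
    attempts: int = 0


class TransactionConfirmer:
    """Hypothetical out-of-band confirmation service for security-critical requests
    such as adding a payee. `now` is injectable so expiry can be tested offline."""

    def __init__(self, key: bytes, now=time.time):
        self._key = key
        self._now = now
        self._pending: dict[str, Challenge] = {}

    def _mac(self, code: str, request: str) -> bytes:
        return hmac.new(self._key, (code + "\n" + request).encode(), hashlib.sha256).digest()

    def issue(self, user: str, request: dict, session_device: str, phone_device: str):
        """Create a challenge. Returns (code, independent): `independent` is False when
        the out-of-band channel is the same device as the session, i.e. the second
        factor is not actually out of band (the mobile banking app scenario)."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        canon = _canonical(request)
        self._pending[user] = Challenge(self._mac(code, canon), canon, phone_device, self._now())
        return code, session_device != phone_device

    def verify(self, user: str, request: dict, code: str) -> str:
        """Returns one of: confirmed, bad_code, locked, expired, no_challenge."""
        ch = self._pending.get(user)
        if ch is None:
            return "no_challenge"
        if self._now() - ch.issued_at > OTP_TTL_SECONDS:
            del self._pending[user]
            return "expired"
        ch.attempts += 1
        # Both the code and the request substance must match what was issued:
        # a code obtained for one request does not confirm a different one.
        if hmac.compare_digest(ch.digest, self._mac(code, _canonical(request))):
            del self._pending[user]
            return "confirmed"
        if ch.attempts >= MAX_ATTEMPTS:
            del self._pending[user]
            return "locked"
        return "bad_code"
```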

 
