Planning and Execution are the two key disciplines in IT. We plan deployments and then we execute those plans.  During the holiday season these activities take a twist in many non-retail companies.  The only project “executions” that occur are the ones scheduled specifically for the slowest business cycle. All non-essential deployments are postponed due to year-end change freezes. However, in many companies, the Holiday season is the perfect time for IT Leaders to get their Roadmaps refined or developed.

In North America the Holiday season officially kicks off with Thanksgiving Day which is held the last Thursday of November. This is when things begin to slow down and continue to get slower and slower the closer Christmas Day approaches. Many non-retail businesses shut down altogether the week of Christmas. This is the time many employees take vacation, take longer lunch breaks to shop and many are at work but shopping online. Anyone who tries to get work done during the holiday season knows how difficult it is to make contact with fellow employees, vendors or sales reps. If they are not out of the office on vacation, they are out of the office otherwise.

For IT, the holiday season presents a change in attitude and deliverables. There is a moratorium for most project activity.  Only critical systems (those that cannot be shut down for long periods of time) are scheduled for upgrades or maintenance during the long Christmas Holiday. As the Holiday approaches, these project plans have been finalized and they are preparing for the execution of their critical projects.

For non critical projects implementation during the holiday season is almost impossible. Most non-retail companies have a system “change freeze” enacted during this time of the year. No changes are permitted to the infrastructure unless they are emergency changes. This it to ensure no changes are made that can inadvertently disrupt the systems during the critical year-end closure of the financial records. i.e. closing the books.

Since most employees are distracted with office parties, gift giving and other holiday festivities, IT leadership has two options, throw up their hands and count the holiday season as lost productivity, or they can engage in some productive activity such as assessment and planning for their IT organization. Ironically, the slow time for non-retail business is also the slow time for Technology Advisors and Consultants. There is no better time than the holiday season to engage your outside technology experts. Sit down with them and discuss what new and emerging technology is available to help your company. If you don’t have a Technology Roadmap, they can help you put one together. If you have one, they can help you refine it based on current trends, technologies and best practices.

As the Holiday season kicks into gear you don’t have to spend another season unproductive.  These next week’s can become the most productive time of the year as you develop and/or refine your direction for the upcoming year.

Merry Christmas and Happy Holidays to all.

The CBS Evening news recently broadcast a story called “Copy Machines a Security Risk?” The information presented in the story was alarming to say the least but CBS only scratched the surface of the story. For companies who rely on securing confidential and proprietary information from competitors or hackers, there’s much more you need to know about the inconspicuous digital copier. In this article we’ll look at five areas where confidential information may be compromised.

If you haven’t seen the CBS story please click on this link and view the five minute broadcast before you continue with this article.
www.cbsnews.com/video/watch/?id=6412572n&tag=api

In addition to the risks presented by the CBS story here are 5 additional areas where copiers can compromise your security.

1. Many digital copiers are also network printers that store network information such as IP addresses, subnet masks and gateway IP’s. These settings are not stored on the hard drive and are not cleared by the digital copier “Purge” feature. Network settings must be manually cleared. Security experts will tell you to keep your network configuration private. You don’t want competitors or hackers to know your internal network configuration. The more information about your network infrastructure that’s accessible to hackers the less they have to figure out on their own and the sooner they can compromise your network.

2. Many digital copiers store the IP addresses of your DNS servers and/or Domain controllers. Depending on the type and model of your copier, this information may not be cleared by your copier “purge” function. You definitely don’t want competitors or hackers knowing the IP addresses of your Name Servers or Domain Controllers.

3. Many digital copiers store email addresses and some even download your entire Email Global Address List to the copier. Again, you don’t want this to be accessible to those outside your company.

4. The “purge” function used by older digital copy machines doesn’t delete any data from the copier hard drive. It only renders the data inaccessible to the copier software. It either deletes a file we techies would call a “file allocation table” or it will use other tactics to render the data unreadable to the copier software. The “Purge” button merely gives an allusion the disk has been cleaned. However, the data is still there and can be removed as shown on the CBS story. Most copier security policies rely on this built-in Purge function and think their data is cleared. It is not cleared. It can still be accessed with free scanning tools available on the internet.

5. If your copier has a fax capability, the copier also stores all the phone numbers it dialed and numbers that dialed it along with any information you provided in your Fax phone book. Again, the “Purge” function will not clear this information.

One of the biggest obstacles surrounding this whole issue of Copier Security is the apathy and ignorance of the manufacturers. Most copier technicians today still believe the built-in Purge function deletes all information on the copier. To make matters worse, most copier technicians don’t know where the different type of information is stored. Some data is stored on the hard drive, some data in flash memory, and some data is stored in firmware. Sensitive information is stored in different places depending on the manufacturer and model of copier. Just when you think it can’t get worse. Let me drop the final shoe. There are no utilities that will scan a copier and certify that it has been completely purged for older digital copy machines.

As I mentioned earlier, this CBS news story only scratched the surface of the real risks associated with digital Copier Security. The Copier Security pioneers who were interviewed in the CBS story, Digital Copier Security inc., have done extensive research on these security risks and are working to provide services and resources to help companies thoroughly purge their older copy machines. I applaud Digital Copier Security for bringing this issue to the attention of Corporate America and for working diligently to address this significant security hole.

I encourage the Copier industry to take responsibility for ensuring new copiers have the capability to purge themselves of all sensitive information and to provide a certification report indicating what has been purged. This should be a standard feature on all Digital Copiers and not an add-on feature that comes at an additional cost. Additionally copier technicians should be trained to thoroughly purge all Digital Copiers.

Until such a time, Corporate America must take necessary steps to ensure their own safety. They must ensure they are not exposing themselves to unnecessary security risks or even breaking Privacy Laws. Digital copiers must have processes defined (and documented) that ensure appropriate actions are taken before copiers are released to third parties.

As discussed in the previous articles, the IT industry is faced with three major challenges; Legacy IT Paradigms and Copier Data Security and this articles topic. What makes these so significant is they are not on the radar of most companies. In this report I will address the third challenge we, as an industry, are threatened by, IT Workload Management. Although I can’t provide answers, my hope for this article is to expose the issues and launch a dialogue within the IT community.

Killing the IT Geese who lay the Golden Eggs

As an industry we must change course on our attitudes and behaviors towards IT Staff. Companies have come to expect, and even demand their IT staff work excessive hours. Please don’t shoot the messenger here. Everyone sees the excessive hours IT staff works and how little time-off or added compensation is provided. I understand that Leaders intend to give their employees time off but there’s just too much work to be done. And that’s the point. “There’s too much work for your staff to do!” If your staff is working excessive hours then you need to either improve your organizations efficiency or add more staff.

When IT staff is overworked they spend too much time fixing mistakes and not enough time on productive (value add) activities.

I challenge you to test what I’m saying. Ask your staff to document the number of hours they spend fixing mistakes; their own or other’s mistakes, and how much time they work on value add activities. I can provide numerous stories of overwork staff spending 50% of their time correcting problems caused by human error. This is not how you want your staff spending their time. This is not how successful companies spend their compensation dollars.

I have seen many good, quality, IT staff who have quit their jobs or are on the verge of quitting because they can’t keep up with the demands placed on them. To add salt to the wound, I know of a technology company who cut their employee’s salary this past year. Not because the company was losing money but because the company had not made “enough” money to appease the market analysts. Since they couldn’t “earn” the revenues they just lowered everyone’s salary.

My observation is that, industry-wide, IT staff is being taken advantage of. Because of this, it’s getting harder and harder to find IT employees who are loyal to their employers. I recently saw an employee survey report showing the following results;
- Thirty percent of Technical employees wouldn’t hesitate to leave if offered a comparable job elsewhere.
- Forty percent were neutral. As I interpret neutral, it means employees are not actively looking for another job but they can easily be convinced to leave should an offer be presented.

Only thirty percent would stay with their company if a comparable job were offered elsewhere.

When I started in the Technology industry almost 30 years ago, the Tech industry was the premier industry to work in. It was a reputable industry where people wanted to work. Not anymore. More and more I find Technical employees who are re-skilling and pursuing new careers outside the Tech industry. We’ve become an industry where too many experienced, quality, professionals are determined to leave. What was once a reputable profession has been relegated to one step above “blue-collar” labor.

If we as an industry don’t take action to reduce employee workloads I fear there will be catastrophic consequence which will severely impact businesses everywhere. Not only will the industry experience a shortage of high quality IT professionals but I see three additional possible consequences. First, politicians may enact legislation to further protect worker’s rights. Secondly, class action lawsuits may be brought against employers by current and former IT professionals. Thirdly: the potential rise of IT Unions.

Right now employers have the opportunity to turn the tide of their own initiative. But if employers continue down this road I fear they will suffer catastrophic consequences. Consequences that will severely damage their companies reputations and financial viability…and in the process they’ll continue to kill the geese who lay their golden eggs. As I mentioned earlier, my intent is to open the door to further dialogue. Let us consider the door now wide open. I encourage you to propose your ideas and join me in a discussion on this topic at http://groups.google.com/group/itanswers4u

As we launch into 2010, the IT industry is faced with three major challenges. What makes these so significant is they are not on the radar of most companies. In this report I will address the second challenge we, as an industry, have ignored. Although I can’t provide answers, my hope for these articles is to expose the issues and launch a dialogue within the IT community as we search for answers.

Your Digital Copy Machine can’t keep secrets

You’ll never guess who’s walking out your front door with confidential data. Yes, it’s the guy who leases you your copy machine. When digital copy machines are replaced or come off lease they are wheeled out your front door with a disk-full of images that were printed, scanned, copied or faxed.

Digital copiers can’t erase their hard drive so, at the end of their lease, gigabytes of images inside the copier are wheeled out your front door. Newer copy machines can only make the data unreadable to the copier itself but your data is still on the disk! If you have a network connected digital copier, additional information is retained on the copier such as IP addresses, DNS server IP addresses, Email addresses, etc.

A company called Digital Copier Security Inc (DCSI) is a pioneer in raising awareness to this security hole which exists at most companies. DCSI claims they have obtained “off lease” copy machines where they scanned the hard drives with proprietary utilities and have recovered thousands of pages of documents fully intact. Here are some examples of what they’ve recovered.

• A complete home refinance application including applicant’s full name, SSN, current employer, previous employers, bank account numbers, etc.
• A Spreadsheet showing employee names and company issued credit card numbers.
• Full Tax Returns
• Confidential Medical records
• Confidential Executive Business Reports
• Over 20,000 documents were recovered from just one hard drive

You would never let a vendor walk out of your data center with a hard drive that is not scrubbed, but yet it is done every day with digital copiers.

Don’t even think about removing the hard drive before releasing the copy machine, doing so would make the copier unusable and void your lease agreement. You would become liable for the complete cost of the copy machine. Don’t expect the copy machine technician to purge the device; they don’t have the technical knowledge of where all your information is stored, or how to purge it. Most technicians believe the copier is purged when the scans are no longer visible to the display, don’t accept their ignorance. Also, don’t think you can push the purging responsibility onto the leasing company as I guarantee your lease agreement doesn’t require them to provide this service.

This is one of corporate America’s biggest risks, yet I haven’t found any company with security policies addressing digital copiers. Most end of lease copiers are sold overseas where recipients of these copiers (and your data) are not subject to US laws.

Do you know who has your old digital copy machine and all your data on its hard drive?

How many digital copy machines do you have that are ready to go off lease? How will you ensure your data doesn’t go off site with the copy machine? How will you ensure your competitors or hackers won’t get their hands on your data through your old copier? Are you at risk of lawsuits from employees or vendors that use your copy machines? This is a security issue we cannot ignore, and it’s an issue without an easy solution. The options available are limited and can be very expensive for companies with multiple copiers. DCSI provides a certified disk scrubbing service. Another option is to purchase a “Security Kit” which is expensive and very inconvenient. Most companies disable the kits over the course of time because they are so troublesome. For more information about the subject of Digital Copier Security visit the website of DCSI at www.Copiersecurity.com. (I am not affiliated with this company).

If you still are not convinced this is a major security issue, take a look at the following news video done by an investigative reporter. http://www.cbs13.com/video/?id=67643@kovr.dayport.com

If your company is regulated by SOX, GLB, HIPAA, FERPA or FTC Red Flags, a breach can be construed once your digital copier leaves your possession and control. Considering the costs of fines, penalties, sanctions, public notification, credit monitoring and damage to a corporate image, careful purging of these machines should be a top priority for every company.

As you can see from this series, IT has three pressing challenges; Old paradigms that cripple businesses, digital copier security and our “part 3” topic in the final article of the series. These challenges are easily ignored and have been to this day. However, ignoring these challenges only puts your business at continued risk of pending crisis. In 2010 we must take steps to limit our exposure with answers to these challenges. As I mentioned earlier, my intent is to open the door to further dialogue. Let us consider the door now wide open. I encourage you to propose your ideas and join me in a discussion on this topic at http://groups.google.com/group/itanswers4u

As we launch into 2010, the IT industry is faced with three major challenges. What makes these so significant is they are not on the radar of most companies. In this report I will address the first challenge that we as an industry have ignored. Although I can’t provide answers, my hope for this article is to expose the issues and launch a dialogue within the IT community as we search for answers.

This is not your Father’s IT

The first challenge I call “Your Father’s IT”, or better yet, “Your Grandfather’s IT”
We live in an age where technology is advancing at phenomenal rates. However, companies are slow to adopt these new technologies. The biggest reason is quite simply, legacy IT staff doesn’t know what to do with them! They are stuck in old IT paradigms and can’t see how their IT world could be improved with new technologies.

Old IT paradigms are the biggest obstacle to capitalizing on new technologies

In order to adopt new technologies IT has to think outside the legacy IT box. They have to be willing to redefine what IT can become. Let’s look at IT Consumerization as an example; Consumerization is the ability for business professionals to use their personal smart phones and other smart devices at their workplace. Today, the “Your Fathers IT” reaction is “No Way! This technology is a security risk and cannot be allowed into the workplace”. However, organizations with “New IT” paradigms will look at the new capabilities and determine how (or if) the devices can make their company more competitive. If so, they will find ways to secure the technology and make it work for them. I’m not suggesting all new technologies be implemented. I’m suggesting the IT industry gravitate to a new paradigm; a mindset that is determined to evaluate how new technologies will, or won’t, benefit their business.

Today, legacy “Your Father’s IT” waits until the technology is released and the bugs worked out. Eventually they evaluate the technology then fund and finally implement. I’ve seen this process take up to twenty four months. That’s two years without the business benefits offered by the technology. This mindset can cost a company millions of dollars over that twenty four month period. Imagine your competitors reaping the cost benefits and efficiencies of new technologies while your legacy IT is stuck in a wait and see mode of operation.

Companies who have adopted the “New IT” paradigm will be delivering value propositions to the business before new technologies are formally released. Successful companies won’t wait to deploy new technologies until current technology reaches end of life. They’ll do it when there’s a compelling business case to do so.

So how does a company break out of the legacy IT paradigm? How do they change their current mode of operation? Can a company teach their Legacy IT new tricks? Can a company’s culture adapt to a “New IT” paradigm without external pressures? What can push a company out of its “Old IT” patterns that are so comfortable today? I am convinced that if companies do not adapt to “New IT” paradigms they will not survive the next decade. However, changing paradigms and corporate cultures can be an impossible task. One doesn’t merely decide one day that their IT will think and behave differently from now on.

This challenge is easily ignored and has been for years. However, ignoring this challenge only puts your business at continued risk of becoming obsolete and uncompetitive. In 2010 we must take steps to limit our exposure to this and the next two challenges I’ll discuss in upcoming reports. If your company is going to survive the next decade you have to come up with answers to these challenges. As I mentioned earlier, my intent is to open the door to further dialogue. Let us consider the door wide open. I encourage you to propose your ideas and join me in a discussion on this topic at
http://groups.google.com/group/itanswers4u

We have seen extraordinary changes in IT over the past three decades. During this time we’ve seen new technologies and new IT strategies develop and mature. As we approach 2010 I’d like to share my predictions for the next generation of IT. Some companies have already awoken to see their new IT future but mostly IT organizations are still wrestling with the nightmares of past and present strategies. I hope this article will awaken more companies to the new world at their doorsteps and rethink their IT ways of the past, present and future.

Up until the 1980’s we experienced the era of mainframe exclusivity where strict controls and IT disciplines were the norm. This era limited us to mainframe reports as our exclusive medium for information. Custom report requests took weeks and months to deliver because of the sheer number of requests. There was a hunger within corporations for information: information to help guide decisions. But the mainframe reports only teased the taste buds of information hungry business leaders.

The 80’s

This hunger led to the explosion of distributed computing of the 80’s. I use distributed computing in a very broad sense here to include all distributed systems of the time including midrange (Unix), Wintel (Novel, PC LAN) and desktop PC’s (DOS, Windows 386). A multitude of others have sprung up since these “pioneering” systems were introduced and are included in this category. In this decade smaller departments took their standard mainframe reports and imported them into their own distributed systems and created their own customized data stores…with customized reporting. These new “distributed” systems sprung up throughout the enterprise. Different systems in different locations: all creating storehouses of information…all using different operating systems and different databases and different applications that didn’t talk with each other.

The 90’s

In the early 90’s corporations realized for the first time that with all these departments running their own distributed systems they lost track of how much was being spent on IT. Each department had their IT cost buried in their own departmental budgets. In these distributed environments many IT support staff performed dual roles. We saw Accounting clerks performing systems administration functions and tech savvy clerks become the informal help desk that department users called when help was needed.

By the mid 90’s we saw a major effort in corporations to centralize their IT functions into one IT organization. This was the only way corporations could regain their grasp of their total IT spending. Through this IT Centralization effort, departments once again lost control of their systems, data and most importantly, their information. Central IT became the Technology Police telling departments what information they could have and what they couldn’t.

The new Centralized IT’s of the 90’s had several challenges. Their charter: provide the whole enterprise with IT support within a set budget. Within these new centralized IT organizations many questions had to be answered. Should the new Centralized IT force departments to surrender their systems and technical staff or should incentives be provided for them to comply? What services should the Centralized IT provide? Everything the departments needed or wanted or only pre-defined services? How would Centralized IT services be funded? Will the departments pay by user or will it be a corporate expense? How should IT projects be funded, by the requesting organization or a Centralized IT budget? Consequently every corporation wrestled through these questions and came up with different IT models.

The New Millenium

When the 2000’s rolled around we saw IT formalizing on best practices. These practices developed around a set of basic services provided across most system types such as Hardware/Software Standards, system updates/upgrades, tape backups, off-site storage, help desk services, Change Control, etc. These base services evolved from efforts to trim down IT overhead. In the 2000’s Outsourcing of data center operations became more plausible as companies sought additional cost reductions. During this period the phrase “managing your mess for less” became the unofficial mantra for IT Outsourcing who took over the mess Centralized IT created and charged a lower rate for delivering the same basic services.

By 2005 we heard a new battle cry to lower costs even further. Enter the age of “off-shoring”. IT providers heeded the call for lower rates by delivering services with low-cost overseas resources. If the early 2000’s mantra was “your mess for less”, the mid 2000’s mantra was “your mess for even less”

2010 and Beyond

As we embark on the next decade of 2010, IT leaders will awaken to a new day where they realize “your mess for even less” still costs too much! Their new mantra will be “why are we living with this mess in the first place?” IT leadership will stop and evaluate why they are providing the services they are providing? Why are they backing up everything at each site to tape and sending it to off-site storage as if everything at remote sites is critical information? Why are they backing up everything at their data centers to tape when the only things that must go to tape are critical records for archiving? What low-value services are they providing that don’t need to be performed? Over the next decade IT will redefine themselves and eliminate their mess altogether.

In 2010, IT Organizations will restructure themselves around three strategies. First, IT will fine tune the services they offer. For example, they will provide full services to critical systems/data only and they will tolerate longer outages on non-critical systems. They will change their approach to backups and incorporate temporary disk storage as a replacement for tape backups for non-critical systems, particularly in remote branch offices. IT will surgically eliminate all “low value” services on a “system by system” basis. They will provide services only where needed.

Secondly, IT will outsource their basic services such as helpdesk and systems administration to IT providers who will deliver those services for a fraction of their own costs. Thirdly, IT leaders will redirect their focus from providing generic IT services to providing essential technologies that key business groups need to grow the business. IT will transition from being cost centers/overhead to revenue enablers. IT once and for all will get rid of “their mess” and transform into a true business partner.

In 2010 the new IT Organization will put less emphasis on system specific technical skills and more towards senior technology professionals who can generate business value by incorporating technologies. By the end of the next decade IT organizations will consist of high-end technical resources that design business specific solutions across multiple frameworks. They will have diverse, multi-platform, solution designers with a handful of implementers and system administrators.

Over the past three decades we saw IT evolve from Mainframes to Distributed Computing. We saw IT Functions sprawl as companies moved to Distributed Computing. We saw IT make full circle by Centralizing IT to include both Mainframe and Distributed Computing. We saw Centralized IT  mature into a service model and Outsourcing it’s operational services. In the next decade, we’ll see IT transform “their mess” to “no mess” revenue enablers. Instead of being viewed by business units as the obstacle to overcome, IT will become the “go-to” team that enables business units to reach their revenue goals.

How do you cut $7 Million from your IT budget? The same way you eat an elephant, one bite at a time. After 20 years of helping companies manage their Infrastructure Technology (IT), I’ve seen too many companies go into paralysis when faced with major cost cutting opportunities. Most will tackle the low hanging fruit, but once that’s achieved and only the “large effort” cost savings opportunities remain, paralysis sets in. I’d like to challenge businesses to take a long-term approach to cost reductions instead of the quick and dirty cost cutting I see so often. By taking a long term approach you are able to injects controls over technology spending and ensures maximum returns on your IT dollars.

Let’s look at a real life example of how this can be done using server consolidations as our example. The low hanging fruit many companies embrace is to consolidate servers using two basic strategies. Consolidating small applications onto single, departmental servers without implementing any type of virtualization. (Yes, some small applications will play nicely on shared departmental servers). The second strategy is to implement virtualization where high-end servers are deployed and software is installed on them allowing the hardware to be carved out into smaller “virtual” servers. This enables one large server to be used more efficiently than several small servers. Each virtual server configuration is allocated based on application demand instead of hardware configurations established by server vendors. Both of these approaches can be done with relative simplicity and minimal effort resulting in tremendous cost savings.

There is a third consolidation strategy that is where most companies experience paralysis. It is the most complex and the most avoided approach to consolidation; that is Application Rationalization. Many companies have grown through mergers and acquisitions, others companies have operated for eons without a centralized IT department and consequently many businesses operate duplicate or “like” applications throughout their enterprise. Take a look around your organization and see if you have two or more of these types of applications running;

• Financial applications – Are different business units or remote sites using their own financial applications?
• Document Tracking (Imaging) systems – Do you have Engineering units at different locations using different vendor’s products to develop and track their Engineering documents?
• Manufacturing systems – Do you have more than one manufacturing site and do they use corporate “Enterprise class” systems or do they have their own flavors?
• Time Clock systems – Do you have different time-clock systems at various sites?

The cost and effort to consolidate (or rationalize) applications can be overwhelming. This is where I see companies freeze up like someone staring at their elephant dinner. The typical response I get from IT is “this is going to take years and I don’t have the staff or funding to tackle this large an undertaking”. Wrong! This is where a long-term view comes in to play. A project of this magnitude is done in phases… one bite at a time!

Here are the simple steps to develop your 5 year plan to eliminate excess costs from running duplicate systems in your enterprise.

1. Determine priorities – Pick one application to start with. Identify which application will support your company’s business objectives the most and start there.
2. Develop the budget – Determine what this consolidation project will cost in terms of hardware upgrades, software upgrades, network upgrades and temporary staffing, vendor and/or consulting fees.
3. Determine the return on investment – How much will your company save over the life of the systems. This should be actual dollars in terms of hardware, software, vendor support fees, consultant fees for upgrades, etc over the lifecycle of the system and compare these costs with the projected costs of operating in a consolidated environment. Be sure to compare the additional costs for the enterprise system to support the additional users with the cost of duplicate systems.
4. Formally request funding to leadership – Present the recommendation to Sr. Leadership for funding in next years budget.

When you’re done with steps one through four, repeat the process starting at step one again. Pick the next application to consolidate and go through the same process for the second application. Depending on the size of your organization and the size of the project budgets, senior leadership may choose to fund more than one project at a time.

You now have “year one” of your multi-year plan complete!

Now go back through steps one through four of the remaining environments where you have duplicate applications and develop the rest of your multi-year plan.

There is no reason for companies to live with excessive costs associated with running duplicate applications. There’s also no reason to be frozen by paralysis gaping at the size of their opportunities. By taking a long-term view of technology spending, companies can take their first bite out of their elephant budgets and begin their journey to cost reductions and technology efficiency.