Does IT Matter for Internet and Internet Technologies?

In his article, Nick Carr argues that in the current business environment Information Technology (IT) does not provide any strategic advantage and is merely an operational necessity. He equates IT to a commodity much like electricity and mainly talks about IT infrastructure becoming a commodity. Let’s explore this in the context of the Internet and Internet technologies:

The Internet:

The Internet is a network of networks that connects varied computers via switches to allow transmission of data across multiple networks using Internet protocols. Popular uses of the Internet include email, instant messaging, and browsing the World Wide Web (WWW), to name a few. In today’s society, the Internet has become an important tool for individuals and organizations to conduct their business. The use of the Internet seems to have become so ubiquitous that individuals and organizations don’t even think about it and assume it to be always available, but does that mean the Internet has become a commodity? In this context, I would agree with Nick that the Internet has now become very similar to a commodity, since we are all accessing the same Internet despite the mediums by which we access it.

Internet Technologies:

Internet technologies include browsers and search engines that help us navigate the WWW of the Internet. From Nick Carr’s perspective, these Internet Technologies are commodities and do not provide any strategic value. I disagree with this claim and here is why:

  1. Browsers: Currently, browsers are used to browse the WWW and are used internally by organizations to access their corporate systems, such as Enterprise Resource Planning (ERP) and Customer Relationship Management (CRM) systems, via a web interface. Thus, the security and privacy capabilities of these browsers become paramount in safeguarding organizations against malicious attacks. While on the surface these browser issues may seem operational in nature, on closer inspection we can understand their strategic importance. For example, if an organization chooses a browser that has less security than another, then the organization becomes vulnerable to exploits of that browser. These exploits can entail simple hacking attacks or the siphoning of organizational data. So, the selection of a browser is not just an operational activity; I believe it to be a strategic necessity.
  2. Search: A McKinsey report, The Impact of Internet technologies: Search, indicated that web search provides value that includes the creation of new business models. An example of this would be price comparison, where users can compare prices of what they are buying (e.g., airline tickets, hotel rooms, etc.) from various vendors on one website. This price comparison is useful not only for users; corporations could also use it to determine whether they are competitively priced. Since making your organization competitive is also a strategic consideration, search capabilities are important for the organization’s future.

In conclusion, the oversimplification and lack of understanding of how the nuances of technology can affect organizations strategically are not only unsettling but also ill-informed. IT is not just one thing, and saying that it is, and cherry-picking the data to show this, can lead to unintentional consequences.

References:

  1. http://hbr.org/2003/05/it-doesnt-matter/ar/1
  2. http://www.mckinsey.com/~/media/mckinsey/dotcom/client_service/high%20tech/pdfs/impact_of_internet_technologies_search_final2.ashx
  3. http://www.theverge.com/2014/2/25/5431382/the-internet-is-fucked

Target’s Network Breach

Target’s corporate network was breached between November 27th, 2013 and December 15th, 2013, resulting in 110 million credit cards and personal records being stolen. This data breach happened during the busiest days for retailers, between the hours of 10:00am and 6:00pm. When I heard about this data breach in the news, I assumed that the attack was so sophisticated that it might have been difficult for Target to preempt it. But as I started to read articles on the breach, it became clear that although the attack used a combination of social engineering, phishing, and malware techniques, it was not a sophisticated attack.

The articles indicate that intruders obtained stolen login credentials from one of Target’s vendors. This vendor accessed information on Target’s intranet via a portal that was set up for Target’s vendors. Once the intruders were able to get into the network, they were able to access Target’s Point-Of-Sale (POS) payment systems. The intruders were able to install malware on these systems that provided them with consumer information.

From a technology perspective, a few gaps that stand out include:

  • The lack of segmentation of the network to avoid access to payment systems
  • The inability to identify data transfers to an unauthorized File Transfer Protocol (FTP) server
  • The failure to detect that intruders were testing their malware on a few POS systems before they launched a full attack
  • The deliberate ignoring of malware warnings from their internal systems
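As an added illustration (not part of the original post and not drawn from Target’s environment), the first two gaps above can be expressed as checks over network flow records: traffic reaching the POS segment from any other segment, and FTP sessions to servers that are not approved. The segment ranges, the approved FTP server, and the sample flows are all constructed assumptions.

```python
import ipaddress

# Constructed segment plan (assumption): the post names a vendor portal, the
# corporate network and POS systems, but gives no addressing.
SEGMENTS = {
    "vendor_portal": ipaddress.ip_network("10.10.0.0/24"),
    "corporate": ipaddress.ip_network("10.20.0.0/16"),
    "pos": ipaddress.ip_network("10.30.0.0/16"),
}
# Segment pairs allowed to reach POS systems: only POS-internal traffic.
ALLOWED_TO_POS = {("pos", "pos")}
# Approved file-transfer destinations (constructed).
APPROVED_FTP = {ipaddress.ip_address("10.20.5.10")}
FTP_PORTS = {20, 21}

def segment_of(ip):
    """Map an address to its segment name, or 'external' if none matches."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"

def review_flow(flow):
    """Return the findings (possibly none) for a single flow record."""
    src, dst = segment_of(flow["src"]), segment_of(flow["dst"])
    findings = []
    if dst == "pos" and (src, dst) not in ALLOWED_TO_POS:
        findings.append("segmentation: %s -> pos" % src)
    if (flow["dport"] in FTP_PORTS
            and ipaddress.ip_address(flow["dst"]) not in APPROVED_FTP):
        findings.append("ftp: unapproved server %s" % flow["dst"])
    return findings

def review(flows):
    """Flatten findings into (src, dst, finding) tuples, in input order."""
    return [(f["src"], f["dst"], x) for f in flows for x in review_flow(f)]

# Constructed sample flows.
SAMPLE_FLOWS = [
    {"src": "10.10.0.7", "dst": "10.20.1.15", "dport": 443},    # vendor -> portal host
    {"src": "10.10.0.7", "dst": "10.30.4.21", "dport": 445},    # vendor -> POS
    {"src": "10.30.4.21", "dst": "10.30.4.22", "dport": 9100},  # POS -> POS
    {"src": "10.30.4.21", "dst": "10.20.5.10", "dport": 21},    # approved FTP
    {"src": "10.20.8.3", "dst": "203.0.113.50", "dport": 21},   # unapproved FTP
]

if __name__ == "__main__":
    for row in review(SAMPLE_FLOWS):
        print(row)
```

Matching on ports 20 and 21 only catches FTP on its default ports; a transfer moved to another port would need protocol-aware inspection to be seen.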

From a business perspective, a few gaps that stand out include:

  • The data breach was not made public until Brian Krebs (a blogger) broke the news
  • Lack of adherence to security processes and practices
  • Too much reliance on just security certifications

The following figure shows the network and the route intruders took to access Target’s POS systems.

Intruders path used for Target’s breach

From the figure, we can visualize the multiple issues with Target’s network. Although Target cannot be held accountable for vulnerabilities caused by its vendors, it should have considered the potential for exploits arising from its vendors. Since the underlying network was the same, it had to be secure and constantly monitored for system spikes and unusual network traffic activity. What is interesting about this attack is that although a large number of consumer records were stolen, it has not been reported how many corporate accounts were stolen too. Since 54% of businesses are small in the US, I am sure there have been corporate accounts that have been compromised as well.

As I have looked at what happened in this case, security is a management issue. In Target’s case, its management failed to see beyond their corporate environment and did not see holistically how the business processes that they put in place could be their downfall. Management also failed to inform the consumer. How long would management have waited to inform consumers? My guess is that if the story had not been leaked, Target management would have conveniently forgotten about it.

In conclusion, there are three broader issues that come to mind: (1) organizations are only as strong as their weakest link, especially when that link is the corporate network; (2) organizations typically provide credit monitoring for a year, assuming that the intruders would only use the exploited information for a year; and (3) consumers are left to fend for themselves during and after the one-year period when their credit scores decline. In short, these data breaches have to be significantly eliminated, since they cause not only loss of reputation but also loss of consumer confidence in an organization’s role as the protector of our data. This is possible not only by credentialing but also by repeatedly checking the various ways systems can be exploited from within and from outside the organization, even if the underlying network is perceived to be secure.

References:

http://www.computerworld.com/s/article/9246074/Target_breach_happened_because_of_a_basic_network_segmentation_error

http://blogs.wsj.com/corporate-intelligence/2013/12/27/targets-data-breach-timeline/

Target_Kill_Chain_Analysis_FINAL.pdf

http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/

http://www.sba.gov/offices/headquarters/ocpl/resources/13493

What should NASDAQ OMX, SEC and Congress do?

Last week, NASDAQ was closed for ~3 hours due to a software/computer glitch. Within 24 hours of this incident, the NASDAQ OMX CEO came on the news explaining what happened. Various news outlets criticized the company for not coming out sooner and informing the general public. On the surface, this incident seems like just a technical glitch and a communication breakdown but there might be deeper issues. Here are some recommendations to address this:

  1. Role of NASDAQ OMX
    • Create backup hot-sites on a different electrical grid
    • Document and test offline scenarios so that markets and exchanges continue to function even if technology infrastructure is affected
    • Have communications SOPs to timely inform the public
    • Upgrade technology infrastructure
  2. Role of SEC
    • Create policies and fines if something like this happens again
    • Create systems that provide real-time monitoring of markets and exchanges
    • Regulate the existence and maintenance of backup hot-sites
    • Regulate the technology infrastructure to check for obsoleteness
  3. Role of Congress
    • Increase the budget of the SEC to create systems that monitor markets and exchanges

5 Factors for Business Transformation

Business transformation entails assessing people, processes, and technologies of the organization in terms of the current state (where the organization is right now) and future state (where the organization wants to be). In these assessments people, processes and technologies are not standalone areas but are part of an integrated and holistic organization. If any of these areas are ignored or not given enough attention then true business transformation is just a pipe dream.

In order to have a holistic understanding of an organization and its broader role in society, there are 5 factors that need to be considered. These factors should have an inward focus and an outward focus. If the organization only has an inward focus then sooner or later it will be taken over by competitors and if the organization only has an outward focus then it will crumble under the weight of its own (mis)management. So, both are necessary. The 5 factors that will determine an organization’s success and longevity are Strategies, Politics, Innovation, Culture, and Execution or simply called The SPICE Factors. It is critical to remember that:

  1. Strategies are to be used as blueprints. They are not shelf-ware.
  2. Politics is a reality and needs to be understood.
  3. Innovation is the lifeline and not only the responsibility of the R&D department.
  4. Culture is the soul. Lip service is not culture but your actions are.
  5. Execution is evolution. Without it you become stagnant.

All of the above need to be measured constantly, managed consistently and reviewed periodically.

SPICE Factors


To the Cloud or Not to the Cloud

It seems like these days most organizations are interested in jumping onto the Cloud Computing bandwagon in one way or another. While there are many reasons why organizations want to move to the Cloud, I believe that optimization of business and technology processes should strongly be considered Pre-Cloud adoption. Additionally, organizations need to develop strong Key Performance Indicators (KPIs) and Service Level Agreements (SLAs) to measure against the performance of a Cloud vendor and take into consideration the consequences if the KPIs and SLAs are not met. Thus, the thought of improving your organization and inspiration from William Shakespeare’s Hamlet led me to write the following:

To the Cloud or not to the Cloud, that is the question:
Whether ‘tis nobler in the mind to suffer at the hands of IT
The processes and systems of extreme complexity
Or to take the decision to outsource against a sea of issues
And by opposing end them: to completely, to partially
No more; and by partially, to say we end
The headache, and the thousand business challenges
That implementation is heir to? ‘tis a consummation
Devoutly to be wished. To completely to partially,
To partially, perchance to dream; aye, there’s the rub,
For completely what new issues may arise
When the organization has shuffled off this essential support,
Must give us pause. There’s the respect
That makes calamity of a vendor’s contract;
For who would bear the disruptions and problems of time,
Is the management wrong, the proud man’s contumely,
The pangs of despised mind, the compliance delay,
The insolence of office and the rejection
That patient merit of the unworthy takes,
When he himself might his demise make
With outdated processes? Who would governance bear,
To complain and sweat under sub-standard operations,
But that the dread of something after completely,
The undiscovered lessons learned, from whose goal
No professional return, puzzles the will,
And makes us rather bear those problems we have,
Than ask to other that we know not of.
The conscience does make ignorant of us all,
And thus the native hue of resolution
Is sicklied o’er, with the pale cast of thought,
And enterprises of great pitch and moment,
With this regard their thoughts turn awry,
And lose the name of action. Soft you now,
The fair (insert company name here), in thy orisons
Be all my decisions remembered.

Cloud Adoption

 
