
Who cares if your IT department moves to the Cloud?  Or doesn’t?  IT has a mandate to provide all of the data processing needs for the organization, and a budget.  IT is full of experts, expensive experts, and they are going to do what is best for us.  Right?  Besides, I don’t really understand it; it’s magic.

If you ask people to describe their IT organization, you get a lot of different answers:

  • Magicians.
  • Idiots.
  • Enablers.
  • Sales prevention.
  • Slow.
  • We have an IT organization?

Often the answer will change from one hour to the next.

When you ask what they mean by, for example, “slow” you often get multiple definitions: the system is slow in responding to my request, IT is slow to make the changes I need to do my job.

To your customers and your partners, your IT organization is like dust on the furniture.  When it is working perfectly, nobody notices and you do not get compliments.  When it fails, everybody notices and nobody is happy and they tell you.  Customers and partners have the means to make that known, often in ways that have bad side effects.  As one example, I will never use AT&T for cell phone coverage.  I explain it to others that it is because Verizon has better coverage in the US.  The real reason is that AT&T customer support is, in my view, far worse than Verizon customer support.  Verizon: do not consider this a compliment.  I had a trivial billing issue.  It took over four months to get resolved, and then only after escalating it and finally threatening to report the issue to the FCC and the Pennsylvania Utilities Commission, which got it escalated one more level.  I got a series of incompetent and not very friendly customer service reps that could not solve the problem, and more importantly thought that I would be happy with “we can’t do that.”  In reality, it was probably some issue with AT&T’s IT environment that made the problem non-fixable.  The end result, AT&T lost a customer that they will never get back.

Who are your IT’s customers: probably everybody in the company, and all of your company’s customers and partners.  A more critical question is, who are your IT’s stakeholders?  These are the heads of the organizations that require a responsive IT to get their job done.  Obviously, this includes the sales and marketing organizations, but also product development and production, HR, legal, and finance.  These heads often have different views on the purpose of IT, and place different, and sometimes contradictory, requirements on IT.  You can usually tell who really controls IT by whom the head of IT reports to. Just like everybody in an organization, the head of IT reacts to how he is rewarded.

If IT reports to the CEO, then it is usually very independent and acts like a black box.  Just give us money and we will give you everything you need, as we see it.

If IT reports to the CIO (Chief Information Officer) or CTO (Chief Technology Officer), then it is usually very technology focused.  It may not jump to the latest technology fad, but it will almost certainly be running on the “best” that it can afford and is periodically updating its infrastructure to stay current with best practices.

If IT reports to the COO (Chief Operating Officer), then it is viewed as another piece of enabling equipment, like a milling machine or a truck.  Cost effective efficiency is what matters.  It has to be barely good enough, and no better, to keep the company going.

If IT reports to the CFO (Chief Financial Officer), then it is usually very business focused.  It is difficult to get anything new without a financial analysis supported by at least the sales and marketing organizations.

Of course, these are just generalizations based on companies I have worked with, and I’m sure your company is different.

In my experience, it has been unusual for IT to report to the CFO.  What is really disturbing to me, however, is that according to research by Saugatuck Technology and others only a minority of financial organizations pay much attention to Cloud adoption in their company.  This can be a real costly problem.  Moving to the Cloud can have substantial financial implications.

  • Reducing total IT infrastructure costs.  While this is usually a good thing, it sometimes leads to …
  • Depreciation problems.  The CFO is not going to be happy if suddenly a lot of capitalized equipment becomes totally obsolete and has to be written off.
  • Moving cap-ex to op-ex (capital expense to operating expense).  Again, this is usually a good thing, but can have serious financial implications for the company.  In most cases, the approval process for cap-ex is significantly different than for op-ex.  CSP contracts can have significant cost and often commit the company over time.

Two years ago in a currently unavailable report, Saugatuck recommended that finance should lead, follow and get out of the way on Cloud projects.

Lead by

  • Working with IT leadership to plan where the Cloud will be used and build the financial model.
  • Establishing and enforcing Cloud procurement standards in cooperation with IT.
  • Developing, with legal, consistent policies and practices for selecting and contracting with cloud service providers.

Follow by allowing IT and business leaders to lead finance into those areas of likely or existing Cloud use.  Without this, finance will not be able to develop the high-level picture of the financial impact of the journey to the Cloud.

Get out of the way by not trying to micro-manage the journey. Leave that to IT.  The key to maintaining control of the Cloud journey but staying out of the daily grind is to manage the relationships with your Cloud partners.

The last word:

When I start a Cloud project, I always start with “why.”  Why are you thinking about moving to the Cloud?  What do you hope to gain by the move?  If my client has not already done so, I strongly encourage them to survey the stakeholders.  What are their issues with IT today?  What do they need from IT tomorrow?  When you lay the requirements out, you often see some interesting mismatches and sometimes contradictions. Take the time to sort them out and determine a consensus set of measurable requirements.

If you do not do this up front, you will pay later in delays and possibly an externally ordered “stop that!”

Keep those stakeholders involved and informed throughout the journey.  Things will change, even those requirements “everybody agreed to.”

Comments solicited.

Keep your sense of humor.

Walt.

The Cloud is not a product; it is a concept.  Unlike say a laptop, there are vast differences in the various Cloud offerings.  It is critical to determine exactly what kind of Cloud implementation you need, and that will likely vary from one application to another.  But even knowing that you need, as an example, a Public Infrastructure as a Service Cloud is not sufficient.  Different Cloud Service Providers (CSPs) offer different flavors of the same type of Cloud.  Sometimes this is deliberate as they try to satisfy a specific market; sometimes that is simply the way they do it.  These differences can be significant.  In a survey by Symantec and the Ponemon Institute, 75% of respondents said that the migration to Cloud Computing in their organization was occurring in a less-than-ideal manner.

Why?  I suspect because companies did not pay enough attention to the details.  Moving to the Cloud is an important business imperative – companies that do not take advantage of the financial and agility benefits of the Cloud will be left behind.  But the Cloud is a new paradigm for IT.  Like all of the other disruptions in the data processing world over the past 50 years, it requires that IT management think differently.  It also requires that IT really understand the requirements.  In many of the organizations I have worked with, these requirements are not really understood and certainly not documented. Therefore, often the hardest part of moving to the Cloud is determining what your requirements really are.  Different workloads will have different requirements.

A while ago I posted a blog about Cloud Requirements that discussed the key requirement areas that influence Cloud implementation and CSP decisions:

  1. Availability.
  2. Performance.
  3. Security.
  4. Control.

Almost exactly one year ago I posted Availability in the Cloud about some of the strange things about availability Service Level Agreements (SLAs) that are in CSP contracts.  Not much has changed.  Like in a lot of things, you get what you contract, and pay, for.

This time I will concentrate on how to determine your availability requirements.  In some cases, this may be easy.  You may have included availability SLAs in contracts with your customers or partners.  If so, those SLAs will provide a good starting place.  One caution: check with your contracts people to make sure you don’t have different SLAs for different customers.

Even if you have documented availability SLAs, I suggest you also talk with your heads of marketing and sales.  They may have a different view, or no view at all.  It may be something they have not even thought about.

If you have a Customer Advisory Board, poll a few members to see what their view is.  Are they happy with the published SLAs?  Are they happy with your availability history?  Would they be willing to pay for a higher level of availability?

Then, just for grins, ask your CEO, CFO, CTO and CIO what they believe your availability requirements are.  If you get the same answer from all four (other than “I don’t know”) you are in an amazing position: you work for an organization that has a consistent senior management view of a critical attribute of your business that is usually totally overlooked by many of these executives.

At this point you should be able to create a set of availability requirements.  You will probably notice that different applications have vastly different availability requirements.  Use this as one of the means of dividing your total IT environment into separate groups, each group having similar availability requirements.  Consider each group separately as you move to the Cloud.

There are three levels of events that impact availability.

  1. Local single failures.
    These events include the failure of a server, a disk drive, a network component.  These are usually quickly recovered. In most cases, the recovery time for this kind of failure is measured in minutes.  Depending on exactly what fails and what it was working on at the time of the failure, the event could force a database recovery which can lengthen the recovery time.
  2. Complete database failure.
    These are events that force an entire rebuild and recovery of one or more databases.  These are often caused more by operational or software failures than a “simple” hardware failure.  Recovery may require the complete reloading of a database from the most recent backup, and re-applying all of the transactions that were processed since that backup.  In most cases, the recovery time for this kind of failure is measured in hours.
  3. Building failure.
    These are events that make it impossible to enter your building for a period of time measured at least in days.  This could be fire, weather, earthquake, government action due to civil unrest or terrorism, or a seemingly unrelated event that you are too close to (e.g., Fukushima).  Without any significant preplanning and preparation, the recovery time for this kind of failure is measured in days or weeks.

The third category is normally referred to as Disaster Recovery.  It is often considered separately because the cost of achieving a recovery time measured in hours is at least an order of magnitude higher than achieving a similar recovery time for the first two cases.  Unless your organization has an implemented disaster recovery plan, probably everything you learned so far was only to cover the first two cases.

The next step is to determine what you can actually achieve today.  Go to your IT operations leaders and ask them how long it would take to recover from each of the three cases.  Show them what you have learned about management’s expectations.  Be prepared to be astonished by reality.  On more than one occasion management’s expectation for the first two cases was two hours, but the IT operational reality for the second case was more like two days.  Often there is nobody on the operational staff that was there the last time they had a complete database failure, or the company is so new one has not yet happened, or at least one has not happened since the company became absolutely dependent on customer and partner communication over the Internet.  They have not been burned, so they don’t think about it.  But, like a cyber attack, the question is not “if” one will occur, but “when.”

At this point you have a document that, probably for the first time, explains your company’s availability position. For each group of applications with similar availability requirements it details those requirements as specified by management or business needs, along with what is actually achievable today within each failure case.

Now it is time to get all the stakeholders in a virtual room and go over the current situation: what they expect, and what is reality.  Determine what the real availability requirements should be.  Determine if you really need a disaster recovery plan, and for what specific applications.  Get a project plan from IT to make any application, database, or operational changes necessary to get reality in line with these expectations.

Now you are ready to talk to the CSPs.  You have the requirements.  Get what you need for each group of applications, but no more.

The last word:

Currently there is little uniformity in the contracts or even the terminology among CSPs.  It can be difficult to compare availability SLAs across CSPs.  The best way is to sit down and figure out exactly what it means to be “down.”  Determine what is excluded from counting as down time. For most CSPs it is anything that is “planned.”  Many will make a “best effort” to notify you of pending planned outages.  Does that make it any better?

Most importantly, make sure that anything that was committed to you in verbal or written conversations during the negotiations is part of the contract.  If you provided a RFP (Request for Proposal) or any documented set of requirements that the CSP responded to, make sure your requirements and the CSP’s response are included in the contract.

Comments solicited.

Keep your sense of humor.

Walt.

(This is another special posting by Suzy. I hope you enjoy it.)

Spring is well underway and we can hear summer running down the hallway behind us and gaining quickly.   Walt’s Mother has been telling us how beautiful the flowering trees are this year.  She thinks that it has been one of their more magnificent showings.  So I have been chasing Walt outside to take photos of them, which I then tweak a bit before creating stationery for her to use when she writes to her friends.

Peartree in our front yard.

Spring is the season that energizes us.  Everything wants to start fresh and grow with vigor.  So we go out with the first soft breezes to ready our gardens.  We decide that it is time to tackle that drawer or closet that has been growing more dense and darker for how long?  We find ourselves gathering all the gadgets and chemicals that assist in cleaning everything in sight.  Anyone picturing little lambs frolicking in the pasture of new, spring green grass?  Of course, it never quite works that way.

Our weather turned very early this year and the plants and trees rushed to enjoy the light and warmth, while we people held our breath waiting for the inevitable freeze that would kill the beautiful new growth.  We have been slow getting to the yard this year, so when the frost came all we lost was some young leaves on a couple of hydrangea that had been overly eager to grow.

A friend I was talking with this week said she was sorting through clothing that had just been being pushed to the back of her closet for about twenty years.  Mother, who has always been very organized about caring for her clothes, finds herself having to look at everything as her body shape has changed with her illness.  Before this she had been one of those people who stayed the same her entire adult life.  Now she is close to tears over no longer being able to wear so many of the outfits she had so enjoyed creating.  For me, this is when I miss not living in a place where the weather is mostly the same all year.  Having to pack and store winter weight things to make room for the summer wardrobe is a lot of up and down the stairs.  If I could only bring myself to do as Mother and my friend are doing and toss stuff it might not be as wearing.  Yes, pun intended.

The most labor intensive and my least favorite is the house cleaning as it is mostly filled with tedious and mind numbing chores.  Throughout most of the year I hit vacuuming and dusting with a lick and a promise.  But that isn’t enough for spring.  In spring it’s time for the old top-to-bottom cleaning.  Luckily for those of us contemplating this endeavor, houses today seem a bit easier to keep reasonably clean and our tools to do so have improved.  I remember my grandmother beginning at one end of her house and taking everything down.  The drapes came down, windows washed with vinegar and newspaper, sills scrubbed.  The tracks in the window frame were scraped of all the old dust, which had become caked on mud.  The walls had to be wiped.  Then the summer weight curtains would go up.  Yes, there were two weights of window coverings.  Drapes in the winter lessened the drafts from windows, whereas summer curtains were to allow in soft breezes.  In today’s climate controlled homes, the same window coverings generally do year round.  The furniture was shifted so that the rugs could be rolled, then carted outside, brushed and beaten.  The carpet sweeper or vacuum would suffice most of the year, but not in the spring.  The rugs needed beaten and aired.  Some of the rugs wouldn’t go back down until fall.  Those needed to be stored.  My grandmother’s house had beautiful hardwood floors.  Over the years the floors and woodwork had darkened, but the contrast between the relatively light floors to the darker inlaid borders was very nice.  She would clean and wax the floors.  I don’t remember the products she used, but I remember it as being a lot of work on hands and knees.  One would wash the floor with one rag and wipe them dry with another.  Then one would apply hard wax from a tin.  This provided one of the bright spots of spring-cleaning.  After the wax had dried to a dull haze, it needed to be rubbed until it glistened.  To do this she would command anyone she could get hold of to don gym socks and skate.  One needs to be inventive when you don’t own a mechanical polisher.  Moma told me that she remembered skating with her girlfriend on Grandmom’s and her girlfriend’s mother’s floors each year for as long as they lived in those houses.  They moved there when Moma was six.  If we were visiting during spring-cleaning Moma and I would put on the socks and continue the tradition.

The furniture, after being brushed, would be covered with the summer slipcovers.  In un-air conditioned homes bodies would sweat in the summer.  That moisture was to be absorbed by the slip covers rather than the upholstery of the furniture.  The slipcovers, after all, could be washed and ironed.  Yes, ironed.  It was imperative that the pleats at the bottoms be crisp.  Slipcovers were often much lighter in color and pattern and would brighten the room as well.

All the shelves in cupboards and cabinets would be emptied and relined with new shelf paper.  One of the advances in my mother’s generation was shelf paper impregnated with bug repellent.  This delighted Moma when we moved into Southern states.  Who knows what it left on the dishes and glasses we used.  Defeating bugs was more important than insecticide residue, especially to Moma.  She would say that if she ever “flipped completely” it would be caused by some bug.  After taking the dishes, glasses, or knick-knacks off shelves, those that weren’t used often would need to be washed before being returned to their places.  All the silver would need to be polished.  This one did while wearing white cotton gloves so body oils would not be deposited on the silver.  I would be perched at the end of the kitchen table with the silver polish and allowed to wipe on the polish before rubbing it off until the silver sparkled.  Looking at oneself in the newly polished silver was like looking in a fun house mirror.  Too much of that and not paying enough attention to all the swirls in the design could bring a disdainful look from Grandmom.

Moma also had a penchant for spring-cleaning.  She was far more conscientious about cleaning than I.  She had a day of the week for every household chore:  vacuuming, dusting, changing linen, washing, ironing ….  Each week one room would be given a bit more careful attention, which would include woodwork and windows. The only time she missed on the windows was if the weather were in a deep freeze as the cleaning liquid turning into ice on the window was counterproductive. Just thinking about this makes me feel that I’m a slacker.  What a nasty little secret to admit.

Moma’s cleaning was also enhanced by all the moving we did.  Actually, that is my favorite style of spring-cleaning.  It is also the jumping off spot for a little booklet Walt and I recently wrote for an extended family member who just married an Air Force Officer.  The basic premise is that one contacts a moving company.  They come and box up all of your belongings.  Then a moving van arrives and all the boxes and your furniture get put into the truck.  As they pull away en route for your new house, you take out the cleaning supplies you had hidden in the bathroom so they wouldn’t be packed.  You then proceed to clean the empty house.  Remember toothpaste in the holes where you had hung pictures.  But only if the toothpaste matches the walls.  Any detritus left from the cleaning or that you didn’t want to take to your new home can be put at the curb for the next trash pick-up.  One then dashes to the car and attempts to arrive at the new place before the moving van.  You prep the new place.  The van arrives.  You unpack and start with a clean house.  It is just so much easier to clean an empty house.  We have been here almost a dozen years.  I’m beginning to think I should empty some of the closets instead of waiting for the next moving van to arrive.

The last word:

Enjoy the season.

Comments solicited.

Keep your sense of humor.

Walt.

Since 2004, the Verizon RISK Team has conducted an annual study of incidents of cyber crime.  I previously wrote about the 2010 and 2011 reports.  This year, the US Secret Service, the Australian Federal Police Cybercrime Operations Investigations Teams, the Dutch National High Tech Crime Unit, the Irish Reporting and Information Security Service, and the UK Police Central e-Crime Unit joined Verizon to cover 855 incidents around the world.

2011 was a good year, if you were trying to steal data from people, companies or governments.  The incidents Verizon studied involved the compromising of 174 million records, way more than the four million studied in 2011 (which was, admittedly, the lowest of any year in the eight-year history of the Verizon study).  Cybercriminals improved their attacks, mostly against weaker targets.  However, there were increased attacks against governments and companies targeting trade secrets, intellectual property and classified information.

Who is attacking us?

  • Virtually all of the attacks were exclusively from external sources (95%) up from 86% in 2010 and 72% in 2009.  More importantly, these attacks represented 99.9% of all compromised records.
  • Thus, very few of the attacks involved exclusively internal sources (2%) down substantially from 12% in 2010 and 48% in 2009.
  • Less than 1% involved business partners, no change from 2010 and down from 10% in 2009.
  • 2% of attacks involved multiple agents.

How are they attacking us?

  • Hacking was involved in 81% of the breaches (up from 50% in 2010 and 40% in 2009) and 99% of the compromised records
  • Malware was involved in 69% of the breaches (up from 49% in 2010 and 38% in 2009) and 95% of the compromised records
  • Physical attacks were involved in 10% of the breaches (down from 29% in 2010 and 15% in 2009) and <1% of the compromised records
  • Social tactics were involved in 7% of the breaches (down from 11% in 2010 and 28% in 2009) and 37% of the compromised records
  • Privilege misuse was involved in 5% of the breaches (down from 17% in 2010) and <1% of the compromised records.

As in last year’s report, these percentages add up to more than 100% because a single attack may use multiple mechanisms, such as malware introduced by hacking.

94% of all compromised data involved web, application or database servers (up from 76% in 2010).

The head-in-the-sand approach of many organizations continues:

  • 97% of the breaches were avoidable through simple or intermediate controls.
  • 92% of incidents were discovered by a third party.
  • 85% of breaches took weeks or months to discover.
  • 96% of victims subject to PCI DSS had not achieved compliance.

PCI-DSS (Payment Card Industry – Data Security Standard) covers organizations that handle or process payment cards, including credit, debit and ATM cards. I think it is encouraging that only 4% (down from 21% in 2009) of the victims were PCI-DSS compliant and still successfully attacked. However, it points out that being compliant is not the same as being secure.

While attackers are getting ever more sophisticated, organizations still are not making it hard for the professionals to steal their data: 96% of the attacks were not highly difficult (up from 92% in 2010 and 85% in 2009).

What is new is the prominence of activist groups, like Anonymous and WikiLeaks.  While only 2% of the attacks were attributed to activist groups, 58% of the compromised records were tied to them in 2011.  These groups are not motivated by simple greed, but by ideological dissent.  Since every company, government or other organization has probably irritated somebody, the “I’m not very big” defense is no longer valid.  Simply being associated with a product or group or belief can be sufficient to become a target in some group’s sights.

These activist groups also can confuse the statistics.  For example, a very few but very large attacks against a handful of companies in manufacturing and information technology make those two industries have 97% of the compromised records.  Those few attacks were probably more after intellectual property than immediate financial gain.  If you remove those few attacks, the industry groups with the most compromised records were finance and insurance (40%) and retail (28%).  In this analysis, information technology comes in with only 7% of the compromised records, and manufacturing is a piece of the “other” category.

Over 70% of the successful attacks were against relatively small organizations with 100 or fewer employees.

Two different trends seem to be going on.  One is the sharp rise of attacks by activist groups, sometimes called “hacktivism.”  These groups do all-out sophisticated attacks targeted at very specific individual organizations.  These groups are not in it for the money, but for the grief they can cause.

Criminals, on the other hand, have changed their focus to opportunistic attacks against weaker targets.  This may be because police and similar organizations around the world have been successfully finding these criminal groups, and legislatures have been giving the police and judicial branches the laws necessary to lock up these people.  “Instead of major (and risky) heists, they pilfer smaller hauls of data from a multitude of smaller organizations that present a lower risk to the attacker. Think of it as a way to streamline business processes. Find an easy way to prey on the unsuspecting, the weak, and the lame, and then simply repeat on a large scale. This high-volume, low-yield business model has become the standard M.O. for organized criminal groups.”

The biggest action type threats:

  • Use of stolen, default or easily guessable login credentials (implicated in 82% of compromised records)
  • Exploitation of backdoor or command and control channel (implicated in 49% of compromised records)

Almost all of the compromised records contained personal information, including government ID numbers (95%).  Payment card numbers and related information, while involved in almost half of the breaches, only represented about 3% of the compromised records.  Personal data is obviously valuable to the criminal attacker as a means to financial gain.  Personal data is also sought by the activist groups because it can embarrass the attacked organization, but also makes the attack personal to its customers or members.  It makes a real statement and can do real damage to the attacked organization.

For the first time, the report tries to correlate data breaches with the Cloud.  As expected, they found it hard to determine whether the Cloud itself was directly implicated in a breach, or just represented the hosting environment where the breach happened to occur.  For the breaches studied specifically by Verizon, about a quarter of the breaches occurred where the assets were externally hosted, and 46% occurred where the assets were managed by an external organization. However, only 16% of the breaches involved assets that were externally owned.  As Verizon states, “because working definitions of “the cloud” are legion, it can be difficult to answer questions about how this paradigm factors into data breaches.  It’s really more about giving up control of your assets and data (and not controlling the associated risk) than any technology specific to the cloud.”

I recently wrote about BYOD – “bring your own devices,” including tablets and smart phones.  They were not implicated in any of the breaches studied in this report.  However, I suspect that is more due to the relative rarity of those devices last year.  As their presence explodes in 2012 and beyond, expect them to become part of the risk picture.

The last word:

Who is safe?  No one.  The criminal attacks are shifting to the small and individually more vulnerable organizations.  Since these criminal attacks are looking for the weak to cull from the herd, don’t look weak.  Making it even a little hard will go a long way.  Implement a firewall on all remote access.  Establish and enforce password rules for everybody, and train your people on the importance of securing your data and their role in keeping it secure.  Make sure your software is up-to-date with all security patches.  Use effective anti-malware software and keep it updated.

The Cloud can help.  Most Cloud Service Providers are really good at helping you manage these issues.  Work with them, but also verify that they are doing what they say they are.

Comments solicited.

Keep your sense of humor.

Walt.

It is strange what an insignificant comment can start.  Or maybe I’m just strange.  A while ago I noticed a statement on the “Years Ago” page of the November 2011 Scientific American magazine.  In November of 1911, “it has been estimated that, for each minute of time, the civilized world strike three million matches.”  It went on to note that matches were a lot easier to carry and faster than the flint and steel that had been used before.  Then just last week a friend pointed out some old marketing films from Burroughs Corporation in the 1960s.  They showed a lot of history and some people I knew from back then, but the thing that jumped out at me was people smoking cigarettes and, in one case, a pipe in a computer room.

The Chinese had a “fire inch-stick” in 577 A.D. that required a spark of your own devising.  The friction match was invented in 1826 by John Walker, an English chemist.  He dipped a small wood splint in a paste composed primarily of sulfur and potassium chlorate.  To light, simply pull it through a fold of sandpaper.  It did have one minor problem: it tended to drop flaming balls to the floor, setting carpets and dresses on fire.  It was banned in France and Germany.  Sulfur was replaced with white phosphorus, which unfortunately had very bad side effects, afflicting those who made the matches with serious bone disorders.  There was enough white phosphorus in one pack to kill you.  Eating the heads of matches became a “popular” suicide method.  An international agreement in 1906 banned white phosphorus in matches.  Meanwhile, in 1898 two French chemists patented a match based on phosphorus sesquisulfide and potassium chlorate.  In 1899 two Englishmen developed a safe way to make commercial quantities of phosphorus sesquisulfide.  The Diamond Match Company obtained the rights to manufacture the chemical in the US in 1900.  In 1911 at the request of President William Howard Taft, the Diamond Match Company released the patent “for the good of mankind.”

All of these matches were “strike-anywhere” matches.  Suzy remembers her great-grandfather striking a match on his shoe to light his pipe, and I think we’ve all seen the smart alecks who could strike a match with their thumbnail.

“Safety matches” can only be struck on the rough side of the box or pack.  That is because the two reactive agents are separated: one on the match and the other in the rough surface on the container.

By the end of World War II, Diamond was making ten million matches a day, and they were just one of many matchmakers in the US.  In 1951, Diamond Match Company had over US$100,000,000 sales in matches.  They still make matches, but also toothpicks (obvious expansion), straws (hollow toothpicks?), and disposable cutlery.  They are now part of a conglomerate, Jarden, which does not break out revenue or sales by components.

There has been pressure against matches.  Zippo started manufacturing lighters in 1933.  You can get your very own 80th anniversary edition.  BIC was founded in 1945 to manufacture parts for fountain pens and mechanical pencils, and launched the BIC lighter in 1973.  Their lighter sales grew 25% from 2009 to 2010.  Perhaps the most significant pressure has been the 2% a year decline in smoking in the US since 1998.  Perhaps the least significant pressure has been the surge in battery-powered candles for tables and other decorations. The 1980s saw the collapse of the American match industry, caused primarily by rising production cost along with decreasing demand.  Diamond is now the only remaining US matchmaker.

In reality, Diamond was not selling matches.  They were selling advertising.  They made a lot of their money by selling matchbooks with company logos and messages.  Almost all of Diamond’s advertising was to sell these ads to business, not to sell matches to consumers.

Are matches an important product?  Sure.  Like the World War II C- and K-rations and the MCI (Meal, Combat, Individual) used in Korea and Vietnam, the current US military’s MRE (Meals, Ready-to-Eat) each contain a couple of matches.  We still buy matches, usually the package of ten boxes of 32 matches each from Diamond every five to ten years.  Does it make sense to add matches to your product line?  Probably not.  Are matches unique in having a declining market caused by factors outside of the manufacturer’s control?  Also probably not.

Demand for products grows and shrinks, driven by events and influences outside of our control, resulting in chaos for many businesses.

But there is even more chaos for businesses.  In 2010 Chris “Spence” Spencer, an IBM Emerging Technologies Strategist, published some interesting numbers about the amount of data that we all create.

The world is complex, and the amount of data that is generated every day is growing. In 2010, that number is expected to exceed 988 exabytes of information. It’s as if every man, woman, and child on the planet wrote 294,620 novels. This year. It’s also more than every grain of sand on every beach on the planet. In fact, it’s about 131 times more.

That was back in 2010. A petabyte is 1,000,000,000,000,000 bytes, or a thousand terabytes.  An exabyte is a thousand petabytes.

We send about 200 billion emails every day.  There are a billion people on the Internet every day.  There are nearly 4 trillion RFID events every day.

The Internet is capable of handling over 65 exabytes every day, the equivalent of every person exchanging six newspapers every day.  Google alone processes about 24 petabytes every day.

There is great potential value in all this data.  That is, after all, how Google increases their power and revenue, by combining and interpreting all of that data.  Like Diamond, Google is in the business of selling advertising.

Your customers can watch their kids come home, turn on the lights, shut the garage door, and lock their car all over the Internet.  They watch TV, read books, and have video conference calls with their far-flung family on their phone. The tablet, or more appropriately, the user interface of the tablet will soon replace the current desktop and laptop computers.  Look at Apple’s new Lion OS X – a desktop / laptop operating system with many of the user interface capabilities of your smart phone.  In their private lives, people are more connected than ever before.  They can “talk” to their friends and family at any time.  They know where they all are.

Does your company fit into these new models?  Can your customers “talk” to you anytime they want?  Can they reach you from their smart phone?  Are you part of their social media network?

Most companies are growing their internal storage requirements at around 20% a year.  I have worked with one organization that is growing their data at 20% a month – they will increase their storage needs by a factor of 8 this year.

How can you keep up with demand and the new technologies?  For most companies, the only viable answer is the Cloud.  The Cloud can grow to exactly match your storage and processing needs.  The Cloud can keep your business running 24/7 through its disaster recovery capabilities, at far less cost than you could do it yourself.  Events like Katrina can impact locations 500 miles apart.  The Cloud can allow you to get into new geographic markets with a “local” presence, enabling you to compete with local companies.

The last word:

Do you periodically check your product lines for matches, a product or service with declining demand?

Do you periodically look at how you can take advantage of the new technologies your customers have to give yourself a competitive advantage?

Have you figured out how to take advantage of the Cloud?

Comments solicited.

Keep your sense of humor.

Walt.

Many companies are trying to prevent the BYOD revolution.  In this case, BYOD means “Bring Your Own Devices,” where your employees are connecting their own stuff to the corporate network.  This all started late in the last millennium with some employees using their own laptops in order to work from home or on the road.  Back then, some companies had not figured out that if their employees could work on an airplane, in a hotel, or a customer’s office they could be more productive.  For many people, spending a day at the home office can be much more productive than fighting the constant interruptions that can occur in the corporate office.  Even when companies issued laptops, they usually did it with the same four or five year update schedule they used with desktops.  Back then, a four-year-old laptop was fairly useless as it probably did not support the latest versions of software that corporate IT mandated.  Most companies have figured this out, with many going to a “subscription” mechanism where the company pays the employee so much a year and gives the employee the authority to get whatever the employee wants.  The employee still has the responsibility to adhere to corporate security and IT standards.  In most cases, this is a real win-win situation.  The corporation still controls the expense and the employee has the needed tools.  Currently, most company IT organizations have figured out how to secure the data and access with laptops.

Then along come smart phones and tablets.  As I wrote back in August, the laptop is likely to completely become just another size for the interface model developed by RIM, Apple, Android and others for the “telephone.”  It was in 2003 that Research in Motion released the first smartphone Blackberry as a Personal Digital Assistant.  RIM had used the name “Blackberry” back in 1999 with a two-way pager in Germany.  In a decade, the concept went from “who needs that?” to “how can you live without one?”

Most companies react very slowly to innovation driven bottom-up by the employees.  IT departments especially are very reluctant to give away any control.  This is with very good reason, as the horror stories of lost or stolen data, or worse, passwords, from unsecured smart phones are many.  Yet the pressure from employees and especially senior management can’t be ignored, nor can the benefit to the company from allowing their people to be always connected.

Cisco Systems recently surveyed 1,500 IT managers and executives in Canada, France, Germany, Spain, the U.K., and the U.S.  Some of those results:

  • 48% of global survey respondents say their company would never authorize employees to bring their own devices to the office for work.
  • 57% of respondents say some employees use personal devices for work without consent.  In the US, it is 64%, which is the highest of any nation.
  • 51% of survey participants say the number of employees bringing their devices to work is on the rise.
  • 75% of IT managers in the U.S. say new rules are needed with regard to security and device usage.
  • 64% of survey participants say access to company servers and lost or stolen devices are “huge problems” caused by using personal devices for work.
  • 44% of IT managers say dealing with personal-device issues distracts from other important projects, their “real job.”
  • 48% of all IT managers worldwide feel access to company applications should be restricted for all employees.
  • Globally among IT departments, there are three smartphone requests from employees for every tablet request.
  • 21% of the workforce in the U.S. requests a tablet from IT – tied with France for first worldwide.

However, viewed from the other side, Symantec surveyed over 6,200 IT managers world-wide about their plans and attitude around mobile devices.  Some of those results:

  • 73% of businesses have achieved increased efficiency through mobile computing.
  • 59% of businesses already run line-of-business applications on mobile devices.
  • 51% run sales force automation or CRM tools on mobile devices.
  • 63% run task and project management applications on mobile devices.
  • 71% of businesses have plans to deploy custom mobile apps in the near future.
  • 66% have implemented, are implementing or are discussing rolling out private app stores where employees can get supported apps.
  • 48% indicated that mobility is somewhat to extremely challenging, with 41% identifying it as one of the top three risks, above Web 2.0, virtualization and cloud computing.
  • 71% of organizations reported that they at least break even on the risks versus the rewards of mobile deployments.

As with Social Media, companies are not going to be able to stop the use of mobile devices.  Even if companies decide to embrace the concept by providing employees with “approved” devices, employees will still BYOD.  Matching the variety of form factors, capabilities, connection options along with your employees’ personal preferences is an impossible task.  Your employees also need to be connected to their family and friends, which influences device choice.  If IT imposes too many restrictions it will just increase the number of employees who decide not to care about the company’s policy, which will lead to even more security dangers.

Those IT managers that understand that they can’t stop this revolution, and instead embrace it and meet the challenge successfully will position their companies, and themselves, to thrive. “Mobile workers and virtual workspaces are here to stay,” says Tom Puorro, director of product management, IPCBU, Cisco Systems. “But so are the demands on IT to continue to ensure enterprise-grade security, manageability and interoperability. IT leaders are a critical component in unleashing innovation and enabling organizations to take advantage of the next wave of business growth and opportunity.”

Mobile devices are critical to an organization’s success.  “We’ve crossed the tipping point in mobile adoption and mobility in business,” says CJ Desai, senior vice president of the endpoint and mobility group at Symantec. “What’s startling is how quickly that’s happened. With PCs we’ve built quite an ecosystem to support enterprise infrastructure that allows us to be productive and secure. The problem with mobile is that it has come up so fast that people are trying how to get from zero to sixty in no time and have that entire ecosystem there and ready.”

Mobile computing is inherently part of the Cloud, and can take advantage of the location independence and reliability of the Cloud.  When you take data off of the laptop and put it in the Cloud, as most Software as a Service (SaaS) offerings provide, you make the loss or capture of the device less critical; there is not much data there to steal.  With standard office word processing, spreadsheet and presentation capabilities available as SaaS, documents can be accessed from almost any device from anywhere.  Your traveling employees can carry just a small smart phone, then pick up a tablet from the rental car company or hotel, and access the presentation just updated on another continent.

The last word:

Expect to see the rise of MaaS (Mobility as a Service).  Companies like Centrify Corporation are announcing Cloud-based services to allow an enterprise to centrally secure and manage mobile devices, in most cases using existing data center access management services, skill sets and processes.  If your company tries to stay in the pre-mobile world, it will find it very lonely and not very profitable.

Comments solicited.

Keep your sense of humor.

Walt.

Another Era Gone

(This is another special posting by Suzy. I hope you enjoy it.)

Tuesday, 12 March 2012, a day that will not reside in anyone’s memory for any great period of time.  At least not for the reason I’m referencing it.  That’s the day I heard that after 244 years the Encyclopaedia Britannica will no longer be printing a hard copy, though they expect to maintain an online presence.  First published in Edinburgh, Scotland, in 1768, the Britannica became famous for its quality of writing and expert contributors. In an effort to remain current, it had begun publishing every other year. In an earlier, more leisurely era, most encyclopedias’ major revisions were done about once a decade.  The 2010 Britannica 32-volume set will be the last.  Jorge Cauz, the president of Encyclopaedia Britannica Inc., is assuring people that the company will maintain a digital edition for a cost of $70 a year;  a great savings in money, currently $1,400 for the 32-volume set, and shelf space.  In an effort to keep its readers, the company is marking the end of the print version by making the contents of its website available free for one week.  By the time you read this that week will have expired.

When I shared this woeful news with Walt he said, “True, but it has no significance.”  In other words, overtaken by events.  Our knowledge of our world is growing at ever increasing speeds.  We live in an immediate gratification society where we expect to have the most current information at our fingertips 24/7.  We don’t even say twenty-four hours a day for seven days a week. Still, it makes me sad.

I fondly remember my first reading of an encyclopedia.  I’d learned to spell the word with Jiminy Cricket.  Then we went to stay with my father’s parents while he was transferred to a new duty station.  My grandparents had a small bookshelf at the top of the stairs of their Philadelphia row house.  On the second shelf was a series of red bound books approximately 5 by 7 inches and an inch and a half or so thick.  They had gotten it for my father when he was going through school.  It had been published during what we now refer to as the Great Depression.  First pass, I paged through all the volumes looking for pictures.  Most drawings were pen and ink, but each book had an insert of photos, black and white, of course.  Then I began reading.  I learned about Afghanistan, an exotic place famous for keeping the British out.  There was no United Nations and the League of Nations had already become a non-entity. It was the Great War, as the Second World War with Germany was still several years off when the books were printed.  We did have 48 states.  I wish we still had those books.  As a snapshot of an era, they were a treasure.  Within a year, we were living in Rhode Island and I was frequently babysitting for the neighbor’s four children.  After I saw them to bed I would begin reading the family’s encyclopedias.  Yes, they had two!  One was a children’s edition with many stories on animals, our historic figures, and crafts.  They also had a World Book. The children’s set had been the premium gift for their purchase of the adult version.  I was in heaven.  I couldn’t wait to be asked to sit for their children at night so that I would have quiet time to read.  This set told about the world I knew, not the musty version in my grandparents’ house.  I could still smell the newness of these volumes.  I think I may have been the first to open some of them.

As I entered 8th grade, we moved to Italy.  The DoD school we attended had a room devoted to being a library, but we were bussed to school just before class and taken home as class was dismissed.  Unless your teacher scheduled the library during class time to enable you to research a topic of her choosing we had no access.  My parents decided they had to afford an encyclopedia.  By then I had read all or part of many of the offerings on the market.  I preferred Collier’s, which seemed to be concise, readable, and more academically rigorous than some without being quite so sophisticated as the Britannica where I had difficulty understanding many of the articles in the sciences.  Our parents bought us a 24-volume set of Collier’s, which came with the promise of the annual for the next decade and the Harvard Five-Foot Shelf. When the boxes came, Moma and I went through the opening of the new books as one was then taught to do for the first opening of hardbound volumes.  We lovingly took each book and set it, closed, spine down on a table.  Then we opened the hard covers and gently ran our fingers near the binding.  We then opened a few pages from the front holding the center pages together, and again ran our fingers close to the binding; then a few pages from the back, again pressing down softly close to the spine.  We kept repeating until the book was open flat on the table.  Setting that book aside we would resume the exercise with the next volume.  They smelled so good.  And as we caressingly opened the pages we got tantalizing views of the articles that I could barely wait to read.  Moma was more interested in the Harvard Shelf.  It promised that having read all of its volumes one would have the breadth of knowledge offered for a liberal arts degree.  For the next several months, when I returned from school, I would find Moma curled in her favorite corner of the sofa, reading.  She would barely be able to sit still and would begin the afternoon’s conversation with, “Oh, wait till you hear what I just read!”  And then she would begin with the best of what she had found that afternoon.  Thus began my introduction to Plato, Herodotus, Dante and so many others.

Now we are being encouraged to use e-readers, or to do our research on the Internet.  All of which has much to recommend it.  The tactile reward of holding a book, that solid embodiment of learning and entertainment, however, is slipping away.  The sense that a synopsis of the world’s knowledge could be held in one person’s mind, always somewhat apocryphal, has vaporized into the ether.  If you still are lucky enough to own a set of hardbound volumes of an encyclopedia, save and preserve it.  You possess an historic treasure.

The last word:

We still have that Harvard Five-Foot Shelf, but, alas, no print encyclopedia.  It did not make the cut on one of our moves.

Comments solicited.

Keep your sense of humor.

Walt.
