28.06.2012 by Mike Small

There is an old joke that circulated amongst IT professionals during the 1980s, and it goes as follows. A man goes up to an ATM, puts his card in the machine and requests some cash. The machine accepts his card and PIN but doesn't give out any cash. He goes into the bank and tells a cashier what has happened. The cashier replies: "That's strange, because we just had brand new software installed this morning." This joke is probably not funny if you bank with RBS in the UK.

I normally write about IT security issues, so why is this entry about managing change? Well, security is about confidentiality, integrity and AVAILABILITY. Good IT security ensures that you have access to the information that you are entitled to whenever and wherever you need it. One of the most frequent causes of non-availability is poorly managed change. In the world of software, a change is often a change for the worse.

The older the software system, the more difficult it is to patch, and most retail banking systems are very old. The people who originally wrote it may be long gone; the change you are applying is probably on top of many previous changes. You did your best and it looks like it should work, but unfortunately you didn't fully understand the complex interactions that now exist within the program. So you test it, and your tests contain all the expected cases plus all the previously detected bugs that have been fixed. However, these tests don't include every possible case, and so when it goes live, whoops, the impossible happens and the system crashes. If you are lucky this unlikely event only causes minor damage. If you are unlucky, as seems to have been the case with the RBS systems, this unlikely event causes major damage. It becomes the nightmare of IT security: a low probability, high impact event.

Now you have to recover from the problem.  Can you roll back the software to the last working version?  Are you able to restart or re-run the failed transactions?  How can you make sure that you don’t repeat the successfully processed transactions?  You need to have planned for all of these contingencies BEFORE you applied the change.  You need to have tested your plan BEFORE you applied the change. 
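The last two questions above, re-running failed transactions without repeating the ones that already succeeded, are usually answered by making each posting idempotent on a transaction id that is recorded together with the balance change. The following Python is an added example, not RBS's or the author's code; the transactions, account names and crash point are constructed, and the naive variant is included only to make the duplicate-posting failure visible.

```python
# Added illustration (not RBS's or the author's code): idempotent re-run of a
# batch after a crash, keyed on a per-transaction id. Sample data is constructed.
from dataclasses import dataclass, field

@dataclass
class Txn:
    txn_id: str    # unique id assigned by the originating system
    account: str
    amount: int    # pence; positive credits, negative debits

@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)
    processed: set = field(default_factory=set)  # ids already applied

class CrashDuringBatch(Exception):
    """Simulates the new software failing part-way through a batch."""

def apply_txn(ledger, txn, check_processed=True):
    """Apply one transaction. With check_processed the balance update and
    the processed marker act as one unit, so a re-run cannot double-post."""
    if check_processed and txn.txn_id in ledger.processed:
        return False                       # already applied: skip
    ledger.balances[txn.account] = ledger.balances.get(txn.account, 0) + txn.amount
    ledger.processed.add(txn.txn_id)
    return True

def run_batch(ledger, batch, crash_after=None, idempotent=True):
    """Process a batch; crash_after=N raises after N successful postings."""
    applied = 0
    for txn in batch:
        if crash_after is not None and applied == crash_after:
            raise CrashDuringBatch(f"crashed before {txn.txn_id}")
        if apply_txn(ledger, txn, check_processed=idempotent):
            applied += 1
    return applied

BATCH = [Txn("t1", "alice", 1000), Txn("t2", "bob", -250),
         Txn("t3", "alice", -300), Txn("t4", "bob", 500)]  # constructed

def crash_then_rerun(idempotent):
    """Crash after two postings, then re-run the whole batch.
    Returns (final balances, number of postings applied by the re-run)."""
    ledger = Ledger()
    try:
        run_batch(ledger, BATCH, crash_after=2, idempotent=idempotent)
    except CrashDuringBatch:
        pass
    rerun = run_batch(ledger, BATCH, idempotent=idempotent)
    return ledger.balances, rerun
```

With the processed-id check the re-run posts only t3 and t4 and the balances come out as if the batch had run once; without it, t1 and t2 are posted twice and both balances are wrong.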

Now it may well be that RBS did all that it could and should have done – only a detailed investigation will reveal whether there were avoidable shortcomings.  Nevertheless RBS’s experience should be a reminder to all of us in the IT industry to be careful about managing change to IT systems.  It shows the need for IT professionals to really understand the impact they have on the business.

The fundamental role of IT within an organization is simple to describe: it must provide the IT services that the business requires in the way the business wants them, nothing more, nothing less. Unfortunately, many corporate IT departments tend to concentrate more on technology than on the needs of the business. This is a major paradigm shift for many IT professionals. To explain this business-led approach to managing IT services, KuppingerCole has written a research note, "The Future of IT Organizations".



Posted in Uncategorized | Comments Off

Security out of the Blue

26.06.2012 by Mike Small

If you were asked to think of an IT security firm, perhaps IBM would not be top of the list. However, IBM has a significant set of products in this market, and it manages the security of its customers' outsourced and cloud systems as well as that of its very large internal IT operations. Following the acquisition of Q1 Labs late last year, IBM is reorganizing to bring together all the security products under one division. Well, large companies are forever reorganizing, so why does this change matter? In short, it is important because it reflects the increasing level of cyber risk and the recognition of this risk within the boardrooms of the organizations that are IBM's customers.

Over the past 12 months there have been a number of widely reported cyber-attacks on large organizations, intended to steal information of significant value or to cause commercial damage. The organizations affected include Sony, whose PlayStation Network was targeted and the details of 77 million users compromised, and RSA, which has offered to replace its SecurID tokens following a compromise of information relating to those tokens; and according to the Verizon 2012 Data Breach Investigations Report there has been a huge rise in politically motivated attacks. Even the head of MI5, the UK's internal security agency, has said it is working to counter "astonishing" levels of cyber-attacks on UK industry. The trend identified in the Verizon report is a large increase in data breaches stemming from external agents. So is this a watershed for boardrooms to take an interest in cyber-security?

A study by the IBM Centre for Applied Insights, based on double-blind interviews with 138 security leaders, found that "while many security organizations remain in crisis response mode, some security leaders have moved to take a more proactive position, taking steps to reduce future risk." Its findings include:

  • Business leaders are increasingly concerned with [IT sic] security issues.
  • Budgets are expected to increase.
  • Attention is shifting towards risk management.
  • External threats are the primary security challenge.
  • Mobile security is a major focus.

In this study security leaders rank themselves according to their organization's maturity and ability to handle a breach, and from this three types of organization emerge:

  • Influencers: those that have business influence and authority – who rank themselves highly in maturity and preparedness.
  • Protectors: who recognize the importance of information security – but who lack measurement insight and budget authority needed.
  • Responders: who do not have the resources or business influence to drive significant change.

So the challenge for many IT security organizations remains one of dispelling the idea that IT security is just another technology support function, and establishing that it is something that has to be designed to protect the whole enterprise. This involves being able to communicate to the business that the cyber-threat is a real and present danger to the organization. It is also important because many organizations are moving to outsourced IT or the Cloud, and this brings additional IT security challenges.

So what about security products? Well, IBM has chosen to focus on the higher levels of IT security management rather than low-level threat protection. The rationale behind this is that threats to organizations are both targeted and persistent. If the threat is blocked in one way, the attacker will continue to look for other approaches that bypass the block. Therefore behavioural analysis of what is happening around and inside the organization's network and systems is a better indicator of an attack in progress, and this often provides the security intelligence needed to counter these threats.

The other area that IBM has focussed on is mobile security. The increasing trend towards BYOD and the proliferation of tablets and other end user devices that can be connected to the corporate network has increased the risk of data loss. Although people value their smartphones, they are not careful with them. (According to a study by Plaxo, 19% of people reported that they had dropped their smartphone down a toilet!) When the device is lost, the data it contains is often more valuable than the device itself. In KuppingerCole's opinion BYOD brings many challenges, and the key to mobile security is to start from a data-centric position rather than a device-centric one: understand what data you have, and then make sure that you protect it properly. IBM say that their strategy in this area comes from "following the data"; if so, that is good news.

So, in summary, the risk of cyber-threats to organizations is increasing, and it is clear that IT security professionals need to do a better job of explaining these risks in business terms. KuppingerCole's view is that IT organizations have to adapt to become much more business aware or they will fail. This includes, but is not limited to, security challenges. It is good to see IBM providing a lead in this area.




17.06.2012 by Mike Small

I just returned from NISC – the National Information Security Conference – held this year in Cumbernauld in Scotland. The theme of this event was “the diminishing network perimeter”. With the advent of smart phones, tablets, Kindles and BYOD, the boundaries between the work and home environment have dissolved so how do you maintain the security of your corporate network? How does this impact on the corporate network, and how much can you put into the cloud?

There were many interesting sessions around this theme and, as well as giving a talk on the Deadly Sins of Cloud computing, I sat on a panel which discussed the diminishing network perimeter.

Amongst the other sessions, one by Dr Simon Shui of HP Labs provided an interesting and different perspective on Cloud computing. Dr Shui has been working with Professor David J. Pym at the University of Aberdeen on the subject of "Information Stewardship in the Cloud". They have developed a series of economic and mathematical models that explore various aspects of the emerging cloud ecosystem. These models allow the exploration of different priorities in information stewardship, as well as the relative success of different policies and the attributes of platforms and providers.

I was honoured to be part of a panel, chaired by Gerry O'Neill, which discussed the diminishing network perimeter. In my opinion the network perimeter is, and always was, an illusion created as a comfort blanket. We need to get over the idea that the whole organization can somehow be isolated: it can't. The business perimeter is long gone. What is a commodity is outsourced; only what adds value is retained. We need to remember that, in general, IT is now a commodity.
In this new world indirect governance replaces hands-on management. This approach is essential when you acquire services rather than produce them yourself. In general, internal IT organizations have focussed on how to do it themselves and are not good at indirect governance. For indirect governance to succeed it is important to:

a. Really understand the business requirements (which include the need for compliance and the risk appetite).
b. Understand what data you have and the value of this to your business.
c. Base IT architecture, and decisions about how to acquire IT services on these requirements.
d. Assess risk and choose risk response on real need rather than theoretical possibilities.
e. Make sure that responsibilities are clearly defined and set controls and measure performance against this business need.

We can no longer design IT systems on the assumption that they will be run in-house. We can no longer rely on a notion of a secure perimeter as the basis for IT security. IT systems should be designed to run in whatever location is best from a point of view of cost and risk.

© 2015 Mike Small, KuppingerCole