Business Technology
Vista
January 29, 2006 from Canadian Business magazine – “It's been five long years since Microsoft booted up a new operating system and three since updating its popular suite of productivity software. So gird yourself for the sales pitch you're bound to hear in the coming weeks for the company's new Windows Vista OS and Office 2007 packages--both launched for businesses Nov. 30 and consumers Jan. 30--because it might sound a bit excessive for what, in the end, is just software. Microsoft has not reinvented the PC; it has merely made it easier to use.
"A lot of it is eye candy," says Naumi Haque, a research analyst at Info-Tech Research Group, based in London, Ont. "For the majority of users, what they have is already fulfilling their needs, so there's no immediate drive to upgrade to these products." And, Haque says, it's no different for corporations. A majority of Info-Tech's clients say Windows XP is exceeding their requirements--and, in some cases, even older versions of Windows suffice. The same goes for Office.
But if you're a Microsoft fan, you can't help but like the amount of work that has gone into Vista. For example, Vista automatically indexes everything on the hard drive and lets users quickly search for files and applications. A resizable preview panel reveals a thumbnail image of a file, and lets you scroll through its entirety before opening it. Also impressive is Vista's use of metadata tags, which are descriptive information about a file, such as the author and subject matter. The tags allow users to slice and dice search results in a variety of ways and customize how they sort categories of similar files. For example, growing digital music and photo collections can be organized on-the-fly by date, a star-rating system or personal tagging terms.
Much of Microsoft's focus on Vista for consumers has centred on solving digital-content overload and making the PC more fun to use. And, of course, there are updated 3-D glossy and translucent graphics. For business customers, Vista has tried to make IT departments happy with a more secure OS that's easier to back up and lock down. Vista also simplifies how corporate users adjust settings for presentations and find networks.
Similarly, developers of the Office 2007 suite of applications (Word, Excel, Outlook, PowerPoint, etc.) have directed their efforts toward some of the peripheral programs, such as SharePoint, to improve collaboration, workflow and document management for governance purposes.
But the big change everyone will notice in Office 2007 is what Microsoft calls the "ribbon," which replaces the familiar drop-down menus and floating palettes. The ribbon presents all the functions in buttons along the top of the screen, organized in contextual tabs such as Table and Review. It will take some getting used to, but it's supposed to put everything in plain sight and standardize the functions across all programs. The idea is that everyone, not just the experts, get more out of the applications.
And you might. But there is no killer feature that makes Office 2007 an essential purchase. "The decision to buy new hardware is going to be more important for the consumer than the actual decision to upgrade to Office 2007," says Haque. When it does come time to get a new computer, you won't miss the old Windows or Office--but you won't have that choice anyway.”
180 View – There has been so much in the press about Vista that it was difficult to figure out which article to quote. We have just completed our own review of the system, which will be published in CAmagazine in the near future. We recommend Vista if you have enough horsepower to run it, and your existing programs and devices will work. Microsoft does provide a free downloadable program called Upgrade Advisor which will tell you which of the various versions of Windows Vista is most appropriate and also whether you have any devices or software that may be incompatible.
Labels: Microsoft
CEO challenge
January-February 2007 from CAmagazine – “Since 2004, three waves of CEO and CFO certification have washed over corporate Canada, and there are more to come. All are aimed at restoring investor confidence in financial reporting and related controls by improving accountability and transparency — terms seldom heard during the ’90s, a time of heady growth, but which, since 2001, have resurfaced as key business, governance and disclosure principles.
Certification was introduced to Canada in 2004 when the Canadian Securities Administrators (CSA) required the CEO and CFO of a reporting issuer to certify the financial information in quarterly and annual filings. In 2005, that was expanded to include certification about disclosure controls and procedures. Last year, the third wave arrived. It requires certifying officers of TSX and TSX-V issuers to file the full annual certificate for financial years ending on or after June 30, 2006 — which, for many reporting issuers, means the calendar year ended December 31, 2006.
The full annual certificate in CSA Multilateral Instrument 52-109 expands the certification to require CEOs and CFOs to state they have “designed such internal control over financial reporting, or caused it to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with the issuer’s GAAP.”
In addition, they are required to certify that the annual Management’s Discussion and Analysis (MD&A) discloses any changes in internal control over financial reporting (ICFR) that occurred in the latest interim reporting period that have materially affected, or could materially affect, the ICFR.
This third wave of certification applies only to the design of ICFR, not its operating effectiveness. That will be introduced in a fourth wave of certification, yet to come…”
The September 2006 CICA publication Internal Control 2006: The Next Wave of Certification provides a straightforward, business-focused, top-down and risk-based approach for CEOs and CFOs to follow in assessing and certifying the design of ICFR. This approach will also help companies prepare for the future evaluation of the effectiveness of ICFR.
180 View – Note that the requirements kick in “for financial years ending on or after June 30, 2006”. Also note that the certification is limited to design and not operating effectiveness, which means that the most onerous work required in the US under Sarbanes-Oxley is not required in Canada – at least not yet. But because of the backlash by public companies related to the cost of Sarbanes-Oxley compliance, the U.S. may water down its compliance requirements to be similar to Canada’s.
The article later goes on to say “The Next Wave of Certification provides a straightforward, business-focused, top-down and risk-based approach.” Straightforward sounds great in principle, but it’s not clear what is meant by it. Risk-based leads to efficiency in that there is no point in spending time unnecessarily if risks are minimal. Business focus means “companies should view their assessment of ICFR (Internal Control over Financial Reporting) as a business improvement opportunity, not just a regulatory compliance task.”
Labels: CSA, MI 52-109
Enron’s Last Victim: American Markets
January 3, 2007 from the Cato Institute – “When the new Congress begins its session tomorrow, two familiar faces will not be present: Senator Paul S. Sarbanes and Representative Michael G. Oxley, who are both retiring. Mr. Sarbanes, a Maryland Democrat, has served for 30 years; Mr. Oxley, an Ohio Republican, for 26 — and their main legacy will be their joint attack on corporate corruption, the Sarbanes-Oxley Act of 2002.
The act, which was passed hastily in the wake of the Enron scandal, was surely well intentioned. But it has proven counterproductive in the extreme, and Congress would best honor the departing lawmakers by repealing it.
Sarbanes-Oxley has seriously harmed American corporations and financial markets without increasing investor confidence. The section of the law requiring companies to perform internal audits has turned out to be far more costly than proponents projected, especially for smaller firms. These costs have led some small companies to go private, hardly a victory for public oversight, and some foreign firms to withdraw their stocks from American exchanges.
In addition, the average "listing premium" — the benefit that companies receive by listing their stocks on American exchanges — has declined by 19 percentage points since 2002. This explains why the percentage of worldwide initial public offerings on our exchanges dropped to 5 percent last year, from 50 percent in 2000.
Other costs associated with the act may turn out to be more important. For example, more stringent financial regulations and increased penalties for accounting errors may make senior managers too risk-averse. Most chief executives are not accountants, so the requirement that they personally affirm their companies' accounts — at the risk of jail time should anything be amiss — may make them reluctant to partake in perfectly legitimate activities.
Paradoxically, Sarbanes-Oxley's strict rules on oversight by boards of directors would have been insufficient to prevent the collapse of Enron. By the act's standards, Enron had a model board; most members were distinguished professionals. The chairman of the audit committee was a former accounting professor and dean of the Stanford Business School.
Nor would the act's provisions to create a stronger Securities and Exchange Commission have made a difference. The commission had been aware of Enron's accounting techniques since 1992 and had never thought to question them.
Nor was Sarbanes-Oxley necessary in prosecuting the senior managers of Enron, WorldCom and other corporations where fraud was committed — all have been convicted of accounting fraud under laws predating the act.
The negative repercussions of the act on businesses might have been worth it if the act had achieved its primary goal: substantially increasing the confidence of investors in the accuracy of the accounts of firms listed on the exchanges. But that does not seem to have happened.
The best measure of investor confidence is the price-earnings ratio — the price that investors are willing to pay for each dollar of a company's reported earnings. The overall price-earnings ratio for the Standard & Poor's 500-stock index, however, has declined continuously since the Sarbanes-Oxley Act was being drafted in the spring of 2002.
Several leaders of the new Democratic Congressional majority have endorsed a relaxation of the audit requirements and other parts of the act. That is encouraging, but it is not enough. The basic structure of Sarbanes-Oxley is unsound.
One big problem is that the act nationalized the rules for corporate governance, reducing the value of the competition among the states for setting such rules. In addition, the act failed to resolve the major conflict of interest created when auditing firms are paid by the companies they audit. Rather than creating a regulation to change the system, Sarbanes-Oxley created an expensive and arguably unconstitutional new regulatory agency to regulate the audit firms' activities.
And, as is too often the case, Congress has rewarded the failures of the very bureaucracies that failed to keep up with Enron — doubling the budget of the Securities and Exchange Commission.
Tinkering is not enough. Sarbanes-Oxley continues to discourage smaller companies from trading publicly and foreign companies from listing their stocks on American exchanges. In the eyes of investors, it hasn't cleaned up any corruption, it has only forced companies to jump through hoops. As Senator Sarbanes and Representative Oxley drift into retirement, their act should retire with them.”
180 View – We think a risk-based approach to Sarbanes-Oxley coupled with a business focus (objective includes business improvement) would go a long way to restore the value in Sarbanes-Oxley.
Daylight-savings changes: No Y2K but there could be headaches
January 25 from Network World – “At first blush it may seem like no big deal: clocks will move ahead by an hour three weeks earlier than usual this year. But for today’s networked businesses, the simple change could mean complex problems if IT shops aren’t prepared, industry experts say.
The trouble goes beyond missed meetings and messed-up schedules to errors within time-reliant applications that are critical to a company’s business — processes such as operating room scheduling, billing and contract deadlines and ensuring record compliance, for example, could be at risk. Any applications dependent on timestamps will run into trouble after March 11, the new day for the daylight-saving time change, if actions aren’t taken.
For more than two decades, daylight-saving time has begun on the first Sunday of April and reverted to standard time on the last Sunday in October. But beginning this year, due to the Energy Policy Act of 2005, the daylight-saving schedule will be extended by a month, with the period beginning on the second Sunday in March and ending on the first Sunday in November. Legislators backing the change say it will save some 100,000 barrels of oil a day.
But the change also could throw a wrench in IT systems set up to automatically handle the old daylight-saving schedule. As a result, IT professionals need to take a close look at their systems and applications to determine which could be off when the change occurs and then take the necessary steps to correct them.
180 View – It seems like a reasonable precaution to check this out on your systems.
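A small check for the schedule change described above, added here and not part of the Network World article or the blog: it computes the old and new US transition dates, the windows in which a host still on the old rule shows local time an hour off, and whether the tz database installed on this host already applies the new rule. It assumes Python 3.9+ with the zoneinfo module and a system tz database (or the tzdata package); without zone data the tz check reports unknown.

```python
# Added example: old vs. new US daylight-saving rules and a local tz-database check.
from datetime import date, datetime, timedelta

SUNDAY = 6  # date.weekday(): Monday=0 ... Sunday=6


def nth_weekday(year, month, weekday, n):
    """Date of the n-th given weekday in a month; n=-1 means the last one."""
    if n > 0:
        first = date(year, month, 1)
        shift = (weekday - first.weekday()) % 7
        return first + timedelta(days=shift + 7 * (n - 1))
    # n == -1: walk back from the last day of the month
    last = date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)
    shift = (last.weekday() - weekday) % 7
    return last - timedelta(days=shift)


def old_rule(year):
    """Pre-2007 schedule: first Sunday in April to last Sunday in October."""
    return nth_weekday(year, 4, SUNDAY, 1), nth_weekday(year, 10, SUNDAY, -1)


def new_rule(year):
    """Energy Policy Act of 2005 schedule: second Sunday in March to first Sunday in November."""
    return nth_weekday(year, 3, SUNDAY, 2), nth_weekday(year, 11, SUNDAY, 1)


def misfire_windows(year):
    """Date ranges [start, end) in which a host still on the old rule is one hour off:
    spring (new start -> old start) and autumn (old end -> new end)."""
    old_start, old_end = old_rule(year)
    new_start, new_end = new_rule(year)
    return [(new_start, old_start), (old_end, new_end)]


def misfire_days(year):
    """Total number of days in the year on which the two rules disagree."""
    return sum((end - start).days for start, end in misfire_windows(year))


def tzdata_applies_new_rule(year=2007, zone="America/New_York"):
    """True if the installed tz database observes DST at noon on the new-rule start
    date and standard time at noon on the new-rule end date; None if zone data is
    not available on this host (assumption: zoneinfo with a tz database present)."""
    try:
        from zoneinfo import ZoneInfo
        tz = ZoneInfo(zone)
    except Exception:  # ImportError on old Pythons, ZoneInfoNotFoundError without tzdata
        return None
    start, end = new_rule(year)
    noon_start = datetime(start.year, start.month, start.day, 12, tzinfo=tz)
    noon_end = datetime(end.year, end.month, end.day, 12, tzinfo=tz)
    return noon_start.dst() == timedelta(hours=1) and noon_end.dst() == timedelta(0)


if __name__ == "__main__":
    for label, rule in (("old rule", old_rule), ("new rule", new_rule)):
        start, end = rule(2007)
        print(f"{label}: DST {start} -> {end}")
    for start, end in misfire_windows(2007):
        days = (end - start).days
        print(f"unpatched hosts off by one hour from {start} to {end} ({days} days)")
    status = tzdata_applies_new_rule(2007)
    print("tz database applies 2007 rule:", "unknown (no zone data)" if status is None else status)
```

For 2007 the two rules disagree for 21 days in spring and 7 in autumn, which is the window in which an unpatched timestamp-dependent system will be off by an hour.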
BI and CPM markets in 2007: When two become one
January 22, 2007 from IT Director – “For years analysts have asked suppliers "so which market are you in - BI (Business Intelligence) or CPM (Corporate Performance Management)?" Suppliers were somewhat coy about the answer. BI and CPM were perceived as distinct and separate markets. BI was the high margin Cash Cow and CPM was the Question Mark in the portfolio. Suppliers did not want to risk cashflow from the large $7bn BI market by gambling on the smaller $1bn CPM market. Hence supplier commitment to a CPM marketing message or a BI marketing message vacillated depending on whether cashflow or new market penetration was the current key directive. But all has now changed.
2006 was a great year for the CPM vendors and most registered 30%+ revenue growth. Sniffing opportunity, supplier indecisiveness vapourised overnight. The answer to the "which market are you in?" question has been categorically answered: "BOTH".
All the BI vendors are now firmly positioning themselves in the PM market. Business Objects will shortly unveil ambitious PM plans based on their acquisitions of ALG and SRC. Cognos boasts an Innovation Centre that delivers industry sector CPM solutions in Cognos Performance Blueprints. It now talks openly of "Cognos BI/PM solutions". SAP (with SEM) and Oracle (touting both its own CPM suite and the ex-PeopleSoft EPM suite) are pushing new BI and CPM solutions as part of their 'enterprise solution stacks'. SAS is leveraging its analytics market leadership position into enterprise PM products. Microsoft will launch its PerformancePoint PM suite in 2007.
Paradoxically Hyperion is moving in the opposite direction. Having led the CPM market from its inception it is now reverting to its BI roots and will present 'Why Buy BI from a Performance Management Vendor' at the upcoming Gartner BI Summit.
So what's next for the BI/PM vendors? BI as a category will gradually disappear, as OLAP did before BI. "Content Intelligence" will become the new category and the next holy grail. Already SAS, IBM and Cognos are offering enterprise search for unstructured data - emails, Word, PDF documents and the like.
If the BI/PM vendors can combine their mastery of data intelligence (as in BI) with text intelligence (as in document management) to slice and dice, drill down, and aggregate data and text for any question a user might care to ask, then customers will really have something to rave about - a way of emulating the way we currently work with paper. The answers to "where did I put that file?", "what does this information and data mean for the business?" and "what is the context for these conclusions?" will become only a mouse click away. The adoption of SOA will make this easier. Structured and unstructured data management software tools will converge facilitated by SOA.
Expect more acquisitions and new competitors in the Content Intelligence space. HP's recent acquisition of BI/PM provider Knightsbridge is ominous, as is Google's emerging presence in the Corporates with its Google (enterprise) Search Appliance - British Airways is a reference customer.
But what of the pure-play BI and PM vendors? In PM the likes of CorVu and Pilot will provide specialist niche market solutions to government, healthcare, and other markets where specialist non-standard PM solutions are required. BI 2.0 will emerge, but in a slightly different form than most commentators are predicting. High growth vendors such as QlikTech, Spotfire, and Tableau offer fast, flexible, highly interactive and visual solutions for knowledge workers. BI 2.0 will be for the scientific, technical, and professional knowledge workers - the rest of us will access more basic BI functionality and reporting as part of enterprise-wide performance management systems.”
180 View – We disagree with the author that BI and CPM are becoming one. All organizations require BI but only the larger ones need CPM that includes consolidation, strategic planning, scorecarding and forecasting.
Labels: BI, CPM
What is Supply Chain Management Best Practice?
February 1, 2007 from Supply Chain Digest – “We all hear a lot of talk about supply chain and logistics “Best Practices”, including from me. But what are they, really? Are they truly useful?
This column was spawned, in part, from a panel discussion I moderated more than a year ago on Best Practices. It went in a direction I don’t think the panelists or the audience expected. By the end, we were discussing not Best Practices per se, but whether the concept was really meaningful. Somewhat to my surprise, neither the panelists nor audience, at least in this case, thought it really was. One consultant on the panel at one point near the end went so far as to say “Best Practice is baloney.”
Now, in fairness, this was a discussion centered around distribution center operations, and I think processing in a DC tends to be pretty situation specific, making (perhaps) the use of Best Practices less clear. To further think through this, we decided to get the opinions of a number of supply chain and logistics experts.
Ralph Drayer, ex-Chief Logistics Officer at Procter & Gamble and who now runs Supply Chain Insights, thought I was batty for even questioning the concept of Best Practice: “Shame on you! Of course there is such a thing as Best Practices,” Ralph told me. “The fact is that every situation is NOT really that unique, and believing so only adds to unnecessary complexity, cost and consumer value erosion.”
“That's why the consumer goods to retail industry pulled together under ECR [Efficient Consumer Response] and the Global Commerce Initiative to develop and publish Industry Best Practices for common processes," he added. "P&G did the same thing internally as we globalized our operations. A Best Practice is developed by a group of expert users who share their knowledge and experience to define the best method of operating a common process.”
There is strong merit in that perspective, to be sure. If a process is common across a company, then surely there is a “best way” to do it most of the time within that enterprise. And if a process is common across businesses generally, it would seem there is an opportunity for Best Practice – or is that commoditization?
Gene Tyndall, well-known consultant and SC Digest Contributing Editor (and a friend of Drayer’s) had a somewhat different view: “The term “Best Practices,” and the relentless pursuit of them, has caused more trouble than benefit. Everyone believes they need to find them, but then they cannot even define one, much less adopt it,” he said. “Even if you find one, it will change very soon, as someone else tops it.”
He added: “The trick, when you find one, is to "adopt and adapt" the practice to your unique situation. This is what people struggle with. I have argued for years that Dell and Wal-Mart (and others) do indeed have some, but others cannot adopt and adapt them. High-techs have struggled to do so, and K-Mart failed miserably. Others just say that their business models are different, which is a cop-out.”
He also stressed the role of metrics: “Best Practices without performance measures, or metrics, are useless. Just like benchmarks, which without practices or processes are also useless.”
Jim Tompkins of Tompkins Associates, whose company runs a benchmarking consortium, agreed with Tyndall’s last point, focusing on the “result” aspect: “A Best Practice is a process that produces the best benchmark for a specific task," Tompkins said. "So, if the task being considered is inventory accuracy and one determines that 90% of the companies like my company, which have a benchmark of 99.8% or higher for inventory accuracy, utilize cycle counting, then cycle counting would be a best practice for my company. Furthermore one could look into the specifics of the best practices of cycle counting to gain more insights into how to best perform cycle counting.”
Ed Marien, well-known to many from his supply chain leadership at the University of Wisconsin and on-going consulting work, also focused on using benchmarking and metrics right. “The problem with many Best Practice comparisons is that they forget the metrics side,” he said. “The problem with many benchmarking studies is that the focus is upon the metrics, which may not be defined the same across companies or industry comparisons are made based upon metrics only, without considering the How To’s.”
I think I will make a "Part 2" of this column in a few weeks, incorporating some of your feedback. Netting it out here, though, I like the simple way Stephen Craig of transportation consultants CP Consulting answered when I asked him about whether there was such a thing as Best Practice. He answered: “I don’t know if there is Best Practice, but there is clearly Good Practice.”
SCDigest Technology Editor Mark Fralick took a similar tack, and maybe even summed it up best. In working with clients, he said, “I don’t worry so much about Best Practice as I do in eliminating Bad Practice.” Now that’s something I think we can all agree on.
180 View – We often hear vendors offering “best practice” to their prospects. This article backs up our long-held belief that what’s good for one company could be a disaster for another. It’s a great idea to know how others are doing it and compare metrics to benchmarks, but every company has uniqueness. If nothing else, the people are different with different motivations, which could have a huge impact on efficiency and effectiveness.
Labels: SCM
Salesforce.com and Deloitte Consulting Ally
January 30, 2007 from Destination CRM – “Salesforce.com is pairing with Deloitte Consulting in a strategic alliance that may enhance the on-demand CRM giant's ability to further penetrate into larger organizations. As part of the alliance, revealed on Tuesday, Deloitte will incorporate Salesforce.com's on-demand CRM apps and the Apex on-demand platform into its consulting services. Salesforce.com's alliance with Deloitte will help give enterprises the confidence they need to develop, customize, integrate, and deploy on-demand applications with consultants that can help them address their global requirements, according to Bobby Napiltonia, senior vice president of worldwide channels and alliances at Salesforce.com. "The largest enterprise businesses worldwide are realizing they too can take part in on-demand success," he said in a written statement. "With Salesforce Winter '07 and the Apex on-demand platform, companies are able to extend the benefits of on-demand applications to any part of the enterprise."
"Salesforce.com's on-demand model can help change the way large organizations approach their customers," said Paul Clemmons, Deloitte Consulting principal and emerging solutions leader, in a written statement. "We look forward to working even more closely with Salesforce.com to help our clients in their efforts to realize significant results from their on demand applications. The Salesforce.com Apex on-demand platform represents an opportunity to expand the benefits of on-demand computing across many facets of an enterprise."
The announcement dovetails with the findings of a study unveiled today by Nucleus Research and KnowledgeStorm, a search resource for tech solutions and information. More than half of the 198 organizations surveyed use on-demand solutions, and nearly two-thirds plan on implementing an on-demand offering in the next year, according to the study. "This survey shows that the on-demand model is beginning to outgrow its image as a small business solution that, while cost-effective, couldn't scale reliably," Jeff Ramminger, executive vice president of KnowledgeStorm, said in a written statement. "Now, companies of all sizes can take advantage of the efficiencies of these types of solutions."
Salesforce.com has been trying to move up-market for a while, says Timothy Hickernell, associate senior analyst at Info-Tech Research Group. "At some point in this process, software vendors do need to have credible system integration partnerships to get their foot in the door of large firms. The key will be to see how many resources Deloitte--and other SIs--ultimately put towards this partnership, such as full-time consultants trained and certified on Salesforce.com's technology."
180 View – This article is interesting partly because of the statistics supporting the on-demand model as well as Deloitte’s commitment to it. Another view is about lack of independence. Deloitte has other strategic relationships including with Cognos, Lawson, Microsoft, Oracle and SAP. Our perspective is that Deloitte (and the other firms like it that offer implementation services with specific systems) will be unable to provide independent consulting advice in business process improvement projects that potentially involve either replacement or upgrades.
Labels: CRM, salesforce.com
Two new tools that CIOs want – Virtualization and Software as a Service
May 2006 from The McKinsey Quarterly – “While many promising new technologies vie for the attention of IT leaders and CIOs, only a few of these innovations actually end up improving top-line performance or bottom-line productivity. Our recent survey of senior US IT executives and our experience with clients suggest that companies view two new technologies as highly promising tools for obtaining real business benefits: server virtualization (which helps companies improve the match between their computing capacity and their application workloads, so that they can do more with fewer machines) and software as a service (which allows IT departments to offload the delivery and maintenance of software applications). Companies clearly view these technologies as priorities that promise to help them become more efficient and agile.
Virtualization is a software technology that helps raise the utilization rates of servers. It allows companies to run several different operating systems—UNIX, Linux, and Windows, for example, as well as the applications that run on top of them—on a single machine. Distributed servers running a single operating system typically utilize only about 5 to 15 percent of their full processing capacity. Virtualization can make it possible for companies to boost their average server utilization rates to 40 percent or higher while still meeting peak demand. IT departments can then consolidate their servers, reduce the complexity of their environments, and, over time, buy less hardware (though the servers they do buy may be higher-capacity boxes). Related technologies let a single application run across several machines, further boosting reliability and utilization rates, since a machine that isn't too busy can take some of the load off others that are. Finally, the flexibility to set up and tear down test environments quickly and to move applications across physical servers helps to increase administrative productivity and to reduce hardware outlays still further.
Most companies have already begun consolidating their servers—86 percent of the CIOs we asked cited progress in this area. Virtualization is the next natural move. Consolidation aims to combine multiple instances of identical or similar applications on fewer machines. Virtualization goes a step further by making it possible to run more applications on them and by increasing a company's flexibility, so that it can meet shifting workloads without excess hardware. One CIO with a budget of $600 million told us that his company has virtualized 30 percent of its servers and plans to have 60 percent of them virtualized within two or three years. He expects to reduce capital expenditures during the next server-refresh cycle by 30 percent and to reallocate the savings to different projects.
The other trend cited by the IT executives we surveyed is the delivery of software as a service over the Internet. Rather than purchasing and deploying applications inside the enterprise, many companies are buying access to externally hosted applications, so they pay for the software as they use it. The software-as-a-service model can cut the total cost of deploying some classes of enterprise applications by 30 to 40 percent as compared with the total cost of purchasing and maintaining them in house. Of the senior IT executives we talked with, 38 percent said that they plan to use the software-as-a-service approach during the next 12 months. Popular applications include business software for human-resource management (including payroll), billing and order entry, and sales management, as well as security services that guard against spam and viruses. The range of applications delivered in this mode continues to grow, though to date few companies are using software as a service in systems (such as those for production planning and forecasting) that need a lot of tailoring or customization.
Software as a service differs from the fad of the late 1990s for application service providers (ASPs) because the most successful companies offering this latest generation of hosted software have redesigned their applications for scalable delivery over the Web. In this way, these companies innovate more quickly and thus have lower total costs—and pass the benefits on to their customers. Contrary to some expectations, the acceptance of this model isn't limited to midsize companies with understaffed IT departments; some very large enterprises are among the earliest adopters.
IT executives are shifting to the software-as-a-service model for some applications not only for lower licensing and maintenance fees but also because implementation is usually quicker and companies don't have to maintain special skills in software-specific areas. Some enterprise applications can cost tens of millions of dollars and take 6 to 24 months to implement, and many executives prefer to outsource the task. Web services protocols—transport rules that make it easier to link applications flexibly—are helping to speed this migration: 60 percent of our survey respondents said they were implementing Web services, in some cases to integrate externally hosted applications into their own systems.
Taken together, these two adoption trends indicate that a technology architecture transformation is beginning to take shape in many large and midsize organizations. In the past, CIOs deployed their own self-contained application architectures on their own servers and storage systems. This old model is giving way to a hybrid application architecture that combines hosted functionality with in-house applications running on consolidated and virtualized commodity servers. We believe that this transformation will drive efficiencies across the full stack, from business processes to physical infrastructure, while increasing IT's ability to meet new demands in a rapidly changing business environment. Of course, technology alone won't deliver this vision: IT and business leaders will need to rethink governance models and management processes to take full advantage of new technology trends.”
180 View – This article was recommended to us by a company called FavorData that builds custom systems. The article discusses two important IT trends - Virtualization and Software as a Service (SaaS). The article says that “few companies are using software as a service in systems that need a lot of tailoring or customization.” We think that we will see more customized SaaS solutions using Service-Oriented Architectures (SOA). SOA enables a network architect to mix and match existing elements (software, data, or processes) to create custom-made composites to better serve the business’s needs. SaaS using SOA - don’t you just love acronyms?
Labels: SaaS
Are Background Checks Necessary For IT Workers?
January 29, 2007 from Information Week – “When UBS PaineWebber hired Roger Duronio as a full-time systems administrator in 1999, it didn't do a background check on him. An investigation likely would've turned up a police record that included burglary and aggravated assault convictions in the 1960s, drug charges in 1978 and 1980 for which he wasn't convicted, and a drunken driving case in the 1990s.
Those records were filed by the U.S. District Court in New Jersey's Probation Office ahead of last month's sentencing of Duronio, 63, convicted this summer of computer sabotage and securities fraud. In 2002, Duronio unleashed a "logic bomb" on UBS' computer systems that crashed 2,000 of the company's servers and left 17,000 brokers unable to make trades. It cost about $3.1 million to fix. UBS didn't disclose the damage from lost business.
Duronio's criminal past is the kind of information most employers need to know, especially if they're hiring someone who will have access to key systems and applications. Duronio was one of about 40 people with the company's highest computer security clearance, according to court documents, and he had root access to the system.
UBS PaineWebber, renamed UBS Wealth Management USA in 2003, did background checks on a selective basis in 1999, but not on Duronio when he went from being a contractor to a full-timer, a company spokeswoman says. Now the company checks all full-time, part-time and temporary workers, she says.
That's good policy. "You better consider how important IT is," says Alan Paller, director of research at the SANS Institute (www.sans.org). "Consider if you could keep on doing business if someone inside hit you with a logic bomb," he says. "If you can't, you should think about background checks." Would a background check have turned up Duronio's record? At I&T sibling publication InformationWeek's request, investigation firm Fairfax Group found most of the information in the probation report within four days using only public records, and some within 24 hours. Such a search would cost about $500, or about $250 if the person provided a waiver and information such as a Social Security number, says Fairfax Group president Michael Hershman.
Thirty percent of insiders who launch system attacks have criminal records, says Dawn Cappelli, a senior member of Carnegie Mellon University's CERT security response team, citing a 2006 study. In that study, 73 percent of companies did background checks, compared with just 48 percent in the 2005 study.
Companies just starting to do checks on job candidates also should do checks on current employees, says Ken van Wyk of Alexandria, Va.-based information security consulting firm KRvW Associates. But be open about it, and make sure people understand why it's necessary, he says.
IT and HR managers also need to discuss beforehand what's acceptable past behavior and what isn't, says Howard Schmidt, a former White House security adviser who's now CEO of R&H Security Consulting. "If someone had a DUI 20 years ago, or they were arrested for marijuana in the '60s, you check the circumstances," Schmidt says. "Was it a drinking problem, or was it one night out celebrating a birthday? It's the repeating of a failure to comply with the rule of law that I would be looking for." Schmidt warns that background checks are no guarantee. But in fighting insider threats, more companies are deciding they're worth the time and expense.
180 View – While insiders aren't the most common security problem, they can be among the most costly and the most damaging to a company's reputation. Insider attacks against IT infrastructure and data are among the security breaches most feared by both government and corporate security pros.
Lawrence Young (an associate of 180 Systems) has always done background checks on the people he employed in the past. Lawrence says that the degree of checking, including whether a third-party investigation agency is used, varies with the job the individual is being hired to perform. In fact, Lawrence made every employment offer conditional upon receiving a satisfactory background check, and advised the potential employee that he might use a third-party investigation agency.
Investigation agencies typically provide written reports covering an individual’s education, past employment, lifestyle habits and any encounters with ‘the law’, information that would otherwise be difficult for the typical employer to obtain.
Lawrence also strongly suggests that all system access be revoked immediately when an IT employee is terminated. While that may sound obvious, research shows that about half of all insider attacks take place between the time an IT employee is dismissed and his or her user privileges are taken away.
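The gap between dismissal and revocation is something a defender can measure rather than assume. The following is an added example, not code from the original post or from 180 Systems: a small offboarding reconciliation check that compares an HR termination feed against a snapshot of directory accounts and flags any terminated user whose account is still enabled, still holds privileged group membership, or has logged in after the termination time. The record layout, the privileged-group names and all sample records are constructed for illustration.

```python
"""Offboarding reconciliation check (added example; not part of the original post).

Given an HR termination feed and a snapshot of directory accounts, report every
terminated user whose access was not revoked, with how many hours the gap has
been open so the findings can be prioritised.  Field names, group names and
sample data below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Termination:
    user_id: str
    terminated_at: datetime          # moment HR recorded the dismissal


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    groups: FrozenSet[str]
    last_login: Optional[datetime]   # None if the account never logged in


@dataclass(frozen=True)
class Finding:
    user_id: str
    reason: str
    hours_open: float                # hours since termination at check time


# Assumed names of groups that grant administrative or root-level access.
PRIVILEGED_GROUPS: FrozenSet[str] = frozenset({"domain-admins", "root-sudoers", "db-admins"})


def reconcile(terminations: List[Termination], accounts: List[Account],
              now: datetime) -> List[Finding]:
    """Return one Finding per unrevoked-access condition for each terminated user."""
    by_user: Dict[str, Account] = {a.user_id: a for a in accounts}
    findings: List[Finding] = []
    for t in terminations:
        if t.terminated_at > now:
            continue                 # future-dated termination: not yet due
        acct = by_user.get(t.user_id)
        if acct is None:
            continue                 # account already deleted: nothing to revoke
        hours_open = (now - t.terminated_at).total_seconds() / 3600.0
        if acct.enabled:
            findings.append(Finding(t.user_id, "account still enabled", hours_open))
        privileged = acct.groups & PRIVILEGED_GROUPS
        if privileged:
            findings.append(Finding(t.user_id,
                                    "still in privileged groups: " + ", ".join(sorted(privileged)),
                                    hours_open))
        if acct.last_login is not None and acct.last_login > t.terminated_at:
            findings.append(Finding(t.user_id, "login recorded after termination", hours_open))
    return findings


def sample_findings() -> List[Finding]:
    """Run the check over a constructed HR feed and directory snapshot."""
    utc = timezone.utc
    now = datetime(2007, 2, 1, 12, 0, tzinfo=utc)
    terminations = [
        Termination("alice", datetime(2007, 1, 30, 9, 0, tzinfo=utc)),   # properly offboarded
        Termination("bob",   datetime(2007, 1, 31, 17, 0, tzinfo=utc)),  # access never revoked
        Termination("carol", datetime(2007, 2, 5, 9, 0, tzinfo=utc)),    # future-dated
        Termination("dave",  datetime(2007, 1, 20, 9, 0, tzinfo=utc)),   # account already deleted
    ]
    accounts = [
        Account("alice", False, frozenset(), datetime(2007, 1, 29, 18, 0, tzinfo=utc)),
        Account("bob",   True,  frozenset({"root-sudoers", "staff"}),
                datetime(2007, 1, 31, 22, 0, tzinfo=utc)),
        Account("carol", True,  frozenset({"staff"}), None),
        Account("erin",  True,  frozenset({"db-admins"}), None),         # still employed
    ]
    return reconcile(terminations, accounts, now)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.user_id}: {f.reason} (open {f.hours_open:.1f} h)")
```

Run against a real directory the same logic would be fed by an HR export and an LDAP or Active Directory dump; the `hours_open` value is what turns a list of stale accounts into an SLA that can be reported on.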
Labels: HR