I’m in a new job, which offers me the benefit of looking at the IT department with an outsider’s perspective. What I’ve noticed is that this group of IT professionals has been trained to be technology-focused. In some environments this can be a good thing, but this company needs solutions, not just technology.

One problem facing technology-focused groups is the formation of silos. We have several silos that prevent IT from focusing on business solutions. Instead, these silos – infrastructure, help desk, application development – tend to focus on technology solutions. Each challenge becomes an opportunity to point the finger at a different silo, or a problem to be solved using a single silo’s skillset. In the nine months I’ve been here, I’ve very rarely seen all three silos come together for the purpose of implementing a single business solution (it has happened, but is rare).

In the current environment, IT has business value, but only as long as it is billable to external clients. The company does not generally see IT as a group of experts who can analyze a business challenge and creatively identify an excellent solution. Instead, IT is more often seen as a slow, cumbersome department that is capable of quick fixes and work-arounds, not long-term, value-added solutions.

We’ve found ourselves in this predicament, in part, because of the legacy applications that should have been replaced a decade ago. But I think there are deeper, fundamental reasons for the current (largely negative) view of IT:

• Failure to measure against satisfaction ratings – when providing a service to the rest of the company, IT must be able to measure how well it performs. This is a basic starting point that we are implementing now.
• Failure to market itself properly to the organization – Surprisingly, IT (done right) includes an element of sales & marketing. Organizational departments and employees are often intimidated by technology. This is why I LOVE being included in sales meetings with potential clients. It provides an opportunity to contribute in a meaningful way to helping the company succeed – by “selling” IT services directly to our company’s clients and by collaborating with the business to identify the BEST solution.
• Failure to increase its level of value to the organization – Every year IT should identify some new value it provides to the organization. Perhaps we can automate a manual process, or consolidate servers, or create a new product to sell. This is the fun, innovative side of IT – figuring out how to use new technology to benefit the business.

Ultimately, IT needs to bring technology to the business in a way that makes it apply to the business world, without requiring the business to do all the thinking. Consider the differences in these two approaches to a custom report:

• Typical technology-focused approach: “tell me every field you want on this report, or provide an example in an excel spreadsheet of all fields you wish to see”.
• Value-added approach: “tell me what you wish to accomplish with this report – what will it be used for and what is your overall goal”.

In the first example, we’re asking the business to do all the thinking. In some cases, that may be expected and acceptable. But we should also be able to accomplish the value-added approach for those cases where the customer is looking for a business solution, rather than a technology-focused solution.

I had lunch with an old friend yesterday. After catching up with each other on work and life stuff, he made a comment in response to a recent success I had just experienced – “you were really lucky”, he said.

It didn’t occur to me until much later that luck had very little to do with it. This particular success came about because I had built up a large network of relationships over the past several years, so when I reached out to this network for help, I received an immediate response. Luck may have played a part, but it was a small part compared to the preparation that led up to it.

One of my favorite quotes is by Earl Nightingale: “Luck is what happens when preparedness meets opportunity, and opportunity is there all the time”.

Lucky people are quite often simply those people who have taken the time to fully prepare themselves for life’s opportunities. They look lucky, because things tend to go their way — but things tend to go their way because they are equipped to respond, while others are not.

Being fully prepared for our opportunities means we are able to apply vision, creativity, and intelligence to offer something of value. Regardless of the type of work, there are opportunities to provide value to help move the organization toward success. The type of success will vary, depending on your position within the company. The motto “bloom where you are planted” is a good example – impact what you can, for the overall good.

Before lunch with my friend yesterday, I was considering dropping out of my Master’s degree program for a while (after my current class). My new job has been very demanding and my fear was that it would become too much. However, my friend convinced me to stick with it, and after writing this article on preparation, I think he’s right.

I read about Hershey’s web site compromise in this morning’s paper: “Hacker targets Hershey recipe”, and couldn’t help but wonder, why? Why hack into a website, only to change a recipe involving chocolate? What’s the point?

Clearly, there may be more to the story than we know. The movie-watching, suspicious part of me speculates that the recipe change was merely a cover-up for some more nefarious purpose. Hershey admits that the site stores consumer name and address information, so perhaps that consumer data was stolen. And there is the possibility that this website was simply a jumping-off place for hacking further into the network.  We may never know, which is why we should all be very careful about handing out our personal data.

As a consumer, the lesson-learned is this: always weigh the benefits against the potential risks — before you provide a website with your personal information. Is that chocolate recipe really worth the increased risk of someone using your email for spam (or worse, identity theft)?

For businesses, this hack highlights the importance of accurately identifying the scope of an incident. If something similar happened to your company, do you have confidence that the team can accurately identify how deep the compromise went? Can the security team successfully implement security measures to prevent reoccurrence?

The Hershey website hack seems like a simple case of teenage-hacker-showoff tactics. For similar hacks within your business, can you prove it is nothing more?

How can you tell when it’s time for a change?

Regardless of how much I may like to be “comfortable”, there is nothing like the feeling of needed change – especially when that change is necessary for your own personal growth.

I recently struggled with the job-change decision, after 18 years in the same job. During this process, I realized that the decision often involves issues much larger than pay scale, title, and perks.

Here are some hints that may indicate a change is required, even if you’re satisfied with your job overall:

• I’ve done everything I can within my sphere of influence – I’ve always like the quote “bloom where you are planted”. But there are times when we’ve done all we can, where we are. To do more may require a move.
• I’m ready for new challenges -  In some cases, we simply outgrow our current position. If the company has no growth opportunities, we may need to move on in order to experience bigger and better challenges.
• I’m looking to the future – Focusing on the past is seldom helpful, except in learning to avoid past mistakes. Equally important is to expand our focus away from what’s happening today and move toward what can or should be. This is the difference between managing by crisis (focusing only on today’s fires) and strategic management.
• I don’t see passion around me – Maybe I’m too ideological, but I think a career should include passion. What’s the point of spending a significant amount of your time at a job that doesn’t inspire you? I’m passionate about Information Technology – not just the hardware and software, but specifically the part of IT that solves business problems. I don’t expect everyone around me to share my enthusiasm for IT, but ideally each person has their own passion to contribute to the business and ultimately help move the company toward success.

While I’m sensitive to differences in leadership styles, I think passion is one trait that isn’t easily learned. You either have it or you don’t. Leaders with a natural enthusiasm seem to radiate confidence and optimism, while a lack of passion can easily lead to apathy.

Are you struggling with a tough, life-changing decision? Think about what is really important to you and then embrace your decision with confidence!

I worked on several Android projects during 2009, in conjunction with Albright College. These projects gave me an opportunity to learn about the Android OS first-hand and, I’ll admit it, it’s more fun than the typical integration projects I work on during my day job.

Android Emulator

So in March of 2010, when I saw “Malicious Android Software” topic come through on a GIAC Gold application, I was quick to volunteer as advisor. My student has since completed her GIAC Gold paper (wonderful job!) and it’s available at the SANS Reading Room.

In this paper, the author outlines her reverse-engineering process to highlight how easily malware can end up on mobile devices. However, the concepts really apply to any system that allows the user to install and update applications.

The security flaws may be easier to prove on the Android platform, because Android applications can be created by anyone. But the security issue is not much different from the malicious screensaver apps people downloaded in the 90s. This remains a fundamental security concern today: If users can install/update their machines, they can install malware.

That said, there are a couple of things that currently make mobile app security a bit worse than, say, Windows security:

1. Android and iPhone devices typically aren’t managed at the Enterprise level. Many of these devices have no anti-malware software installed and most of the users don’t fully understand the platform.
2. Mobile device applications number in the thousands. As I write this, AndroLib reports over 145,000 Android Apps in the Android Market. By the time I publish this, the number will have increased.

Mobile security is a dynamic topic, but here are a few current security tips that can help:

• Install some sort of anti-malware app. TrendMicro has  Mobile Security for Android, most anti-virus vendors have something similar. Also, check out Lookout Mobile Security for a free alternative.
• aFirewall - is a free version of the Android Firewall that blocks incoming calls and SMS from numbers you specify.
• App Protector – password-protects any Android application.

In my IT role, I’m often asked to evaluate various solutions and pick the best option. There are many methods for evaluation (AHP is my favorite everyday approach), and some work better than others for software vs hardware projects. But, unless your organization has an unlimited budget, all evaluation matrices will include a COST component.

In this article, I’ll provide a simple method to evaluate the cost of a project in a way that includes the up-front costs, ongoing costs, any salvage value, and the time value of money (TVOM). By identifying the project’s Present Worth, we can more accurately compare projects that have varying cost components.

Let’s assume that your organization is planning to replace a machine that is used in the production of one of your products. The life of the machine has been estimated at 4 years. The choice of machines has been narrowed down to three different vendors and you have pricing for the up-front cost, as well as the ongoing yearly cost and any salvage value at the end of the period. Here is the data so far:

Initially, we may choose Machine 3, based on the low up-front cost. However, the ongoing annual operating cost is higher than the other two machines. Machine 1 has the lowest annual cost, but the highest initial cost. Which machine is really the lowest cost option?

You may be tempted to perform a simple calculation that combines the initial cost with 4 years of annual operating expense. Here is the result:

Using these figures, Machine 1 looks like the best-cost option. However, this calculation does not allow for the time value of money (TVOM), or the salvage value at the end of four years.

The Present Value function of Excel allows us to include all components of the cost and calculate each machine’s present worth. Here are the calculations using 10% TVOM, which represents the amount we expect to earn on our investment:

The calculation takes the initial cost and combines it with Excel’s PV function to get the present value of the ongoing costs and salvage value over 4 years.

Since we are evaluating Present Worth, we want to select the Machine with the greatest value. In the example above, all three machines show a negative Present Worth, so the least negative machine is the greatest value (Machine 2).

Try this excel function next time you are evaluating a purchase for home as well, such as a new car or a new home heating system.

As a lifelong adult student, I truly enjoy education. There is something very satisfying about learning a new concept and then applying it somewhere in your life. Here are five key reasons to consider continuing your education:

1. Success in coursework will enhance your confidence. Success and confidence work together in a sort of upward spiral. As you experience success, you gain confidence. As your confidence improves, you reach for higher success.
2. As you learn about new concepts, you will become a more interesting person. As you increase your level of knowledge, you will be able to intelligently participate in more varied topics of conversation.
3. Your value as an employee will increase. As you gain knowledge, you become a more valuable asset to the organization.
4. You will be better prepared for the future. According to Earl Nightingale, “Luck is what happens when preparedness meets opportunity“. The more you know, the better prepared you are for the opportunities that come your way.
5. You will expand your comfort zone. Experts agree one of the best ways to achieve more out of life is to expand your comfort zone. Your comfort zone limits you to the familiar. When you move outside this zone, you grow beyond your current situation.

Do it – one class at a time. Sign up for a college class, online instruction, or maybe a certification course. I’ve taken the following types of classes over the past 20 years – all of them have been great!

• Traditional college night classes – I chose the Albright College cohort system because you attend core classes with a cohort group.
• 100% Online classes – I’m currently enrolled in University of Maryland University College Master’s program.
• Certification programs – There are tons of programs out there in hundreds of topics. I choose SANS for security certifications. Pick one that interests you and get started.

On the morning before my second-degree black belt test, I was overwhelmed with fear. It was like the fear I felt years ago when public speaking made me (quite literally) sick. I couldn’t focus. My hands were shaking and my stomach was doing flips.

I had two hours before the test was to start and I considered calling out sick.  But then my type-A personality kicked in and I realized that if I didn’t do the test now, I’d have to do it later (NOT completing it was never an option).

With little time to pull myself together, I first turned to prayer. I’ve noticed that the basic act of acknowledging I need help and listening for guidance often spurs ideas. On this particular day, the idea that hit was to look through a book my karate master had given me years ago titled, Zen in the Martial Arts, by Joe Hyams. It’s a book of small stories, each with their own “words of wisdom”.

Focus your Mind

I randomly opened the book to the chapter titled Kime: Tighten your Mind, which means to simply exclude all extraneous thoughts from your mind and focus 100% on your immediate goal.  Don’t think about what you just messed up and don’t think about what’s coming in the next few minutes. Instead, give 100% effort to the thing you are working on at this exact moment.

It sounds obvious, but how many of us actually practice it? When my type-A personality is particularly present, I’m very often focused a few steps ahead, thinking about goals, options, and various consequences. When I’m lacking confidence, I focus on past mistakes — what if I’d done this differently? Why did I do it that way? How could I have done it better? But the times in my life that I practice Kime, focusing 100% on the current task, have been remarkable moments.

Try it for yourself. The next time you have an exceptionally stressful or important task, try to focus all of your energy on the task itself. Don’t think about what might happen IF, or anything else leading up to the moment. Instead, live “in the moment”. It works great for important presentations and stressful public speaking events.

Practice this technique on the small stuff also — the daily tasks in your life. When your kids want to tell you about their day at school, or a colleague is talking to you at work, focus 100% on what they are saying.  It’s tougher than you might think, but when you practice it on the small stuff, it will be easier to do when you really need it for something big (and you might improve your listening skills along the way).

Back to my black-belt crisis — After reading and thinking about the Kime concept for a few minutes, I was able to calm myself down enough to leave for the test. When I arrived, I found many people there to participate or watch. My nervousness wasn’t gone, but I was better able to channel it into focused energy. The moment I dreaded most was free-sparring against opponents I did not know.

When it came time for sparring, I worked hard to focus all of my attention on each moment. I didn’t plan attacks or complicated combinations.  I simply responded to opportunities and reacted when necessary. It went amazingly well. My karate master said it was the best sparring he had ever seen me do! I’ll never be a great sparring champ and I still do not enjoy that aspect of karate training (I simply don’t like fighting). However, on that day with my mind totally focused, I felt like Neo on the Matrix — it seemed so easy.

Since then I’ve used this technique for other important events, and I try to apply the concept to my daily interactions with people.  I can’t say I’ve perfected it, but I think it’s a practice worth continuing.

Most of our FTP clients send order data on a predetermined schedule. We might, for example, receive order files at 7:00 am, noon, and 3:00pm each day. If files come at a fixed time, we can write processes that are scheduled to run at a fixed time also, so that the entire process is automated.

However, some of our clients send us event mailing data that isn’t scheduled in advance. We have no way of knowing the event will be happening, until the client notifies us. This has caused problems — for example, the client may send us a file, but forget to tell us. If the event is time-critical, then the mailing may not be done in time.

I searched online for an FTP alert script and was surprised at how poorly-written some scripts were — in fact, I couldn’t find a good example at all, so I decided to share mine here.

This is the logic I ended up using (the script runs from crontab):

# get current directory list:
ls -lr /home/ftp/incoming/userdir/* > /tmp/test2.txt
# compare to previously-created list (cp before 1st run):
diff /tmp/test.txt /tmp/test2.txt > /tmp/testdiff.txt
if test -s /tmp/testdiff.txt
 then
 #echo "you've got new files or files were removed..."
 mail -s "FTP file changes exist" email@domain.com < /tmp/testdiff.txt
 # reset both:
 ls -lr /home/ftp/incoming/userdir/* > /tmp/test.txt
 ls -lr /home/ftp/incoming/userdir/* > /tmp/test2.txt
 cp /dev/null /tmp/testdiff.txt
fi

I’m not a Unix script guru, so this script can probably be improved upon, but the logic works.

I was surprised by the bad logic I found on the web, from people trying to solve the same problem.  In one example, the script uses the ‘ls’ and ‘wc’ commands to list the directory and then count the number of files. If the file count changes, an alert is sent.  However, if a file is removed before the alert runs, this program will not pick up the change, since it’s based on a count that has remained the same (add 1 and subtract 1 = 0).

In another example of poor logic, the script gets the file count, then sleeps for 5 minutes, then compares the number of files to the prior file count. The programmer suggests putting the script in crontab to repeat every 10 minutes, which means the timing must be precisely right for the program to alert. If a file is sent outside of the 5 minute wait period, the alert doesn’t catch it.

Given that scripts are written all the time to solve system admin problems at almost every company, the result of this little project causes me to wonder about the quality of scripts sitting on corporate servers (but that sounds like an issue for another day).

Recently I’ve seen many articles discussing the issue of tech-savvy users and their impact on the future role of the corporate IT/IS department. After all, why require an IT department, when users will simply implement and support their own gadgets? This is a valid argument, but it’s not new. Over the past 30 years working in IT, I’ve seen this topic played out over and over. It’s the classic struggle between flexibility (to do what we want) and standardization (through IT, corporate, or industry).

I’ve found that almost any type of IT project can be loosely categorized into two types: 1) Fast and Flexible, or 2) Slow and Standardized.

Data Integration with Enterprise Standardization

To illustrate, let’s consider data integration type projects. For the past 15 years, I’ve worked for an order fulfillment company. Order fulfillment is all about accepting orders – in any format. Decades ago, the formats were:  phone/fax/email. Today they’re:  EDI/XML/delimited transactions.

We take data in any format, and import it into our order processing/inventory control system. We also export data for feeds back into client manufacturing, accounting, and reporting systems. We’ve worked with data from eCommerce systems like Amazon, Yahoo, Volusion, and HSN, as well as JD Edwards, Siebel CRM, SQL/MySQL, Access, and blackbox systems. As a result, we’ve become somewhat adept at slinging data around.

Within IT, flexibility is critical. We want IT departments to look for solutions that meet the needs of our clients and users. But often, flexibility is incompatible with standardization. This is made even more difficult when you need flexibility to support dozens of clients, each residing in a different industry with differing data requirements, which is the challenge faced by order fulfillment companies.

Project team data feeds can get messy

Our attempt at standardization started in 1998, when we created our APIs. Our “standard” set of APIs includes order transaction, order status, and inventory inquiry. These web service APIs are available to our clients for use on their own web sites, or as a component of their enterprise applications.

Most clients are delighted to know we have a set of APIs available. They are delighted, but that doesn’t mean their IT department can accommodate.

Surprisingly, our largest clients — Fortune 500 companies — often implement solutions that go around the standardization they already have in place. Why? Because the effort required to interface using their enterprise system may cost more and/or take longer than a Fast & Flexible alternative.

Increasingly, our client contacts are choosing to work around their IT departments, rather than standardizing through IT. I have a related article, The Scary Realities of Web Data that discusses some of the security issues, so I won’t cover security here.  However, IT departments today face a huge challenge — they must respond to requests quickly, while also maintaining an appropriate level of standardization and security.

If the response isn’t fast, today’s end-users are tech-savvy enough to simply work around IT (and drop any standardization that may exist). For example, as head of marketing for your corporate product, why work through your own IT department when you can simply have your web vendor send order data directly to your order fulfillment vendor?

This is the type of project I see on a weekly basis, with customer data completely bypassing the corporation (the security of the data often isn’t considered at all).

It’s a dilemma.  If a standard is dictated, then we lose some sense of freedom to choose. Yet without standards, we have chaos. The X12 document list contains standards for “order series” transactions, but in 15 years of implementing order-type data transfers, I’ve had only one request to use these standards.

Web services may be a long-range answer, but most of the large corporations I work with are unable to quickly implement web service solutions.

There are several possible solutions. First, if IT departments wish to stay relevant, they need to turn around projects quickly and at a competitive price. But quick turn-around is hard to do if the entire IT infrastructure is outsourced.

Another solution is an IT-business liaison operating as a resource to the corporation users. This role requires  someone who truly understands the technical scope to assist during meetings with vendors and identify the best solution for the corporation. Without this perspective, the ‘owner’ of the project will pick the fast & flexible alternative every time.

Finally, it is important that everyone in the organization has an appreciation for the value of data (through training and education).

Are these realistic goals? What solutions have you seen work?