Canadian IT Manager

Part 2/4: The Value of Security for Mobile/Wireless

I was interviewed on the topic of Mobile, Wireless, and Security several times this year however only a portion typically makes it to print so I'm blogging about it.

I encourage you to share your experiences here or send me an e-mail at sibaraki@cips.ca, Thank you from Stephen Ibaraki, I.S.P., DF/NPA, CNP
_________________________________

This is a four-part blog series:

Part 1/4: The Major Move to Mobile and Wireless: are you prepared?
Part 2/4: The Value of Security for Mobile/Wireless
Part 3/4: Managing Mobile and Wireless Security Effectively
Part 4/4: 5 Essential Tips for Mobile and Wireless Computing

A study by Symantec (http://www.digital-lifestyles.info/display_page.asp?section=cm&id=2960) puts the average value of the "intellectual property or commercially sensitive information" on laptops at nearly 1 million USD. Only 42% of companies backup the e-mail on laptops where the much of this sensitive information is located. "It's alarming that executives have mobile devices containing data of such financial value and that very little is being done to protect the information on them. The research shows that only a few organizations have measures in place to retrieve this information if their laptop is lost or stolen, which is very worrying," said Lindsey Armstrong, senior vice president EMEA at Symantec.

Let's examine more closely what these security concerns can be.

If you provide mobile wireless connectivity within the office then the business needs to be concerned by public access to sensitive information available from the internal wireless network: business information, employee data, customer information, pricing data, credit card numbers, ...

Also, the business must manage:
(a) Who gets access? Are you looking for and preventing rogue systems [unauthorized computers] from accessing your business network? Do you have policies [rules or guidelines automatically enforced] in place for wireless usage of your network?

(b) What kind of access are employees granted? Do they have full read and write access to all data, or just the ability to read the information? Do they have access only to data that pertains to them or all business data? What policies do you have in place to control access to data and the kinds of data employees can access? These issues are more pronounced when you have mobile wireless computing since without controls employees can access any kind of information, at anytime, from anywhere. There in lies the danger!

(c) Should everyone have wireless access? Should the vehicle drivers, front desk assistant, a business associate have access? Who gets access and for what reasons? What kinds of information are more sensitive than others to general employee access or public access?

(d) What kind of devices are allowed access? What kind of wireless access points [physical devices that allow wireless communications] are allowed access and are there rogue [unauthorized] access points? Without security measures, any employee could plug in their own wireless router or hub and create their own wireless network. What devices can connect to the wireless network? For example, I would recommend only authorized business systems can receive access but not personal devices [a personal computer or device brought in by an employee]. And clear guidelines must be in place to detect rogue devices, rogue wireless access points and procedures to deny them access.

(e) What are the distance limits or boundaries to this wireless access? Can your competitor across the street access your unsecured wireless signal? Can a driver on the street "sniff" into your wireless network? Can someone else steal your services or ride on the back of our wireless network?

(f) What sort of authentication system will be used? For example, 802.11i offers EAP [Extensible Authentication Protocol) authentication and encryption using WPA [Wi-Fi Protected Access] and TKIP [temporal key interchange/integrity protocol] but this doesn't work for all devices. So the hardware/software/clients have to support the kinds of wireless protocols you are using. This means you need to plan ahead of time to ensure compatibility.

(g) What sort of encryption will be used? WEP [Wired Equivalent Privacy] as one example has challenges since keys are shared by everyone on the network and are manually changed. WPA [Wi-Fi Protected Access] has dynamically rotating pre-shared keys but they still need to be deployed manually. AES [Advanced Encryption Standard] supported by 802.11i is a good one to use but likely requires a hardware upgrade, new policies for deployment, and changes to security procedures. The 802.11i Wi-Fi [Wireless Fidelity] standard provides enhanced security, superior encryption, and uses Extensible Authentication Protocol (EAP), and measures such as using VPN and 802.1x authentications processes for end-users so if you are not using 802.1x now, it makes it harder to implement. Are you considering these factors?

(h) Should you be installing Virtual Machine software on the mobile computers to ensure a perfectly managed environment and prevent un-managed systems from entering your network. Un-managed systems are the greatest risk to create open doors for hackers to enter the business network. A user sits a home or at a hotel, browsing the internet and opening up attachments receiving hacker-generated programs along the way. These programs now reside on the un-managed computer waiting for access to other systems. The user logs into the business network and now the hacker has an back-door [open-door] to gain access to the business network stealing, not only information on the un-managed computer, but systems within the business network.

(i) If you have employees carrying around this sensitive information such as private business data or client data on their mobile computers and connecting to wireless networks outside the office, they again need to be concerned about public access to sensitive information on their mobile computer hard disks. "Evil twin" or "Wireless Phishing" are wireless networks specifically designed to steal information from you. For example, your employees are on the road and in a hotel and looking for available wireless networks (hotspots) to do their e-mail. They find an innocent looking wireless network that is free and sounds legitimate. However, this network is designed to steal information from the employee.

(j) Also, businesses need to protect against theft of the mobile computer since the sensitive data on the hard disks can be breached. Encryption, passwords, locked devices, virtual machine software, remote deletion, can be means to provide safeguards.

(k) If employees are operating from home and they have added computers at home, even a VPN [Virtual Private Network secure access] doesn't provide the necessary security. The internal business network can be exposed to anything the employee downloads at home. These employee downloads can contain spyware, viruses, trojans, and other dangerous applications that can breach the internal business network through the VPN. Policies about usage or Virtual Machine software can be used to provide protection.

Part 1/4: The Major Move to Mobile and Wireless: are you prepared?

I was interviewed on the topic of Mobile, Wireless, and Security several times this year however only a portion typically makes it to print so I’m blogging about it.

I encourage you to share your experiences here or send me an e-mail at sibaraki@cips.ca, Thank you from Stephen Ibaraki, I.S.P., DF/NPA, CNP
_________________________________

This is a four-part blog series:

Part 1/4: The Major Move to Mobile and Wireless: are you prepared?
Part 2/4: The Value of Security for Mobile/Wireless
Part 3/4: Managing Mobile and Wireless Security Effectively
Part 4/4: 5 Essential Tips for Mobile and Wireless Computing

Let’s make sure businesses realize that this combination of mobile and wireless is something they can’t ignore. Mobile computing will surpass standard desktops in purchases. The reason: extended battery life (example: 11 hours), major price drops (well under $1000), increased power (Intel and AMD dual-core CPUs.), flexibility, and an increasingly mobile workforce. Plus the majority of end-user business computing will be wireless by 2008. There are even forecasts that this will happen in 2007. Moreover, there is a buzzword that is happening: convergence! Mobile, wireless devices will have converged capabilities and support multiple network types. If you want one example, look at mobile phones two years ago and then compare to the new models coming out today with high-speed internet access, computing abilities, voice, e-mail, video, an mpeg player, built-in camera and more features as time goes on. Add to this Voice over IP (VoIP) allowing inexpensive calls using the internet, community (wide-area) wireless access (Wi-Max) that is free, and you have a list of benefits to businesses that just doesn’t quit.

Now, let us look at this a little closer.

First of all, mobile is really a separate category from wireless. Mobile computing encompasses devices such as laptops, notebooks, tablets, personal digital assistants or PDAs, mobile phones, and so on. In particular, mobile phones are increasingly becoming more powerful and an internet platform with the capability of handling rich media such as video. Look at new devices such as the Treo 700w (a fine Windows mobile), Nokia N92 (fall 2006), and Synaptics Concept phone (2010) and you will see what I mean. For example, in China which has nearly 400 million cell phones, or more than the next three nations combined, the platform for mobile computing and particularly internet access is the mobile phone and this is replacing the traditional PC.

The benefits for mobile computing are obvious. You can take your work with you. And it provides the flexibility increasingly demanded from the workforce such as telecommuting or working from home. Plus you can work while you are traveling such as from hotel rooms or other centers – you are not necessarily office-bound. This allows an increase in productivity from business employees of between 20 to 50% and savings on providing office infrastructure.

Wireless provides the capability of connecting with other devices to allow collaboration on projects and documents; sharing of resources such as storage and printing; managing inventory (using RFID); and providing easy accessibility to the internet. However wireless is available on both static and mobile devices. An example of a static device would be a standard desktop PC. All of this is possible without having wiring infrastructure. So adding PCs within a business is merely a matter of finding a location. However, when you combine wireless with mobile computing, a business derives maximum benefits. Employees can pick-up and go and still be connected. This can be within the same office, in a hotel room, at a conference, or even in a coffee shop. There are many hotspots (wireless connectivity points) within most cities today.

But you need to keep in mind that wireless also comes in different forms such as short distance (Example: Bluetooth used in wireless headsets); medium distance (Example: 802.11g used in a typically office allowing wireless computer connectivity; Wi-Max or 802.16 allowing connectivity over a city); and wider access for phones (2.5-3G networks, Digital Video Broadcasting for Handhelds [DVB-H], and 4G—the last two are future systems). Internet accessibility is a primary driver around wireless for computers and now for phones.

Essentially, most computing devices are now provided with wireless connectivity and particularly mobile computers. This trend will continue as more power goes to mobile devices. For example, at the CES (Consumer Electronics Show in January 2006), Intel released their Core series of computing chips which replaces their Pentium-M series for mobile computers. With Intel’s announcement came new mobile announcements from the big names such as Lenova (ThinkPad lines), Dell, HP, and Gateway. The new Apple notebook coming in February 2006 also uses the Core Duo. Dual-core first followed by multi-core will become the mainstream by late 2006 since it makes a lot of sense. We can't continue with Moore's Law ad infinitum so multi-core technology offers the alternative path with increasing processor performance with no corresponding added space, power consumption or heat dissipation requirements. That's why you are seeing it in all the new laptops and in the new Apple computers.

Widespread use is often driven by consumer acceptance. So let's see what's happening in this segment: rich media, digital video, large data sets, more processing power requirements but in a small form factor, low cost, low power, low heat dissipation, long battery life. Hey, dual-core or multi-core offers all of these. If there are consumer products supporting dual-core, what do you think will happen in the business market? It is just going to grow and mobile computing with it. When you get broad market acceptance at the consumer level, you will see this driving wholesale movement in the business space too! This means mobile computing and wireless is pervasive and will become more so—it’s time to plan for it and take advantage of its flexibility.

Linux, Open Source, and Microsoft

Rick has posted a couple of posts over on the CanITPro blog that talk about events that I’m either currently delivering, or will be delivering early next month.  In both cases, the topic of discussion is Linux, Open Source, and Microsoft.

Check them out, and perhaps I’ll see you at one of the events.

Barnaby

John Boufford, I.S.P. -- IT Governance: An Opportunity or Hindrance?

John Boufford, I.S.P., CIPS’ current National Vice President and incoming President for 2006-2007, has a compelling message that needs to be heard. John is writing and speaking on issues crucial to the profession and to businesses. His recent featured article appearing in the Financial Post Magazine is generating much needed discussion so John is blogging the article here. Moreover, John is co-presenting with Kerry Augustine, CIPS Manitoba President at the INFORMATICS conference in May: speaking on "Managing Business Risk through IT Certification." This session demonstrates the value of professional certification and professionalism to businesses.

_______________________________________

From: John Boufford I.S.P.

I spoke on Managing Business Risk through IT Certification at a security seminar this week.  The audience consisted entirely of certified security professionals.  The thrust of my presentation was the need for better IT governance and how CIPS’ programs contribute to more reliable IT processes.  From the questions, I think the message resonated with the audience.

This message is similar to my greatly condensed message appearing in the Financial Post supplement to the April 7, 2006 National Post.  The Financial Post article appears below.

IT Governance: An Opportunity or Hindrance?

Sarbanes-Oxley (SOX) is having a profound impact on the Information Technology (IT) profession.  Senior IT leaders are experiencing an increased concern with IT governance.  The Chief Executive Officer (CEO) is calling upon the Chief Information Officer (CIO) to attest to rigour in IT processes and projects before the CEO signs-off on the company financials.  Both the CEO and CIO have to work together to understand what the government regulations require and what is necessary to be in compliance with them.

Regulatory compliance demands rigour in IT governance.  Sadly, current IT governance practices as implemented in some organizations are not adequate as evident in the software failures that have occurred in the past few years.  In a 2005 report, The Hartwell Group identified 20 recent high profile [IT] glitches  that:

§         Affected more than 61 million people;

§         Resulted in more than $30 million in financial impacts (plus impacts such as lost business, project delays, loss of reputation, loss of customer privacy, and required additional medical tests); and

§         Had potential life and death impacts.

The effect of SOX and other regulatory compliance requirements will be felt well beyond its immediate sphere of influence.  While SOX only applies to publicly traded companies on U.S. stock exchanges, the IT audit community will promulgate the lessons of SOX IT governance well beyond that arena.  With so much at stake, will CIOs look for more than technical excellence in their IT recruiting practices? 

The days of the narrowly specialized are numbered.  IT professionals today require a broad IT knowledge, a variety of business experience, a strong foundation in emerging standards of practice, and a code of ethics that puts the public and employer interests ahead of their own.  CIOs and human resources executives will be looking for a way to identify these IT professionals.  Fortunately, there is a way.

Canada has a professional IT designation: the Information Systems Professional – I.S.P. designation (in French, Informaticien professionnel agréé - IPA) that identifies IT practitioners who possess the education and experience to practice IT at the professional level.  The “I.S.P.” is the only IT designation in Canada that is recognized by law as a self-regulating profession.  Currently, legislation exists in the provinces of British Columbia, Alberta, Saskatchewan, Ontario, New Brunswick and Nova Scotia.  (Other provinces are working toward legislation.)  The I.S.P designation is offered by Canada’s association of IT professionals known as the Canadian Information Processing Society or “CIPS.”

I have been calling on IT leaders to deliver the Information Systems Professional message.  They understand the importance of IT professionalism and governance, and how this translates into a more ethical and productive workforce that improves their bottom-line.  Quite fittingly, they are moving to adopt the I.S.P. designation in their organizations. 

The I.S.P. designation in association with regulatory compliance and IT governance is an opportunity for executives to take a leadership role in further aligning IT with business priorities.  For the IT industry and profession, this is a good thing.

Thank you John for sharing your thoughts and Financial Post article with the audience…

Cheers,

Stephen Ibaraki, I.S.P.

Microsoft News

Daily Newswire

Hu, Gates Expected To Get Down to Basics Seattle P-I - 4/17/2006 Experts say discussions Tuesday between Chinese President Hu Jintao and Microsoft Chairman Bill Gates are likely to focus on establishing a basic relationship that can lead to bigger things. Microsoft Tries To Mimic Boeing's Fortunes In China Wall Street Journal - 4/17/2006 In his first stop on a U.S. tour this week, Chinese President Hu Jintao will visit Microsoft and Boeing, two companies that have encountered different fortunes in China. Microsoft Shoots For Photo Search eWeek - 4/17/2006 Microsoft researchers are working on a way to search the Internet using photos captured by cellphone cameras. Microsoft To Sponsor World Cyber Games BetaNews - 4/17/2006 Microsoft has agreed to be the premier sponsor of the World Cyber Games competition for the next three years. Microsoft Subpoenaed In AMD-Intel Suit InternetNews - 4/17/2006 Advanced Micro Devices has subpoenaed Microsoft as part of its antitrust case against chip-making rival Intel. Big Players Compete For On-Demand Supremacy BusinessWeek - 4/17/2006 Oracle, Microsoft, and SAP are battling one another - and smaller players - to gain a bigger slice of the fast-growing on-demand software pie. RealNetworks Wins Patent Suit Over Ethos InfoWorld - 4/17/2006 RealNetworks says it has won a patent-infringement suit over downloading technology that Ethos Technologies brought against the company in 2002. U.S. Retail Sales Of PCs Have Strong Q1 CNET - 4/17/2006 Retail PC sales in the U.S. were fairly strong during the first quarter of 2006, as notebook growth continued to rise, and desktops made a bit of a comeback, according to analysts. Once-Wary Industry Giants Embrace Internet Advertising Wall Street Journal - 4/17/2006 After years of cautiously experimenting with Web marketing, powerhouse advertisers like General Mills and Kraft are cranking up online spending, underlining the Internet's threat to traditional media. In Silicon Valley, A Man Without A Patent New York Times - 4/17/2006 Geoff Goodfellow came up with the idea of wireless e-mail, but he will never see a penny of the $612.5 million payday that has resulted from the technology. Filmmakers Flock To The Internet CNET - 4/17/2006 More and more filmmakers and animators see the Web as an alternative to the mainstream moviemaking industry and are showcasing their short films on the Web. USA Network To Air Video-Game League Play Wall Street Journal - 4/17/2006 Major League Gaming has signed an agreement with USA Network to air its video-game tournaments on the cable-television channel.

Media and Entertainment News

Windows Media Player Upgrade Is On The Way CNET - 4/17/2006 Microsoft is on track to release the Windows XP version of Windows Media Player 11 before the end of June and is building it into the Windows Vista operating system.

.NET News

Q&A: Microsoft's Web Services Path BusinessWeek - 4/17/2006 Blake Irving, corporate vice president of the Windows Live Platform Group, discusses how Web services are moving from the desktop to the Internet and how that changes Microsoft's thinking.

Enterprise Server and Tools News

Microsoft Mass Market Play Targets Enterprise Tools eWeek - 4/17/2006 Microsoft is bringing a mass market approach to enterprise tools as the launch of its Team Foundation Server rounds out the first release of its enterprise toolset. Oracle Considers Adding Linux OS Financial Times - 4/17/2006 Oracle is studying whether to launch its own version of the Linux operating system and has looked at buying Novell in order to acquire a system, CEO Larry Ellison says.

What constitutes "Good Management?"

Enough material to fill several warehouses must have been written on Management over the centuries, yes centuries; the need for and challenges of management are hardly new! Major construction feats, such as the Pyramids etc. didn't "just happen". So what's new about today? Frankly not a lot!

That's not to say that we don't have a better grasp of the challenges, are better educated, etc. but we are still dealing with the same fundamentals. Equally I wouldn't dare to suggest that reading on the subject wouldn't be enlightening or valuable. There are many very erudite people who study it for a living. But for me my very varied 30 years in management/supervisory positions (plant operations in a unionized environment, engineering, technical, project, IT) has convinced me that management is very much a "practice" and not a "principle".

There are only 3 components to every management position; 1) administration (don't we just love the admin?), 2) the "task/objective" to be accomplished and 3) the resources to accomplish the task/objective, which includes people, equipment and money. To understand better what constitutes "good" management let's first look at what constitutes "bad" management. Now I realize that I am trying to discuss absolutes and life doesn't work that way. So please cut me some slack on that otherwise the discussion can get very convoluted, especially if we start to introduce "company politics" and "personal ambition", ie. what might be good for the individual manager might not be good for the company in the longer term, etc.. I will leave such debate to those who write books on the subject and I don't claim any right to be in such exalted company.

Where things often go wrong is that most of us are more comfortable dealing with the "inanimate", ie. focusing on admin, the task/objective or equipment rather than the "animate", ie. the people. People are "difficult" don't you know. Unfortunately, it's the people who accomplish the task/objective and/or operate the equipment. I have emphasized the "practice" of management and I have been on a number of excellent courses over the years, all of the best ones were "practical" in nature, ie. short on theory and long on practice, eg. role playing based on "back home" real situations, group discussion on experience, etc.. One that I fondly remember was entirely devoted to "industrial relations". It was actually quite good fun to role play a shop steward; some people were amazingly good at it! BTW I was told don't expect "traditional" persuasion approaches to work on shop stewards or spouses!

The main point here is "forget the people at your peril". Much is made of "teams" today and personally I have always been very team oriented; the manager may "lead" the team but they must also be part of the team! So team building is obviously important. But wait a minute, a team is a "collective" of individuals (sounds like the Borg). One cannot consider the team without paying attention to every single individual in the team. Unlike the Borg we are not drones. We are all different with different needs.

Another course that I attended took an interesting approach by using movie clips to illustrate management situations and challenges. How many of us go to the movies and really "see" the movie in that way. We primarily go to be entertained (I won't discuss the other reason, principally because I cannot remember that far back -)). I found this quite enlightening and I had a new found admiration for the screenwriters who understood enough about people to be able to weave it into a story so expertly. The movie that I remember the most was a WWII movie called "Twelve o'clock high", which is about a squadron of American pilots based in England. Since the course I have seen it several times on TV and every single time I get some new insight into what the movie is really about.

So what did all of these courses and experience teach me? Management is a balancing act akin to the high wire at the circus. If you don't pay attention to all around you, you are going to fall heavily! More importantly I learned "how to balance". If we think in very simple terms of 1) the task/objective, 2) the individuals and 3) the team, then I learned that over time you MUST give equal attention to each one. But isn't the "task/objective" the "thing" I hear you cry? It may be the ultimate "goal" but it's not how we get there!

Typically people get promoted into management/supervisory positions from a related "subject matter" role often without any "people skills" training. So they are still in their "comfort zone". Unfortunately, this often leads to a "task oriented" approach where the manager is tempted to spend too much time in the "kitchen". Then they wonder why the team is sitting back and waiting for them to "fall". Training costs money don't you know and the budget won't stand it! Lack of training costs a lot more money in the end and you may just be setting the individual up to fail, when properly handled they may have proved to be a valuable resource.

Over the years I have also picked up a few "little pearls of wisdom" from my own managers, which have helped me to overcome some of the things that I, and I suspect others, have had difficulty with. For example, timely decision making is an important component of management. Quote, "there is no such thing as a right decision; there are only less wrong ones". We can never be in possession of all of the facts and the decision that you make today may not be the one you would have made tomorrow, which leads to, "making decisions is easy; living with the consequences is the real problem!". I have never forgotten both of these and I still keep them in mind to this day in "running" my life.

Now I realize that nobody can even touch the surface in a few paragraphs when it comes to discussing management. However, I would like to promote the KISS principle of management, not because I think that management is "easy" but rather because it is "difficult". I have found that the formula that I have outlined here has worked well for me; take care of the individual and the team and a lot of the task/objective will take care of itself! Practice at being a good "leader", "guide" and "coach" and you will be a long way towards being a "Good Manager".

Knowing the nature of the topic, there are no doubt people out there who may totally disagree. That's absolutely fine. Either way let's hear from you.

Cheers
Graham Jones

CIPS, Microsoft, IAMCP: Vancouver Channel Builder Meeting

I saw this notice and thought, what a great opportunity for everyone. So here's the blog:
____________

Find Out How to Build Your Business with Microsoft

The Canadian Information Processing Society (CIPS), The International Association of Microsoft Certified Partners (IAMCP) and Microsoft Canada cordially invite you to join us May 17th at The Hyatt Hotel in Vancouver to attend an evening cocktail reception with Chris Olson, Senior Marketing Manager, Independent Software Vendor Strategy Group, Microsoft Corporation.

Microsoft recognizes the value of the technology partner community and has developed a number of programs designed to help technology partners grow their business. Chris will provide insight into the programs that can help your company expand its reach to partners and customers as well as licensing options to help you drive revenue.

Please join us on May 17th

Time:
5:00 p.m. - 6:00 p.m. – Registration and networking (Cocktails and appetizers)   
6:00 p.m. - 6:45 p.m. – Presentation from Chris Olson, Microsoft Corporation
6:45 p.m. - 7:30 p.m. – Partner networking.
 
Location:
The Hyatt Hotel , 34th Floor
655 Burrard Street, Vancouver, BC
 
Cost and registration:
There is no charge for this event but pre-registration is required.
To register online click on the following hyperlink: http://cips-vancouver.org/opencms/opencms/events/msevnt/msreg.html
 

Do not hesitate to contact us for further questions:

CIPS Vancouver Section
Suite 102 - 211 Columbia Street, Vancouver B.C., V6A 2R5, Ph. (604) 681-2796
Comments and Suggestions to: vancouver@cips.ca
Web Site Issues / Questions to: info@cips-vancouver.org

For more information on the IAMCP, visit, www.iamcp.org/canada     

For more information on CIPS, visit, www.cips.ca

For more information on Microsoft Canada, visit www.microsoft.ca      

______________

Enjoy :)

Stephen Ibaraki

Understanding Software Assurance

I recently had the opportunity to talk to Eric Jewett, Sr. Marketing Manager for Software Assurance about some of the announcements we have recently made around Software Assurance.  Eric wrote up the following article to help IT Managers understand the value of Software Assurance.

—————————————

On March 13th, Microsoft launch a number of new benefits and enhancements to Software Assurance based on customer feedback, including 24x7 Problem Resolution Support, Desktop Deployment Planning Services and Virtual PC Express (early availability of part of Windows Vista Enterprise). The release was part of our commitment made when Software Assurance was first released in 2001 to continue to improve and evolve it to meet customers’ needs.

Software Assurance is Microsoft’s maintenance offering for Windows, Office applications and servers that helps customers get the most value from their Microsoft software through a broad range of benefits. Microsoft Software Assurance combines over 15 benefits, including the latest software with 24x7 support, partner services, training, and IT tools that help customers plan, deploy, use, maintain, and transition their software solutions. Enabling customers to stay current with the ever-changing IT landscape and leverage technology and resources to migrate or transition their software. With SA, companies gain more flexibility, support and tools to deploy and maintain software. IT Professionals and Information Workers increase their productivity with exclusive features and new software versions.

In early June, customers with SA on Windows will be able to deploy Windows Fundamentals for Legacy PCs on older hardware to get the security and stability of Windows XP on machines that may still be running Windows 98 or NT. In November, they will receive an exclusive version of Windows called Windows Vista Enterprise, which includes data protection, application compatibility and Mutli-Lingual Interface (MUI) functionality.

If your Volume Licensing agreement with Software Assurance started before March 13th, then you can receive even more SA phone incidents if you take advantage of a promotion to activate the 24x7 Problem Resolution Support benefit before June 30, 2006. For these customers, they will earn SA phone incidents based on their SA spend from September 15, 2005 when the SA 2006 enhancements were announced through the end of their agreement.

Premier customers with SA can even transfer their SA phone incidents into their Premier agreement to receive higher service levels and TAM coverage.

Customers must choose Software Assurance up front at the time of Software Assurance. Partners often play an important role in helping customers activate and start using their benefits immediately to realize the value of their invest­ment over the term of the license agreement.

You can learn more about the benefits at http://www.microsoft.com/licensing/progams/sa or by watching webcasts about the benefits at www.sawebcasts.com.

Eric R. Jewett
Sr. Marketing Manager, Software Assurance Value

—————————————
Thanks Eric for sharing that information with us.

If you have any comments or questions, leave us a comment.

 

“…G2G, POS!!”

I recently had the opportunity to sit down with Gavin Thompson, Microsoft Canada’s Director of Community Affairs. In addition to working on initiatives to help children and youth realize their potential through technology, working with community stakeholders to create initiatives that bridge the digital divide in Canada and empowering Microsoft Canada employees to be active volunteers in their communities – a large part of his role is to ensure that we do what we can to keep kids safe online. I asked Gavin to share his thoughts on how Canada is doing with respect to this issue and what we can all do to help out.

———————————

"…G2G, POS!!"

I’ve been getting the feeling lately that kids don’t like me. I get a lot of dirty looks from them when I talk to their parents about research I have done and what we have learned their kids are up to. It may be the fact that part of my role at Microsoft Canada is to help parents and educators de-mystify what kids are doing when they are online and give them the resources they need to help keep them safe when doing so. We have heard the term that parents are "technical immigrants" of today’s society, while children are the "technical natives" and I was recently very surprised to see a growing gap in perception about what kids are actually doing on the internet and what their parents think they are up to. In late January, I worked with Ipsos-Reid on a research survey titled "Untangling the Web: The FACTS About Kids and the Internet", and we found that more teens have been exposed to "risky" situations online than parents believe:

• 16% of teens report they have been in a chat room while someone was being bullied (versus 9% of parents who think their teen has encountered this situation).
• One-third (34%) of teens say they have been asked for personal information such as their last name, address or phone number from someone online (versus 25% of parents who think their teen has encountered this situation).
• While only 7% of parents of teens believe their child has shared personal information with someone online, more than double this proportion (16%) of teens report having done so.

Many teens have also encountered other ‘risky’ online situations:

• More than one-half (52%) report having seen inappropriate content such as pornography, violent or hateful messages while online.
• Four-in-five teens (79%) report receiving junk email spam and seeing online ads for gambling.
• In addition, one-in-five (20%) report having been a victim of "phishing".
• Perhaps one of the most disturbing findings of the study is that 10% of teens admit to having inappropriate communication with an adult while online.

We recently finished a cross-country tour that gave parents these facts and provided them with the tools they needed to keep their kids safe and Microsoft Canada employees continue to work in their communities giving presentations and seminars to parents and teachers to shed light on this issue. During these presentations, parents across Canada asked us "What software is available to keep them safe?" and "What controls can I put on my computer to keep them safe?" – but the biggest resource available was, simply put, them: The best way to help keep kids safe online, as a parent, is to talk to them and to get involved in their web activities. If you are a parent, or know one who has questions – check out www.bewebaware.ca it is a great resource for parents and builds their comfort level for interacting with their children about safe online experiences. Another great one is http://safety.sympatico.msn.ca/ which provides lots of tips and is a great all-around resource for parents. While the Internet is a rich and stimulating place for kids, like every other place – it is not without its hazards. We will continue to help give parents and educators the tools they need to keep kids safe when they are online. I hope you will join us to help spread the word and tell parents what their kids are up to when they are surfing the web.

If kids don’t like me right now for that reason – I can take it. Keep the dirty looks coming.

——————————

Thank Gavin for taking the time to provide us this great information. If you are a parent, be sure to take a look at the links Gavin provides.

Barnaby

oh, for those of you that haven’t figured it out yet (or don’t have kids to help you):
…G2G, POS!! = …Got to Go, Parents over Shoulder!!

Interface - Where Technology and people meet

I seen this link on one of my friend's blogs (John Weston) and while I haven't had a chance to see the whole thing yet,  there seems to be a good conversation about it on our internal email DL's.  It's a MS sponsered online show about the impact of IT on our world and lives.  The site's tag line is as follows.

InterFace is a television show about the impact of information technology on our world and our lives. Information technology is transforming our everyday lives, often at a rapid pace. Sometimes this transformation is right in front of us; other times it's hardly visible. InterFace looks at the invisible boundary, the place where people work, play, and live with technology, the point where technology transforms us.

I plan to finsh watching it tonight when the kids go to bed as I'm hopeful that tonight is the night my two young sons will sleep thru the night :-).

You can check it out at http://www.interfacetvshow.com/episode1.asp

I always love to see how technology can help people and would enjoy to hear any stories that you may have! 

take care

John

Implications of the 85/95 Rule of Project Management I

In my last column, I tried to show that a good Project Manager can calculate odds, and understands the importance even a ten percent increase in the success of a project. But what if the volatility of the project is greater than ten percent? For example, what if having a mediocre PM means the project has a 70% of success but a good PM can bring it up to 90%? How can you estimate the odds correctly? Just as importantly, is it good for your career to take on projects with a large Delta? Here's a guide:
 
So the first thing a project manager should do to correctly estimate odds is go to the owner of each task or subtask in a project and ask for that person's opinion on the probability of success or failure in the time allotted. They will give you a percentage or say "I don't know."
And for heaven's sake, you are asking them their opinion, not telling them your expectations. Cripes, don't queer the data collection just yet, you moron. Ask them what needs to be done to up the percentage of success. Don't expect good answers.
Next day, or next week if you have the time, go around and ask them again the same questions. For people who still say, I don't know, negotiate politely a WAG (Wild-Ass-Guess) out of them. Expect the WAG to be somewhere between 50%-75%. Carefully take note of the conditions that have been stated by the stakeholders. Always assure them that you are not going to hold them to their predictions and beat them over the head if things start going south.
Tally up the numbers. You should have anywhere from 3 to 10 tasks with percentages ranging from 49% to 99% . Going deep (having a lot of tasks) is good because it shows you've done a lot of research & talked to a lot of people. Now you should have two numbers: the expected success percentage of the project without conditions and the success percentage with conditions.

The delta of these two number is what's important. I've listed a chart below with sample success percentages and what this means:

Example #1
Success without conditions: 95%
Success with conditions: 99%
Delta is 4.

This is a great project to undertake if you are lazy and don't want to get fired. Basically, it's going to be a success even if you only show up at the office for 2 hours of the day. The downside is that it's probably going to be a boring ride. But boring is good when the economy is bad or you just finished a project from hell and need some down time.

Example #2
Success without conditions: 50%
Success with conditions: 90%
Delta is 40.

You will work hard on this project but your efforts with be appreciated by members of your team. This is a good project to take especially if Those Above You are willing to award Glory Points for success. The downside of this project is that if some of people who quoted the percentages were wildly optimistic, you could get hosed. The bigger the Delta, the more you have to scrutinize the predictions.

Example #3
Success without conditions: 60%
Success with conditions: 75%
Delta is 15.

Even though the percentage of success has only dropped by 15 points, you should run away very fast from projects like this. Remember that people's perception of project success are fundamentally flawed (too optimistic). So you're going to work very hard on this project, people are going to expect success, but you have a very significant risk of failure. ANY project that has a success with conditions percentage of 60% to 75% should be avoided, but the absolute worst are the ones with a big delta, which means you need to bust your rear end and still end getting zero glory points.

Example #4
Success without conditions: 15-25%
Success with conditions: 49%
Delta is 14-34.

These types of projects are common in R & D. As the success rate drops below 50%, so do people's expectations. These projects are attempted because success means a big payoff. Or at least it should. If you are project managing one of these suckers, you are either a) Entitled to some serious bon-bons like a bonus or promotion if you pull it off or b) having a lot of fun because of the nature of the work. If the answer is c) Neither then I recommend digging out some resume templates when you have a minute.

In conclusion, and it bears repeating over and over, you want to be high (85+) or low (under 50). Getting stuck in the mushy middle happens every once in awhile but if it happens continually then there's a problem with your organization or maybe you.

Watch the Delta too, you should try to alternate between high and low Delta projects or else you run the risk of burning out.

 

DJ Dunkerley
Senior Product Development Professional
http://lastdaysoftheloneranger.blogspot.com/

Patricia MacInnis Computing Canada’s Editor talks with Bernard Courtois, President of ITAC

There are those special industry voices that need to be heard in our forum. They provide great insights and create a wonderful context for their views.

I just finished an interview with Patricia MacInnis, Editor of Computing Canada. However her recent March 17^th editorial just struck a chord with us in this forum; so we invited Patricia to guest blog it. She connects the dots giving us the big picture!

Here's Patricia blog from her editorial: Computing Canada, March 17, 2006, Vol. 32 No. 4

I've always regarded ITAC strictly as a vendor association representing the interests of its various members and lobbying -when necessary - on their behalf. While that assessment is accurate, it is not complete. ITAC's interest in the overall health of Canada's information technology and communication sector is not to be discounted.

Courtois and I had a frank discussion about the state of affairs in Canada's IT industry, mulling over such topics as the impending skills shortage, productivity gaps between Canada and the U.S. and the impact of offshore outsourcing. It was one of the most illuminating conversations I've had in recent months.

Let's begin with the productivity gap. Courtois told me about a recent study conducted by the Centre for the Study of Living Standards in Ottawa that shows that small and medium enterprises in Canada are falling behind their U.S. counterparts in terms of investing in IT and communication technologies. In 2004, information and communications technologies investment per worker in the Canadian business sector was 45 per cent of that of the U.S.

Part of the reason for the discrepancy, Courtois said, is the hyper-competitive environment in the U.S.'s SME space. South of the border, SMEs see advanced technology as a key advantage in gaining a competitive edge. And although SMEs comprise the majority of businesses in Canada, SMEs here have been lulled into a false sense of security, Courtois said, relying on what has traditionally been a relatively low Canadian dollar. But with the strength of our dollar in recent years, small and medium businesses must find new ways to compete in the world market. Technology, Courtois argues, is the obvious differentiating factor.

The next trend we reviewed was the drop in enrolment in post-secondary IT education across the country, a multi-faceted problem. Computing Canada has followed this issue closely over the last few years, but Courtois was able to shed new light on the domino effect that goes hand-in-hand with decreased enrolment.

Courtois said he's found that some uninformed high school career counsellors have been steering students away from careers in IT since the dot-com bust. The news that the industry has had a marked recovery since then apparently has not made it to some schools.

ITAC, along with the Software Human Resources Council and other industry associations, has been warning of an impending skills crisis. If our colleges and universities aren't producing enough Canadian IT grads, Courtois insists we will have to look beyond our borders to fill those vacancies. One logical choice would be India, which is producing large numbers of well-educated graduates, especially scientists and engineers.But it's going to take a holistic effort from all sides of the industry to maintain our position as a leader in the development and adoption of information technologies. And the time to begin is now.

____________________

For more than 30 years, Computing Canada continues to serve the needs of Canada’s information technology management community—You can request your free subscription at: www.itbusiness.ca/CC/subs

____________________

Thank you Patricia for sharing your insights with the audience here at CIM and we look forward to more posts.

Stephen Ibaraki

Computing Canada (CC) “Blogged Down” – interview with Ben Grebinski: Superintendent of School Operations, Administrative Services and Technology, Regina Catholic Schools

There's a new editorial feature, Blogged Down (BD), in Computing Canada (CC) where editor Patricia MacInnis features an upcoming interview that appears here in the Canadian IT Managers forum (CIM). Computing Canada (CC) is the oldest, largest, most influential bi-weekly business/technology print publication with an audience that includes more than 42,000 IT decision makers in medium-to-large enterprises.

This is the fifth interview in the series Blogged Down. The interview is with Ben Grebinski, Superintendent of School Operations, Administrative Services and Technology, Regina Catholic Schools. In 2005, Ben was the recipient of the 2005 Computing Canada IT Leadership: IT Executive of the Year Award. The Computing Canada IT Leadership Awards represent the highest of honours for the industry with an estimated size of 500,000 to 800,000 professionals:

To listen to the interview directly, click on this MP3 file link.

In the interview Ben shares his views on:

The first CC Blogged Down interview was with software architect and Microsoft MVP, Roger Sessions appearing here Jan 10, 2006: http://blogs.technet.com/cdnitmanagers/archive/2006/01/10/417165.aspx

The second CC Blogged Down interview appearing  Feb 7, 2006 was with cryptologist and security authority Bruce Schneier: http://blogs.technet.com/cdnitmanagers/archive/2006/02/07/418933.aspx

The third CC Blogged Down interview appearing March 10, 2006 was with senior protocol analyst and security expert, Laura Chappell: http://blogs.technet.com/cdnitmanagers/archive/2006/03/10/421727.aspx

The fourth CC Blogged Down interview appearing March 21st, 2006 was with Trevor Eddolls author, editor, founder and CEO of iTech-Ed ltd: http://blogs.technet.com/cdnitmanagers/archive/2006/03/21/422529.aspx

I also encourage you to share your thoughts here on these interviews or send me an e-mail at sibaraki@cips.ca.

Thank you,
Stephen Ibaraki

People - A company's greatest asset

Many factors influence the success of a company, but none so much as its employees. Of the three Ps, People, Product, and Process, which contribute to a successful project or company, it is the caliber and composition of the staff that provides the greatest predictor of success. I suspect HR professionals intrinsically appreciate this, as "people" are their currency. But in IT, "product" is our currency and "process" is the mechanism by which we craft our product. Inadvertently this often creates an environment where attention to the people component is not given the appropriate level of attention.

I am being pretty abstract, so let's refer to an example I am sure you are familiar with.

A few years ago I worked on a project which received an award for process innovation. As a consultant, I was brought in to a hospital to assist in reengineering their Assessment Centre ("AC"). The AC performed third party assessments on patients' injuries to aid in the creation of treatment plans and resolution of legal disputes. In just a few years the AC had become tremendously successful for the hospital, and it had outgrown their run-your-company-by-Excel processes. We spent close to three years evaluating the business, mapping existing and to-be processes, determining requirements, appraising and selecting vendors, and then implementing the solution. Looking back, the time and energy expended on selecting any one of the several products that were part of the solution completely dwarfed the effort to secure the absolute best people to work with the solution. Yet ultimately, this was a solution to support complex case management, emotional treatment and legal decisions, and a myriad of case exceptions. The importance of the staff to the success of this project far outweighed the products we spent so much time meticulously evaluating and selecting.

Yes, that is correct, I am saying our effort selecting the software products and our effort selecting the people should have been reversed. For this reason alone, I believe the project was not nearly as successful as it should have been. Here is another example:

I am presently involved in the implementation of a clinical Oracle application. It took us over a year to select Oracle as our platform. Industry regulations and governance concerns placed a significant burden on our evaluation and decision making process. Ultimately the CEO and multiple VPs of our Fortune 20 company signed off on this product. Conversely, the project lead was hired through a cookie-cutter process. The effort expended to hire her was only nominally greater than hiring a non-knowledge worker. And yet, the project lead will have a huge impact on the success of this project. (Fortunately for me, Rebecca is brilliant!)

I will skip the governance issue altogether except to suggest that from the governance perspective a "bad choice" of person should be at least as equal a concern as a "bad choice" of product.

The difference between Oracle, which is best of breed in this product class, and the tier two products is not as great as the difference between a mediocre project lead and a great project lead. Put another way, a good project lead will make up for some inadequacies in the product, whereas a good product is not as likely to make up for inadequacies in the project lead.

A solution can be successful with less than ideal products. In the late 1980's Microsoft bundled Word, Excel, PowerPoint, and Mail together into the first version of Office. At the time these individual products were generally recognized as second- rate products. Yet the resulting suite was enormously successful. When people are a critical part of the solution, can the solution be successful with second-rate people? I will argue that this is often one of the highly overlooked areas of unsuccessful projects.

A lot can be said about the advantages of good people. Here is one quote that I like: "The best thing that can happen to any software project is to have people who know what they are doing and have the courage and self-discipline to do it. Knowledgeable people do what is right and avoid what is wrong. Courageous people tell the truth when others want to hear something else. Disciplined people work through projects and don't cut corners." To this I will add that in any project many of the greatest challenges are in handling the exceptions. Again, an intelligent person is better equipped to handle the unanticipated than a strong product or robust processes. But a career bureaucrat is going to do more harm than… You get the picture.

And what of the financial aspect? In my earlier example doesn't Oracle cost many times more than the project lead? Let's look at this. The overall implementation runs in the low millions of dollars, but much of that cost is independent of the product. (i.e. training costs, servers, consultant fees, etc.) The product cost, in this case the Oracle licensing, runs in the low hundreds-of-thousands over five years. The project lead will be in the mid hundreds over the same period of time. The project lead, without accounting for any other "people", has a bigger impact on both project outcome and project cost!

Have you performed an evaluation for a new enterprise product recently? Have you hired somebody recently? Which was more involved? [Nodding Head] Uh huh, I thought so. (Don't fret. This is true of every enterprise project I have ever worked on.)

People are a company's single greatest expense and they are the single greatest determinant if a task, project, or company as a whole will be successful. Don't skimp on your people. The marginally extra cost should be one of the easiest ROI models to defend.

I will follow up with some strategies on how to ensure you are retaining the best talent.

As always, I am curious to hear your feedback.

Adam

What Value Vista?

On March 23 I wrote an entry entitled "What Price Vista". Let's face it nothing new or better comes without a price. I always intended to try and balance the scales by starting to look at what we are getting. It is unfortunate that the first thing that you notice about Vista is the "jazzy" Aero Glass interface. At times we are all guilty of judging a book by its cover!

In this post I would like to suggest some features that I like (just my views) that might just be worth the "price of admission", or are nice to have, both for the average user and IT Pro. I do not claim this to be an exhaustive list of benefits. That is extensively debated in many places. Nor do I suggest that this is my personal final list but more of an interim one. Vista is a "huge" product.

One of the things that frustrates users is "gobbldigook" error messages which are often of no use to anyone. In that regard I think Vista has taken a giant leap forward. Not only are the messages more intelligible but they are linked to an issue resolution system, which can help the support people and the more knowledgeable user. For example, I added another 512MB memory to make a total of 1GB. All was fine for a while but then the occasional dreaded BSOD ("Blue Screen Of Death"). Ok, I am running beta code. But it got worse and Vista said "it could be me (humility is also now built in:)) or it could be your memory. Download this utility using this link and do a memory test". Low and behold I had some bad memory. I replaced it and no more BSOD's (for now at least:)). This is only illustrative of a wider range of helpful diagnostic tools that are built in. For example, "Why does my PC take so long to start-up and shutdown?" "Why is my PC getting slower?". It actually tries to tell you without you asking, giving suggestions as to what to do.

I am not totally sure what to make of the hardware rating system just yet, which I realize is still evolving. On the other hand it could be helpful to the consumer or possibly the IT Manager in matching needs to hardware requirements. To be effective though it certainly appears to need some refinement. For example, I got the definite impression that if I added the extra memory I would get some real "bang for my book". The rating stayed the same! Perhaps it is a little too course? Logically the "actual" performance has to be better but the rating system didn't reflect it.

Although I was somewhat critical of the new graphics demands from a cost/upgrade point of view in my previous post, there are some nice features other than the "glass":). When you have a lot of apps/windows open, the Taskbar Preview is actually quite helpful. This is the feature that shows a "thumbnail" of the window as you mouse over the Taskbar. In a somewhat more dramatic fashion we have the "Flip 3D View", which is basically Alt-Tab on super steroids. You can flip through the windows displayed in a perspective 3D view using the scroll button on the mouse. They even appear to come out of the screen at you! "Windows key" + Tab brings up the view (make sure to keep them both held down and use the mouse wheel to flip through the windows). I am sure that I could survive without it but it sure is "cool":).

We now have autorecovery of apps. Well at least we have a genuine attempt. So far it doesn't always work. If an app crashes Vista tries to tell you why and return you to where you left off. This of course should never be a replacement for "save often or live to regret it".

Security is always a hot issue and has been a sore point with many people. XP SP2 took things a step in the right direction with the introduction of a stateful host-based firewall. In Vista that has been extended to cover both inbound and outbound firewalling. At the advanced level it can be configured in a number of other useful improved ways. The following link explains it far better than I ever could: http://www.microsoft.com/technet/community/columns/cableguy/cg0106.mspx. The important point is that the IT Pro has a much improved set of tools.

Many people have their favorite DVD burning software (a whole argument can develop over which is best:)). However, at least now burning DVD's is now built in rather than just CD's as in XP. It may not have all the bells and whistles like Roxio or Nero, etc but it is better than nothing. Besides I can only assume that Microsoft want to steer a careful path and not get into more "legal" difficulties!

That's enough for now. I will post again when I have had more time to evaluate/research other features like the Network Centre, disk imaging, backup, deployment, etc.. One area that I haven't mentioned is Windows Explorer. Quite frankly, so far, I am having some difficulties adjusting to the changes. At this point I am prepared to accept that I am so used to the way that it is now in XP that I haven't yet adjusted. From a user perspective this could be one of the more important/challenging/contentious changes. So from a personal standpoint the "jury is still out" on that one. Look for more on my views on Vista in a little while.

Cheers

Graham Jones