Tuesday, April 29, 2008

PCI - the mess of security

Having spent some years in the computer forensics industry, I can tell you that criminals today are very smart. They look for the path of least resistance, they are very determined to find the data they want, and they have the tools to accomplish the task. In recent years the credit card industry has congealed around a set of standards for credit card security, called the PCI standard (Payment Card Industry). Prior to that, each credit card company maintained its own set of standards, making it very difficult for merchants to keep up. This new standard is still evolving, yet many of the merchants are still trying to meet the bare minimum. This is a tough problem, as we have a real war going on - the criminals getting smarter about how they steal data, and the industry trying desperately to put in place standards to stop them.

The reality is that we will never be able to stop these criminals. We can slow them down, and make them work much harder to find what they are looking for, but we will not be able to stop them completely. Even now, as merchants are becoming compliant with PCI standards, they are still suffering from data breaches. Take the story of Delhaize Group, who on the same day that they received notification of compliance with PCI also received notice that 4.2 million credit cards may have been stolen (as reported in today's Wall Street Journal). This breach was not a result of poor implementation of PCI standards, but rather was a result of the criminals understanding PCI as well as anyone in the industry, and finding a new access point for the data they wanted. Rather than attacking the data in transit, or at the point of sale, they actually attacked the internal network of this company, where PCI has no rules regarding the safety of the data. Once the data was within the company's network, it was assumed that the data would be safe.

Criminals are very smart, and since security standards are open, they can keep up with them just like the rest of the industry can. PCI is not the silver bullet for protecting our data: the real answer is that those who have our data need to start treating it as a precious commodity, and understand its real value. Security is not cheap - encryption slows down access to data, and key management is always problematic. Putting in place rules and regulations regarding who can access the data is a pain, and keeping anti-virus and anti-spyware applications updated and functioning on a network are difficult tasks - but these are all steps that must be taken to make it more difficult for criminals to find our data. Until companies view PCI as the minimum bar, take steps to really protect our data from end to end, and view themselves as stewards of important data, the criminals will find the paths of least resistance around the security measures.

Securing our data is less about adhering to standards, and more about shifting the mindset of corporations. Until that happens, our data will be vulnerable.

Saturday, April 12, 2008

Net Neutrality

The argument about Net Neutrality has been going on for a while now. I was first introduced to the topic when working at my last job, where our business success was tied to ensuring that our filter product didn't get in the way of anyone's fast internet connection, which they were paying good money for.

The Wall Street Journal recently reported that the 100 million streaming videos that are watched daily account for as much bandwidth as was used in an entire year in 2000. With the advent of sites like YouTube, and with TV networks posting full episodes of their shows, the pipeline into our home is again getting constrained, much like in the days of dial-up access, and will soon slow to a crawl again if Internet content and usage remains on the trajectory that it is on.

So, the providers of those pipes want to start charging on a "use more, pay more" model. And Congress wants to stop it by passing a law that the Internet must remain free (or at least that our flat-rate model needs to remain intact). Thus, the net-neutrality debate.

CIO magazine has posted this commentary on the topic, which I found quite interesting. It is about 5 minutes long, and certainly provides some food for thought.

Monday, April 7, 2008

The Futuristic CIO

I am attending the Gartner symposium this week, on the topic of "emerging technologies". After a full day of breakout sessions, it seems that there is a theme running through the track that I have chosen. It is that the futuristic CIO is going to be very different from the CIOs today. Many of the current CIOs could be CTO in another company - they are very technically-minded, understand technology in at least a broad sense, and some are even quite deep in some technical areas. They are concerned about uptime, managing risk and maintaining business continuity. They manage technology, and consider themselves to be a service organization to the business.

The CIO of tomorrow will be very different. They will be concerned about maintaining services, and providing good experiences for all consumers: both internal and external to their company. They will be an integral part of the business, not a service organization to the business. In fact, they will be part of business decisions, not looped in after the fact to simply enable a prior decision to be carried out. They will be concerned about managing information, not technology (these are very different things, incidentally). The CIO of tomorrow may not even have a technology background - they won't need to even understand technology very broadly at all.

Very interesting. And vaguely familiar...(I posted a blog entry last year on this topic). It will be fun to watch the CIO role evolve over the next few years...

Friday, April 4, 2008

Technology Projects: Thin line between Success and Failure

This article from today's edition of the Wall Street Journal really leaves me scratching my head. Here are the facts:

- The Census Bureau is scrapping the use of new, hand-held devices to complete the 2010 census, for which they paid $600 million to a high-tech company for development
- The cost of NOT using them will add an additional $3 billion to complete the census
- The effort to fix the devices so they can be used in the future will double the value of the contract to this high-tech company, raising it to $1.3 billion

But, here is what really makes me crazy. According to the contracted company, the devices reportedly operated with 99.5% accuracy. The reason that they won't be used is reported as the lack of "comfort level" of using them by the Census Bureau. According to the Census Bureau, the reason for the failure boiled down to scope creep.

So, the bottom line is that as a result of spending $600 million to successfully complete a project (99.5% accuracy has to be considered a success), the government will now spend an additional $3 billion to complete the census, and will then tack on an additional $700 million to "fix" the successful project - all so that the agency can be more "comfortable" using the devices. All of which could have been resolved with better requirements management throughout the project.

So, who ends up footing the bill for the $3.7 billion cost of poor requirements management? The Project Manager? Nope - the U.S. taxpayers.

Personal Note - cancer update

It is hard to believe that it has been only 6 months since I completed my cancer treatments. To me, it really seems like much longer. I guess that is an indication of how quickly my life got back to "normal" - whatever that is. Many people have commented that they believe this is because of my positive attitude going through this process. I guess there might be something to that theory - but to me, I just can't imagine it being any other way.

I talked with some of the nurses in the treatment center yesterday, and they couldn't believe that it had already been 6 months...to them, it seemed much shorter. I am really quite impressed with all of those who work in the Central Utah Cancer Center. They all remember my name, as well as the specifics regarding my treatments, and they all make very kind comments each time I return for a check-up. With the number of patients that go through that facility, I am really surprised that they even remember my name.

I have been meeting with my oncologist every month since treatment ended, and have been on blood thinners for that entire time, since we have been trying to get rid of the blood clot caused by the PICC line which was inserted for my treatments. Yesterday I had another monthly visit, and we have now crossed another bridge in the recovery process. I am now off of the blood thinners, and my visits to the oncologist are reducing to once every three months. For now, I am in complete remission, and all is well. If we keep this up for 5 years, then I can be considered "cured".

I still find it strange that I am a cancer patient. I signed up for a blood drive last week, and my wife asked me if I really thought I would be able to donate. I couldn't figure out why she was asking me that question - then she gently reminded me that I am a cancer patient...sure enough, it will be between 5 and 10 years before I can donate blood again. This was not the first time that my wife had to remind me of my new health situation. I am not sure I will ever get used to it, but as of now my situation is not disruptive in the least - just the occasional CT scan and more frequent visits to the doctor than I have historically done.

I truly appreciate the notes, e-mails and comments from everyone as my family and I went through this process. Please know that all is well, and I am settling back into life as normal.