In consulting, consistent 12 to 16 hour days could be the sign of an extremely dedicated consultant or a complete incompetence on the Statement of Work creation. It may be the case that prolonged daily engagements are not due to the consultant's lack of intelligence but rather the lack of due diligence in initial requirements gathering, resource scoping and the ability to translate the customer's pain points into an accurate, actionable plan. The result is a consultant with a vague Statement of Work prepared by a non-technical salesman that requires translation, improvements and expectation management. Correct scoping leads to increased revenues for the consultancy, better customer satisfaction and a general morale boost for the consulting staff.
Also, it should be noted that the acronym SME no longer stands for Subject Matter Expert; rather, Send Me Everywhere.
Thursday, December 21, 2006
Wednesday, December 20, 2006
Solving THE Problem
The problem is that people don't understand problems in general. They may see them, they may even try to resolve them, but they are completely ineffectual because they lack the knowledge that 95% of problems we see – in any form or practice – are really just symptoms of the other 5% of real issues. Allow me to demonstrate with some analogies.
Suppose you have a deep chest cough, a severe sinus headache, a constantly running nose, chills, fever and achy joints. Suppose you've felt this way for over a week with no improvement. Do you take Tylenol for the headache, a sinus decongestant for the nose, a cough suppressant for the hacking cough, a cough expectorant to loosen the phlegm, cover with blankets to address the chills, use ice to mitigate the achy joints and occasionally cold baths to reduce the fever? Or do you consider these "problems" as merely results of a larger chronic issue that will not spontaneously improve by simply addressing the symptoms. Perhaps you head to the doctor and get an antibiotic to combat the root of your problem – the infection that is causing your symptoms. Perhaps the doctor takes it one step further and recommends you wash your hands often with antibacterial soap, get enough sleep each night and eat a proper diet to help your body's ability to fight off infection before it gains a foothold. Not only have you addressed the root cause of your ailment, but you’ve learned how to prevent it in the future.
It seems people may be aware of the fact that every action has consequences – although that statement could be debated. Assuming people believe it, it troubles me that when the consequences are undesired, people try to fix them one by one. Instead, take a look at the original action. Undue it – if possible. Work to stifle the root cause of the unwanted consequences rather than allowing them to persist with impulsive remediations.
In my profession, there is no end to application designers that have one major skill – they can code. Each and every one of them has two major flaws that counteract their coding magic: they can not code securely and they can not code an application that uses any kind of networking - whatsoever. This leads to shoddy software that performs poorly on networks, opens them to attack and leaves users to complain, "the network is slow". In fact, the network is not "slow", everything is working as it should be. Routing is working, skillfully written applications are working correctly and the one poorly written, hastily deployed application is ruining it for everyone. How to address this?
Should the network operations people deploy application acceleration technologies to compensate for the poorly written application? Should the network operations people now manage a new set of devices and configurations to offset for the poor planning of the application group? Should users learn to live with poor performance? Or instead, should the application group be held accountable? Should the application be pulled from production so it can be reengineered to work optimally across a network? Should the root cause of the network "slowness" be addressed so that no one suffers, or should everyone be brought down a level to that of the poorly performing application?
The correct answer is obvious; however, not the easiest and thus, the path never followed. No one ever said doing the right thing was easy. Proper planning and risk anticipation always fall by the wayside when a highly visible issue requiring "immediate" attention is brought to light. Corners are cut, haste is employed and waste is deployed. In networking, in politics, in personal decisions – this is always the case.
I'm convinced there are only two possible reasons people can not effectively problem solve. First, people are lazy and would rather take the easy way out by addressing the many smaller issues that result from poor decision making. The other more troubling reason – which I think may subconsciously cause the first course of action – is that people don't have advanced problem solving skills. Basic problem solving skills simply involve identifying a problem, formulating a solution and enacting it. The advanced skills include feedback loops and actually learning from successes and failures and I fear this is far beyond the grasp of normal everyday people (it shouldn't be, but I'm afraid it is).
Hazardous situations should be immediately addressed with stopgap measures. Systemic issues require a more holistic approach including analysis and research. Where did the issue come from? What is the root cause? A comprehensive understanding of the issue leads to a detailed plan of action to not only resolve the issue, but also to eliminate the resultant issues – the symptoms people spend so much time fussing over – and prevent future recurrences.
Politicians and lawmakers are probably the guiltiest of these trespasses. Writing new laws to address undesired outcomes of previous legislation is not the correct path. Creating new directives that address shortcomings in civil systems is not fruitful. If drunk driving is an issue, the answer is not to raise the drinking age, but to create stiff penalties for first time offenders and mandatory maximum sentences for repeaters. If high health care premiums are of concern, don't ban smoking and fatty foods, fix the health care system so that smokers and fatties pay more for their habits. Eating bad foods in large quantities is not a disease; however, it does cause disease – heart disease for example. Chronic diseases are much more of a drain on health care dollars than are the occasional X-rays and stitches I may get from mountain biking.
Ultimately, people don't want to be held responsible or liable for any of their actions when in reality, that is precisely what should happen. If you make stupid mistakes, you – not me – should suffer the consequences. If you are genetically predisposed to heart disease, laziness or stupidity, I refuse to help you. As it is your choice to ruin you life or to make the best of it, it is mine to neither watch you do either, nor care about - or much less be responsible for - your consequences.
Suppose you have a deep chest cough, a severe sinus headache, a constantly running nose, chills, fever and achy joints. Suppose you've felt this way for over a week with no improvement. Do you take Tylenol for the headache, a sinus decongestant for the nose, a cough suppressant for the hacking cough, a cough expectorant to loosen the phlegm, cover with blankets to address the chills, use ice to mitigate the achy joints and occasionally cold baths to reduce the fever? Or do you consider these "problems" as merely results of a larger chronic issue that will not spontaneously improve by simply addressing the symptoms. Perhaps you head to the doctor and get an antibiotic to combat the root of your problem – the infection that is causing your symptoms. Perhaps the doctor takes it one step further and recommends you wash your hands often with antibacterial soap, get enough sleep each night and eat a proper diet to help your body's ability to fight off infection before it gains a foothold. Not only have you addressed the root cause of your ailment, but you’ve learned how to prevent it in the future.
It seems people may be aware of the fact that every action has consequences – although that statement could be debated. Assuming people believe it, it troubles me that when the consequences are undesired, people try to fix them one by one. Instead, take a look at the original action. Undue it – if possible. Work to stifle the root cause of the unwanted consequences rather than allowing them to persist with impulsive remediations.
In my profession, there is no end to application designers that have one major skill – they can code. Each and every one of them has two major flaws that counteract their coding magic: they can not code securely and they can not code an application that uses any kind of networking - whatsoever. This leads to shoddy software that performs poorly on networks, opens them to attack and leaves users to complain, "the network is slow". In fact, the network is not "slow", everything is working as it should be. Routing is working, skillfully written applications are working correctly and the one poorly written, hastily deployed application is ruining it for everyone. How to address this?
Should the network operations people deploy application acceleration technologies to compensate for the poorly written application? Should the network operations people now manage a new set of devices and configurations to offset for the poor planning of the application group? Should users learn to live with poor performance? Or instead, should the application group be held accountable? Should the application be pulled from production so it can be reengineered to work optimally across a network? Should the root cause of the network "slowness" be addressed so that no one suffers, or should everyone be brought down a level to that of the poorly performing application?
The correct answer is obvious; however, not the easiest and thus, the path never followed. No one ever said doing the right thing was easy. Proper planning and risk anticipation always fall by the wayside when a highly visible issue requiring "immediate" attention is brought to light. Corners are cut, haste is employed and waste is deployed. In networking, in politics, in personal decisions – this is always the case.
I'm convinced there are only two possible reasons people can not effectively problem solve. First, people are lazy and would rather take the easy way out by addressing the many smaller issues that result from poor decision making. The other more troubling reason – which I think may subconsciously cause the first course of action – is that people don't have advanced problem solving skills. Basic problem solving skills simply involve identifying a problem, formulating a solution and enacting it. The advanced skills include feedback loops and actually learning from successes and failures and I fear this is far beyond the grasp of normal everyday people (it shouldn't be, but I'm afraid it is).
Hazardous situations should be immediately addressed with stopgap measures. Systemic issues require a more holistic approach including analysis and research. Where did the issue come from? What is the root cause? A comprehensive understanding of the issue leads to a detailed plan of action to not only resolve the issue, but also to eliminate the resultant issues – the symptoms people spend so much time fussing over – and prevent future recurrences.
Politicians and lawmakers are probably the guiltiest of these trespasses. Writing new laws to address undesired outcomes of previous legislation is not the correct path. Creating new directives that address shortcomings in civil systems is not fruitful. If drunk driving is an issue, the answer is not to raise the drinking age, but to create stiff penalties for first time offenders and mandatory maximum sentences for repeaters. If high health care premiums are of concern, don't ban smoking and fatty foods, fix the health care system so that smokers and fatties pay more for their habits. Eating bad foods in large quantities is not a disease; however, it does cause disease – heart disease for example. Chronic diseases are much more of a drain on health care dollars than are the occasional X-rays and stitches I may get from mountain biking.
Ultimately, people don't want to be held responsible or liable for any of their actions when in reality, that is precisely what should happen. If you make stupid mistakes, you – not me – should suffer the consequences. If you are genetically predisposed to heart disease, laziness or stupidity, I refuse to help you. As it is your choice to ruin you life or to make the best of it, it is mine to neither watch you do either, nor care about - or much less be responsible for - your consequences.
Tagged:
tech
Sunday, December 10, 2006
Security Solutions for Uninterested Users
With the latest concerns of IT security being insider threats and the lack of user participation in security, Single Sign On (SSO) coupled with biometrics may become the most important technologies in securing your network.
The alternatives are rigorous user training on information security and policies that not only enforce, but provide penalties for non-conformance. User security awareness training is not new to the industry, but the seeming unwillingness of users to comply may be. A change in user attitudes towards corporate security may be a task rapidly approaching the impossible.
While network administrators try to mitigate weak user security habits with password controls such as uniqueness and complexity algorithms, these approaches are more counterproductive than beneficial. The more users are required to have complex and changing passwords, the more likely they are to write them down or share them with co-workers to prevent troublesome logons. Complicating matters is the many applications that are moving to web based interfaces that do not integrate with a user's desktop environment. These individual applications require a unique sign on that in many cases differs from the user’s normal username/password combination for desktop access.
While SSO can minimize the user frustration of multiple passwords, it does provide the "keys to the kingdom" if a user's password is compromised. The elimination of the "what you know" form of authentication addresses this.
Biometrics, a form of authentication based on "what you are" – such as a fingerprint or retina scan – is unique per user and does not require the user to remember a complex or changing set of criteria. Single or dual factor biometric authentication methods – such as fingerprint with or without voice recognition – provide a secure, easy authentication method while proving more robust and reducing false positives.
The main hurdle is the cost of deployment. Integrating biometrics into the user desktop logon procedure is not an inexpensive proposition especially with a large install base. Some laptop models provide integrated biometrics in the form of a fingerprint scanner; however, this requires a one-for-one swap of all installed models. Furthermore, the deployment of new applications – either those developed in house or those from external vendors – is seriously limited to applications that support integrated token authorization based on the biometric authentication method.
Still, when weighed against the potential losses of a data compromise, a technically feasible authentication scheme that addresses the crux of the problem – users that do not have the same priority for information security as those enforcing it – is the best approach.
The alternatives are rigorous user training on information security and policies that not only enforce, but provide penalties for non-conformance. User security awareness training is not new to the industry, but the seeming unwillingness of users to comply may be. A change in user attitudes towards corporate security may be a task rapidly approaching the impossible.
While network administrators try to mitigate weak user security habits with password controls such as uniqueness and complexity algorithms, these approaches are more counterproductive than beneficial. The more users are required to have complex and changing passwords, the more likely they are to write them down or share them with co-workers to prevent troublesome logons. Complicating matters is the many applications that are moving to web based interfaces that do not integrate with a user's desktop environment. These individual applications require a unique sign on that in many cases differs from the user’s normal username/password combination for desktop access.
While SSO can minimize the user frustration of multiple passwords, it does provide the "keys to the kingdom" if a user's password is compromised. The elimination of the "what you know" form of authentication addresses this.
Biometrics, a form of authentication based on "what you are" – such as a fingerprint or retina scan – is unique per user and does not require the user to remember a complex or changing set of criteria. Single or dual factor biometric authentication methods – such as fingerprint with or without voice recognition – provide a secure, easy authentication method while proving more robust and reducing false positives.
The main hurdle is the cost of deployment. Integrating biometrics into the user desktop logon procedure is not an inexpensive proposition especially with a large install base. Some laptop models provide integrated biometrics in the form of a fingerprint scanner; however, this requires a one-for-one swap of all installed models. Furthermore, the deployment of new applications – either those developed in house or those from external vendors – is seriously limited to applications that support integrated token authorization based on the biometric authentication method.
Still, when weighed against the potential losses of a data compromise, a technically feasible authentication scheme that addresses the crux of the problem – users that do not have the same priority for information security as those enforcing it – is the best approach.
Tagged:
tech