Thursday, October 05, 2006

Okay, just a quick one I couldn't resist... Now is the time to buy Sony laptop batteries. First they had too much power and caught fire, then they suddenly had too little power (Toshiba offered to exchange 340,000 of them because they'd suddenly die without enabling any saving of work), so now they should be able to cross the two and reach homeostasis...
I was recently interviewed as a follow-up to an IT security poll being conducted by DarkReading.com. This week, for the sake of discussion, I'm 'reimaging' the interview in the traditional question-and-answer format (the verbiage gets a little less clear when there's an e-mail interview in response to an internet-based poll, because you can't really reprint what was never printed in the traditional sense - can 'reimage' be coined here?).

One reason for doing this is to expand on the quote from the resulting article, because there was a component of the idea that was not included in the article - the thought of a professional board of some kind to regulate/censure IT professionals. The link to the article is http://www.darkreading.com/document.asp?doc_id=105282 (DarkReading and LightReading are siblings worthy of reading; as with everything research-oriented, though, read for ideas but do a fair amount of research before taking stances). My bottom line is that we are serious professionals working the tools that shape the future of our economy, and if we are to be taken seriously, then we need to require more of ourselves.


Q: In our poll, we found that quite a number of IT people use their security privileges to "peek" at data that other employees would not be able to view. Why do you think this happens--is it just natural curiosity, or is there a broader attitude that IT people should have the right to access any data they like?

A: I believe there are two reasons why someone would do this. The first is the natural curiosity that leads to casual social engineering, phreaking, hacking and other infractions against privacy – those times when ‘can’ overwhelms ‘should’. The second reason is that there is an intellectual progression that takes place when someone enters the security arena that causes a rationalization to take place – “They wouldn’t give me access to do this if it wasn’t somehow okay, and as long as I don’t hurt anything it’s actually a good way for me to use and refine my skills at working with this so that I can help users and assist the company through a depth of knowledge.” In neither case do I believe people initially intend to do harm, but in both cases harm begins with the person who compromises their position and ends with true violations of corporate data policies and possible theft, etc. The term ‘slippery slope’ covers a wide variety of use/abuse of technology by its practitioners, and without a check and balance either externally-delivered (supervision of security activities) or internally-delivered (harder to come by, but ethics do still exist), the situation can quickly escalate.


Q: Where did you learn your personal ethics about IT security? Do you get this sort of training in school, from management, or through certification courses? Do you think there is a need for a universal "code of conduct" among IT and security people?

A: There was once a book written about the fact that the sum total of the really important things you need to get along in life are taught in kindergarten (“All I Ever Needed to Know I Learned in Kindergarten” – Robert Fulghum, if memory serves [I later checked this, and it is correct, except that the title of the book is "All I Really Need to Know I Learned in Kindergarten" - CT]), and it is mostly a true concept. I come from a deeply-religious background that had a strong sense of ethics at its core. For example, if you found an item in your grocery cart that you didn’t get charged for, then you waited in line at the customer service desk until your turn came, and you paid for it, regardless of the hassle. If the door was locked, that meant that you should stay out. It’s an affront to the naturally curious side of us, but we need to remember that’s the side of us that occasionally wonders whether or not it would be a good idea to bungee jump 100 feet using a 105-foot cord.

The fundamental elements for ethics exist almost universally, as long as they are subscribed to and followed. The real problem comes in when, instead of ethics, children/adults are instructed in the art of the situational ethic – that the ends justify the means. There’s certainly a lot of buzz now about this very issue, but a lot of the people buzzing are doing so to relieve the tension they felt when they realized it could have been them that got caught with their hand in the cookie jar. We need a licensing or other certification program that contains a code of ethics. I find it interesting that we require a person to pass the bar to practice law and pass the boards to practice medicine, and that we hold them accountable against their ability to practice their discipline, yet we don’t have anything analogous to that in the security field. If a lawyer malpractices, we lose some money, generally, and when a doctor malpractices, the damage, though serious, is generally limited to a small group. Then we freely hand out the security keys to those whose malpractice can affect thousands of people, and might even destroy the company. There are IT certifications and degrees of education, but those are traditionally held safe no matter what.

Has a certification or an academic degree ever been withdrawn due to a person’s actions in the field? Though it has infrequently happened due to plagiarism perpetrated while a person was studying, I don’t believe it happens as the result of how they ply their trade, and we need to stop and take a look at that. If someone who was mostly honest but was being tempted to abuse their power considered that the struggles they went through in graduate school might be all for naught if they cross that line, they may find the ability to withstand and do the right thing. For someone so totally dishonest as to discount that eventuality, we’re much better off with them being stripped of the ability to do it again in the future.


Q: Despite the emergence of state laws that require companies to report security breaches, many respondents to our survey said they still would not report breaches publicly. Do you think current laws have enough teeth to force companies to report their vulnerabilities? Have these laws had any impact on your policies for reporting breaches?

A: I grew up with the teaching that locks are for honest people, as are laws. The basic ethics crisis in our industry dictates that the laws are going to be ineffective as currently written and enforced. In order for a law’s teeth to sink in, the breach must first be identified, then “known about,” then investigated, then attributed. By that time there are going to be precious few people who haven’t found a way out of the situation, by means ranging from something as sneaky as back-dating documents to something as seemingly innocent as pointing out that their latest statement of security that was mailed out (consisting of 35 pages in 5-point type) detailed the potentials that existed for a leak, and that the breach was something that they’d given their best due diligence to try to stop. Layer after layer, the root cause of being more concerned about corporate wealth than data health will emerge from the fog, at which time it’s too late for the victims. The guilty execs will spend $300,000 or so of the corporation’s money to wrangle a fine and time served, then will go forward with their stocks still in hand, retiring underneath the comforting shadow of their golden parachute.

As for the effects on our IT area, each breach that is revealed gives further credence to the intensity with which we pursue data security. We have found that data security is assisted by firm policies and procedures. They take some time to work through, as in the approval for someone to be able to view certain data, but that time allows the responsibilities and expectations to be clearly communicated, and for those in positions of accountability to have fair knowledge of what is going on. I’d suggest that a safer approach than what seems to be the common, “Just give it to them – we have things to do,” approach would be the “Ice On Bridge” sign. Though the speed limit is 55, there are still times when you slow down to go over the bridge, because it’s not safe to hit it at full speed. You might make it just fine, but if you crash, everyone will know it was due to failure to heed the signs and conditions that were guiding your trip.


Q: Most of our respondents said that their companies take a fairly lax approach to e-mail and Internet access, allowing employees to use company systems for some personal reasons, as long as they don't abuse the privilege. However, there has been a recent increase in security violations that occur through social networking sites, phishing e-mails, and other Web usage. In view of these developments, do you expect your company to "crack down" on the use of Internet and e-mail access for non-business reasons? Why or why not?

A: We are in a unique situation. As a public university, we have to be very careful when it comes to academic rights and freedoms, the freedom of expression, etc. As an example, if we thoroughly blocked MySpace, we could possibly endanger relevant sociological research; if we really tightened e-mail down it would most likely not allow valid communication through. It is difficult to balance the scales between rights/freedoms and responsible system usage.

We are also an organization that works to actually define what good work is. Some of the findings that have come through research into the new work world shed light on how difficult it is to thoroughly connect employees to their jobs (Blackberries, 24/7/365 arrangements, etc.) and expect there to still be a clear line of demarcation between their business and personal lives. It is difficult to define where the line between social and business interaction is, and there are sometimes informal networks that produce formidable results (e.g.: “I have a friend who just happens to know AJAX…”), so we as an organization have to be especially careful how and where we apply control. If someone commits a crime, then we fully cooperate with the authorities, but if they haven’t committed a crime against anything other than good taste, the waters are a great deal murkier. A for-profit company or private institution would most likely not have to be as tolerant of variations in user habits, so this is an issue that begins and ends with the latitude we can offer. Either way, addressing the problem has a lot to do with educating the users, a place where I believe most companies fall short.


Q: Nearly three-quarters of survey respondents said that the biggest threat to the security of their organizations comes from *inside* the company: dishonest employees, disgruntled employees, top-level executives or unethical IT staffers. Why do you think the "insider" threat is greater than the external threat from hackers and organized crime? What is your organization doing to protect itself from this insider threat?

A: The reason the insider is so much more a threat is that they’re in the front door already. Just the fact that they have a user account inside your firewall means that they are a larger threat. They have overcome the first boundary to a hacker – the perimeter. In addition, status seems to be attached in the industry to how much access you have, so the accumulation of access seems to have replaced the corner office in the hierarchy of the corporate world. The likelihood that those accumulating the access have relevant needs for all of the abilities they have is slim, but they have it because they said they needed it, and they are in charge. So, when a person feels their power base threatened, they are more likely to do something significant to demonstrate that they are in charge.

We are fortunate in this aspect, because anyone requesting access to information must be approved through at least two different levels of the organization, and access is not granted on the basis of status, but on the basis of need. In addition, no one person holds “the keys”. In my area of responsibility, I can grant some access, but I don’t even have rudimentary access to the financial system, and the granters of access to the financial system have no way to grant access to other parts of the system. On top of that, we don’t operate in a vacuum, and have fostered a relationship between those doing primary functions and their backups so that there is communication when a change is made, and all changes are made using a standardized system in a batch manner, so that both can see what has happened, when and especially why. When you give one person the ability to do all security functions, you invite trouble.
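The workflow described above (two approval levels from two different people, granters scoped to a single system, a batch process that records who changed what, when and why) is easy to state and easy to get subtly wrong, so here it is as an added example in Python. This is illustrative code written for this post, not the university's actual provisioning system; the granter names, system names, roles and approval levels are all hypothetical.

```python
"""Added example (not from the original post): a small model of an
access-granting workflow with two-level approval, granters scoped to one
system each, and an audit entry for every change. All names, roles and
systems below are hypothetical."""

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical granter scopes: each granter may act on one system only,
# so no single person holds "the keys" to everything.
GRANTER_SCOPE = {
    "alice": "student_records",   # can grant student-records access
    "bob": "financials",          # can grant financial-system access
}

# Hypothetical approval levels every request must pass through.
REQUIRED_LEVELS = ("supervisor", "data_owner")


class PolicyError(Exception):
    """Raised when an approval would violate the policy."""


@dataclass
class AccessRequest:
    requester: str
    system: str
    role: str
    justification: str                              # the "why"
    approvals: dict = field(default_factory=dict)   # level -> approver

    def approve(self, level: str, approver: str) -> None:
        """Record one approval; refuse self-approval and double-approval."""
        if level not in REQUIRED_LEVELS:
            raise PolicyError(f"unknown approval level {level!r}")
        if approver == self.requester:
            raise PolicyError("requesters may not approve their own access")
        if approver in self.approvals.values():
            raise PolicyError("the same person may not approve twice")
        self.approvals[level] = approver

    def fully_approved(self) -> bool:
        return all(lvl in self.approvals for lvl in REQUIRED_LEVELS)


def apply_batch(requests, granter, audit_log):
    """Apply a batch of requests as one granter. Returns the list of
    (requester, system, role) grants actually made. Every outcome, granted
    or refused, is appended to audit_log with who, when and why."""
    scope = GRANTER_SCOPE.get(granter)
    granted = []
    for req in requests:
        stamp = datetime.now(timezone.utc).isoformat()
        if scope is None or req.system != scope:
            reason = f"{granter} cannot grant on {req.system}"
        elif not req.justification.strip():
            reason = "no justification given"
        elif not req.fully_approved():
            missing = [lvl for lvl in REQUIRED_LEVELS if lvl not in req.approvals]
            reason = f"missing approvals: {', '.join(missing)}"
        else:
            reason = None
        ok = reason is None
        audit_log.append({
            "when": stamp, "who": granter, "requester": req.requester,
            "system": req.system, "role": req.role, "granted": ok,
            "why": req.justification if ok else reason,
            "approved_by": dict(req.approvals),
        })
        if ok:
            granted.append((req.requester, req.system, req.role))
    return granted


def demo():
    """Constructed sample batch: one well-formed request, one that the
    wrong granter tries to act on, one missing an approval level."""
    log = []
    r1 = AccessRequest("carol", "student_records", "reader", "advising caseload")
    r1.approve("supervisor", "dave")
    r1.approve("data_owner", "erin")
    r2 = AccessRequest("carol", "financials", "reader", "budget report")
    r2.approve("supervisor", "dave")
    r2.approve("data_owner", "frank")
    r3 = AccessRequest("gina", "student_records", "editor", "registrar backfill")
    r3.approve("supervisor", "dave")     # data_owner approval never arrives
    granted = apply_batch([r1, r2, r3], "alice", log)
    return granted, log


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

Two design points worth noticing: the refusal reasons land in the same audit log as the grants, so a backup reviewing the batch sees the attempts that failed as well as the ones that succeeded, and the scope check is applied to the granter rather than the request, so a granter who is handed a request outside their system cannot act on it even if it is otherwise fully approved.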


Q: What do you see as the biggest ethical dilemma that IT and security professionals face today?

A: I think this topic is it. Our systems are so complex, and there are so many variables, that errors and omissions are relatively easy to cover up. As kids we learned on the playground that if you don’t call your own fouls and ‘fess up, the other kids will shortly not invite you to play. As we grow and enter the work world we forget that, and so we make mistakes and, instead of calling our own fouls and admitting to them with a plan for correcting the problem, we blur everything to try to escape the blame. Show me an IT worker who never makes a mistake, and I’ll show you someone who’s either so deeply ineffective as to be immaterial to any of the work, or so untrustworthy that they’ll hide anything at any time. We all make mistakes, and as we teach our children, it’s better to admit what you’ve done before your parents find out independently. Is my approach to this matter simplistic? You bet. It’s as simple as blending the basic foundations for human relationships – trust and respect – with the basic foundations of sound business practices – accountability and ethics – to create the operating theater for the IT practitioner.

Monday, October 02, 2006

Something disturbing...

I'm not one to keep pummeling a deceased equine (and they said that 'Word-A-Day' calendar was a waste of money), but I will this one time due to something very disturbing and unsettling.

If you've been paying attention to the Congressional investigation of the HP fiasco, you have seen partial transcripts of the proceedings (if you haven't, then your natural curiosity is less than mine). In one exchange, Patricia Dunn is being addressed by a congressman, who asks her if she'd give him her phone records. She replies that, given his position, she would. He proceeds to tell her that he wouldn't give her his, and she replies that she hopes he's not hiding anything.

What's disturbing about that? Plenty! First and foremost, her total disrespect for the proceedings shows how much power she still assumes she has. Just the comment about having something to hide shows that she clearly feels that she was, and still is, entitled to have whatever information she wishes. Though I feel it was meant as a sarcastic aside, it also hints at an underlying layer of suspicion, or even paranoia, about any and all. How much press and opinion and facing of facts will it take for her to realize that she really was wrong in what she did? My guess is that the body count related to hubris has risen one, and that she is so far gone that she'll be lecturing on a circuit when she's 80 and talking about how a culture of betrayal kept her from doing her job.

The question that springs to mind is: where do they FIND these people?! How is it that someone so paranoid and vindictive rises to such a position of power? Was Machiavelli accurate all the way through the highest ranks of business? Is such a vicious approach to operating the only way to get ahead?

I submit that it isn't necessary to act as Dunn did to be successful. Note that Machiavelli's book was entitled "The Prince," and not "The King." There are certain maneuvers and machinations that can be employed in order to rise to a level of power, but there is an underlying principle that is one part practicality and one part philosophy, and is known far and wide as the Golden Rule (treat others as you would wish to be treated).

Dunn rose, and fell, as the result of a ruthless approach to life in general, and business in specificity. She obviously overcame odds to reach the point where she was, but it appears that the process she employed was not about working through to overcome odds, but was instead working over people in order to avoid the odds. She short-cut the general basis for human relations - trust. (I realize that she was on a mole hunt, and some might insist that she had a right to repay treachery with some of her own, but the vast majority of people are more or less trustworthy, and if you take the minority view that no one is worthy of respect, you deal with the thought expressed so well in my favorite Russian proverb: 'Before starting out to get revenge, make sure to dig two graves.')

Someone else who also took the short and definitely less ethical route to gain has also entered another phase of his life. Bernie Ebbers' new home is a prison in Mississippi. He thought he had a right to whatever he wanted as well. Will Dunn go to prison? Probably not, attorneys general's blustering aside. The point is, though, that her 'end justifies the means' ideology provided the means to the end of her power, and she ended up with less than she started with. She began her working life as someone who was considered to be honest, even though her abilities weren't known at the time. Now she is known to be dishonest, and whatever abilities she has are forever overshadowed by her works.

The overarching point is that each one of us begins each day, each career, each phase of life, with what amounts to a challenge. We can decide to treat others well, work hard and prove our worth, or we can decide to walk all over others, work craftily and assert our inferred worth. At the core of it all is the substance we are made from. If our core looks good, but is actually shellac over styrofoam, we will crumble under examination. If our core is made of the right stuff through and through, then we stand up to the level of examination that comes our way. To rise to the helm of a large company is not worth the price of your integrity (writ your soul, however you wish to interpret that), especially since the most commonly-found business success is with a company that has between 10 and 100 employees anyway. Aside from that, if your definition of true success is expressed in the currency of money, or of power, then you're on the wrong track to begin with.

A year ago, many would have traded places with Dunn - today, not so much. Okay, I'm Dunn with this topic...

Tuesday, September 12, 2006

(Wall) Street Justice? Not likely, but it should be dispensed...

The more things that come out about the HP scandal, the more frustrating and saddening it becomes. Where are the ethics that govern conduct? Unfortunately the ethics are all about the cash, not the principle.

The problem is that this has always been the case. No matter how far you reach back into history, the same ethical gaps appear in the history of even the acknowledged leaders in every area of business.

The problem is two-fold: continual financial performance is considered sacred, with anything that does not contribute to the bottom line relegated to the scrap heap. This is why patent fights are so prevalent, why shady accounting practices go forth and why things like wiretapping and spying are done. Unfortunately, this is also why it is difficult to justify Disaster Recovery costs and due diligence with data handling to upper management.

There are a lot of people who will weigh in on what has happened, with their reactions generally geared to their level of culpability in something similar, or their sympathy for those caught with their ethics around their ankles. Where should the academic world weigh in? That's a good question. How many of the schools granting the degrees to the folks who did the wiretapping came out in public and denounced the activity as being unworthy of the education that was received?

How many of the degree programs involved placed the spotlight on the issue and began a serious debate about rescinding the degrees granted? This is not unprecedented, as some degrees have been rescinded based on plagiarism in the past. The rescinding of a degree is normally done based solely on the student's actions during their matriculation, however "isn't" is definitely not "can't." A degree can be awarded based on merit instead of accomplishment based on a consensus of the grantors, so the only stumbling block to toughening the practicing standards for graduates is the lack of forceful application of ethical standards on the part of the schools.

I'm not attempting to be overly aggressive, but we do need to take a serious look at the standards we allow to exist within the business world, especially within the technology sector. Ministers can be de-frocked, lawyers disbarred, doctors and psychologists can have their licenses revoked, yet business professionals are permitted to exercise their own lack of ethics whenever they wish without recourse to their ability to further carry out their abuses.

In the case of the HP fiasco, taking away a journalism degree won't really accomplish anything, and isn't relevant to the crime; however, if Harvard stripped away an MBA from a graduate who perpetrated securities fraud, or if MIT suspended a doctorate for a known research 'shortcut', it would send ripples through the professional community. The individuals affected would be unable to practice the skills they abused previously, and if they had to go through a rigorous process to restore their credentials, it might be sufficient to keep them from making further bad decisions.

One need in the academic community is for the education garnered to be relevant, a guiding principle for the proper practice of the learned skills. If what we learn is irrelevant once we graduate, there is no need to graduate. If the practices we use are so different than those we learn, then why do the work to begin with? We can discuss ethics ad infinitum, and we can frown when they are broken in the 'real world', but until we do something about it, until there is an aggressive response from the community that produces the violators, nothing will improve. We cannot be surprised if individuals do the very things we allow them to do by refusing to directly address violations.

Technology is arguably more important to our economy than medicine, and we need to have similarly high standards for the practitioners. The effects of this breach of ethics could affect the employees of HP very negatively (especially since HP has a line of servers called the Integrity series - hmmmmm...), thus making this malpractice of a professional skill harmful to the blameless. A bad doctor may harm a few patients, but how many more people are harmed through bad business ethics?

Thursday, August 31, 2006

Wow! It's hot as Dell in here! Does anyone smell baked Apples? Sony, yet so far away...

Puns aside (or asides with puns...), the IT world has recently been aglow with news regarding batteries that apparently burst into flames, potentially causing injury. What hasn't been covered so well is the types of issues that can cause this to happen.

As IT system users, we demand a great deal from the systems we use, to the extent that, if we had such a thing (let's tentatively call it the 'what have you done for me today' law - WHYDoFMeT Law), our expectations of our machines' performance gains far exceed Moore's Law. We find larger files to store on smaller machines, and we seem to be driven to carry terabytes in a teaspoon.

There is no such thing as a free lunch, and that is the rub. We demand smaller, cheaper and faster, forgetting the unofficial engineering principle that you can pick any two and get them safely. I don't know the degree of engineering and testing that went into the batteries that have been burning, but I do know that the prices of laptops have been going down, and their speeds have been going up, so the additional demand of being smaller introduces a risk into the system.

When the smoke clears, and all financial costs have been counted, how much cheaper were all those laptops? Not much, if any at all. This is again a case of "can" outpacing "should". I am a fan of performance, but proven performance, not short-term performance. I hope that the industry re-thinks the pace with which they are driving into the future and applies more sound engineering practices to ensure that the components can support the assembly.

In addition, I'd like to posit that one or two more mistakes of this magnitude by Sony (let's not forget the other one within the past year - the spyware on the CDs from their music division) will leave them primed for a buy-out, or for a fade-out, from the environment. There are some interesting possibilities for sure.

Wednesday, August 30, 2006

When electrons and synapses collide...

Today's short blog posting, as I rev this back up, comes courtesy of some work that I've been involved in to try to compare three systems on a cost basis, breaking out the information into capital expenditures versus ongoing costs. While this is simple in theory, at the risk of sounding like a certain Southern politician, it depends on what you mean by capital expense.

All kidding aside, as many systems as there are in the IT universe, there are at least twice that many pricing schemes. There are price breaks, groupings for discounts, educational discounts, etc., none of which are thoroughly explained, and none of which are exactly alike. There are even different styles of licensing - most notably by the seat, and concurrent uses - with ratios that must be understood and taken into account when comparing systems. An example of this type of math is that power users for a certain system that utilizes seats should be purchased in a 3:1 ratio for concurrent uses, but in a 4:1 ratio for casual users (assuming that 'casual' is definable).

Complicating the matter was information from one of the vendors that read roughly like a Chilton's manual, re-written by a team of a lawyer and doublespeak specialist, and published in the original Latvian. No guidance was given as to how to interpret it, and requests for additional information led to faxed copies of the same gibberish, so we could see what confusion looks like in less-intelligible characters. Remember, this is for a technology purchase, and technology is supposed to simplify or improve something, or someone.

After pounding through spreadsheet after spreadsheet, trying to come to terms with the mess, we were confronted by a dilemma. We were trying to analyze a technological upgrade using technological tools in the 'new' style of working, where you use the screen for all, and with all the technology involved, it was failing.

For the solution, we re-wired the work. At a point of desperation, we took out sheets of paper and did something akin to a tabletop exercise, in which we basically installed the system from the ground up, one piece at a time. Suddenly the unclear clarified itself, and within a little while, the solution to the problem was found.

The point of all this is that we took the parallel work and turned it into serial work, at which time the solution jumped out at us. The labor savings we were trying to gain in the spreadsheet were blocking the outcomes we needed. There is nothing wrong with technology, and certainly nothing wrong with trying to use tools to automate or simplify what needs to be easier to do. We do need to remember, though, that for every electronic tool we use, there is an analog (manual, if you wish) version, likely functioning slightly differently, which may work better for a particular problem.

As we progress into the future, we need to remember the intellectual and physical nuts and bolts that form the platform upon which we base our technology. Sometimes you have to use brute force to arrive at what you need, and if we forget how to do that, we wind up spinning our wheels.